Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Unleashing the kernel with eBPF
Search
Liz Rice
April 10, 2024
0
150
Unleashing the kernel with eBPF
For QCon London in the Efficient Programming Languages track
Liz Rice
April 10, 2024
Tweet
Share
More Decks by Liz Rice
See All by Liz Rice
eBPF's Abilities and Limitations: The Truth
lizrice
0
260
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
160
When is a Secure Connection not encrypted? And other stories
lizrice
1
69
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
580
How Many Proxies Do You Need
lizrice
1
130
eBPF for Security Observability
lizrice
0
1.3k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
45
Cloud Native eBPF Superpowers
lizrice
0
240
Featured
See All Featured
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
28
900
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
28
4.4k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
5
440
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
RailsConf 2023
tenderlove
29
940
Building Your Own Lightsaber
phodgson
103
6.1k
Code Review Best Practice
trishagee
65
17k
We Have a Design System, Now What?
morganepeng
51
7.3k
Music & Morning Musume
bryan
46
6.2k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.2k
Reflections from 52 weeks, 52 projects
jeffersonlam
347
20k
Transcript
Unleashing the kernel with eBPF Liz Rice | @lizrice Chief
Open Source Officer, Isovalent Emeritus Chair, CNCF Technical Oversight Committee | CNCF & OpenUK boards
@lizrice What is ? extended Berkeley Packet Filter
@lizrice What is ? eBPF is a kernel technology enabling
high-performance, low overhead tools for networking, security and observability
@lizrice What is ? Makes the kernel programmable
@lizrice userspace kernel app event system calls eBPF program Run
custom code in the kernel
@lizrice SEC("kprobe/sys_execve") int hello(void *ctx) { bpf_printk("Hello!"); return 0; }
$ sudo ./hello bash-20241 [004] d... 84210.752785: 0: I'm alive! bash-20242 [004] d... 84216.321993: 0: I'm alive! bash-20243 [004] d... 84225.858880: 0: I'm alive! Info about process that called execve syscall + userspace code to load eBPF program eBPF Hello World
@lizrice Packet of Death mitigation
@lizrice host eth0 Packet of Death
@lizrice host eth0 Packet of Death Discard?
@lizrice SEC("xdp/bye") int goodbye_ping(struct xdp_md *ctx) { ... if (iph->protocol
== IPPROTO_ICMP) return XDP_DROP; return XDP_PASS; } eBPF Packet Drop
@lizrice Dynamically change kernel behaviour
@lizrice
@lizrice
@lizrice eBPF code has to be safe userspace kernel app
event system calls eBPF program 🔍 verifier
@lizrice eBPF code runs as native instructions userspace kernel app
event system calls eBPF program ✍ JIT compiler
@lizrice Custom behaviour without transitions
@lizrice userspace kernel app XDP event system calls eBPF program
eXpress Data path - ingress, before network stack network packet XDP_DROP network stack XDP_TX XDP_PASS
@lizrice userspace kernel app event system calls eBPF program Run
custom code on network packets network packet Program triggered by packet No polling from user space Packet in kernel memory Per CPU eBPF maps
@lizrice Improved network performance (eBPF) (eBPF) (eBPF) (not eBPF) Miano
et al: A Framework for eBPF-Based Network Functions in an Era of Microservices
@lizrice cilium.io/blog/2022/04/12/cilium-standalone-L4LB-XDP/ - Seznam case study Improved network performance
@lizrice Improved performance for container networking
@lizrice host pod app socket veth veth eth0 iptables conntrack
iptables INPUT Linux routing iptables PREROUTING mangle iptables conntrack iptables FORWARD Linux routing iptables PREROUTING nat iptables POSTROUTING mangle iptables PREROUTING mangle iptables POSTROUTING nat
@lizrice host pod app socket veth veth eth0 iptables conntrack
iptables INPUT Linux routing iptables PREROUTING mangle Linux routing
@lizrice cilium.io/blog/2021/05/11/cni-benchmark TCP RR (higher is better) legacy host-routing
@lizrice cilium.io/blog/2020/06/22/cilium-18/#kubeproxy-removal
@lizrice Unleashing the Power of Cilium CNI to Propel Trendyol’s
Performance Up to 40%! 20 July 2023
@lizrice eBPF for performance tracing
@lizrice Measure anything (?) with eBPF
@lizrice Brendan Gregg on performance improvements
@lizrice Brendan Gregg on performance improvements
@lizrice Brendan Gregg on performance improvements “eBPF is essential for
such fast in-situ production analysis”
@lizrice Programmable kernel in Kubernetes
@lizrice userspace kernel networking access files create containers One kernel
per host pod container pod container container
@lizrice userspace kernel app app pods networking access files create
containers Kernel aware of everything on the host
@lizrice userspace app kernel app pods networking access files create
containers eBPF programs can be aware of everything
@lizrice eBPF tools work without any app or config changes
@lizrice - Nathan LeClaire @dotpem
@lizrice A sidecar has a view across one pod userspace
pod container sidecar container
@lizrice Sidecars need YAML userspace pod container sidecar container userspace
pod container sidecar container my-app.yaml containers: - name: my-app ... - name: my-app-init … - name: my-sidecar ...
@lizrice eBPF does not need any app changes userspace pod
container container my-app.yaml containers: - name: my-app ... - name: my-app-init … kernel
@lizrice eBPF can see ALL activity on the node userspace
pod container container my-app.yaml containers: - name: my-app ... - name: my-app-init … kernel 👿
@lizrice Reduce resource usage of per-pod sidecar Avoid sidecar config
in every pod Avoid updating sidecar config in every pod
@lizrice eBPF enables efficient sidecarless Service Mesh
@lizrice Network path with sidecar
@lizrice Network path for L3/4 traffic
@lizrice Envoy for Layer 7 terminations when needed
@lizrice “[Moving to a proxy-per-node model can] reduce costs up
to 90% while simplifying operations and improving performance for applications” - Tetrate Sidecarless service mesh improves performance
@lizrice eBPF enables high performance security tools
@lizrice userspace kernel app event eBPF program Run custom code
in the kernel Interesting for security system calls
@lizrice Security observability
@lizrice Security observability - Falco Event filtering in user space
@lizrice kernel userspace Security observability - Falco
@lizrice Security observability - Cilium Tetragon kernel userspace Tetragon
@lizrice 🚀 process default/xwing /usr/bin/vi /etc/passwd 📬 open default/xwing /usr/bin/vi
/etc/passwd 📪 close default/xwing /usr/bin/vi 📬 open default/xwing /usr/bin/vi /etc/passwd 📝 write default/xwing /usr/bin/vi /etc/passwd 1275 bytes 📪 close default/xwing /usr/bin/vi 💥 exit default/xwing /usr/bin/vi /etc/passwd 0 Cilium Tetragon observe security events Policy events Kubernetes info
@lizrice “Traditional solution” = eBPF event collection, filtered in user
space In-kernel event filtering Tetragon
@lizrice Runtime security enforcement in eBPF
@lizrice Traditional preventative actions from user space
@lizrice Tetragon runtime security - synchronous Tetragon
@lizrice 🚀 process default/xwing /usr/bin/vi /etc/passwd 📬 open default/xwing /usr/bin/vi
/etc/passwd 📪 close default/xwing /usr/bin/vi 📬 open default/xwing /usr/bin/vi /etc/passwd 📝 write default/xwing /usr/bin/vi /etc/passwd 1269 bytes 💥 exit default/xwing /usr/bin/vi /etc/passwd SIGKILL Cilium Tetragon enforce sensitive file access Killed before write
@lizrice 🚀 process default/xwing /usr/bin/curl deathstar/v1 💥 exit default/xwing /usr/bin/curl
deathstar/v1 0 🚀 process default/xwing /usr/bin/curl example.com 🔌 connect default/xwing /usr/bin/curl tcp 10.244.1.124:49874 -> 93.184.216.34:80 💥 exit default/xwing /usr/bin/curl example.com SIGKILL Cilium Tetragon enforce network access Killed before write Policy allows in-cluster traffic
@lizrice eBPF makes the kernel programmable enabling a new generation
of powerful & efficient Cloud Native tools
@lizrice Thank you ebpf.io cilium.io @lizrice Download from isovalent.com isovalent.com/labs
Remember to vote and share feedback on the InfoQ App
or online. Please vote and leave feedback! Any questions?