Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Unleashing the kernel with eBPF

Liz Rice
April 10, 2024
150

Unleashing the kernel with eBPF

For QCon London in the Efficient Programming Languages track

Liz Rice

April 10, 2024
Tweet

Transcript

  1. Unleashing the kernel with eBPF Liz Rice | @lizrice Chief

    Open Source Officer, Isovalent Emeritus Chair, CNCF Technical Oversight Committee | CNCF & OpenUK boards
  2. @lizrice What is ? eBPF is a kernel technology enabling

    high-performance, low overhead tools for networking, security and observability
  3. @lizrice SEC("kprobe/sys_execve") int hello(void *ctx) { bpf_printk("Hello!"); return 0; }

    $ sudo ./hello bash-20241 [004] d... 84210.752785: 0: I'm alive! bash-20242 [004] d... 84216.321993: 0: I'm alive! bash-20243 [004] d... 84225.858880: 0: I'm alive! Info about process that called execve syscall + userspace code to load eBPF program eBPF Hello World
  4. @lizrice SEC("xdp/bye") int goodbye_ping(struct xdp_md *ctx) { ... if (iph->protocol

    == IPPROTO_ICMP) return XDP_DROP; return XDP_PASS; } eBPF Packet Drop
  5. @lizrice eBPF code has to be safe userspace kernel app

    event system calls eBPF program 🔍 verifier
  6. @lizrice eBPF code runs as native instructions userspace kernel app

    event system calls eBPF program ✍ JIT compiler
  7. @lizrice userspace kernel app XDP event system calls eBPF program

    eXpress Data path - ingress, before network stack network packet XDP_DROP network stack XDP_TX XDP_PASS
  8. @lizrice userspace kernel app event system calls eBPF program Run

    custom code on network packets network packet Program triggered by packet No polling from user space Packet in kernel memory Per CPU eBPF maps
  9. @lizrice Improved network performance (eBPF) (eBPF) (eBPF) (not eBPF) Miano

    et al: A Framework for eBPF-Based Network Functions in an Era of Microservices
  10. @lizrice host pod app socket veth veth eth0 iptables conntrack

    iptables INPUT Linux routing iptables PREROUTING mangle iptables conntrack iptables FORWARD Linux routing iptables PREROUTING nat iptables POSTROUTING mangle iptables PREROUTING mangle iptables POSTROUTING nat
  11. @lizrice host pod app socket veth veth eth0 iptables conntrack

    iptables INPUT Linux routing iptables PREROUTING mangle Linux routing
  12. @lizrice userspace kernel app app pods networking access files create

    containers Kernel aware of everything on the host
  13. @lizrice userspace app kernel app pods networking access files create

    containers eBPF programs can be aware of everything
  14. @lizrice Sidecars need YAML userspace pod container sidecar container userspace

    pod container sidecar container my-app.yaml containers: - name: my-app ... - name: my-app-init … - name: my-sidecar ...
  15. @lizrice eBPF does not need any app changes userspace pod

    container container my-app.yaml containers: - name: my-app ... - name: my-app-init … kernel
  16. @lizrice eBPF can see ALL activity on the node userspace

    pod container container my-app.yaml containers: - name: my-app ... - name: my-app-init … kernel 👿
  17. @lizrice Reduce resource usage of per-pod sidecar Avoid sidecar config

    in every pod Avoid updating sidecar config in every pod
  18. @lizrice “[Moving to a proxy-per-node model can] reduce costs up

    to 90% while simplifying operations and improving performance for applications” - Tetrate Sidecarless service mesh improves performance
  19. @lizrice userspace kernel app event eBPF program Run custom code

    in the kernel Interesting for security system calls
  20. @lizrice 🚀 process default/xwing /usr/bin/vi /etc/passwd 📬 open default/xwing /usr/bin/vi

    /etc/passwd 📪 close default/xwing /usr/bin/vi 📬 open default/xwing /usr/bin/vi /etc/passwd 📝 write default/xwing /usr/bin/vi /etc/passwd 1275 bytes 📪 close default/xwing /usr/bin/vi 💥 exit default/xwing /usr/bin/vi /etc/passwd 0 Cilium Tetragon observe security events Policy events Kubernetes info
  21. @lizrice 🚀 process default/xwing /usr/bin/vi /etc/passwd 📬 open default/xwing /usr/bin/vi

    /etc/passwd 📪 close default/xwing /usr/bin/vi 📬 open default/xwing /usr/bin/vi /etc/passwd 📝 write default/xwing /usr/bin/vi /etc/passwd 1269 bytes 💥 exit default/xwing /usr/bin/vi /etc/passwd SIGKILL Cilium Tetragon enforce sensitive file access Killed before write
  22. @lizrice 🚀 process default/xwing /usr/bin/curl deathstar/v1 💥 exit default/xwing /usr/bin/curl

    deathstar/v1 0 🚀 process default/xwing /usr/bin/curl example.com 🔌 connect default/xwing /usr/bin/curl tcp 10.244.1.124:49874 -> 93.184.216.34:80 💥 exit default/xwing /usr/bin/curl example.com SIGKILL Cilium Tetragon enforce network access Killed before write Policy allows in-cluster traffic
  23. Remember to vote and share feedback on the InfoQ App

    or online. Please vote and leave feedback! Any questions?