From KubeCon to ContainerDays, eBPF has the wind in its sails in the Cloud Native world. But what is it, why is this technology revolutionary, and what can it concretely bring me?
Through concrete examples applied to the fields of observability, networking and security, this session explains the ins and outs of eBPF and its concrete advantages for connecting and securing Cloud Native applications.
You will discover how to start your adventure with eBPF, with tools that let you benefit from its superpowers with ease.
1. eBPF Revolution
A dynamic Linux kernel
Speaker:
Raphaël Pinson, @raphink | @raphink@hachyderm.io
#KCDFrance 2023
7. Agenda
⬢ What is eBPF?
⬢ Principles
⬢ Observability
⬢ Networking
⬢ Security
⬢ The Future
8. The Linux Kernel
The Power Behind Modern Technology
- From cars to servers to fridges
- Foundation of the GNU/Linux operating system
- Most widely used operating system in the world
- Powers the vast majority of:
- embedded systems / IoT
- Cloud servers
- Supercomputers
11. Have you used eBPF?
eBPF is already used in many places
- Load balancing
- DDoS protection on large Internet platforms
- Kernel live-patching (5.7+ with LSM/eBPF)
- Android (e.g. app data stats)
12. Who am I
Raphaël Pinson
Solutions Architect @ Isovalent
14.
Makes the Linux kernel programmable in a secure and efficient way.
“What JavaScript is to the browser, eBPF is to the Linux Kernel”
34. Cloud Native Identities
eBPF “understands” Cloud Native identities:
- in kernel observability
- in network traffic
- in kernel security
35. eBPF Projects and SDKs
38. Cilium & Friends
Cilium
- performance gains (no need for iptables, bypass TCP/IP)
- simpler architecture (e.g. no sidecar proxy for Service Mesh)
Hubble
- fine-grained network observability
- exports to SIEM
- support for OpenTelemetry
Tetragon
- observe & export kernel events
- act on events (e.g. SIGKILL)
54. Networking: XDP
Drop packets before they reach the kernel
- E.g. packet of death, DDoS
- XDP allows dropping packets before they reach the kernel routing stack
Efficient Cloud Native LB
- E.g. Socket Load Balancer
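As an added example (not from the slides, and not Cilium's code), the decision logic of an XDP "drop before the stack" filter written in portable C so it runs stand-alone: a real XDP program has the same body, attached with SEC("xdp") and returning the same verdicts, while here the verdict constants are defined locally instead of coming from the kernel headers and the frames are constructed byte strings.

```c
#include <stdint.h>
#include <stdio.h>
/* Verdicts and constants normally taken from the kernel headers. */
#define XDP_DROP 1
#define XDP_PASS 2
#define ETH_HLEN 14
#define ETH_P_IP 0x0800
#define IPPROTO_ICMP 1
/* Same shape as an XDP program body: parse Ethernet, then IPv4, and check
 * every read against data_end first. The eBPF verifier refuses to load a
 * program that touches packet bytes without such a bounds check. */
int xdp_filter(const uint8_t *data, const uint8_t *data_end)
{
    if (data_end - data < ETH_HLEN)             /* truncated Ethernet header */
        return XDP_DROP;
    unsigned ethertype = (unsigned)(data[12] << 8) | data[13];
    if (ethertype != ETH_P_IP)                  /* not IPv4: leave it to the stack */
        return XDP_PASS;
    const uint8_t *ip = data + ETH_HLEN;
    if (data_end - ip < 20)                     /* truncated IPv4 header */
        return XDP_DROP;
    unsigned ihl = (ip[0] & 0x0f) * 4;
    if (ihl < 20 || data_end - ip < (long)ihl)  /* bogus header length */
        return XDP_DROP;
    unsigned frag = (unsigned)(ip[6] << 8) | ip[7];
    /* Fragmented ICMP ("ping of death" class): drop before the kernel spends
     * memory on reassembly. MF is bit 13, fragment offset the low 13 bits. */
    if (ip[9] == IPPROTO_ICMP && (frag & 0x3fff))
        return XDP_DROP;
    return XDP_PASS;
}

/* Constructed frames (not captures): 14-byte Ethernet + 20-byte IPv4 header. */
#define ETH_IPV4 0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00
const uint8_t ICMP_FRAG[] = { ETH_IPV4, 0x45,0,0,0x1c, 0x12,0x34, 0x20,0x00,
                              64, IPPROTO_ICMP, 0,0, 10,0,0,1, 10,0,0,2 };
const uint8_t TCP_SYN[]   = { ETH_IPV4, 0x45,0,0,0x1c, 0x12,0x35, 0x40,0x00,
                              64, 6, 0,0, 10,0,0,1, 10,0,0,2 };
const uint8_t ARP_REQ[]   = { 0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x06, 0,1,8,0 };
const uint8_t TRUNCATED[] = { ETH_IPV4, 0x45,0,0,0x1c };

int main(void)
{
    printf("icmp fragment: %d\n", xdp_filter(ICMP_FRAG, ICMP_FRAG + sizeof ICMP_FRAG));
    printf("tcp syn:       %d\n", xdp_filter(TCP_SYN, TCP_SYN + sizeof TCP_SYN));
    printf("arp:           %d\n", xdp_filter(ARP_REQ, ARP_REQ + sizeof ARP_REQ));
    printf("truncated:     %d\n", xdp_filter(TRUNCATED, TRUNCATED + sizeof TRUNCATED));
    return 0;
}
```

The verdict is returned per frame, so the same function can be exercised with any constructed header; XDP_DROP (1) means the frame never reaches the routing stack, XDP_PASS (2) hands it on unchanged.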
55. Networking: iptables vs eBPF
kube-proxy / iptables
- Linear list / sieve
- All rules have to be replaced as a whole
eBPF based
- Per-CPU hash table ⇒ more performant
- Native metadata (e.g. Pod labels) ⇒ Cloud Native routing
61. Security
Observe and manipulate kernel events in real time
- Performant and transparent process visibility
- Metadata
- Fix kernel bugs on the fly
- Catch & kill
62. Security Visibility & Enforcement
Traditional approaches
- App instrumentation / LD_PRELOAD ⇒ bypassed by statically linked executables
- ptrace(2) ⇒ TOCTTOU with syscalls
- Existing Kernel Runtime Enforcement ⇒ can benefit from BPF (BPF LSM with kernel 5.7+)
- Kernel module ⇒ stability & maintenance
66. To Infinity… and beyond 🚀
- Improved device I/O perf with eBPF (XRP)
- Support for 100% of C (in a safe way)
- Cross-platform:
- archs
- compilers (LLVM/gcc)
- platforms (Linux, Windows, etc.)
- Towards a micro-kernel approach?
67.
All major cloud providers have picked -based Networking & Security for their Kubernetes platforms
How about you?