Raphaël PINSON, profile picture
Uploaded byRaphaël PINSON
PPTX, PDF172 views

Cfgmgmtcamp 2023 — eBPF Superpowers

The document discusses eBPF (Extended Berkeley Packet Filter), highlighting its capabilities to enhance the Linux kernel for observability, networking, and security. It emphasizes eBPF's dynamic programmability, making it a powerful tool for performance improvements and real-time event handling. The document also mentions various projects and resources related to eBPF, such as Cilium and Hubble, showcasing practical applications and future developments.

Embed presentation

Download to read offline
eBPF Superpowers Raphaël Pinson | @raphink | @raphink@mastodon.social A dynamic Kernel Solutions Architect, Isovalent
⬢ What is eBPF? eBPF Superpowers A dynamic Kernel
⬢ What is eBPF? ⬢ Principles eBPF Superpowers A dynamic Kernel
⬢ What is eBPF? ⬢ Principles ⬢ Observability eBPF Superpowers A dynamic Kernel
⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking eBPF Superpowers A dynamic Kernel
⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security eBPF Superpowers A dynamic Kernel
⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future eBPF Superpowers A dynamic Kernel
⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs eBPF Superpowers A dynamic Kernel
The Linux Kernel The Power Behind Modern Technology - From cars to servers to fridges - Foundation of the GNU/Linux operating system - Most widely used operating system in the world - Powers the vast majority of: - embedded systems / IoT - Cloud Server - Super Computers @raphink | @raphink@mastodon.social
Before @raphink | @raphink@mastodon.social
With @raphink | @raphink@mastodon.social
Have you used eBPF? eBPF is already used in many places - Load balancing - DDOS protection on large Internet platforms - Kernel live-patching (5.7+ with LSM/eBPF) - Android (e.g. app data stats) @raphink | @raphink@mastodon.social
Who am I Raphaël Pinson Solutions Architect @ Isovalent
⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs eBPF Superpowers A dynamic Kernel
Makes the Linux kernel programmable in a secure and efficient way. “What JavaScript is to the browser, eBPF is to the Linux Kernel” @raphink | @raphink@mastodon.social
@raphink | @raphink@mastodon.social
eBPF Superpowers A dynamic Kernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
How does it work? @raphink | @raphink@mastodon.social
How does it work? @raphink | @raphink@mastodon.social
How does it work? @raphink | @raphink@mastodon.social
How does it work? @raphink | @raphink@mastodon.social
How does it work? @raphink | @raphink@mastodon.social
How does it work? @raphink | @raphink@mastodon.social
How does it work? @raphink | @raphink@mastodon.social
How does it work? @raphink | @raphink@mastodon.social
eBPF Helpers @raphink | @raphink@mastodon.social
Stacks & hooks @raphink | @raphink@mastodon.social
BPF / user-space communication @raphink | @raphink@mastodon.social
SDK (cilium/ebpf) @raphink | @raphink@mastodon.social
SDK (cilium/ebpf) @raphink | @raphink@mastodon.social
SDK (cilium/ebpf) @raphink | @raphink@mastodon.social
SDK (cilium/ebpf) @raphink | @raphink@mastodon.social
Safety @raphink | @raphink@mastodon.social
Performance @raphink | @raphink@mastodon.social
@raphink | @raphink@mastodon.social Cloud Native Identities
eBPF Projects & SDKs @raphink | @raphink@mastodon.social
Cilium & Friends - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium @raphink | @raphink@mastodon.social
Cilium & Friends Hubble - fine-grained network observability - exports to SIEM - support for OpenTelemetry - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium @raphink | @raphink@mastodon.social
Cilium & Friends Tetragon - observe & export kernel events - act on events (e.g. SIGKILL) - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium Hubble - fine-grained network observability - exports to SIEM - support for OpenTelemetry @raphink | @raphink@mastodon.social
eBPF Superpowers A dynamic Kernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
Observability Observe directly in the kernel - Low-overhead tracing/observability - Example: network performance / SRTT / micro-bursts - HTTP / TLS in-kernel visibility - Troubleshooting prod on the fly (see bpftrace) @raphink | @raphink@mastodon.social
Observability Example software - BCC - bpftrace - Pixie - Cilium (network) - Cilium Tetragon (system) @raphink | @raphink@mastodon.social Observe directly in the kernel - Low-overhead tracing/observability - Example: network performance / SRTT / micro-bursts - HTTP / TLS in-kernel visibility - Troubleshooting prod on the fly (see bpftrace)
Observability: bpftrace @raphink | @raphink@mastodon.social
Observability: Hubble (CLI) @raphink | @raphink@mastodon.social $ kubectl get pods NAME READY STATUS RESTARTS AGE tiefighter 1/1 Running 0 2m34s xwing 1/1 Running 0 2m34s deathstar-5b7489bc84-crlxh 1/1 Running 0 2m34s deathstar-5b7489bc84-j7qwq 1/1 Running 0 2m34s $ hubble observe --follow -l class=xwing # DNS lookup to coredns default/xwing:41391 (ID:16092) -> kube-system/coredns-66bff467f8-28dgp:53 (ID:453) to-proxy FORWARDED (UDP) kube-system/coredns-66bff467f8-28dgp:53 (ID:453) -> default/xwing:41391 (ID:16092) to-endpoint FORWARDED (UDP) # ... # Successful HTTPS request to www.disney.com default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: SYN) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: SYN, ACK) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: ACK, FIN) default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: RST) # ... # Blocked HTTP request to deathstar backend default/xwing:49610 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN)
Observability: Hubble (UI) @raphink | @raphink@mastodon.social
Observability: Cilium + Grafana ❤️ @raphink | @raphink@mastodon.social
Observability: Network Metrics (Hubble) @raphink | @raphink@mastodon.social
Observability: HTTP Metrics (Hubble) @raphink | @raphink@mastodon.social
Observability: Network Policy Verdicts @raphink | @raphink@mastodon.social
Observability: TLS (Tetragon) @raphink | @raphink@mastodon.social
Observability: Combined Network & Runtime @raphink | @raphink@mastodon.social
eBPF Superpowers A dynamic Kernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
Networking Bypass native kernel network stack: - eXpress Data Path (XDP) - TCP improvements (bandwidth manager, BBR, Big TCP) - NAT64/NAT46 - Performant load-balancing algorithms (Maglev) - Network Policies - Cluster Mesh - Egress Gateway - Sidecar-free service mesh - etc. @raphink | @raphink@mastodon.social
Networking: XDP Drop packets before they reach the kernel - E.g. packet of death, DDOS - XDP allows to drop packets before they reach the kernel routing stack @raphink | @raphink@mastodon.social
Networking: XDP Efficient Cloud Native LB - E.g. Socket Load Balancer @raphink | @raphink@mastodon.social Drop packets before they reach the kernel - E.g. packet of death, DDOS - XDP allows to drop packets before they reach the kernel routing stack
Networking: IPtables vs eBPF kube-proxy / iptables - Linear list / sieve - All rules have to be replaced as a whole eBPF based - Per-CPU hash table ⇒ more performant - Native metadata (e.g. Pod labels) ⇒ Cloud Native routing 🏆 @raphink | @raphink@mastodon.social
Networking: BBR (TCP Congestion) @raphink | @raphink@mastodon.social https://isovalent.com/blog/post/accelerate-network-performance-with-cilium-bbr/
Networking: NAT46/NAT64 IPv6 / IPv4 bridge DNS64 NAT64 [64:ff9b::<z>] -> [<z>] IPv6 Single Stack K8s cluster bar.com A 4.3.2.1 DNS bar.com AAAA 64:ff9b::4.3.2.1 SYN 64:ff9b::4.3.2.1 IPv4 / Internet SYN 4.3.2.1 ext. node (Dual Stack) https://www.youtube.com/watch?v=Kvdh78TURck @raphink | @raphink@mastodon.social
Networking: BIG TCP https://www.youtube.com/watch?v=Kvdh78TURck Back to back: AMD Ryzen 9 3950X @ 3.5 GHz, 128G RAM @ 3.2 GHz, PCIe 4.0, ConnectX-6 Dx, mlx5 driver netperf -t TCP_RR -H <remote pod> -- -r 80000,80000 -O MIN_LATENCY,P90_LATENCY,P99_LATENCY,THROUGHPUT 2.2x lower p99 latency @raphink | @raphink@mastodon.social
Networking: Sidecar-free Service Mesh @raphink | @raphink@mastodon.social
eBPF Superpowers A dynamic Kernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
Security Observe and manipulate kernel events in real time - Performant and transparent process visibility - Metadata - Fix kernel bugs on the fly - Catch & kill @raphink | @raphink@mastodon.social
Security Visibility & Enforcement Traditional approaches - App instrumentation / LD_PRELOAD ⇒ bypassed by statically linked executables - ptrace(2) ⇒ TOCTTOU with syscalls - Existing Kernel Runtime Enforcement ⇒ can benefit from BPF (BPF LSM with kernel 5.7+) - Kernel module ⇒ stability & maintenance @raphink | @raphink@mastodon.social
Security Visibility & Enforcement with eBPF @raphink | @raphink@mastodon.social
Security: Catch & Kill @raphink | @raphink@mastodon.social
eBPF Superpowers A dynamic Kernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
To Infinity… … and beyond 🚀 - Improved device I/O perf with eBPF (XRP) - Support for 100% of C (in a safe way) - Cross-platform: - archs - compilers (LLVM/gcc) - platforms (Linux, Windows, etc.) - Towards a micro-kernel approach? @raphink | @raphink@mastodon.social
All major cloud providers have picked -based Networking & Security for their Kubernetes platforms @raphink | @raphink@mastodon.social How about you?
eBPF resources eCHO eBPF YouTube podcast: https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYB WvuQ eBPF & Cilium Slack http://slack.cilium.io/ eCHO News Bi-weekly eBPF newsletter: https://cilium.io/newsletter/ @raphink | @raphink@mastodon.social
⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs eBPF Superpowers A dynamic Kernel
Practical Labs … to become a Cilium & eBPF Jedi 📅 Come tomorrow 2023-02-08, 09:00–13:00 🏛️ In room B.2.015 💻 Bring your laptop (web-based labs) Get badges 🏅 and goodies 👕! @raphink | @raphink@mastodon.social
Thank you!

More Related Content

PDF
CNTUG x SDN Meetup #33 Talk 1: 從 Cilium 認識 cgroup ebpf - Ruian
byHanLing Shen
 
PDF
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
byRaphaël PINSON
 
PDF
eBPF — Divulging The Hidden Super Power.pdf
byseo18
 
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
PDF
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
byDocker, Inc.
 
PDF
eBPF — Divulging The Hidden Super Power.pdf
bySGBSeo
 
PDF
The Open Source Ecosystem for eBPF in Kubernetes
byAll Things Open
 
PDF
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
byRaphaël PINSON
 
CNTUG x SDN Meetup #33 Talk 1: 從 Cilium 認識 cgroup ebpf - Ruian
byHanLing Shen
 
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
byRaphaël PINSON
 
eBPF — Divulging The Hidden Super Power.pdf
byseo18
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
byDocker, Inc.
 
eBPF — Divulging The Hidden Super Power.pdf
bySGBSeo
 
The Open Source Ecosystem for eBPF in Kubernetes
byAll Things Open
 
DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...
byRaphaël PINSON
 

Similar to Cfgmgmtcamp 2023 — eBPF Superpowers

PDF
SRE NL MeetUp - eBPF.pdf
bySiteReliabilityEngin
 
PDF
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
byContainerDay Security 2023
 
PDF
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
PDF
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
byRaphaël PINSON
 
PDF
Cloud Native Networking & Security with Cilium & eBPF
byRaphaël PINSON
 
PDF
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
PDF
Introduction of eBPF - 時下最夯的Linux Technology
byJace Liang
 
PDF
Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF
byDocker, Inc.
 
PDF
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
byCynthia Thomas
 
PDF
Linux Native, HTTP Aware Network Security
byThomas Graf
 
PPTX
Dataplane programming with eBPF: architecture and tools
byStefano Salsano
 
PDF
eBPF - Rethinking the Linux Kernel
byThomas Graf
 
PDF
Explore the World of Cilium, Tetragon & eBPF
byRaphaël PINSON
 
PDF
Calico-eBPF-Dataplane-CNCF-Webinar-Slides.pdf
byyingxinwang4
 
PPTX
eBPF Basics
byMichael Kehoe
 
PDF
story_of_bpf-1.pdf
byhegikip775
 
PDF
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
byNETWAYS
 
PDF
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
PDF
Cilium - Fast IPv6 Container Networking with BPF and XDP
byThomas Graf
 
PDF
Introduction to eBPF
byRogerColl2
 
SRE NL MeetUp - eBPF.pdf
bySiteReliabilityEngin
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
byContainerDay Security 2023
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf
byRaphaël PINSON
 
Cloud Native Networking & Security with Cilium & eBPF
byRaphaël PINSON
 
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
Introduction of eBPF - 時下最夯的Linux Technology
byJace Liang
 
Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF
byDocker, Inc.
 
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
byCynthia Thomas
 
Linux Native, HTTP Aware Network Security
byThomas Graf
 
Dataplane programming with eBPF: architecture and tools
byStefano Salsano
 
eBPF - Rethinking the Linux Kernel
byThomas Graf
 
Explore the World of Cilium, Tetragon & eBPF
byRaphaël PINSON
 
Calico-eBPF-Dataplane-CNCF-Webinar-Slides.pdf
byyingxinwang4
 
eBPF Basics
byMichael Kehoe
 
story_of_bpf-1.pdf
byhegikip775
 
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
byNETWAYS
 
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
byThomas Graf
 
Introduction to eBPF
byRogerColl2
 

More from Raphaël PINSON

PDF
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
byRaphaël PINSON
 
PDF
Cloud Native Bern 05.2023 — Zero Trust Visibility
byRaphaël PINSON
 
PPTX
Révolution eBPF - un noyau dynamique
byRaphaël PINSON
 
PDF
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
byRaphaël PINSON
 
PDF
SKS in git ops mode
byRaphaël PINSON
 
PDF
The Hare and the Tortoise: Open Source, Standards & Technological Debt
byRaphaël PINSON
 
PDF
Devops stack
byRaphaël PINSON
 
PDF
YAML Engineering: why we need a new paradigm
byRaphaël PINSON
 
PDF
Container Security: a toolchain for automatic image rebuilds
byRaphaël PINSON
 
PDF
K9s - Kubernetes CLI To Manage Your Clusters In Style
byRaphaël PINSON
 
PDF
Argocd up and running
byRaphaël PINSON
 
PDF
Bivac - Container Volumes Backup
byRaphaël PINSON
 
PDF
Automating Puppet Certificates Renewal
byRaphaël PINSON
 
PDF
Running the Puppet Stack in Containers
byRaphaël PINSON
 
PDF
Automating Puppet Certificates Renewal
byRaphaël PINSON
 
PDF
Narcissus — mapping configs in Go
byRaphaël PINSON
 
ODP
FTTH Factory — an illustration of the "Everything as Code" paradigm
byRaphaël PINSON
 
PDF
Puppet Test Driven Development with Travis CI and Docker
byRaphaël PINSON
 
PDF
Orchestrated Functional Testing with Puppet-spec and Mspectator
byRaphaël PINSON
 
PDF
Augeas @RMLL 2012
byRaphaël PINSON
 
Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...
byRaphaël PINSON
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
byRaphaël PINSON
 
Révolution eBPF - un noyau dynamique
byRaphaël PINSON
 
2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf
byRaphaël PINSON
 
SKS in git ops mode
byRaphaël PINSON
 
The Hare and the Tortoise: Open Source, Standards & Technological Debt
byRaphaël PINSON
 
Devops stack
byRaphaël PINSON
 
YAML Engineering: why we need a new paradigm
byRaphaël PINSON
 
Container Security: a toolchain for automatic image rebuilds
byRaphaël PINSON
 
K9s - Kubernetes CLI To Manage Your Clusters In Style
byRaphaël PINSON
 
Argocd up and running
byRaphaël PINSON
 
Bivac - Container Volumes Backup
byRaphaël PINSON
 
Automating Puppet Certificates Renewal
byRaphaël PINSON
 
Running the Puppet Stack in Containers
byRaphaël PINSON
 
Automating Puppet Certificates Renewal
byRaphaël PINSON
 
Narcissus — mapping configs in Go
byRaphaël PINSON
 
FTTH Factory — an illustration of the "Everything as Code" paradigm
byRaphaël PINSON
 
Puppet Test Driven Development with Travis CI and Docker
byRaphaël PINSON
 
Orchestrated Functional Testing with Puppet-spec and Mspectator
byRaphaël PINSON
 
Augeas @RMLL 2012
byRaphaël PINSON
 

Recently uploaded

PDF
What-Every-Tech-Leader-Needs-to-Know-About-AI-in-2025.pdf
byrishabhxbohra
 
PDF
Introduction to Microsoft 365 Security and Compliance.pdf
byjohnsonsouza5
 
PDF
09920-2 JE40CP MB 48.4GY02.021 Schematic Acer Aspire 4741.pdf
bydakjuel1
 
PDF
apidays Australia 2025 | Designing with workflows: Using Arazzo and OpenAPI f...
byapidays
 
PPTX
apidays Australia 2025 | Advanced GraphQL Security with AI Driven Threat Dete...
byapidays
 
PDF
Edge AI vs Cloud AI: Why Frontend Developers Must Master On-Device Machine Le...
byWorkfall hire developers
 
PDF
Malware_Detection_A_Framework_for_Reverse_Engineered_Android_Applications_Thr...
byKiritiyadavGoskula
 
PPTX
wAIred_RabobankWRProducts__22012026.pptx
bySimonedeGijt
 
PDF
apidays Australia 2025 | APIs in Government: A blueprint to automating Busine...
byapidays
 
PDF
Projectlify: Everything You Need to Get Things Done
byRafal Ksiazek
 
PDF
Gojek Clone Business Strategy: From Launch to Scale
byV3CUBE TECHNOLABS
 
PDF
Salesforce Careers in 2026_ Trends, Certifications, and Must-Have Skills
byDele Amefo
 
PDF
contusion pulmonar y antibiotico en el atls
byMARIAPETRONILAMONTAO
 
PDF
Postmates Clone App Delivery Service Business Solution.pdf
byV3CUBE TECHNOLABS
 
PPTX
Anomalies in Relational Database Management systems.pptx
byamutham12
 
PPTX
apidays Australia 2025 | Hey man, which one will deploy much faster, API or kid?
byapidays
 
PDF
A Complete Guide to Progressive Web App and Their Development
byMaxtra Technologies
 
PDF
IoT/OT Security: Penetration Testing for an Expanding Attack Surface.pdf
byCybernetic Global Intelligence
 
What-Every-Tech-Leader-Needs-to-Know-About-AI-in-2025.pdf
byrishabhxbohra
 
Introduction to Microsoft 365 Security and Compliance.pdf
byjohnsonsouza5
 
09920-2 JE40CP MB 48.4GY02.021 Schematic Acer Aspire 4741.pdf
bydakjuel1
 
apidays Australia 2025 | Designing with workflows: Using Arazzo and OpenAPI f...
byapidays
 
apidays Australia 2025 | Advanced GraphQL Security with AI Driven Threat Dete...
byapidays
 
Edge AI vs Cloud AI: Why Frontend Developers Must Master On-Device Machine Le...
byWorkfall hire developers
 
Malware_Detection_A_Framework_for_Reverse_Engineered_Android_Applications_Thr...
byKiritiyadavGoskula
 
wAIred_RabobankWRProducts__22012026.pptx
bySimonedeGijt
 
apidays Australia 2025 | APIs in Government: A blueprint to automating Busine...
byapidays
 
Projectlify: Everything You Need to Get Things Done
byRafal Ksiazek
 
Gojek Clone Business Strategy: From Launch to Scale
byV3CUBE TECHNOLABS
 
Salesforce Careers in 2026_ Trends, Certifications, and Must-Have Skills
byDele Amefo
 
contusion pulmonar y antibiotico en el atls
byMARIAPETRONILAMONTAO
 
Postmates Clone App Delivery Service Business Solution.pdf
byV3CUBE TECHNOLABS
 
Anomalies in Relational Database Management systems.pptx
byamutham12
 
apidays Australia 2025 | Hey man, which one will deploy much faster, API or kid?
byapidays
 
A Complete Guide to Progressive Web App and Their Development
byMaxtra Technologies
 
IoT/OT Security: Penetration Testing for an Expanding Attack Surface.pdf
byCybernetic Global Intelligence
 

Cfgmgmtcamp 2023 — eBPF Superpowers

  • 1.
    eBPF Superpowers Raphaël Pinson| @raphink | @raphink@mastodon.social A dynamic Kernel Solutions Architect, Isovalent
  • 2.
    ⬢ What iseBPF? eBPF Superpowers A dynamic Kernel
  • 3.
    ⬢ What iseBPF? ⬢ Principles eBPF Superpowers A dynamic Kernel
  • 4.
    ⬢ What iseBPF? ⬢ Principles ⬢ Observability eBPF Superpowers A dynamic Kernel
  • 5.
    ⬢ What iseBPF? ⬢ Principles ⬢ Observability ⬢ Networking eBPF Superpowers A dynamic Kernel
  • 6.
    ⬢ What iseBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security eBPF Superpowers A dynamic Kernel
  • 7.
    ⬢ What iseBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future eBPF Superpowers A dynamic Kernel
  • 8.
    ⬢ What iseBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs eBPF Superpowers A dynamic Kernel
  • 9.
    The Linux Kernel ThePower Behind Modern Technology - From cars to servers to fridges - Foundation of the GNU/Linux operating system - Most widely used operating system in the world - Powers the vast majority of: - embedded systems / IoT - Cloud Server - Super Computers @raphink | @raphink@mastodon.social
  • 10.
  • 11.
  • 12.
    Have you usedeBPF? eBPF is already used in many places - Load balancing - DDOS protection on large Internet platforms - Kernel live-patching (5.7+ with LSM/eBPF) - Android (e.g. app data stats) @raphink | @raphink@mastodon.social
  • 13.
    Who am I RaphaëlPinson Solutions Architect @ Isovalent
  • 14.
    ⬢ What iseBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs eBPF Superpowers A dynamic Kernel
  • 15.
    Makes the Linuxkernel programmable in a secure and efficient way. “What JavaScript is to the browser, eBPF is to the Linux Kernel” @raphink | @raphink@mastodon.social
  • 16.
  • 17.
    eBPF Superpowers A dynamicKernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  • 18.
    How does itwork? @raphink | @raphink@mastodon.social
  • 19.
    How does itwork? @raphink | @raphink@mastodon.social
  • 20.
    How does itwork? @raphink | @raphink@mastodon.social
  • 21.
    How does itwork? @raphink | @raphink@mastodon.social
  • 22.
    How does itwork? @raphink | @raphink@mastodon.social
  • 23.
    How does itwork? @raphink | @raphink@mastodon.social
  • 24.
    How does itwork? @raphink | @raphink@mastodon.social
  • 25.
    How does itwork? @raphink | @raphink@mastodon.social
  • 26.
    eBPF Helpers @raphink |@raphink@mastodon.social
  • 27.
    Stacks & hooks @raphink| @raphink@mastodon.social
  • 28.
    BPF / user-spacecommunication @raphink | @raphink@mastodon.social
  • 29.
    SDK (cilium/ebpf) @raphink |@raphink@mastodon.social
  • 30.
    SDK (cilium/ebpf) @raphink |@raphink@mastodon.social
  • 31.
    SDK (cilium/ebpf) @raphink |@raphink@mastodon.social
  • 32.
    SDK (cilium/ebpf) @raphink |@raphink@mastodon.social
  • 33.
  • 34.
  • 35.
  • 36.
    eBPF Projects &SDKs @raphink | @raphink@mastodon.social
  • 37.
    Cilium & Friends -performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium @raphink | @raphink@mastodon.social
  • 38.
    Cilium & Friends Hubble -fine-grained network observability - exports to SIEM - support for OpenTelemetry - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium @raphink | @raphink@mastodon.social
  • 39.
    Cilium & Friends Tetragon -observe & export kernel events - act on events (e.g. SIGKILL) - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium Hubble - fine-grained network observability - exports to SIEM - support for OpenTelemetry @raphink | @raphink@mastodon.social
  • 40.
    eBPF Superpowers A dynamicKernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  • 41.
    Observability Observe directly inthe kernel - Low-overhead tracing/observability - Example: network performance / SRTT / micro-bursts - HTTP / TLS in-kernel visibility - Troubleshooting prod on the fly (see bpftrace) @raphink | @raphink@mastodon.social
  • 42.
    Observability Example software - BCC -bpftrace - Pixie - Cilium (network) - Cilium Tetragon (system) @raphink | @raphink@mastodon.social Observe directly in the kernel - Low-overhead tracing/observability - Example: network performance / SRTT / micro-bursts - HTTP / TLS in-kernel visibility - Troubleshooting prod on the fly (see bpftrace)
  • 43.
    Observability: bpftrace @raphink |@raphink@mastodon.social
  • 44.
    Observability: Hubble (CLI) @raphink| @raphink@mastodon.social $ kubectl get pods NAME READY STATUS RESTARTS AGE tiefighter 1/1 Running 0 2m34s xwing 1/1 Running 0 2m34s deathstar-5b7489bc84-crlxh 1/1 Running 0 2m34s deathstar-5b7489bc84-j7qwq 1/1 Running 0 2m34s $ hubble observe --follow -l class=xwing # DNS lookup to coredns default/xwing:41391 (ID:16092) -> kube-system/coredns-66bff467f8-28dgp:53 (ID:453) to-proxy FORWARDED (UDP) kube-system/coredns-66bff467f8-28dgp:53 (ID:453) -> default/xwing:41391 (ID:16092) to-endpoint FORWARDED (UDP) # ... # Successful HTTPS request to www.disney.com default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: SYN) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: SYN, ACK) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: ACK, FIN) default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: RST) # ... # Blocked HTTP request to deathstar backend default/xwing:49610 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN)
  • 45.
    Observability: Hubble (UI) @raphink| @raphink@mastodon.social
  • 46.
    Observability: Cilium +Grafana ❤️ @raphink | @raphink@mastodon.social
  • 47.
    Observability: Network Metrics(Hubble) @raphink | @raphink@mastodon.social
  • 48.
    Observability: HTTP Metrics(Hubble) @raphink | @raphink@mastodon.social
  • 49.
    Observability: Network PolicyVerdicts @raphink | @raphink@mastodon.social
  • 50.
    Observability: TLS (Tetragon) @raphink| @raphink@mastodon.social
  • 51.
    Observability: Combined Network& Runtime @raphink | @raphink@mastodon.social
  • 52.
    eBPF Superpowers A dynamicKernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  • 53.
    Networking Bypass native kernelnetwork stack: - eXpress Data Path (XDP) - TCP improvements (bandwidth manager, BBR, Big TCP) - NAT64/NAT46 - Performant load-balancing algorithms (Maglev) - Network Policies - Cluster Mesh - Egress Gateway - Sidecar-free service mesh - etc. @raphink | @raphink@mastodon.social
  • 54.
    Networking: XDP Drop packetsbefore they reach the kernel - E.g. packet of death, DDOS - XDP allows to drop packets before they reach the kernel routing stack @raphink | @raphink@mastodon.social
  • 55.
    Networking: XDP Efficient CloudNative LB - E.g. Socket Load Balancer @raphink | @raphink@mastodon.social Drop packets before they reach the kernel - E.g. packet of death, DDOS - XDP allows to drop packets before they reach the kernel routing stack
  • 56.
    Networking: IPtables vseBPF kube-proxy / iptables - Linear list / sieve - All rules have to be replaced as a whole eBPF based - Per-CPU hash table ⇒ more performant - Native metadata (e.g. Pod labels) ⇒ Cloud Native routing 🏆 @raphink | @raphink@mastodon.social
  • 57.
    Networking: BBR (TCPCongestion) @raphink | @raphink@mastodon.social https://isovalent.com/blog/post/accelerate-network-performance-with-cilium-bbr/
  • 58.
    Networking: NAT46/NAT64 IPv6 /IPv4 bridge DNS64 NAT64 [64:ff9b::<z>] -> [<z>] IPv6 Single Stack K8s cluster bar.com A 4.3.2.1 DNS bar.com AAAA 64:ff9b::4.3.2.1 SYN 64:ff9b::4.3.2.1 IPv4 / Internet SYN 4.3.2.1 ext. node (Dual Stack) https://www.youtube.com/watch?v=Kvdh78TURck @raphink | @raphink@mastodon.social
  • 59.
    Networking: BIG TCP https://www.youtube.com/watch?v=Kvdh78TURck Backto back: AMD Ryzen 9 3950X @ 3.5 GHz, 128G RAM @ 3.2 GHz, PCIe 4.0, ConnectX-6 Dx, mlx5 driver netperf -t TCP_RR -H <remote pod> -- -r 80000,80000 -O MIN_LATENCY,P90_LATENCY,P99_LATENCY,THROUGHPUT 2.2x lower p99 latency @raphink | @raphink@mastodon.social
  • 60.
    Networking: Sidecar-free ServiceMesh @raphink | @raphink@mastodon.social
  • 61.
    eBPF Superpowers A dynamicKernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  • 62.
    Security Observe and manipulatekernel events in real time - Performant and transparent process visibility - Metadata - Fix kernel bugs on the fly - Catch & kill @raphink | @raphink@mastodon.social
  • 63.
    Security Visibility &Enforcement Traditional approaches - App instrumentation / LD_PRELOAD ⇒ bypassed by statically linked executables - ptrace(2) ⇒ TOCTTOU with syscalls - Existing Kernel Runtime Enforcement ⇒ can benefit from BPF (BPF LSM with kernel 5.7+) - Kernel module ⇒ stability & maintenance @raphink | @raphink@mastodon.social
  • 64.
    Security Visibility &Enforcement with eBPF @raphink | @raphink@mastodon.social
  • 65.
    Security: Catch &Kill @raphink | @raphink@mastodon.social
  • 66.
    eBPF Superpowers A dynamicKernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
  • 67.
    To Infinity… … andbeyond 🚀 - Improved device I/O perf with eBPF (XRP) - Support for 100% of C (in a safe way) - Cross-platform: - archs - compilers (LLVM/gcc) - platforms (Linux, Windows, etc.) - Towards a micro-kernel approach? @raphink | @raphink@mastodon.social
  • 68.
    All major cloudproviders have picked -based Networking & Security for their Kubernetes platforms @raphink | @raphink@mastodon.social How about you?
  • 69.
    eBPF resources eCHO eBPF YouTubepodcast: https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYB WvuQ eBPF & Cilium Slack http://slack.cilium.io/ eCHO News Bi-weekly eBPF newsletter: https://cilium.io/newsletter/ @raphink | @raphink@mastodon.social
  • 70.
    ⬢ What iseBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs eBPF Superpowers A dynamic Kernel
  • 71.
    Practical Labs … tobecome a Cilium & eBPF Jedi 📅 Come tomorrow 2023-02-08, 09:00–13:00 🏛️ In room B.2.015 💻 Bring your laptop (web-based labs) Get badges 🏅 and goodies 👕! @raphink | @raphink@mastodon.social
  • 72.

Editor's Notes

  • #10 Linux is used on tons of devices, with a very wide range of device types and sizes, and usages
  • #11 It’s not uncommon to require adding new features to Linux (esp in Cloud Native: security, networking, etc.). However, sending patches is a very long process, and it might take years before the patches end up in a stable distribution.
  • #53 Cloud Native Identities in eBPF
  • #61 BBR = Bottleneck Bandwidth and Round-trip propagation time vs Cubic algo Google saw up to a staggering 2,700x improvement in throughput in their tests
  • #62 Stateful or stateless e.g. k8s on IPv6 on IPv4 network, or the opposite
  • #63 Overcoming the current 64KB TSO/GRO packet limit size for IPv6 traffic using IPv6 jumbogram extension header Not supported in most Linux kernels
  • #68 TOCTTOU = Time-of-check to time-of-use