Cloud Native Computing Foundation / Cloud Native eBPF Day EU 2022

Bpftrace Meets Pixie: Dynamic Monitoring of K8s Clusters Unleashed - Omid Azizi, New Relic (Pixie)

Bpftrace is an essential tool for developers investigating the workings and performance of applications on Linux systems; Pixie is an eBPF-based observability platform for real-time troubleshooting of applications on Kubernetes. What if you could bring these two open-source projects together and combine the power of bpftrace with Pixie's approach to monitoring Kubernetes? This session presents Pixie's bpftrace integration and how it enables dynamic monitoring of Kubernetes clusters. This talk will show how Pixie can deploy a bpftrace program across all the nodes of your cluster, and make the collected data available for querying and visualization. Topics include (1) an overview of how the Pixie bpftrace integration works, (2) how to import existing bpftrace scripts (or write new ones) into Pixie, and (3) how to use the Pixie's query language to perform real-time debugging of Kubernetes applications. The talk will include a number of live demonstrations, including how bpftrace + Pixie can identify TCP issues, and even how to discover patterns of unauthorized bitcoin mining in your K8s cluster.

No description provided.

Falco & eBPF: Is the only Limit the Sky? - Federico Di Pierro, Sysdig & Andrea Terzolo, Politecnico di Torino

eBPF is a powerful technology, but how could it be used in critical scenarios with throughputs higher than billions events per second? If this question doesn't make you sleep at night, this is the right talk for you. Building a large scale tracing tool is hard... Falco uses BPF to trace syscalls, page-faults, context-switches, and many other system events; but collecting all of those inevitably leads to data losses. The situation becomes even more complex when we consider the portability issue: supporting lots kernel versions, even very old ones, means not being able to take advantages of all modern BPF concepts like ring-buffer, global variables, and other advanced tracing features. Starting from these assumptions, Andrea and Federico will drive you through the actual BPF probe architecture, its strengths, and the criticalities that must be faced every day. More precisely, they will outline some possible mitigations to actual problems and what they are planning for the future to improve the situation, exploiting, when possible, modern BPF tracing features.

Getting Linux Based eBPF Programs to Run with eBPF for Windows - Poorna Gaddehosur, Microsoft & Anurag Saxena, Microsoft

At Microsoft, we started on the eBPF for Windows story as a recognition of the engineering agility that eBPF as a technology has fostered in the developer community. A fundamental goal for us with this effort has been to meet the developers where they are and because of this, enabling eBPF programs written for Linux to run on top of the eBPF for Windows platform is very important to us. What better way to demonstrate this than a very relevant real world use case! With help from Cilium devs, we have been working to get the Cilium Layer-4 Load Balancer (L4LB) eBPF program running on eBPF for Windows. In this presentation, we will talk about the path we took towards enabling the Cilium L4LB eBPF program on top of eBPF for Windows. We will provide a demo of the work and provide the information required for any developer to try this out on their own. The eBPF-for-Windows platform is fully open sourced and so is the demo code and the instructions required to run it.

IKEA Private Cloud, eBPF Based Networking, Load Balancing, and Observability with Cilium - Karsten Nielsen, IKEA IT AB

The digital systems of IKEA are situated in public cloud and private data centers around the world. In this talk we’ll highlight some of the challenges – and opportunities - we faced in setting up a large scale, multi-cluster distributed Kubernetes environment across our data centers. We’ll share how we have used Cilium and its eBPF features to have a better scaling profile, to improve observability and even to replace some of our proprietary load balancers. * Connecting Kubernetes workloads across our BGP network * Protecting multi-tenant workloads with multi-cluster network policy * Cilium support for multi-homed pods * Mimicking availability zones with Cilium ClusterMesh * Use Cilium with XDP, ServiceType Loadbalancer and Ingress to replace our proprietary load balancer fronting workload. You’ll leave this talk understanding how you can use Cilium and its eBPF capabilities to build and instrument your network and obtain great observability.

L3AF: Complete Lifecycle Management of eBPF Programs - Santhosh Fernandes, Walmart

- In this session, we will talk about how we can launch and manage eBPF programs using a daemon. At Walmart, we have developed a control plane that manages eBPF programs across a number of hosts running this daemon. The daemon can monitor and chain these programs (execute them in a sequence) in a pre-defined configuration state.
It achieves this by reading host-specific configurations that consist of eBPF programs attributes (artifacts, arguments, sequence IDs, policies/rules, network interface) to perform CRUD operations, akin to a linked list. In addition, we would like to discuss how the daemon leverages cilium's eBPF library to read eBPF maps and populate metrics specific to eBPF programs.

L3AF has been open-sourced under Linux Foundation (https://github.com/l3af-project/l3afd). L3AF is developed and managed by an enthusiastic community that is actively working on adding new features to it. We would also like to talk about how L3AF aims to provide a fully integrated software ecosystem around eBPF to unleash its full potential for community adoption across platforms.

Lightning Talk: Armoring Cloud Native Workloads with BPF LSM - Barun Acharya, Accuknox

Cloud Native Workloads are not protected by default as the various tools for security into place provides perimeter security at the host, or the network and not necessarily the workload itself. BPF LSM provides with security hooks necessary to set up least permissive perimeter for various workloads. KubeArmor is a cloud-native runtime security enforcement system that leverages various LSMs to secure the workloads. There’s a need for a declarative policy management system for Mandatory Access Control in modern workloads where underlying infrastructure is abstracted away. This talk will be about how BPF LSM provides fine grained control over security hooks and how KubeArmor leverages these LSM superpowers to abstract away the complexities. How BPF LSM compares with other LSMs to protect modern workloads and what design considerations/challenges for integrating BPF LSM in KubeArmor.

Lightning Talk: BTFGen: one Step Closer to Truly Portable eBPF Programs - Mauricio Vásquez Bernal, Microsoft & Rafael David Tinoco, Aqua Security

Many cloud native projects started using eBPF to provide OS and application observability, networking and security. Kubernetes deployments run on many different kernel versions and currently there is a big challenge on portability, as the eBPF programs depend heavily on the kernel version. BPF CO-RE (Compile Once – Run Everywhere) is a mechanism to solve this issue. It requires the kernel to expose information about its types by using BTF (BPF Type Format), which is not always available. BTFHub aims to solve that by providing BTF files for released kernels that don't support BTF. However, it’s not possible to ship the BTF information for many different kernels with the application because of size limitations. BTFGen generates very small BTF files that can be shipped with the application, making it easier to run eBPF programs in different kernel versions. Mauricio will introduce the challenges of creating portable eBPF cloud native ready applications and how BTFGen helps to solve those challenges. The talk covers BTFGen implementation, in bpftool, and discusses our experience in integrating it to the open-source eBPF powered projects Inspektor Gadget and Tracee.

Lightning Talk: eBPF-Powered Observability for Telco CNFs - Junichi Kawasaki, KDDI

One of the critical KPIs for telecom operators is 99.999% availability. Of course, it should be assured even after introducing Cloud-native Network Functions (CNFs). How can we achieve this carrier-grade quality in the coming networks? How to maintain observability for CNFs? eBPF is expected to help telcos manage CNFs and keep the environment resilient with its high-performance, flexibility, and scalability. This talk will share how you can apply eBPF tools such as bcc and bpftrace to collecting fine-grained information (e.g. TCP retransmit) for network operation as well as how such data can be leveraged to developing ML models. This talk will also walk you through a test result in a 5G core network deployed by Kubernetes to show you what network data derived by eBPF are essential for failure prediction.

Panel - Klustered: eBPF Edition - Moderated by David Flanagan, Pulumi; Duffie Cooley, Isovalent, Loris Degioanni, Sysdig, & Marga Manterola, Microsoft

In this special edition Klustered, David sends our worthy opponents from Isovalent, Microsoft, and Sysdig through a series of eBPF challenges. Wielding only their tools of choice, Cilium, Inspektor Gadget, and Sysdig/Falco, the teams must unravel the 3 breaks across their bare metal Kubernetes clusters to get their applications working.

During this panel we’ll show clips of each episode while discussing how eBPF changes the game for debugging, networking, and security.

We welcome your questions on eBPF and the tools above throughout the session, so come have a giggle and enjoy the show.

Step by Step Kubernetes Observability with eBPF - Denis Jannot & Lin Sun, Solo.io

In this talk, we will explore how someone can use eBPF to get insights about the communications happening in a Kubernetes cluster. We will write an eBPF program and then use the BumbleBee (https://github.com/solo-io/bumblebee) open source project to build and deploy it. This program gathers information about all the network communications happening in the cluster and publishes the corresponding metrics that we store on Prometheus. We will then deploy a service that gets the metrics and correlate them with the Pod and Service IP addresses to build a graph displaying all the communications.

The Future of eBPF in Cloud Native - Thomas Graf, Isovalent

eBPF is taking the cloud native world by storm. Where will it lead us? This talk introduces eBPF by looking at the ecosystem of eBPF-enabled CNCF projects focusing on what they provide for end-users and how they will evolve in the coming years. The projects covered span a wide set of use cases including networking, security, service mesh, observability, and performance monitoring. We will answer questions such as "Why is eBPF so powerful?" "What is different to prior similar technologies?", and "What values does eBPF provide for end users?". To sum it all up, we will together look at how eBPF itself will evolve in the coming years and what impact that will have to the cloud native world.

eBPF? Safety First! - Kemal Akkoyun, Polar Signals & Dave Tucker, Red Hat

eBPF being a promising technology is no news. And C is the defacto choice for writing eBPF programs. The act of writing C programs in an error-prone process. Even the eBPF verifier makes life a lot easier; it is still possible to write unsafe programs and make trivial mistakes that elude the compiler but are detected by the verifier in the load time, which are preventable with compile-time checks. It is where Rust comes in. Rust is a language designed for safety. Recently the Rust compiler gained the ability to compile to the eBPF virtual machine, and Rust became an official language for Linux. We discover more and more use cases where eBPF can be helpful. We find more efficient ways to build safe eBPF programs that are parallel to these developments. We will demonstrate how we made applications combined with Rust in the data plane for more safety and Go in the control plane for a higher development pace to target Kubernetes for security, observability and performance tuning.