Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Welcome + Opening: Why Everyone is Excited about eBPF in Cloud Native in 2021 - Moderated By: Dan Papandrea, Sysdig; Loris Degioanni, Sysdig, Thomas Graf & Liz Rice, Isovalent; Sarah Novotny & Andrew Randall, Microsoft
A: My name is Dan Papandrea. I'm the director of open source ecosystem and community for a company called Sysdig. I also have a show called The Popcast; if you all have seen it, it's pretty good. I guess we're gonna talk today. This is the first Cloud Native eBPF Day. We have a great, great set of talks. Wonderful talks! That's going to help you understand this magic that is enhanced Berkeley Packet Filtering. I'm going to hand it over to my man Duffie to talk a little bit more about the tech and what's going on today.
B: Hey, that's better. Hey everybody! I'm Duffie Cooley, I'm mauilion online. I'm also a blogger and a vlogger and that kind of thing. I do a lot of broadcasts on Kubernetes and now on eBPF, every Friday at 2pm.

B: It's a really great series, and so if you're interested in eBPF, definitely check it out. I'm here to kind of talk a little bit about the technology and, can I get everybody excited about what we're here to do. I'm actually really excited to see what you are all here to learn. We have a number of really great presentations coming up today.

B: You know, just context and information about what processes are running and those sorts of things, in a way that we've just never had, certainly not integrated in the way that we do now. So that's the piece that I think is probably really driving me, and just the fact that it's, you know, it's superpowers, right?

B: You have everything from the ability to profile applications and understand where those applications are spending their time, to really making very, you know, complex decisions about how to handle routing, whether to route, like, memcache to a local memcache process for any process running. I mean, I just saw the incredible paper from Orange on that. It's just a lot of really great stuff happening out there, so I hope that you're all really looking forward to this session.
A: So without further ado, everyone, we are going to have this panel, our first panel. We have "Why everyone is excited about eBPF," and again, when we were putting together this day, we wanted this to be for you all to look at this technology.

A: A lot of the magic that's here, and be able to apply this to your day-to-day from a networking perspective, from a security perspective, from a troubleshooting perspective, from a debugging perspective. So again, first panel: I'm going to introduce to the stage first, Sarah Novotny.

A: Next on the stage, we have some remote folks. I don't know if you know those two faces over there. I don't know, they know a little bit about eBPF. I guess a little, right? Coming to the stage. We also have one of the creators of Wireshark and Sysdig. This is Loris Degioanni.
D: Hello. Why is it that we're excited about eBPF? Giving access safely and securely to kernel capabilities has always been a challenge, and eBPF has started to allow us all sorts of really interesting ways to do this safely, and we, I have to say, we're happy to have exciting, interesting ways to evolve this, and Loris can tell us more about it. Why are you so excited about it?
F: To me, so clearly, the Linux kernel is the underlying engine for cloud native, and Linux in general, you know, is the operating system that runs our workloads, our applications in the cloud, and eBPF makes it programmable, which is incredibly powerful. It's like, you know, the underlying engine that is powering our car: we can open the hood and, in a safe way, essentially work on it and make it more powerful, extend it in incredible ways.

F: I come from my previous 10 years, where the first 10 years of my career were in networking and packet capture in particular, so I come from the age of the old BPF, without the E, and there.

F: Already excited about that, at the time when you could filter packets, you know, with the virtual machine, and what you can do today, you know, the power, the tooling around it, the programmability is just incredible for somebody that witnessed the evolution, and yeah, super excited about what's happening.
H: So I think, building on what the previous speakers have already said, the really interesting thing is that there is one kernel per host. When we have a cluster of machines, each machine is only running one kernel, and that means we can instrument all of the application code that's running on each host with one set of eBPF programs. We only have to apply our instrumentation, whether that's for observability or networking or security.
E: They are, they are. This is actually the most famous north face in Switzerland, I can see in the background, like, for all the mountaineers and climbers out there, that's kind of the dream. So I've been involved with eBPF since the early days, 2014, and eBPF is just massive, right? I think before working on eBPF, I was working at Red Hat doing kernel development, and we tried to kind of predict what customers and users would eventually need from the Linux kernel. And why?

E: Because it took so long for a Linux kernel version to get into the hands of users, multiple years, right? You would not want the latest bleeding edge kernel if you're, like, a production level user. So that meant that it would take years for a kernel development feature to get into the hands of users. With eBPF, this is now different: we can now reprogram, change the behavior, in a safe way.

E: That's so crucial, because technically this was possible before with external modules, but with the potential to crash your kernel, right? Nobody wants that. eBPF gives us this sandboxed ability to run programs, very, very, very similar to how a web browser allows extension with JavaScript. Like, think back pre-JavaScript, when you had to install new versions of a web browser in order to view certain websites. We were basically there with standard operating systems, and with eBPF, all of a sudden,

E: we can innovate, because we can get a kernel change into the hands of users within hours or days. So we can use the significant, like the high strategic ground of an operating system that can see and control everything, and actually innovate, and that's just fascinating, and I think we'll see a ton of open source projects make use of that.
C: Yeah, I think all great points. I'd like to kind of step back a bit and say this is really about speed, and the speed at which we can move. You know, if you look at the pace of innovation that's happening in cloud native: how frequently Kubernetes releases are coming out, how many new features are in them, how quickly new projects are getting created around them. You know, we're moving at an incredible pace. The Linux kernel can't do that.

C: It shouldn't do that, yeah. It needs to be the stable basis on which we're building, you know, and I remember in the early days of Kubernetes networking, you know, a lot of people were still on very old kernels in the early days of Kubernetes, and we just couldn't get the performance out of the kernel just because they hadn't got all of the latest ipset, iptables kind of capabilities, and yeah.

C: So that's one key piece, and another key piece is it gives us this visibility and observability capabilities and ability to actually debug and handle things at scale, where in the past, you know, it's fine if you're debugging a single machine, that's one thing, but if you've got a cluster, a problem that's happening cluster-wide, these problems to troubleshoot in production get really, really tough, and eBPF gives you this kind of visibility. I mean, I remember at Kinvolk we had a customer where they came to us with

C: like a CPU, you know, throttling performance issue in their Kubernetes clusters. These were smart people and they'd been spending like three months trying to get to the bottom of this issue. We came in and, with some eBPF tooling, like basically in a day, said: okay, here's the issue, and solved it for them, and they couldn't believe it, and it wasn't because we were much smarter than them. It was just, we have these eBPF tools. And you know, so I think those are kind of two really crucial pieces that play to cloud native.
A: With that, I mean, we've all, and solutions for and from all of these sponsors that have been out here have kind of embedded eBPF in our tools, right? If you think about Isovalent, Azure, excuse me, Microsoft, Sysdig and Tigera, there's, so the solutions are basically doing, have made this bet on eBPF, right? So I kind of want to ask the question here, and I'm looking at my notes, you all, sorry. So in terms of eBPF and your individual solutions, why did you go with eBPF? I'll start with Loris.
F: Yeah, you can say the story if you want. So Sysdig, both from the open source point of view, in particular with Falco, which does essentially runtime security for cloud native applications, and also with the company's commercial products that are based around it,

F: we decided right away to go with kernel instrumentation. So there are multiple ways that essentially you can instrument for security, in particular for the, like, the deep kind of visibility that you need for runtime security or for threat hunting, and one thing that Liz said that I agree very much with: this, the kernel of the operating system, especially from the point of view of security instrumentation, gives a big advantage because it's essentially a big O(1)

F: instead of big O(n), where n is the number of processes, containers, applications that you are running on the machine. So it's just much simpler and much higher performance to instrument with the kernel of the operating system. When Sysdig started, eBPF was still not in the operating system kernel. Actually, also when we released Falco in 2016, those were the very, very early days of eBPF, and when we started looking at the technology and how it was evolving inside the kernel, we were like, that's it.

F: You know, that's how this should be done. You know, so forget about kernel modules and everything that has to do with essentially executing components inside the Linux kernel. And you know, this is the perfect solution. It's sandboxed, it's safe, it's secure, it's verified and it's high performance. So essentially, very, very early days, we decided to bet on this, and we never looked back, and we're still not looking back.
A: He went away a summer in Italy and came back and there was Falco. So all right, so next, I'd ask Thomas and Liz, you know, that same question, like: why did you make this bet on eBPF? For, you know, Cilium and, and you know, Isovalent.
E: Yeah, the story is even simpler. We basically, I think, created huge portions of eBPF to then create Cilium, right? So everything we have built on Cilium, whether it's the networking pieces, the security pieces, the observability pieces, they're all done based on eBPF, so on purpose. Like, the entire reason why Cilium exists is we did not want to create yet another network, observability and security solution that just bases on existing Linux kernel abstractions, but instead start with something completely new, eBPF-based, that, as Andy mentioned really, really well,

E: is able to cope with the pace of cloud native, because it's still evolving very, very, very quickly. There's a couple of pieces that are truly super interesting, I think, that make eBPF an obvious choice. On the networking side, it's all about abstracting away and caring less about traditional networking. Actually, like, end users, they care about services, connectivity, regardless of which cloud it is running in, whether it's on-prem, whether it's in a public cloud and so on.

E: That requires, like, the Linux networking layer, or Linux networking in general, to understand containers, services, API protocols and so on. On the security side, it's all about deep understanding of the system, really understanding what workload is actually, for example, making a network call. It's not just about understanding which part; you actually might want to understand the difference, whether this is the actual workload, or what it is, an application developer running kubectl exec and running a bash, or something like that. And on the observability side,

E: yes, you still want some level of traditional network observability, but you also want the application protocol parsing, you need DNS understanding and so on, right? And eBPF is perfect because it basically allowed us to build a high scale, highly efficient network, observability and security solution that can then keep up with the pace, and it's not bound to some use case that we defined a couple of years ago when we actually started selling. We can continue to innovate and meet the latest end

E: user asks, basically. So it's been great, and I think I would definitely do it again, to kind of extend eBPF to then start Cilium. Liz, do you want to add something?
H: I think the only thing I would maybe add was a little story. Daniel Borkmann, who's a kernel maintainer and he's in our team, and this is really just a little bit of an aside around kind of how Cilium and eBPF have kind of developed hand in hand. I remember asking him about XDP, and he was talking about how, like, it was kind of, well, it would be kind of cool if we could run eBPF programs on the network card, and you know, that turned into reality.
A: So we have five minutes here, I think three minutes at this point, but I want to go into Q&A, but I want to ask this question, kind of a lightning round, okay, real quick. So the question is, you know, what do you see, this is, I can't believe I'm making this question a lightning round, but what do you see for the future of, like, you know, eBPF in your individual solutions? Just give us like an elevator pitch. Maybe you want to go first, Sarah.
D: Sure, so the elevator pitch from Microsoft, because I get to do this occasionally, is we're making a big bet on eBPF, because we think it's very important and it's one of those technologies that can help us leapfrog and innovate, and that is very much the space. We're doing it to the point that we've brought this Linux concept out to the Windows environment, and then we're going ahead and learning and cross-pollinating that way. That was almost lightning.
F: From the point of view of Falco, I think that the way I see eBPF support evolving in Falco and security in general, I think that more hooking points, more places where you can fetch essentially relevant data, relevant information, security signals from the kernel of the operating system. Linux Security Modules, for example, is a good example, and in a general way broadening that, and, from the vertical point of view, offering interfaces that can be clean and powerful for the specific use cases that maybe have to do with security.

F: For example, one thing that we did earlier in the year with Falco, we donated the libraries that essentially wrap around our eBPF probe, offering essentially high-level state enhancement and decorations and stuff like that. So that's another direction where I see the community going, essentially with higher-level abstractions around eBPF, to make it even easier to use.
C: Yeah, I'll try and keep this quick. So actually, for those who don't know, I'm with the Kinvolk team, we were recently acquired by Microsoft. So we have kind of insight both from what we were doing at Kinvolk, where we had an eBPF project around Kubernetes called Inspektor Gadget that took a lot of the traditional host-based BPF tools and allowed you to deploy them in the Kubernetes environment.

C: So we're gonna be doing a lot more of that, taking many more tools and, basically, anything you could do on a host with eBPF, with the BCC tools and those kind of things, you'll be able to do in a Kubernetes environment. So that's one thing, and then the other is we're just working across a lot of different teams within Microsoft, and there's a lot of different applications and innovation happening internally, which will see its way out into AKS and, you know, everything that underlays the services that we're deploying.
A: If you haven't played with Flatcar, please do, it's pretty cool, it's really cool. All right. Lastly, Thomas and Liz, again, elevator, and then we're going to go into some Q&A, so Duffie will have the microphone around. Ask, anybody asking questions, but go ahead, Thomas or Liz, want to end this, end up.
E: Yeah, we're really looking forward to working with the Microsoft team to support Cilium on Windows, so I think that's a great step for bringing all the Cilium magic to Windows. I think the big one for me will be, and that's basically a user request, it is everybody's screaming for an eBPF-based service mesh today, right? So that was definitely something that we will be looking into. We actually have a lot of this already. A lot of our users are happy with our layer 7 load balancing, security and so on.
H: As well as service mesh being, you know, potentially sidecar-less, I think we're going to see a ton. This isn't just about Cilium. This is about eBPF in general. We're going to see everything being possible to be sidecar-less, because we can instrument, as I said before, at the host level. I think that's going to be a big performance improvement.
G: Hi, so one of the things we're finding is that the amount of data we collect for observability, especially at scale, is something that's a bit challenging to deal with. I mean, these are really incredible advances in introspection, but being able to store the information and then make sense of it at that scale is becoming a problem. What do you see as some of the challenges to make that easier to work with, not just by exposing the observability but actually being able to take action off of it?
F: Yeah, I tend to agree with that. I think that, so eBPF essentially gives you access to everything, essentially, in the Linux kernel, which is gigabytes per second, probably, of data, if you actually, you know, collect all of the information. But I think the philosophy is, more and more in the future, the philosophy will be based on sort of localized streaming decisions. Ideally you look at the data and you summarize it in the kernel.

F: If you cannot do that, you reach it a little bit and you take, you know, like, your decision and you do your observations in the local host, and you only stream to a centralized place the summarized data. That's essentially what eBPF gives you, is like sort of the ability to program and take decisions as close as possible to the source, and the only way to survive in the data is really applying this and being close to the source.
A: All right, so, I'm sorry, hey, don't fire me! I'm gonna have to cut everybody off. We have to go to the next session and we're running a little late, everyone. So Duffie, do you want to come up and introduce our next speaker and session? Thank you all, this panel is amazing. Thank you.