From YouTube: CNeBPF Day | Closing Perspectives - Duffie Cooley, Isovalent, Sarah Novotny & Andrew Randall
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
CNeBPF Day | Closing Perspectives - Duffie Cooley, Isovalent, Sarah Novotny & Andrew Randall, Microsoft
A
So this talk is actually going to be one of my favorite things. It's perspective, and it kind of ties the day together, and we start off with a story of six blind men discovering an elephant and kind of taking a look at it for the first time, right? So the first person, the first blind man, feeling the trunk, declares that it must be a snake, and the second, standing by the flapping ear, says that it must be a fan. The third, grasping the trunk, declares that this must be a spear, or the tusk, sorry, tusk, being a spear. The fourth, wrapping his legs around the leg, wrapping his legs, his arms around the leg, says that it must be a tree trunk, and the fifth touches the side of the beast and says that this must be a wall.
I think that many people, when they start discovering and exploring eBPF for the first time, kind of feel like these blind men. They're confused by how many things eBPF can apply to, right? It's just a huge field. I mean, we've heard everything from how to use this for networking, how to use it for security, how to use a vorpa profiling, how to use it for application tracing. It's just... I mean, this is the reason why a lot of people call these things.
A
So, taking these one at a time, the first one that we're going to talk about is an SRE.
A
For the SREs among you, with responsibility for keeping clusters running smoothly, eBPF is all about that large and growing set of powerful tools that are available off the shelf, ready and waiting to help you solve a problem that you can't solve with other means, or without the rich context that eBPF can provide you. At a recent eBPF Summit, I actually helped host that, Brendan Gregg, who's one of the authors of the bpftrace work and a lot of the kind of surrounding area, gave a talk on getting started with eBPF observability, and he had a great slide in that, that said: think like a sysadmin, not like a programmer. And his point, I think, was that you don't have to get into the low-level details of eBPF and how it is implemented, or even write your own eBPF code.
A
So, for a lot of the time when we talk about, like, one of the biggest superpowers that a lot of people are using, it's about context. SREs love context. It's one of the things that puts a light on in the darkness, and being able to actually access that context with simple tools like bpftrace is a pretty powerful thing. You know, it really moves the ball forward. The same sort of technology that we see typically in service meshes, right, to be able to auto-instrument an application without making changes, be able to understand what that application is doing at runtime without actually instrumenting the application code itself, right? Pretty amazing stuff that we can... actually, I mean, just some of the stuff that we can do, and I think that would be very attractive to developers.
A
The other benefit of eBPF for application developers is that they now are no longer constrained to write code in user space, which means that, like that talk that we saw, or a paper that recently came out, basically making things like memcache available, so that when a system call that makes a call to memcache shows up, we just basically grab that system call and throw it directly to the memcache statement, right, like shortcutting the whole networking process entirely and making that local memcache daemon something that you could deploy alongside all of the applications in a container orchestration system like Kubernetes. Pretty amazing stuff. One of the very first things that I saw that really blew my mind, and I think probably impressed most application developers, was an effort to basically allow for applications to use TLS, or to use some sort of TLS authentication method, without actually making any changes to the code. Again, this is one of those things where we see service meshes really kind of taking storm, but I've seen this using eBPF with a Kafka topic, right?
C
I think I'm gonna talk about the next blind man here, and not always so blind, but from the perspective of the security professional, right? And we heard this in several of the talks, but particularly from Eric and Melissa Apple, right? eBPF is really exciting. They're probably one of the profiles of people that gets most excited about eBPF, because of the ability to attach probes throughout the kernel anywhere they want and see what's going on, from syscalls to network packet processing. That means that they can actually monitor in real time everything that's going on in a cluster and use that to baseline normal behavior, and, you know, information you can use to define policies. So we saw that with Margaret Manterola's talk, where she monitored the syscalls that were happening and used that to automatically generate a seccomp policy. I mean, how brilliant is that? I mean, the problem most of the security professionals have is just not knowing what policies to define. Now we can use eBPF to tell us or suggest what policies should be applied in the cluster, and then, of course, you actually have the power to enforce these policies using eBPF as well. So, you know, or detect anomalous behavior and alert on it, and you saw in the work with the eBPF-based Linux security module, the kpc and Leo and Donato showed.
C
You know, we saw how that could really get down at the lowest levels of the Linux kernel to enforce policies that you wanted applied across the system. Or, you know, a slightly different take on this: Mauricio showed us how we could do that specific to systemd. So when you start up systemd, you can create, with just a command-line parameter, saying, well, which type of file systems should a particular system G module be able to access. So some really exciting things there. And really crucial to this working and being viable, because, you know, it needs to actually work in production, it needs to be acceptable to the operators, the people that are trying to make these clusters work, is the fact that eBPF enables these capabilities with a very low overhead, right, so you can deploy it in production, enforcing these policies without having some kind of, you know, massive performance hit. And part of how it does that is getting closer to the hardware as well, and, you know, Liz talked about how some eBPF programs could even be put down onto the network hardware, and Dave mentioned that as well. So you really can get kind of realistic, host-based denial of service enforcement, whereas previously you could only do denial of service on some kind of dedicated, you know, big iron firewall box. Now you can put it in more places in the network. These kind of things are super exciting for security.
C
Duffie talked about application developers, but there's another type of developer as well. You know, the kind of maybe more rarefied air of the kernel developer, and for these folks, you know, eBPF actually is an opportunity as well. It gives them the opportunity to develop and release new features without having to wait for the upstream kernel community to merge what they're working on. So you might think... There are going to be things where it makes sense to release it in eBPF instead of pushing changes upstream, because that whole process just takes years and years and years, right, to not just get merged into upstream, but then get into all of these downstream distros and then get deployed into, you know, real-world networks, and that process can get bypassed.
C
So it enables them now to innovate at the same speed as application developers, and, you know, it was one of the points that I talked about at the beginning of today. Yeah, and things like eBPF iterators. You know, we're getting all of these new capabilities, and Alabama talked about, you know, how he's been leveraging eBPF iterators to create richer capabilities with the eBPF programs that he's writing. And so, you know, there's a lot of exciting things happening in eBPF for these kernel developers. And the other way of looking at it as well is not just that the traditional kernel developers are now able to do more. It's also that folks who've maybe traditionally been more on the application development side now can start to think of themselves as kernel developers, you know, that they're able to actually enhance the capabilities of the kernel with these eBPF programs that they're developing. And, you know, I thought the last talk that we had, you know, Kyle went through a whole load of the different libraries available to people, really kind of showed how it's accessible now, with these libraries that are out there for people to develop these new kernel capabilities.
B
We also see the kernel being able to iterate and innovate so that, even before they make a commitment to do something multiple years to get it into all those downstreams, we see a way that they can run tests. They can run ideas and see if there is engagement or a need for that, in talking in product terms, if there's a customer and market fit for what they're trying to think about. So there's another group that we believe are very important in this, and that's an infrastructure architect.
B
Of course, one of the other super important pieces: there's tons of flexibility, but there's also performance, and this is the thing that anyone who talks about observability has concerns about. You have to be very efficient when you're instrumenting something. We saw a talk today about running instrumentation in prod, like, go look at what's happening in prod. How many people have been in tech long enough to never do that? That's me. I have been in tech long enough to never run tracing in prod, but now there's a way, apparently. And we also heard from Dave Thaler, where eBPF is becoming an enabler for the common architecture across multiple platforms, and it is becoming the common architecture across platforms. We heard also about core and how that is, again, there's a long lead time to get these things in, but there are ways that we're getting there, and that all of this work is really being broadened. So it's not just a Linux technology. It's coming to Windows, it's coming to other operating systems, and an infrastructure architect will no longer need to worry if eBPF programs would need to be created for multiple architectures. We're seeing that go to a single architecture. So, infrastructure architects, very important. And then we get to my absolute favorite topic of the world, and that's all of you, which is the community of eBPF.
B
So thank you for participating. Thank you for being here. Thank you for asking questions and listening and learning, and thank you for taking what you've learned here today out into the world and inviting and engaging and welcoming others into this community, because that is the most important part of open source, in my opinion: starting with a community, starting with a small group of experts and insiders creating something really neat, really compelling, and then that group gets bigger, and then the group gets bigger beyond that, and then we start seeing the industry take notice.
B
One other thing: all the projects we talked about today are open source. Please feel free to jump in, please feel free to contribute, and let me be clear: contributing is not just by code. You can contribute by running your own eBPF summits. You could contribute by trying to help someone think through an architectural problem. You could contribute by pointing a newbie in the Slack channel, which is of course slack.ebpf.io to get registered. You could point a newbie in the Slack channel to some documentation and answer a super simple question. You could ask a super... ask a super difficult question. All of these things are contributing to the community. All of these things are growing the group that is involved with eBPF, expanding the ways that the idea of eBPF as a platform can be used and engaged with.
A
I completely echo everything that Sarah said, and one thing I would bring it back to is what we started this particular presentation with, which is perspective, right? When you're involved in the open source project, when you see somebody ask a question that you know the answer to, you're bringing your perspective to the problem, and that in itself is a huge contribution, right? It's not about whether you can... you know, whether you know the answer to some complicated BPF loop that is messing.
B
And being welcoming in that, because the conversations that hurt a community most are the ones that shut down something for being too basic, or shut down something for, you know, "we argued about that six months ago, never mind," but going ahead and being welcoming, being engaging, and trying to share your excitement about eBPF, because all of you got out of your houses.
C
Yeah, I would like to just add one thanks to what you said, which is, you know, I think this would not have happened without a lot of work by a lot of people, whom are in this room, but one in particular, I think he's still in this room, Dan Pop. Oh, okay, so he's not here. So that's all right. We can talk behind his back, but even behind his back, I would say, you know, this day was very much down to him. He produced the initial momentum that got it off the ground, and, you know, a lot of folks from Lexi helped, Lindsay at CNCF.