From YouTube: OpenShift Commons Briefing: Unleash eBPF Superpowers with Kubectl Gadget - Alban Crequy (Kinvolk io)
Description
OpenShift Commons Briefing
Unleash your Cluster's eBPF Superpowers with Kubectl Gadget
Alban Crequy (Kinvolk io)
A
The title: Unleash Your Cluster's eBPF Superpowers with Kubectl Gadget. I'm gonna let him explain what they've been doing over at Kinvolk, and then at the end of this we'll do some live Q&A and have a bit of a conversation about what's going on at Kinvolk these days, because there's lots of news over there. So Alban, take it away. Tell us what your superpower is. You're enabling Lewis today.
B
Yes, I will talk about eBPF superpowers in kubectl gadget, or Inspector Gadget. First, my name is Alban. I'm at the founder and director of Afghan fun. That's what control, that's a new thing we announced recently. At Kinvolk we do consulting on open source projects like Linux and Kubernetes, and we recently announced that we have a dedicated team to do consulting on Kubernetes, and Inspector Gadget is one of the projects we work on there.
B
First I will describe a bit the problem statement. Why do we work on Inspector Gadget? First, debugging distributed applications is hard. When you have an application working on Kubernetes and something is not good, it's kind of difficult to debug it. At the same time, we now have a lot of BPF tracing tools on Linux, but being available on Linux doesn't necessarily mean that it's easy to use on Kubernetes.
B
So the goal of Inspector Gadget is to plug that up: make it easy to use BPF tracing tools to debug your applications on Kubernetes. Also, Inspector Gadget is not just one tool, but it's a collection of gadgets for developers of Kubernetes applications. We know other communities like Jeannette on Inspector Gadget, and it's an open-source project available on GitHub. Oh I will talk about a lot of humanity zombie beer here. Now, as I mentioned, there are many different BPF tracing tools on Linux that you can use on the command line.
B
New things about BPF: I will talk about traceloop as well, because that has been in the design from Inspector Gadget on others as well to you that in Kubernetes there are tools like kubectl trace that use bpftrace, but also given it is developed on Inspector Gadget that tries to pick different pieces of BPF code and make it available at the Kubernetes level, with specific use cases that I will describe the Martian. It has a lot of gadgets, so there are different use cases.
B
Capabilities is another gadget that helps you to see what capabilities are exercised by your pods, and then you can write pod security policies in an easier way than trying to guess what is happening under the hood. Other things to inspect what your applications are doing: what kind of files are opened, with opensnoop; what kind of programs are executed, with execsnoop; what kind of sockets are bound, for example, with bindsnoop; and so on. So in my talk, I will have a few demos of these different gadgets.
B
Now, if you want to try kubectl gadget, or Inspector Gadget, by yourself, it should be easy to install on your laptop by installing kubectl gadget and then deploying the gadget DaemonSet on your cluster. You can do that with the oc gadget deploy command, because Inspector Gadget is actually a kubectl plug-in, and then apply it with this command.
B
If you want to reproduce the demo, I will actually just use the OpenShift Iran proverb Katacoda at this address, and you can get the slides with the steps at this link. So let's start with the first demo. I will try to install it live. Let me leave the slides and go to Katacoda.
B
Okay, I will present the first gadget, network policy advisor. The use case of that is when a developer joins a project that already exists. It already has plenty of microservices, or pods, and so on, but no network policies developed, and so it's kind of difficult for this developer to start writing network policies when they don't know the architecture of the project. So that's kind of what I called port security as an afterthought, because the security has not been designed from the beginning, but after all the project exists. We think Oh.
B
Okay, meanwhile, while this application is deploying, I can explain BPF in a nutshell, how things work. We're not going through the details, but I'll give an overview of BPF. So BPF is kind of a mini virtual machine in your Linux kernel, and the workflow, how it works: you write the BPF program in C, and then you compile this program with clang/LLVM into BPF bytecode. Once you have this BPF bytecode, you can upload that into the kernel with a specially designed system call, and the Linux kernel
B
It will verify that it's a good BPF program, and this BPF program can be allowed to run, and it will be executed on specific triggers. It could be a network trigger, every time a packet comes in on the network interface, or it could be attached to system calls, so every time a system call is executed, it will run the BPF program, and then it will be able to send messages to applications in user space via BPF maps.
B
With this mechanism we have a way which is safe for the Linux kernel to execute arbitrary BPF programs in the Linux kernel and inspect what's happening there. Inspector Gadget is using that a lot, and I will show in the next slide how it does that. Inspector Gadget is a command-line tool that you run on your laptop, and then it communicates with the Kubernetes cluster only via the API server of the Kubernetes cluster. It does not access a show, you know, does not open up.
B
We have a network policy that applies to the shipping service pod, because it has a pod selector on the shipping service, and it has both ingress and egress policies. And then here you see it's allowed to have ingress traffic coming from is at record service to the shipping service, and there are a lot of other network policies. That is, my god, there's the real traffic that happen unaddressed. Oh, of course, that's not something that the developer should apply.
B
The next gadget I will present is called traceloop. If I go into technical details, it traces system calls a bit like strace, but in cgroups, using BPF and overwritable ring buffers. That may be a bit complicated to say, but I will explain the use case of that. As a developer, I really like to use strace to debug my application, because I can see what system calls it does, but strace can be a bit difficult to use on Kubernetes. First.
B
The underlying idea of traceloop is the idea of a flight recorder: we always record all the system calls in memory, in a ring buffer of limited size, and then, if something crashes, I have the last few system calls that are still in the ring buffer, and I can inspect them to see what was wrong there.
B
So when it is fully sort of like the older students but and all because, because of the way it works, it's possible that we can lose some, sometimes. strace, on the other hand, is reliable and never loses anything. But even if traceloop is not as reliable, it is still very useful to debug applications like this. The way traceloop works.
B
It uses a BPF program at a sudden twist front consistent well, and that is executed every time there is a new system call executed, UNIX system. And the first thing that the BPF program will do is to find out which container it is. It can look at the cgroup and try to figure out: OK, that's this pod or this other pod. And then it redirects the execution flow to another BPF program that will log the events in a per-pod ring buffer, the ring buffer never looked at.
B
Every level ooh, it's boxy gadget. Let's look at what I can do with that. There are a few subcommands. The first one is list, to list what is available. As I mentioned before, I don't have any pods running in the default namespace, so I will look in all namespaces, and I can see I have all those things running here. And I will take an example of this kube-system namespace. I'll see I have a few traces that are available for me to see. I
B
Okay, the command is to get a picked banner of them. With this command I should be able to see the last system calls by the pod there, which is currently running. I see the system calls: well, mostly sleeping, not doing much. That's about it. More I will do with that. Let me clear the screen. I will start a new pod, this one doing a multiplication and then trying to save this to a file and then printing this file. But if you notice, my shell script is not really good, because I might not get the correct
B
Yes, some of them are relatively new, like the profile gadget was added a couple of weeks ago, I think. Thanks. I will present. I will start first with execsnoop. What it does: I specify on the command line which pods I want to monitor, so I can use the namespace, or Kubernetes labels, or the pod name, and so on. And then, if there is a new process executed in the pods that match these criteria, I will have a new line to describe them in the other terminal.
B
I execute a script which I don't really know what it does if I run it. So here, Inspector Gadget will be useful to be able to inspect what programs are executed and what files are opened by executing that. Now I will have control on what it is executing here. It takes a bit of time because it needs to do not put it on this gotta connect. Now here, at the top I see all the files that are being opened, and at the bottom I can see the sorry.
B
In this case, I don't know this image very well, and it is not always easy to know whether it will listen on eighty or eighty. Eight here are some other ports. And so when I write manually my Kubernetes services in the YAML, I need to know which port it is listening on to be able to write it Harry upon. So here you see all the bind system calls with options. So here I see it listens on port 80 81, with a reuse socket option.
B
I used this for the busy parts command to get a shell in my container, and I will execute some commands that require some privileges, for example, creating a new network interface. A sketch would and cannot being its own privilege pod things. That's a one-time work. Sometimes it doesn't work, and first through show you, but sometime. OK, ping worked, in C work as well, but mknod bill.
B
Don't work. Here is an example: mknod doesn't work, but it's kind of difficult to know why. I just get operation at in, but I don't know which kind of capability we are missing in my pod to make it work. But if I don't know, if I was even I have to deploy a container image which does some operation which I don't really know about, I want to know what capabilities it exercises. Then I can use the capabilities gadget for that.
B
First, catch all the pods that are in the default namespace and see if they do something. Here, if I repeat the mknod command, you see it required the CAP_MKNOD capability. I use till middle of capital network. If I try to create a new network interface, I just get culture, let us see that the capital mean was exercised by the continual attempted to vt.
B
Why is it slow? What is it really doing? Is this option comes careful getting canal, but there is an option to get the stacks from user space. That doesn't always work; that's something that is a bit in development. By the way, those tools come from BCC. So it's not something that has been way in front hit in Inspector Gadget. Mostly we use existing tools, in this case from BCC, and just adapt them to be able to use them in Kubernetes.
B
So it catches all the TCP connect, TCP accept and TCP close, all the different events for TCP connections. If I were to create an incoming connection, I will see it as well here, and I can things the right time come with some luggage. Here is displaying two lines installed, but you get their IDs. I can see what's happening.
B
So in a lot of this demo, it was mostly tools from BCC that were adapted for Inspector Gadget to run in Kubernetes. So why do we actually need to have BPF tracing tools adapted to Kubernetes? What I'd like to have is to trace pods, for users don't always care about processes. It is more useful to me to select which pods with Kubernetes labels or Kubernetes namespaces, rather than searching the PID of what you want to trace. When we have a lot of machines, that's much more practical.
B
Another component that is used in Inspector Gadget is called the gadget tracer manager, and to explain it, I will show this command here. In the execsnoop gadget, or other gadgets, I can select the pods I want by labels, or by namespace, or by pod name, or by node. Or, if it is a pod with several containers inside, I can get the noindex. And I can use one or several of those criteria to select the pods.
B
Another difficulty is that pods can come and go. Containers can come and go as well; they can crash, and then the replication controller can start a new one, and so on. So during the execution of a gadget, the pods can come and go. And pods don't always have predictable names, like in this example: there is a suffix hold on sir fix. And sometimes one pod can be traced by several gadgets at the same time, depending on the field, but to come up with the solution.
B
There is this gadget tracer manager, which is a daemon running in the DaemonSet on all nodes, and it implements a gRPC API, a very simple one, where this daemon can be informed of new tracers and new containers. There are kind of four methods on this gRPC API. On the left side, it can be informed of new containers using OCI hooks. There is an OCI prestart hook: every time a new container is created, the OCI hooks do a gRPC call to the manager going from mid on the north side.
B
Every time I start a new gadget with kubectl gadget or oc gadget, it will use the Kubernetes API to delete something on the node. Right, this wrapper script will actually call the gRPC method to add or remove them. In this way, this tracer manager knows about all the tracers, what they want to do, and all the containers, what labels they are on.
B
What Kubernetes namespace. With that information, it will update the BPF maps. So there is one BPF map for each tracer, and each map will contain the list of containers that it will trace. So when containers come and go, these maps will be updated, and then these BPF maps will be used by the BPF program. So in this case, in the execsnoop gadget, it executes the BPF program with a kprobe on some system call, and then in the BPF code it will actually check the BPF map.
B
It will look up if the current process or currency worker on this is something that should be traced or not, depending on the configuration that has been set up by the tracer manager. And then, if it should not be traced, it just returns without passing anything. So that's how it works to select the pods. In this way, the BPF program doesn't need to do any string comparison with the Kubernetes labels and so on, which is something which is difficult to do in BPF.
B
It has been called by the pod with the save option. So it's to have the jeppesen interface with option. It will return the list of containers on the node, and also the list of tracers. Here I don't have any tracers running, but I see the list of containers with some information in those about Kubernetes which will have feel if not I should be able to see in this.
A
Will get you connected, I think that would be cool, and I'd like to see this working. It's interesting to me because Kubernetes is a wonderful, high-level, abstract, good thing, but to really make sure you debug it, and you can really work with it at the granular level that you're showing, and making it easy to do so, it's pretty awesome. So I'm curious.
B
I can go back to the list of gadgets and where they come from. So most of them come from the project BCC: opensnoop, execsnoop, bindsnoop, the other ones at the bottom, actually capabilities as well, they come from BCC. And the two ones at the top will return all pass through pond Elsie. You have seen it's in a GitHub repository on business organization, and network policy advisor, it relies on BPF code, that's where we don't fall with scope. Initially.
B
It is he basically it's actually. A lot of gadgets are tools that are here. There is a list here, and that's pretty useful to learn about bb-8 here. Yeah, released well on a long list, and I just pick a few of them, like execsnoop and so on, and use them in Inspector Gadget. But there are probably others that you like, and that can be adapted to Kubernetes as well. Inspector Gadget, yeah.
A
So, if you're listening to this afterwards and you see something on this list that you think we all ought to be working on, you know, reach out to Alban and do that. The other thing I did notice: you are going to give that tutorial, I believe, at KubeCon, the virtual one. You've got it listed on the schedule. Is that still a go for you guys, your tutorial on using BPF in cloud native environments? Is that still a go in August? Yes.
A
I want to have Alban back on with some of the other team sometime soon to talk about Flatcar, especially Flatcar in the context of OKD, which is in its beta release and going GA and, as you probably have noted, is running on Fedora CoreOS. I'm very curious to see what we can do with Flatcar and OKD, so stay tuned for me picking his brain and his team's brain about that in the not-too-distant future. So Alban, thank you for putting up with my lovely internet access today.
A
I do have fiber optic, I don't know why this is going up and down, but anyways, thanks for joining us today. If you're listening, I will put the slides for this and the video of his demos and all the links on our YouTube channel at RH OpenShift, and as well on a blog post on open comm. So don't scramble and try and write notes. I'll make Alban give me his slides and links to all the resources.