Description
Featuring John Howard, Christian Posta, Lin Sun, and Eitan Yarmush.
A
B
B
I'm focused on application networking, service mesh use cases, and I'm really interested in how we can use eBPF to upload some of the things that we do in the service mesh proxy into the kernel, and then also augment and complement the type of observability and telemetry that we can get from the mesh with what we can see in the kernel. Yeah, that's what I'm interested in.
A
Yeah, that's great. Lawrence, do you want to go next?
C
D
C
Explaining what it is. So as far as what I'm most excited about, I also am very interested in the networking aspect of it. I think that it will.
D
C
C
Network acceleration for anything that's related to service mesh. And then, as you look forward, you can see that some of the capabilities that are in the proxy right now, so like in ambient with the ztunnel or even in sidecars, that we'll be able to push those further into the kernel with eBPF. So hopefully, you know, one day we won't even have to have a proxy at all.
F
Yeah, for me, I'm just most excited that, you know, in one of the previous talks one mentioned that we take, like, you know, a small amount of Istio config and then generate a ton of Envoy config, for example. We do the same thing with other layers of APIs.
F
You know, what eBPF allows us to do is, instead of trying to express all this config as this declarative config model, we can just write in code, right? And so we can take that small amount of input config and then just write the code as eBPF logic that you do directly, instead of trying to take these APIs that are kind of generic and declarative and try and model our very bespoke, specific use cases for them, right? So you.
F
G
D
G
Things that service mesh already offers, and potentially speed up the mesh by pushing them down, as Lauren said, pushing out these features into the kernel and really taking advantage of.
D
A
Honestly, I thought about this at KubeCon in Valencia in Europe. There was a lot of confusion around eBPF and sidecars. Can you help our users clarify if they are the same or if they are different? Can we dismiss sidecars now with eBPF?
A
F
Yeah, to me, they're related only because there's some products that happen to use them both together, but otherwise they're fairly orthogonal, right? You.
F
G
Yeah, just to add on to what John said. I think that, you know, Lawrence mentioned that in the long term, you know, ways that we can use eBPF to potentially replace these node-level proxies like the ztunnel, but I.
G
So if the only thing you're interested in is telemetry, right, maybe you don't need to do any L7 processing. So essentially taking individual use cases and putting them in the kernel, yeah. And so, as John said, not necessarily needing to combine the two concepts but using them for what they are good at.
B
I think another aspect that tends to come up and contribute to the confusion, that I think could be more clearly stated, is: where does the proxy actually run? I think that's a more interesting question, because, can eBPF replace all the layer 7, all the stuff the sidecar does? No, maybe if you have to be used for some portions of that, but so really the question shouldn't be about, you know, well.
B
Sidecars. It's about where does the proxy run, and that's a problem that we tackled head on when we worked on ambient. So the product doesn't have to run as a sidecar but, like John said, these are orthogonal, you know, concerns. eBPF is not, you know, a replacement for the sidecar.
A
C
Just the one thing I would add is that, even eventually, if we are able to get rid of the proxy by pushing all of the concerns to the kernel with eBPF, I think one, I think that's still a ways off. But I do think that just because we can, if we can, doesn't mean we should, because there's a lot of, so.
C
A
Yeah, we're not talking about a little bit of time, at least many years, more than a few years, right, because even when the official landed in the kernel, it puts up your gifts to get you a particular Linux. This show yeah. Thank you so much for that question and answer. So the next question is: what role do you think eBPF can play in service mesh? Do you guys want to add anything? I feel like some of you already touched on that topic already. If not, we can skip to the next question.
F
F
Said about potential is really true to me. eBPF today can be really useful for certain things that are very restricted use cases. Like, if you only care about getting telemetry for your information, sure, do everything in eBPF. You don't have to copy everything up to user space. It's very fast! You get what you want, but.
F
Have to copy everything to user space anyways, you might as well have just done the telemetry in the user space as well, right? So as the functionality expands more and more and can cover more use cases, it starts to make more sense. Today, I think it's mostly niche cases and small optimizations, right? I think someone may have talked about kind of optimizing some, like, the redirection logic with eBPF, for example.
F
G
I have one more. I think there's an interesting, that we've been talking a lot about ambient and there's a lot of interesting questions about, you know, something that was brought up. Some questions that have been brought up to me, even going back to previous KubeCons, about the security, the encryption data over the wire just within the node itself, which is another, as I mentioned, I view eBPF as a potential security name, so potentially leveraging eBPF on the node itself to make sure that the traffic is always encrypted.
C
Think the performance benefits, you know, they're not mind-blowing, but they are there. I think, more importantly, at least in my opinion, is the fact that it makes the current setup for the network configuration much, much easier.
C
And as an end user, that might not be the biggest thing, because, you know, it's more of an implementation detail, but just from what was needed to get the current setup working, eBPF can kind of simplify that in a lot of ways, because, you know, we talked about it before, you really are expressing it in, you know, basically code, like you're saying with logic, this is what I want to do with the network, versus trying to, you know, piece together all of these different pieces of.
A
That's great. All right, yeah, I think I have, I guess I'd like to open up for questions, actually. It will be cool, because, you know, our question took along for a while. So if you guys have questions, I would encourage you to walk up here, because we only have a couple of microphones, so yeah.
D
A
E
F
Question was how many releases of Istio per year. I think with the CNCF adoption there's no currently planned changes for the release cycle, so they'll continue to be four releases per year.
E
A
From CNCF.
A
How Slack user increased dramatically, too. I've also seen different vendors participate in the issue, particularly in ambient, which I haven't seen in other before the Istio CNCF donation. So that was very positive. Any other questions?
D
C
So the answer is yes. You know, there are a couple ways of doing that. It kind of gets more tricky when you're talking about, like, HTTP/1 versus HTTP/2, but in both cases technically it's possible. There are also, you know, techniques like you can use user probes, so you're technically using eBPF, but you're hooking into user space code. That's how some of the libraries do things like this, is like, I want to use eBPF to see traffic that is being, you know, TLS encrypted, right? And.
C
B
C
B
Was going to say, in Gloo Mesh, that is exactly what we're doing, because of the workloads that run, for example, for ambient, the workloads that run that, you know, have the ztunnel deployed with them, they're missing out on some of the layer 7 telemetry, and being able to capture that using eBPF or some mechanism, so that you don't have to rely on sidecars, is a really important way. The second thing I'll say is that I think it's EVP update tomorrow.
D
B
Us today, all right, well, go catch. Hopefully it was recorded. One of our engineers Aiden right presented exactly on that topic. So, but short answer is yes, you can do it.
D
J
Taylor did a whole talk on signing eBPF programs to facilitate adoption, and is that a significant roadblock in the testing production systems?
D
G
G
Okay, so the question, in essence, I'm sorry if I don't repeat the whole thing, but basically right now, so Dave Haylor brought up the signing of eBPF programs, right.
G
So in this talk, Jason just mentioned in the previous talk about signing containers and about that being a pretty standard, open source security standard, and so essentially, how do we do the same thing for a program running in the kernel? And it's a great question, and it's not the first time I've heard that question, and I think in fact it's actually something that, I don't know if anyone here has heard of or played with Bumblebee, which is a tool that we created, and actually that is, and has a way to sign eBPF probes, so package and sign, exactly, package and sign eBPF probes.
G
So that is certainly one way to go about it, right? It just uses the entire existing infrastructure, right, that has been built around packaging and signing OCI distributed bundles, OCI standing for, I'm not, Open Container Initiative. And so yeah. So I think that, you know, it's a very interesting problem.
G
You're right, and no vendors right now are running their BPF programs with that, so from a security perspective, right, how do you verify? And I think that, you know, Bumblebee is definitely one way of doing that, and I'm definitely interested to see going forward how more people and more vendors just, you know, go into that, because it's going to be, you know, as more and more people run more and more eBPF and, as, you know, potentially customers allow their internal, right, as users allow their internal users to run various eBPF programs, like, how do you know, right, if this is coming from the internet?
G
How do you know what this is, or how do you verify it's running? It's, you know, root in the kernel, like, are you kidding me? You know, so yeah, it's a very interesting question. I don't have a perfect answer.
A
A
That week, that's how you know a team Rose, sometimes, most of the time I should say. I think that gentleman with the black mask had a question. Go ahead.
D
C
Is kind of like a much broader technology, right, and it's an implementation detail of Cilium, and that's kind of what allows them to have, you know, there's performance gains and everything by using Cilium because it's implemented in eBPF. As far as, like, the overlap goes, you can definitely write, you know, networking modules in eBPF and load those alongside Cilium. The hard part about that is you just even not depending.
A
Anyone else wants to add anything? Good, all right. Any other questions?
I
I
So basically the thing that people were very excited about us gaming is, first of all, you know, we get rid of the proxy, right, so it's cost less. Number two, we did a lot of gaming in terms of, oh, we're hoping to do a lot of gaming in terms of the performance. And the last and not least is the operational. So I wanted to say something as something that we learned in itself, and it's something that I don't know that we heard before, we talked about it enough before, so.
I
I wanted to highlight that what we learned from our customers. Here's what we see: even we have, can give you some performance. But honestly, it's really, really tiny bits related to what you really care of. So here's what we see from a customer: there is a budget of those latency, and as long as you are kind of like in that budget, you know what else customer wants future. That's why they really care. They don't really care to get the micro unless it's a very specific system.
I
What they really want is that there are several features and other stuff, so I just wanted to mention that, and we are, you know, very bullish about eBPF, and I think that we can get a lot of stuff in terms of the operation, and I think that it's very important for us to get a lot of the observability, which could be really, really interesting. I just want you to know that I, never I.
F
A lot of hype around eBPF that's not very true. I think, you know, there's a lot of value, but it's not going to fully replace Envoy. It's the full L7 proxy anytime and our lifetime problems.
A
Yeah, I think that's a part of the reason I'm personally really excited about ambient, because I think ambient really brings a lot of clarity on eBPF and sidecar, you know, and how this should interact and without the icon. Any questions from the audience? Oh, go ahead.
G
Envoy has something called a tap filter where you can record requests going into it. It's not exposed directly, but.
H
F
I
I
I
I
A
F
Don't see people talking at KubeCon about deploying Kubernetes for the first time anymore, right? That's just what everyone here has already done. You know, a few years ago you saw that about Istio. Everything was about, like, we just deployed Istio, like, how do the police do all that type of things. So we're starting to get to where Istio is more prevalent, but it's still very, very visible when you're using it, right? That's kind of where the name for ambient mesh came from.
F
We want to make it kind of ambient in the cluster, right? It's just there. You just have a Kubernetes cluster and you have mTLS, right, and then you add the functionality on top of it, right? You know, if I want to do traffic splitting and send five percent of traffic to my new version, I should just be able to use an API to clear that I want that and go about my day. I shouldn't have to worry about deploying sidecars or a control plane, or, you know, all these other things.
F
So I think that, you know, that's where we're heading, is that it's really just API driven. You shouldn't have to think much about installing, operating, managing. Part of that's by simplified architecture, part of that's by product offerings that kind of automate things away, but we're definitely moving in that direction.
B
Yeah, I mean, I fully agree with what John said. Basically, that stuff's going to become boring, but it's going to enable opportunities on top of it. For example, like something you were just asking about: the debuggability, right, various ways to plug in new policy engines and so, but that's going to lay the groundwork for more of the innovation for the problems that we're going to need to solve on top of it.
C
C
A standard part of your Kubernetes cluster going forward, and with things like ambient, you know, it's going to just be there, and you will not, hopefully, have to interact with it pretty much at all and get all the features that you need for deploying microservices and Kubernetes. Basically, yeah, I agree.
A
G
Day, let's just hear it. Finally, all right, so I don't know about y'all, but my least favorite type of bug is a bug that only shows up in prod and only after a month, and so we had a, there was someone running Istio in prod for a month, and after a month all the DNS requests would start failing from the sidecar. This was a new steel.
H
G
So this one turned out that, after about a month, there was a bug in Envoy that would essentially, all of the UDP DNS traffic would just fail for no good reason. Right, Wireshark didn't show anything, like, there was so much kernel debugging, and then eventually it just turned out that there was a bug in the UDP code in Envoy, and if you switch it to TCP it just worked, so that one was.
G
G
That took, like, all of engineers and a whole bunch of field engineers a couple of weeks. Oh.
I
D
C
D
B
Educational things, workshops and the documentation from the istio.io website. You know, that'll really help tremendously, but that's probably what Alex again.
F
Yeah, I would say the same, but just to at least clarify why I think that is: not that, you know, in a year or two from now I'd probably give a different answer and say just go deploy the ztunnel everywhere, get mTLS and then add on your proxies. It's more that ambient is not yet mature, right, it's very experimental right now, so, you know, you should start with the thing that's production ready, and then once ambient's mature, then think about that moving forward.
F
Basically, yes, in some form, I think, maybe not Istio. You know, there's other, some cloud providers have other service meshes they are invested in, but I certainly think that it will start to be more and more embedded in the platform.
F
Seeing that in many cases, ambient.
D
F
Think helps with that a lot because it makes it a lot easier to have kind of the baseline mesh without the traffic modification, right? With sidecars and the full L7 processing you get, for example, HTTP load balancing. That's great, but that actually changes the behavior of the application. So maybe users don't want that, and it, you know, breaks the application. With ambient, we have kind of a split where this is a safe subset that everyone can kind of get value out of, and then they can kind of opt into a more full mesh experience.
D
I
I didn't but those they used, the new sporting club, right, most of the people that make them have won the games out there, right. The question is how bad trying to get there and where is, right, so I think that they're talking about the problem with some, like, I know, sister back on the day before after marriages end of life, I know that they tried release yes, serverless together.
D
I
B
D
B
Patched it, maybe they did something, but their, you know, ability to keep up with what the rest of the community is doing falls way behind, and so you get stale versions of, you know, that may not support expanding to VMs and some of these other platforms as nicely as expert, but.
E
B
I mean, it kind of makes sense. Well, I think, overall, what we see, what indeed was kind of alluding to, is that we see organizations that will take Kubernetes, they already have VMs, they might be on premises, they might be in public cloud, and they're effectively building their enterprise developer platforms for their teams, service mesh as part of that. Now, how that gets delivered, you know, it might be, you know, you deploy it in the various platforms, you might self-manage it.
B
B
A
Yeah, awesome. Anyone? Okay, one more question, maybe the last question.
C
B
Not at the moment, but that is on the roadmap for sure. That's really important to, you know, the community, certainly to us at Solo, yep.
A
All right, with that I would like to thank all the panelists and also, most importantly, thank you, everyone, for staying with us. You know, this music, there's water, you know, everything out there so nice. So thank you so much for staying with us. If you have further questions about Istio, eBPF, service mesh, the Solo team is going to be available at ServiceMeshCon. I believe John is going to also be there too, and on Wednesday we'll be at the booth.
A
If you want the books, we will be handing out the books at our booth. We're going to have a signing session on Wednesday at the Boost Club, I believe it's six to eight pm. Also on Wednesday night, we're inviting everybody to drinks, I think right in this venue, from 8 to 11, so free drinks on my bus, yeah. So thank you, everyone, for attending and joining us. I really, really appreciate your attendance. Thank you all.