►
Description
eBPF is the behind-the-scenes subsystem of the Linux kernel that enables new and simpler methods of profiling, networking, and security for Kubernetes without compromising speed and safety.
Join our Office Hours to get your eBPF questions answered. We'll start with an overview of the capabilities that eBPF provides.
Our experts talk about:
- How eBPF programs are written
- The benefits of eBPF based cloud-native tools
- How to debug performance issues using eBPF tracing
A
Hey
everyone
thanks
for
joining
our
stackrocks
office
hours.
My
name
is
andy
clemenco.
I
am
now
a
principal
specialist
solutions,
architect
at
red
hat
and
I'll
be
moderating
today's
office
hours
with
me.
We've
got
robbie
cochran
joining
us
today.
He
is
a
senior
software
engineer,
red
hat,
formerly
stackrocks
like
myself.
A
I
just
want
to
say
before
we
start.
I
want
to
go
over
some
ground
rules
of
engagement.
Some
ground
rules
right
lines
are
muted,
as
the
session
is
being
recorded,
on-demand
recording
will
be
emailed
to
everyone.
Post-Event,
we
will
be
answering.
Questions
live
throughout
the
session.
Make
sure
you
ask
your
questions
in
the
qa
module
in
the
says,
right,
hand,
side,
but
left
or
right
doesn't
matter
if
you
have
any
trouble
with
the
webinar
console.
Please
refresh
your
browser
with
that.
Welcome
robbie,
and
what
are
we
talking
about
today?.
B
The
system
in
the
linux
kernel
that
lets
us
run
all
sorts
of
cool
stuff,
and
the
goal
today
is
to
give
us
to
kind
of
go
over
an
overview
and
give
people
a
handle
about
what
ebpf
is
how
it
can
be
used
and
then
answer
any
questions,
and
so,
from
my
perspective,
I've
been
working
with
ebpf
for
a
while.
It's
it's
a
massive.
B
You
know,
there's
a
huge
surface
area
of
use
cases,
technical
details,
and
so
I'm
excited
to
hear
questions
from
the
audience
and
you
know
help
people
get
a
better
handle
that.
I
think
that
would
be
the
goal.
If
you
don't
know
anything
about
ebf,
to
come
away
with
a
better
handle
on
what
what
exactly
we're
talking
about
here.
A
B
B
Hopefully,
everyone
can
see
that
so
to
begin
with
we're
going
to
talk
about
bpf,
candy
corn.
We
need
to
talk
about
what
it
is.
That's
so
sweet
about
this
subsystem
in
the
linux
kernel
and
to
do
that.
Let's
take
a
step
back
and
remind
ourselves
what
is
the
linux
kernel
and
how
is
it
different
from
processes
running
in
the
user
space?
B
So
when
you
run
an
application
in
the
cloud
usually
you're
running
on
a
linux,
vm
and
and
the
processes
that
need
processes
that
are
running
in
user,
space
have
to
do
different.
Things
like
write
to
the
network,
create
a
file,
execute
a
program
and
user
space
processes
are
able
to
do
this
by
making
system
calls
to
linux
kernel
and
the
linux
kernel
runs
at
a
higher
privilege
in
ring
zero
and
has
access
to
hardware
interrupts
things
like
that.
B
So
that's
all
great
and
the
historically
linux
kernel
is
obviously
open
source,
and
if
you
wanted
to
extend
the
linux
kernel,
you
could
just
download
the
source
code
write
a
patch
submit
it
to
the
kernel
maintainers,
and
you
know,
eventually,
your
code
may
make
it
into
the
mainline
kernel.
And
then
you
can
use
it
in
your
infrastructure.
B
A
easier
and
alternative
method
to
extend
the
linux
kernel
is
to
write
a
kernel
module
now.
Kernel
module
is
a
way
to
essentially
inject
code
into
the
linux
kernel
and
have
a
a
way
to
extend
whatever
feature
you
want
within
the
kernel.
You
can
pretty
much
do
whatever
you
want
with
a
for
the
kernel
module,
but
in
order
to
do
that,
you
have
to
tie
it
directly
to
the
version
of
the
kernel
and
the
kernel
is
changing
constantly,
so
kernel
modules
have
their
own
overhead
and
issues.
B
So
what
bpf
allows
us
to
do
is
essentially
extend
the
linux
kernel
without
submitting
patches
without
writing
a
kernel
module
and
do
extend
the
linux
kernel
with
ways
that
are
it's
more
safe
and
it's
easier
to
do.
Continuous
delivery
as
the
kernel
changes
and
ultimately
opens
up
a
whole
world
of
applications
from
security
monitoring
to
debugging
production
issues
to
just
building
whole
new
networking
stacks
that
are
more
extensible.
B
B
So
writing
a
running
bpf
is
you
can
think
of
bpf
as
the
low-level
assembly,
language
for
extending
the
linux
kernel
and
what
it
allows
us
to
do
is
see
it
allows
us
to
get
whatever
data
we
want
out
of
the
kernel
by
writing
small
scripts.
These
small
scripts
are
then
compiled
into
a
byte
code
and
then
run
within
the
kernel,
and
so
before
we
get
into
the
technical
details,
I
just
want
to
give
you
a
flavor
of
of
what
we
can
do
so
here
I
have
a
kubernetes
cluster.
B
B
So,
let's
see
what
we
have
here,
we
have
four
nodes
in
this
kubernetes
cluster
and
I'm
going
to
take
this
first
node
and
run
a
an
ebpf
program
that
will
print
every
process
execution.
So
what's
going
to
happen,
is
we'll
attach
a
small
snippet
of
code
that
will
be
injected
into
the
kernel
validated
and
run
in
a
safe,
sandbox
manner
within
the
kernel
and
will
send
back
to
user
space
every
process
execution.
So,
let's,
let's
look
at
what
this
looks
like
cuddle
trace?
B
Here
we
go
got
this
set
up,
so
I
have
a
set
of
programs
that
are
provided
by
the
bpf
trace
utility,
so
you
can
think
of
bpf
trace
as
a
higher
level
abstraction
on
top
of
bpf.
So
if
bpf
is
assembly
code,
you
don't
want
to
have
to
actually
write
bp
of
bytecode.
We
want
to
have
a
higher
level
of
scripting
language
that
makes
this
much
easier
to
do
so.
This
is
pretty
simple.
B
I'm
just
going
to
attach
a
exec
snoop
function
here,
that's
created,
and
now
what
we
can
do
is
just
tail
the
logs
of
this
pod.
Let
me
get
the
pod
that
was
just
created,
so
what
what
coupe
cuddle
trace
did
was
launch
a
pod
in
the
kubernetes
cluster
in
with
the
appropriate
capabilities
and
admin
privileges
it
in
use.
B
The
bpf
system
call
to
run
the
exec
snoop
bpf,
trace
program,
and
now,
when
we
tail
this
pod
we're
going
to
see
all
of
the
process-
executions
that
are
happening
on
this
node
and
like
yeah,
you
know
I
don't
actually
even
know
what
we're
going
to
find
here.
It
looks
like
we've
got
some
health
checks
that
are
happening
via
curl.
B
B
B
A
B
It's
super
easy:
if
you
go
to
it's
essentially
just
a
command,
it's
a
coupe
cuddle
plug-in
and
I
think
there's
several
ways
you
can
just
put
it
in
the
right
directory
in
your
in
your
on
your
system
on
your
local
system.
You
can
also
install
it
using
crew
krew,
which
is
a
extend
cuddle,
and
then
you
can
essentially
just
like.
I
said
I
think
this
is
the
easiest
way
to
get
started
with
bpf
if
you're,
especially
if
you're
familiar
with
kubernetes.
A
B
So
if
we
look
at
what
this
script
does
it's
very
simple?
It's
just
attaching
to
the
syscall
exec
ve
grabbing
the
arguments
that
were
passed
to
exec
ve,
and
this
is
going
to
be
sent
via
the
evpf
subsystem
in
the
kernel
to
a
buffer
and
in
the
user
space
program
that
created
and
attached.
This
can
read
the
output,
so
essentially
it's
going
to
stream
out
exactly
the
data
that's
being
attached
here
now
you
can
imagine
that
these
programs
can
get
really
complicated.
B
A
Yeah
well,
while
you're
doing
that,
one
of
the
one
of
the
interesting
questions
was
around
some
of
the
use
cases
and
really
and
there's
another
question
that
was
kind
of
along
the
same
lines.
Really
kind
of
thing
about
eppf
is
this
is
the
underlying
technology
that
allows
observability
into
the
the
kernel
space
right.
So
it's
not
a
kernel
module
which
is
slightly
different
in
the
way
and
functional,
but
in
terms
of
use
cases
you're
going
to
be
interacting
with
monitoring
or
security
applications.
A
B
Yeah
yeah
yeah
this,
and
this
is,
I
think,
what
I'm
kind
of
showing
now
is
a
great
tool.
That's
useful
for
debugging
production
issues.
Essentially,
if
you
have
any
you,
okay,
you
know
that
the
file
system
file
activity
is
using
too
much
cpu.
It's
like
where
exactly
is
the
time
being
spent?
Essentially,
you
can
think
about
this
as
a
javascript
or
a
debugger
that
allows
you
to
attach
to
different
events
and
then
extract
that,
and
you
don't
have
to
change
anything
about
the
kernel.
B
B
Yeah,
it
does
so
what
the
pod,
what
the
pod
does
is.
Essentially
just
it
runs
on
the
node
that
you
attached
it
to,
and
it
runs
as
long
as
you
know,
as
long
as
you're
using
the
bpf
trace
script.
So
if
the
script
needs
to
get
some,
you
know
what
I
was
showing
now
are
streaming
scripts,
where
we're
actually
printing
out
the
events
as
they
occur.
You
could
also
have
a
bpf
program
that
aggregates
data.
B
You
know
we
look
at
a
create
a
histogram
of
latency
for
connections
or
histogram
for
how
much
time
is
spent
within
a
particular
region
of
the
kernel,
and
so
it
really
depends
on
the
use
case.
You
know
how
how
long
you
want
to
leave
your
couple
trays
pot
up
so
now
that
I've,
given
a
semi
in
my
mind,
high
level,
but,
like
you
know
this
is
this-
is
I'm
feeling
like?
B
Maybe
I
need
to
even
take
a
step
further
back
without
going
into
so
I'm
going
to
skip
over
a
little
bit
of
this
here.
I
think
one
thing
I
want
to
get
across
is
this:
this
idea
of
the
virtual
machine
within
the
kernel,
which
is
what
bpf
is,
has
been
around
for
a
long
time
if
you've
ever
used
tcp
dunk
that
actually
is
a
command
that
will
compile
your
your
query
into
a
bytecode.
That's
run
within
the
kernel.
B
This
has
been
around
since
the
90s,
but
more
recently,
edpf
has
been
created
and
it's
a
redesigned
via
model
where
the
bpf
system
call
allows
for
you
to
inject
these
programs
within
the
kernel.
The
workflow
is,
essentially,
you
write
an
ebpf
program
or
use
a
tool
that
has
written
the
programs
for
you,
like
coop
cuddle
trace
there.
I
wasn't
actually
even
writing
evpf.
I
was
writing
bpf
trace,
which
is
a
scripting
language
and,
as
I
said,
the
pros
are
that
no
kernel
module
is
required.
You
can
construct
much
more
sophisticated
analysis
with
the
kernel.
B
The
only
drawback
is
no
support
on
very
old
kernels,
but
there
are
a
lot
of
backboards
and
I
would
say
if
you,
if
you
have
seen
ebpf,
you
know,
mentioned
a
lot
and
like
why
exactly
it's
particularly
useful.
I
think,
like
the
a
lot
of
the
same
develop,
of
course
the
linux
kernel
has
been
around
for
a
while.
B
B
It
restricts
the
things
that
you
can
actually
do,
so
it
actually
imposes
limitations
which
enable
additional
safety
checks
and
also
allows
for
by
by
making
sure
that
you're
not
gonna.
You
know
step
on
your
own
toes
and
do
something
that's
going
to
cause
a
crash,
because,
usually,
when
the
kernel
crashes,
that's
going
to
cause
your
system
to
reboot.
B
So
how
do
you
write
an
ebf
program,
so
I
showed
you
one
way
to
do
that
using
bpf
trace,
ultimately
at
the
low
level,
it's
the
bpf
system
call,
and
you
can
do
this
by
either
writing
evpf
assembly
by
hand.
I
don't
think
most
people
are
going
to
do
that,
though,
but
for
performance
tuning,
and
things
like
that,
you
may
want
to
do
that
or
you
write
in
c
and
use
a
suite
of
helper
libraries
to
help
you
insert
these
programs.
B
Essentially
it's
you
know,
you
have
a
one
size
fits
all
where
you
have
different
types
of
commands
that
can
be
run
via
the
system
call,
and
this
gives
you
a
little
bit
of
a
flavor
of
the
different
types
of
programs
that
can
be
run
with
bpf.
This
isn't
just
like
network
or
process
executions.
You
can
attach
to
really
anywhere
in
the
kernel
that
you're
you're
interested
in
and
if
you've
heard,
of
trace
points
or
k
probes.
These
are
these
are
attachment
points
within
the
kernel
and
trace
points.
B
B
Here's
an
example
of
a
really
simple
evpf
program
that
gathers
the
last
pid
that
called
a
particular
system
call
but
really
you're
not
going
to
want
to
write
such
low-level
stuff
you're
going
to
want
to
use
compiler
collection
like
bcc
or
bpf,
trace
and
bpf
trace
is
most
useful
for
debugging
and
profiling,
but
there's
also
security,
utilities,
networking
and
monitoring
that's
built
on
top
of
bpf.
That
includes
the
whole
platform
and
user
space
as
well
so
you're
not
actually
triggering
and
running
the
bpf
program.
B
Their
aqua
security
has
a
tool
called
tracy
staccrocks
we
use
ebpf
and,
as
part
of
our
acquisition,
we're
in
the
process
of
open
sourcing.
Part
of
our
tools
stay
tuned
for
that's
right.
That's
right,
stay
tuned
for
announcements
at
kubecon,
eu
there's
a
whole
world
of
really
cool
stuff.
That's
happening
at
psyllium
to
extend
the
networking
stack,
os
query
debugging,
as
I
showed
in
demo,
with
coop
cuddle
trace
and
then
some
really
leading
edge
access
control
functionality.
That's
been
added
to
the
kernel
recently
called
the
kernel
runtime
security
instrument.
A
B
B
You
know
that
that's
the
kind
of
thing
that
is
really
slow
moving
but
javascript.
You
know
open
up
all
these
opportunities
for
new
platforms
and
new
things
that
you
could
build
on
top
of
the
browser
and
because
every
or
the
majority
of
kubernetes
clusters
and
cloud
native
tools
run
on
linux.
Linux
is
kind
of
the
lingua
franca,
the
one
kind
of
like
lowest
common
denominator
for
all
of
these
tools,
and
so,
if
you
have
a
way
to
extend
the
linux
kernel
well,
that
means
that
you
can,
you
know,
support
anything.
A
B
So,
for
example,
so
iptables
is
doing
some
of
that
routing
in
user
space.
So
you
create,
you
know
a
round
trip
from
user
space
to
kernel
and
back
in
order
to
validate
whether
a
packet
should
be
dropped,
or
you
know
whether
we
should
allow
a
particular
connection
to
be
established
and
by
putting
the
logic
and
the
filtering
and
things
like
I
mean,
of
course,
some
of
this
already
existed,
but
ebpf
allows
us,
allows
the
linux
kernel
to
extend
that.
B
From
the
other
angle,
you,
you
might
think,
like.
Oh
vm,
that's
going
to
be
slow
to
execute
the
byte
code
that
is
injected
into
the
kernel
is
actually
compiled
to
machine
code
after
it
passes
all
the
validation
checks
within
the
kernel,
and
so
the
the
the
logic
that
you
write
is
running
at
the
machine
level.
A
A
Okay
is
everyone
see.
Yep
looks
like
we
see
it
awesome.
So,
just
to
kind
of
give
you
a
highlight
right,
so
I
literally
just
spun
up
in
a
matter
of
like
six
minutes,
the
latest
version
of
stack
rocks,
but
what
I
kind
of
wanted
to
highlight
was
the
fact
that
I
have
three
nodes
and
I
can
actually
go
into
the
platform
configuration
and
look
at
the
clusters
themselves
and
I'm
going
to
drill
in
and
we
can
actually
see
to
prove
to
you.
A
I
am
using
an
ebpf
program
for
collection.
Now.
The
the
one
interesting
thing
about
our
platform
is
that
we
can.
We
can
use
kernel
modules
or
evpf.
It
depends
on
your
comfort
level
and
depends
on
your
access,
the
permissions
and
access
to
the
nodes
themselves,
but
but
ebpf
is
really
kind
of
the
the
new
hotness
right,
but
just
to
kind
of
show
you
just
kind
of
highlight
what
some
of
the
things
it
can
do
is
we
can
look
at
like
say,
network
graph
for
a
second,
so
we
can
understand
in
fact
here.
A
Let
me
go
ahead
and
deploy
a
bunch
of
fun
stuff
to
this
and
we'll
see
things
pop
up.
Actually,
we
can
actually
watch
the
violations.
This
also
is
a
good
window,
because
this
is
showing,
as
applications
come
up,
we're
able
to
assess
not
only
processes
that
are
running
from
a
runtime
standpoint
of
you.
There
is
one
right
for
network
management,
execution
right,
so
ebpf
is
giving
us
the
kubernetes
native.
A
You
know
kernel
observability
for
lack
of
a
better
term,
because
we've
written
those
ebpf
programs
that
robbie
was
talking
about
and
and
it
wouldn't
be
possible
without
an
ebpf
module
or
a
kernel
module
to
get
this
level
of
observability
right.
There
are
some
tools
out
there
that
write
their
own
agents
but
effectively
it's
doing
the
same
thing,
because
the
kernel
is
the
heart
of
every
host
os
for
lack
of
a
better
term.
A
A
A
B
So
there
is
a
lot
of
work
that
has
been
done
to
harden
the
ebpf
subsystem
it
the
you're,
not
allowed
to
write
certain
types
of
programs.
You
can't
have
loops,
actually
you
and
what?
What
the
reason
for
that
is
by
limiting
what
you're
able
to
do.
Verifier
that's
within
the
kernel
can
actually
check
all
possible
paths
within
within
the
the
program.
B
You're
limited
you
can't.
First,
the
regions
of
the
kernel
that
run
ebpf
are
read
only
and
you're
limited
to
what
you
can
access.
You
have
to
use
a
set
of
helper
functions
to
access
different
parts
of
the
kernel.
You
can't
read
kernel
memory
directly
from
within
your
your
ebps
program,
there's
additionally
specter
mitigations
for
edpf
and
from
the
pers
from
the
perspective
of
an
ebpf
program
versus
a
kernel.
Module
dpf
is
much
much
more
secure.
A
B
B
B
Now
there
are
other
ways
to
get
data
from
the
kernel.
You
know
if
you
want
to
go
real
old
school,
you
just
read
the
proc
file
system
right.
You
just
look
in
there
and
see
what
processes
are
running
you
don't.
Maybe
ebpf
is
too
much.
You
don't
need
all
the
features
of
it
and
so
that
that's
a
con
another
another
one
is
that
usually
you
need
to
stay
on,
make
sure
you're
running
like
the
latest
kernels.
A
A
B
Well,
if
you're,
if
you're
cur
so
the
kernel
can
certainly
make
breaking
changes,
but
there
are
certain
guarantees,
you
have
it
and
depends
on
what
memory
and
what
kind
of
structures
within
your
program
you're
accessing.
I
mentioned
trace
points
and
cape
robes.
These
are
just
examples
of
events
or
hooks
you
can
attach
to
and
they
have
varying
levels
of
stability
k.
Probes
could
change
at
any
minute.
B
Trace
points
are
much
more
stable
and
so
that
that's
one
angle,
you
know
like
what
what
data
are
you
getting
and
then
this
notion
of
building
a
a
current,
yes
you're,
absolutely
right
to
build
a
kernel
module.
You
need
the
kernel
headers
and
those
chains
you
need
to.
You
know
essentially
build
a
kernel
module
for
each
version
of
the
kernel,
and
there
are
you
know,
thousands
and
thousands
of
kernel
versions
that
are,
you
know,
appearing
with
patches
and
constantly.
So
you
need
to
recompile
every
time.
That's
a
big!
B
You
know
you
do
need
the
headers
to
write
an
edpf
program.
Actually,
the
coupe
cuddle
trace
tool
that
I
demoed
mounted
in
the
pod,
the
headers
on
the
node
and
then
used
those
headers
to
build
the
probe,
so
it
cheated
it
cheated
a
little
bit.
Thankfully,
there's
there's
some
people
working
on
things
that
allow
you
to
just
get
that
data
directly
from
the
kernel
itself.
It's
called
compile
once
run
everywhere,
which
is
a
core,
and
so
that
is
kind
of
the
the
future.
A
It's
really
abstract
away.
The
kernel
version
got
it
so
yeah
we
got
to
stop.
There's
a
I
gotta
be
a
little
selfish
here.
There's
a
question
about
stackrocks.
Sorry,
I
gotta
I
gotta
take
this
one,
as
I
said,
does
stackrocks
integrate
with
other
open
source
cloud
native
security
products,
I.e,
falco
opa!
A
A
I
don't
know
if
you
remember
back
in
the
day
where
you
take
multiple
modems
and
you
pull
them
together
and
to
create
a
big
pool
and
that
way
you'd
have
much
more
bandwidth.
Think
of
stack
rocks
kind
of
like
that
next
layer
of
abstraction
from
a
tool
like
falco
right
where
falco
does.
This
is
using
the
same
epf
for
kernel,
module
and
doing
the
same
kernel.
Instrumentation
observation
right.
What
we're
doing
is
we're
taking
it
up
a
level
abstraction
we're
able
to
start
tying
together.
Kubernetes
native
constructs.
A
As
I
tell
my
customers,
we
can
traverse
the
kubernetes
logical
separation
tree
very
nicely
right
between
deployments
between
name
spaces
and
start
to
bring
up
that
observability
from
a
low
level
all
the
way
up,
and
so
that's
that's
one
of
the
big
differences.
I
can.
I
say
it
robbie.
I
got
to
say
it
so
part
of
the
announcement
for
kubecon.
A
Part
of
the
announcement
at
kubecon
is
that
we
will
be
actively
contributing
as
red
hat
to
the
falco
open
source
project
can't
go
any
further
than
that,
but
because
I
don't
want
to
ruin
the
surprise
but
yeah
the
stack
rocks
as
a
platform
is
an
abstraction
layer
above
and
we
like
falco
yep,
totally,
okay
cool.
What
are
your
thoughts
on
opa
robby,
just
I'm
kind
of
curious
on
this
one,
because
he
did
ask
opa.
B
My
so
opa
is
is
an
awesome
platform,
for
you
know
gluing
together
and
you
know,
building
policy
and
what
the
as
as
far
as
the
like
integration
points,
you
know,
there's
there's
a
lot
of
ways
that
I
think
stack
rocks
has
the
potential
to
work
with
opa.
One
issue
with
oppa
is
that
you
know
if
we,
if
we're
kind
of
taking
a
step
back,
oppa
rego.
A
Yeah,
it's
called
yaml.
Sorry
I
had
to
do
it
or
tommle.
That
was
my
favorite.
One
was
tomml,
okay,
another
great
question:
I
love
these
questions.
Keep
them
up
to
you.
Is
it
possible
to
integrate
using
open
api
stack,
rocks
with
other
kubernetes
as
a
service
sas
platforms,
if
you're
talking
like
xks
eks,
aks
digitalocean
has
one
the
nice
thing
about
our
platform
is
as
long
as
it's
kubernetes
right.
Big
air
quotes
there
as
long
as
it's
a
kubernetes
sas.
Yes,
we
should
be
able
to.
A
There
are
some
caveats
in
terms
of
them
of
having
privileged
access
to
the
nodes,
to
be
able
to
run
ebpf
or
run
the
kernel
module,
but
for
well
honestly,
most
use
cases.
You
should
be
good
to
go,
definitely
test
it
out
and
we
can
definitely
help
you
with
that.
If
there's
a
specific
platform
you're
curious
about
just
just
throw
it
in
the
questions
and
answer
and
I'll,
let
you
know
basic
thumbs
up
thumbs
down,
but
from
all
the
ones
that
I've
seen
in
terms
of
customers
using
not
an
issue.
B
A
I
think
that's
smartphone
from
where
we
talked
about
the
surface
area,
that's
incredibly
smart
to
kind
of
limit
the
the
the
blast
radius.
I
always
love
that
term
opa
or
caverno
mike
I'm
gonna
put
my
opinion
out.
I
hope
it's
okay,
I
think
opa
because
of
reggae
and
caverno
there's
a
certain
level
of
like
it's
it's
it's
like
no
offense
robbie,
the
ebpf
programs
themselves
right
where
there's
a
huge
bear
to
entry
and
once
you're
in
yeah
you
can.
A
You
can
rewrite
the
world
and
move
the
world
and
it's
great,
but
because
it's
such
a
huge
barrier
to
entry.
I
think
until
there's
a
tool
that
comes
along
that
abstracts
away.
Think
about
like
trying
docker
swarm,
I
used
to
work
at
docker,
so
I
I'll
take
on
them.
The
first
version
of
docker
storm
was
horrible.
You
had
to
install
like
15
different
things
and
it
just
didn't
work.
A
A
You're
going
to
see
it,
as
you
know,
an
extreme
edge
case
where
you
know
like
the
sas
model,
unless
it's
built
in
people
ain't
going
to
use
it,
because
it's
just
there's
a
there's
enough
of
a
learning
curve
that
we
should
abstract
away
all
these
things.
That's
just
my
opinion.
I
hope.
What's
your
opinion
on
opa
and
caverno
as
like
a
pro,
you
know,
as
as
types
of
instrumenting.
B
You
know
like
these:
any
all
of
these
tools
are
very
powerful,
but
they
have
to
be
maintained.
You
know,
and
you
wanna
you
wanna,
be
able
to
allow
your
developers
to
you
know,
develop
quickly
and
also
have
some
guardrails,
but
if
you're
constantly
going
in
and
tweaking
the
the
rule
sets
or
the
policies-
and
you
don't
have
an
easy
way
to
update
them,
then
that's
gonna,
that's
gonna,
slow!
You
down.
Now
I
yeah
oppa
and
komero
they're
they're
all
very
powerful,
but
it
all
comes
down
to
ease
of
use.
A
Cool,
so
chando
is
gonna
gonna
rephrase
that
question,
but
there
was
one
about
porka
and
some
of
our
competitors.
I
know
we'll
give
you
a
little
backstory
on
stackrocks
about
two
plus
years
ago,
actually
about
four
three
and
a
half.
Four
years
ago
we
were
kind
of
an
age.
We
were
kind
of
like
a
typical
agent
install
with
some
of
the
other
tooling,
that's
out
there
and
decided
to
pivot
and
go
kubernetes
native,
and
what
that
really
means
is
we
need
kubernetes
to
deploy.
A
We
have
deployments
daemon
sets
all
of
the
kubernetes
object,
land
landscape.
That
is
just
sometimes
frustrating,
but
it
also
means
that
we
hook
directly
into
the
kuba
api.
We've
got
service
accounts
that
can
do
that
with
our
back,
so
we're
using
kubernetes
built-in
structure
to
talk
to
it,
as
well
as
an
ebpf
to
pull
that
information
out
and
draw
it
together,
and
it
gives
us
a
really
interesting
opportunity,
like
I
said,
to
navigate
the
kubernetes
logical
separation
landscape
and
make
some
really
interesting
connections
in
terms
of
data.
A
One
of
my
favorites
is
a
violation
happened
because
something
happened
in
a
running
container.
Well
within
two
clicks.
I
can
see
the
docker
file
that
the
image
was
built
with.
I
can
look
at
the
cvs
and
being
able
to
pull
those
data
points
together,
means
that,
from
if
you're
in
a
dev
environment
you'll
be
able
to
troubleshoot
the
issue
much
quicker
or
if
you're
in
production,
you
can
isolate
the
problem
and
even
turn
on
policy
enforcement
to
kind
of
affect
that
at
an
insane
velocity
that
I
think
trying
to
connect
it
with
different
tools
out.
B
Yeah
to
like
kind
of
extend
that
the
the
demo
where
I
showed
all
the
processes
that
were
executing
all
we
had
there,
that
was
on
the
node.
All
we
had
was
the
process
executions
we
didn't
know
which
container,
which
deployment
what
image
was
running
that
process
and
if
you
tie
all
of
that
stuff
together,
then
the
stuff,
that's
an
anomaly
or
something
malicious
really
stands
out,
so
see.
There's
something
running
on
the
node
that
shouldn't
be
there
or
you
know
it's
like.
A
Yeah
so
so
chando
followed
up
on
his
question
his
or
hers.
I
apologize
their
question.
Is
it
possible
to
integrate
stack
rocks
using
stack,
rocks,
rock's,
open
api
with
kate's
as
a
service
products
like
oh
platform,
nine
or
git
lab
or
shippa?
So
there's
a
or
argo
argo's,
one
of
the
fun
ones
or
weave
works.
A
There's
a
lot
of
landscape
there,
yes,
being
kubernetes
native,
we
can
integrate
with
all
of
those
tools.
I've
personally
written
argo
pipelines,
you
know
helm
effectively.
Argo
can
translate
helm
with
customize
and
all
that
we
can
definitely
deploy
stack
rocks
as
a
service
aka.
You
know,
like
argo
cd
kind
of
methodology,
we
also
have
helm.
My
favorite
personal
install
is
the
whole
kiss
principle
or
where
we
can
install
is
just
kubernetes
gives
a
lot
of
control
over
how
it's
deployed.
A
I
think,
having
the
choice,
though
of
the
let's
say,
helm
and
then
well
we're
red
hat
now
right,
so
we
got
to
have
an
operator
so
between
those
three
install
paradigms
gives
a
lot
of
control
over
how
you
install
where
you
install
and
what
you
install
from
our
platform.
It's
it's
a
good
time
to
be
alive.
Let's
face
it
in
the
in
the
stack
rocks
world.
A
Is
there
here's
another
good
one?
What
significant
differences
between
cystic
enterprise
version
of
container
security
by
enterprise
falco
and
stack
rocks
I'm
gonna?
First
off,
I
don't
like
talking
negative,
it's
a
waste
of
time.
I
think
in
terms
of
talking
positive
right,
I
can
tell
you
our
benefits.
I
think
it's
like
it's
the
kubernetes
approach
native
approach,
right,
we're
looking
at
everything
and
one
of
the
things
that
I
think
we
do
maybe
even
to
a
disservice,
but
cystic
will
grab
everything.
A
A
B
Yeah
I
have,
and
I
would
say
stack
rocks-
is
really
easy
to
deploy.
You
know
it's
up
and
running
really
quickly,
because
it's
all
integrated
with
helm
and
kubernetes
native
it
just
it
just
kind
of
works.
You
know
you,
you
lay
it
out
over
all
your
clusters
and
and
there
you
go
you're
immediately,
seeing
kind
of
in
insightful
data.
A
Yeah,
this
is
a
good
one
from
waleed.
It
says:
do
you
advise
psyllium
as
a
cni
for
openshift
question
mark
or
how
do
you
how
you?
How
do
you
do
network
segmentation
and
network
policies?
I'm
going
to
give
you
the
real,
simple
answer?
We
don't
care
what
cni
you
use
we're
working
at
the
kubernetes
level.
In
other
words,
we
deal
with
network
policy
objects
and
and
I'll
give
you
I
got
to
do
the
demo,
because
it's
just
a
fun
little
demo.
A
A
Let's
pick
on
key
cloak,
I
haven't
picked
on
that
one
in
a
wire
while,
okay,
so
we're
looking
at
the
metadata
of
all
the
network
connections
and
what
we
can
do
is
actually
really
interesting
because
of
the
behavior
analysis
engine
we've
got
built
in
and
that
and
the
network
metadata
is
we
can
go
and
scope
in
by
namespace.
We
can
scope
in
by
time,
but
we
can
do
a
network
policy
simulator
and
what
this
is
going
to
allow
us
to
do
and
here's
a
great
example.
A
This
is
going
to
allow
us
to
create
a
kubernetes
native
network
policy
object.
This
is
independent
of
the
cni.
Actually,
this
is
one
quarter,
layer,
half
layer
up
from
the
cni,
so
we
don't
care
what
cni's
doing
behind
the
scenes.
This
is
saying:
hey,
kubernetes,
don't
let
those
two
talk
and
what
this
also
means
is
we're
underneath
the
service
mesh.
A
This
gives
us
the
opportunity
to
work
kind
of
in
between
those
two
layers,
so
any
cni
any
cloud
provider,
because
I
know
some
of
them
use
different
things,
any
any
service
mesh
and
here's
the
fun
part.
This
is
what
I
love
is
downloading
the
ammo,
because
now
you
can
actually
save
that
with
your
application,
whether
it's
helm
kubernetes,
is
how
you
deploy
it
and
that
way
when
you
go
to
deploy
it
in
production
or
you
go
to
play
in
another
place.
A
Yeah,
there's
a
there's,
a
good
question
in
from
sadiq.
It
says
how
does
stack
rocks
compare
with
public
cloud
security
offerings
like
azure
security
center?
Please
one
major
way.
You
can't
run
as
your
security
center
on
google
or
aws
right
it.
It's
it's!
I
honestly.
I
don't.
I
don't
know
that
tool.
Maybe
you
know
robbie,
but
I
don't
I'm
not
familiar
with
the
yeah.
I'm
not
either.
But
what's
kind
of
interesting
is
this
idea
of
cloud
agnostic,
agnosticism
agnostic
and
really
it's
around
deploy
anywhere
right?
A
Any
kubernetes
or
this
question
actually
came
up
in
one
of
my
customer
meetings,
any
cncf
based
kubernetes,
so
I've
actually
successfully
installed
stackrocks
I
mean
my
demo
uses
k3s.
I
don't
know
what
you
were
running
robbie
in
your
cluster,
but
I've
seen
it
on.
I
haven't
not
nomad,
but
convoy
from
d2iq.
A
I've
seen
it
on
many
different
versions
of
openshift
and
rancher
and
aw
aks
eks
digitaloceans,
like
sivo,
has
a
managed
hosting
I've
just
seen
it
work
on
everyone,
because
it's
kubernetes,
so
that's
kind
of
a
an
interesting
differentiator
from
the
public
security
stuff
cool.
Another
question:
it
would
be
more
interesting
if
the
net
pool
can
have
specifics
for
calico
celium,
where
it
has
more
host
mesh.
Okay,
I
think
we're
going
with
this
right,
so
you
want
you
want
to
drill
from
the
kubernetes
object
down
into
the
cni
object,
and
you
know
it.
A
I
actually
had
a
conversation
with
a
government
entity
earlier
about
knowing
or
swimlane
right
and-
and
I
always
joke
about
the
the
seven
layer
burrito
right
where,
where
robbie
was
down
underneath
the
tortilla
and
some
of
the
epf
stuff,
but
but
if
you
think
about
the
host
and
then
you
know
the
host
with
this
operating
system
and
then
the
kubernetes
and
that's
got
obviously
cni
and
all
that
like
where
we
are
in
our
swim
lane,
I
think,
is
really
interesting
and
and
there's
so
much
information
full
stack.
That.
A
You'd
lose
it.
Unfortunately,
I
think
oh
I'm
still
screen
sharing.
Look
at
me
yeah.
I
think
I
think
you
lose.
You
lose
a
lot
of
value
just
getting
dumped
with
all
that
information,
and
I
think
so,
for
us,
concentrating
on
our
swim
lane
is,
is
actually
better
because
then
we
can
make
our
product
better
within
those
kind
of
guardrails.
B
A
B
Well,
you
know,
I
think,
that
the
question
about
you
know
ingesting
more
information
into
the
network.
Policies
is
somewhere.
We
we
want
to
go.
You
know,
service
messages
are
opening
up
a
lot
of
new
kind
of
again
that's
kind
of
extensibility
of
the
network,
where
you're
putting
application
logic
into
the
network
and
ebbs
will
let
us
do
that
another.
I
would
say
another
area,
that's
really
exciting
and
maybe
a
little
further
off
is
enforcement
via
ebpf.
B
You
know,
let's
just
go
ahead
and
say
that
we're
going
to
have
a
rule
set
that's
embedded
in
the
kernel
that
doesn't
allow
certain
program
launches
or
you
just
block
the
system
call
at
a
particular
level,
and
it's
that
it's
blocked
based
on
the
fact
that
it's
determining
what
image
is
running
or
you
know
kind
of
putting
some
of
these
higher.
That's
what
ebv.
B
A
B
A
Cool
fantastic,
you
know
I
I
we
do
have
some
limited
swag.
I
apologize
that
we
weren't
as
forthcoming.
I
know
some
people
were
asking
for
stickers
and
stuff.
I
think,
if
here's
an
easy
one,
if
you
can
put
your
email
address
in
the
q
a
we
might
be
able
to
arrange
a
limited
number
of
stickers
and
stuff
to
go
out.
You
know,
unfortunately,
we're
we're
waiting
for
obviously
kubecon,
both
eu
and
u.s,
to
kind
of
come
back
alive.
A
So
big
big
hopes
for
that.
So
another
good
question.
Oh
some
more
questions!
Great,
do
you
have
a
plan
to
have
catacotta
coda
based
demo
environment,
for
deep
dive
on
all
the
stack
rock
features
from
the
sales
point
of
view?
No,
because
it's
relatively
easy
to
install
on
your
cluster.
So
there
really
isn't.
I
don't
think
there's
this
need,
because
I
think
a
lot
of
it
would
be
tire
kickers
and
just
let's
install
it
on
your
environment,
throw
so
you
can
throw
your
applications
at
it.
A
Actually
isn't
there
there's
play
with
kubernetes
play
with
play
dash
with
kate's
dot
com.
I
think
that
was
marco
did
one
for
docker
years
ago
and
you
should
be
able
to
spin,
I
don't
think
you'll
be
able
to
spin
kernel
modules
up
in
ebpf
up
there,
but
it's
relatively
easy
to
spin
up
a
single
node
cluster
with
k3s
on
a
vm
on
any
on
your
cloud
provider,
du
jour.
A
A
A
A
I've
hinted
at
this
and
I'm
going
to
leave
it
a
surprise.
This
is
a
teaser,
so
you've
got
to
follow
our
announcements
at
kubecon
eu.
I'm
not
giving
it
away
to
you
good
good,
try,
waleed!
Well,
that's
a
long!
Okay!
So
does
stackrocks
do
partner
programming.
If
a
sas
product
yeah
we
do
we
have
if
we
do
not
do
white
labeling.
So
I
like
it,
you
call
that
out
not
white
labeling
follow
traditional
red
hat's
traditional,
like
partnering
programs.
A
If
you're
interested
go
to
health.stackrocks.com
and
not
help
sorry
regular
stack
rocks
like
I'm
so
used
to
saying
help
but
go
to
the
website
and
fill
out
a
request
and
and
if
there's,
if
there's
a
valid
use
case,
we'll
absolutely
help
you
out.
I
mean,
I
think,
there's
the
more
people
that
have
this
kind
of
visibility
in
their
kubernetes
environments
means
like.
If
tesla
had
this,
they
wouldn't
have
gotten.
You
know
their
dashboard
wide,
open
and
there's
a
whole
other.
A
You
know
all
other
hacks
out
there
around
kubernetes
cool
and
we'll
lead
both
marcos
play
with
docker
and
play
with
it's
play
with
kubernetes.
I
guess
for
markups
cool
well,
if,
if
we
don't
have
any
great
questions
coming
up
or
any
more
questions,
like
I
said,
let
us
know,
I
see
a
couple
emails
in
the
q,
a
which
is
perfect,
any
final
thoughts
robbie.
What
do
you
think?
A
B
A
B
A
Well,
it's
also
kind
of
cool.
What's
also
kind
of
cool
is
being
able
to
understand
where
it
is
in
that
burrito
right.
I
hate
to
use
that
analogy
and
then
also
understand,
what's
on
top
and
what's
below
and
where
things
lie,
because
I
think
the
more
we
know
about
burritos
the
tastier.
They
are
right.
Let's
be
honest,.
A
Can't
argue
with
that
fact.
I
think
I
need
to
go
get
chipotle
tonight
and
for
those
that
don't
have
it
in
your
country,
I'm
sorry
it's
kind
of
good,
sometimes
or
if
you're
on
the
web.
I
think
robby
you're
on
the
west
coast.
You
can
get
the
real
thing
out
here
on
the
east.
It's
you
know,
hit
or
miss
cool
I'd
like
to
thank
everybody
for
joining.
I
think
it's
it's
been
a
blast.
A
Hopefully
we've
entertained,
at
least
for
a
little
while
and
and
answer
some
evp
and
inadvertently
stackrock's
questions,
which
I
absolutely
love,
because
I
think
it's
a
great
product,
I'm
not
going
anywhere.
If
you
have
any
additional
questions,
you
can
obviously
reach
out
to
the
team
at
stackrocks.
By
going
to
the
website,
I
think,
did
we
have
on
our
main,
we
didn't
have
email
addresses
but
I'll,
give
mine
out
there,
because
I'm
okay
with
that,
it's
c-l-e-m-e-n-k-o
at
redhat.com
yeah,
feel
free
to
reach
out
to
me,
I'm
I
answer
all
the
questions.