Culture / Linux / Networking / Contributed

Liz Rice: Following the ‘Superpower’ Promise of eBPF

15 Mar 2021 6:00am, by

Liz Rice
Liz Rice, chair of the CNCF’s technical oversight committee

For lots of folks in software engineering, every now and again a technology comes along that really sparks the imagination. I’m sure that many readers of The New Stack will recall their first encounters with containers, very possibly through Docker, and the realization that this was a technology that could change everything. Containerization is arguably the lynchpin of the move to cloud native.

But every step forward creates new challenges, and new boundaries to push. For me, eBPF is another transformational technology and one that I’m excited to get more deeply involved in, as I join the leadership team at eBPF pioneers, Isovalent.

eBPF stands for “extended Berkeley Packet Filter,” but that’s not a tremendously useful phrase for describing the scope and potential of this technology. It allows you to run custom code in the kernel in response to practically any event — the arrival of a network packet, a syscall, the invocation of a function in userspace or in the kernel… the list is practically endless. Brendan Greggs from Netflix coined the phrase “superpowers for Linux,” and that’s no exaggeration.

In my role as chair of the Cloud Native Computing Foundation’s Technical Oversight Committee, I have the very privileged opportunity to hear a lot about cloud native adoption, technologies, and challenges, across the spectrum of different projects and at different levels of the stacks. Running Kubernetes in production has become a mainstream activity these days.

But as users scale their environments and roll out business-critical cloud native apps, they’re becoming aware of new challenges. How do they scale connectivity, troubleshoot issues, and ensure security across what is increasingly a shared service for the enterprise?

Many of today’s solutions for these challenges use a sidecar model to gain awareness of individual workloads. This is a model that works, but it comes with costs. Userspace networking stacks add overhead, as can observability and security functionality that’s replicated in every pod, and we’ve seen that as a result up to 50% CPU utilization can end up being used by the infrastructure, rather than the business applications!

Additionally, security events that span multiple workloads can’t be detected from within a sidecar or firewall but are visible to the Linux kernel. eBPF opens up the potential for high-performance networking, observability, and security solutions, by directly leveraging the Linux kernel and its awareness of everything that’s happening across a host. You can have the technical and process advantages of cloud native, independent microservices for business applications, while making the infrastructure that they run on both workload- and system-aware.

There are some fantastic cloud native projects leveraging eBPF already. The CNCF’s Falco project has support for an eBPF-based driver to detect security rule violations. My former team at Aqua is developing Tracee, which combines an eBPF event-detection engine with rules defined in Open Policy Agent’s rego language. But the most widely deployed eBPF project in production is Cilium, the eBPF-based Kubernetes networking plugin.

I recall first becoming aware of Cilium at DockerCon back in 2017, through Isovalent Chief Technology Editor Thomas Graf’s Star Wars-based demo. At the time, eBPF was a pretty new Linux kernel feature available — too new to find in many enterprise deployments, but I’ve been intrigued by its possibilities ever since seeing Graf’s talk.

Fast forward to 2021, and the kernel features that Cilium relies on are now widely available. This availability is why eBPF appears as one of the hot technologies to watch this year in my KubeCon keynote “Predictions from the TOC”, and why startups in the space — including Isovalent — are currently enjoying a ton of attention from investors and acquiring companies right now.

Graf and Isovalent CEO Dan Wendlandt have assembled many of the world’s top eBPF experts to work on the Cilium project, and it’s undoubtedly the leading networking solution in this space. I’ve been seeing big customer after big customer adopting Cilium, and at last year’s eBPF Summit, Datadog, Capital One, Adobe and many others spoke about how the project is enabling them to overcome so many of their greatest challenges to growing their Kubernetes environments. The high-performance networking it delivers, coupled with tools for troubleshooting connectivity issues and detecting security events, are only possible through the use of eBPF, and using Cilium gives teams the confidence to deploy sensitive workloads on their Kubernetes platform. I’m excited and delighted to be joining the Isovalent team to help bring the benefits of Cilium to every Kubernetes deployment.

The New Stack is a wholly owned subsidiary of Insight Partners. TNS owner Insight Partners is an investor in the following companies: Docker.

A newsletter digest of the week’s most important stories & analyses.