Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[RivieraDev] An Intro to eBPF with Go: The Foun...

[RivieraDev] An Intro to eBPF with Go: The Foundation of Modern Kubernetes Networking

eBPF is revolutionizing how we secure, observe, and scale Kubernetes networking, but its complexity can be daunting. This session demystifies eBPF by exploring how Go makes it accessible, focusing on its integration with Kubernetes through the open-source project Cilium. Attendees will learn the basics of eBPF, how Go simplifies working with it, and practical use cases that demonstrate Cilium’s ability to enforce secure, scalable network policies. This talk is perfect for Kubernetes practitioners curious about eBPF and Go but unsure where to begin.

Avatar for Donia Chaiehloudj

Donia Chaiehloudj

July 10, 2025
Tweet

More Decks by Donia Chaiehloudj

Other Decks in Technology

Transcript

  1. An intro to eBPF with Go: The Foundation of Modern

    Kubernetes Networking Donia Chaiehloudj | @doniacld Software Engineer, Isovalent at Cisco Co-author of the book “Learn Go with Pocket-Sized Projectsˮ Jul 8, 2025
  2. Why for Kubernetes? @doniacld Program pod Linux Kernel Userspace event

    pod pods One kernel for all the containers syscalls
  3. @doniacld Go is the 💎 in Cloud-native ecosystem • eBPF

    is kernel-level magic → But hard to interact with directly C, bytecode). • Most cloud-native projects are written in Go → Kubernetes, Docker, Prometheus, Cilium, etc. • Go offers simplicity + performance → Ideal for distributed systems and networking. • Go + eBPF = productive + powerful → SDKs like cilium/ebpf let you write networking/security tooling
  4. @doniacld C Code App Code Maps Linux Kernel Userspace load()

    read() write() syscalls ELF Object clang Write programs in userspace loading BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_PERCPU_HASH BPF_MAP_TYPE_PERCPU_ARRAY BPF_MAP_TYPE_QUEUE BPF_MAP_TYPE_STACK
  5. @doniacld 1 Write eBPF C program 2 Generate Go Objects

    & Methods 3 Write Go main program 4 Run your program Development cycle
  6. 1. Write C program: Trace when files are open #include

    <linux/bpf.h> // BPF header for definitions. #include <bpf/bpf_helpers.h> // BPF helper functions. // Attach to sys_enter_openat tracepoint. SEC("tracepoint/syscalls/sys_enter_openat") int trace_openat(void *ctx) { char msg[] = "File opening..."; // Message to log. bpf_trace_printk(msg, sizeof(msg)); // Log message to trace pipe. return 0; } char LICENSE[] SEC("license") = "GPL"; @doniacld
  7. 1. Write C program: Trace when files are open #include

    <linux/bpf.h> // BPF header for definitions. #include <bpf/bpf_helpers.h> // BPF helper functions. // Attach to sys_enter_openat tracepoint. SEC("tracepoint/syscalls/sys_enter_openat") int trace_openat(void *ctx) { char msg[] = "File opening..."; // Message to log. bpf_trace_printk(msg, sizeof(msg)); // Log message to trace pipe. return 0; } char LICENSE[] SEC("license") = "GPL"; @doniacld
  8. 1. Write C program: Trace when files are open #include

    <linux/bpf.h> // BPF header for definitions. #include <bpf/bpf_helpers.h> // BPF helper functions. // Attach to sys_enter_openat tracepoint. SEC("tracepoint/syscalls/sys_enter_openat") int trace_openat(void *ctx) { char msg[] = "File opening..."; // Message to log. bpf_trace_printk(msg, sizeof(msg)); // Log message to trace pipe. return 0; } char LICENSE[] SEC("license") = "GPL"; @doniacld $ sudo cat /sys/kernel/debug/tracing/trace_pipe systemd-journal-326 [000] ...21 53765.037027: bpf_trace_printk: File opening... systemd-journal-326 [000] ...21 53765.037048: bpf_trace_printk: File opening... cat-35252 [000] ...21 53765.037948: bpf_trace_printk: File opening... cat-35252 [000] ...21 53765.037966: bpf_trace_printk: File opening... cat-35252 [000] ...21 53765.038107: bpf_trace_printk: File opening... process id
  9. 2. Compile & Generate Go Objects: bpf2go @doniacld //go:generate go

    run github.com/cilium/ebpf/cmd/bpf2go openfile openfile.c call clang under the hood
  10. @doniacld 2. Generated Go Objects // openfilePrograms contains all programs

    after they have been loaded into the kernel. //type openfilePrograms struct { TraceOpenat *ebpf.Program `ebpf:"trace_openat"` } Objects to manipulate // openfileObjects contains all objects after they have been loaded into the kernel. type openfileObjects struct { openfilePrograms openfileMaps openfileVariables } //go:generate go run github.com/cilium/ebpf/cmd/bpf2go openfile openfile.c eBPF program bytecodes
  11. @doniacld 3. Main Go Program: Load the eBPF program func

    main() { // Allow the current process to lock memory for eBPF resources. if err := rlimit.RemoveMemlock(); err != nil { log.Fatalf("failed to remove memlock: %v", err) } var objs openfileObjects err := loadOpenfileObjects(&objs, nil) if err != nil { log.Fatalf("failed to load objects: %v", err) } // Attach the eBPF program to the tracepoint. tp, err := link.Tracepoint("syscalls", "sys_enter_openat", objs.TraceOpenat, nil) if err != nil { log.Fatalf("failed to attach tracepoint: %v", err) } defer tp.Close() log.Println("eBPF program attached. Waiting for events...") // ... // Log “/sys/kernel/debug/tracing/trace_pipe" output // ... }
  12. @doniacld 3. Main Go Program: Attach the eBPF program to

    tracepoint func main() { // Allow the current process to lock memory for eBPF resources. if err := rlimit.RemoveMemlock(); err != nil { log.Fatalf("failed to remove memlock: %v", err) } var objs openfileObjects err := loadOpenfileObjects(&objs, nil) if err != nil { log.Fatalf("failed to load objects: %v", err) } // Attach the eBPF program to the tracepoint tp, err := link.Tracepoint("syscalls", "sys_enter_openat", objs.TraceOpenat, nil) if err != nil { log.Fatalf("failed to attach tracepoint: %v", err) } defer tp.Close() log.Println("eBPF program attached. Waiting for events...") // ... // Log “/sys/kernel/debug/tracing/trace_pipe" output // ... }
  13. 1. Write C Program: Define a Map to store the

    counter #include <linux/bpf.h> #include <bpf/bpf_helpers.h> struct { __uint(type, BPF_MAP_TYPE_ARRAY); __type(key, __u32); __type(value, __u64); __uint(max_entries, 1); } pkt_count SEC(".maps"); // count_packets atomically increases a packet counter on every invocation. SEC("xdp") int count_packets() { __u32 key = 0; __u64 *count = bpf_map_lookup_elem(&pkt_count, &key); if (count) { __sync_fetch_and_add(count, 1); } return XDP_PASS; } char __license[] SEC("license") = "Dual MIT/GPL";
  14. 1. Write C Program: Increment packet counter #include <linux/bpf.h> #include

    <bpf/bpf_helpers.h> struct { __uint(type, BPF_MAP_TYPE_ARRAY); __type(key, __u32); __type(value, __u64); __uint(max_entries, 1); } pkt_count SEC(".maps"); // count_packets atomically increases a packet counter on every invocation. SEC("xdp") int count_packets() { __u32 key = 0; __u64 *count = bpf_map_lookup_elem(&pkt_count, &key); if (count) { __sync_fetch_and_add(count, 1); } return XDP_PASS; } char __license[] SEC("license") = "Dual MIT/GPL";
  15. 2. Compile & Generate Go Objects: bpf2go //go:generate go run

    github.com/cilium/ebpf/cmd/bpf2go counter counter.c call clang under the hood
  16. 2. Generated Go Objects Objects to manipulate //go:generate go run

    github.com/cilium/ebpf/cmd/bpf2go counter counter.c // counterObjects contains all objects after they have been // loaded into the kernel. type counterObjects struct { counterPrograms counterMaps counterVariables }
  17. 2. Generated Go Objects // counterPrograms contains all programs after

    they have been loaded into the kernel. type counterPrograms struct { CountPackets *ebpf.Program `ebpf:"count_packets"` } Objects to manipulate // counterObjects contains all objects after they have been // loaded into the kernel. type counterObjects struct { counterPrograms counterMaps counterVariables } //go:generate go run github.com/cilium/ebpf/cmd/bpf2go counter counter.c eBPF program bytecodes
  18. 2. Generated Go Objects // counterPrograms contains all programs after

    they have been loaded into the kernel. type counterPrograms struct { CountPackets *ebpf.Program `ebpf:"count_packets"` } Objects to manipulate // counterObjects contains all objects after they have been // loaded into the kernel. type counterObjects struct { counterPrograms counterMaps counterVariables } //go:generate go run github.com/cilium/ebpf/cmd/bpf2go counter counter.c // counterMaps contains all maps after they have been loaded // into the kernel. type counterMaps struct { PktCount *ebpf.Map `ebpf:"pkt_count"` } eBPF program bytecodes Maps to read/write
  19. 3. Main Go Program: Load the eBPF program package main

    import ( // … "github.com/cilium/ebpf/link" "github.com/cilium/ebpf/rlimit" ) func main() { err := rlimit.RemoveMemlock() var objs counterObjects err := loadCounterObjects(&objs, nil) if err != nil { //… } defer objs.Close() ifname := "eth0" iface, err := net.InterfaceByName(ifname) if err != nil {//…} link, err := link.AttachXDP(link.XDPOptions{ Program: objs.CountPackets, Interface: iface.Index, }) defer link.Close()
  20. 3. Main Go Program: Choose an interface package main import

    ( // … "github.com/cilium/ebpf/link" "github.com/cilium/ebpf/rlimit" ) func main() { err := rlimit.RemoveMemlock() var objs counterObjects err := loadCounterObjects(&objs, nil) if err != nil { //… } defer objs.Close() ifname := "eth0" iface, err := net.InterfaceByName(ifname) if err != nil {//…} link, err := link.AttachXDP(link.XDPOptions{ Program: objs.CountPackets, Interface: iface.Index, }) defer link.Close()
  21. 3. Main Go Program: Attach the program to a hook

    package main import ( // … "github.com/cilium/ebpf/link" "github.com/cilium/ebpf/rlimit" ) func main() { err := rlimit.RemoveMemlock() var objs counterObjects err := loadCounterObjects(&objs, nil) if err != nil { //… } defer objs.Close() ifname := "eth0" iface, err := net.InterfaceByName(ifname) if err != nil {//…} link, err := link.AttachXDP(link.XDPOptions{ Program: objs.CountPackets, Interface: iface.Index, }) defer link.Close() ...
  22. 3. Main Go Program: Read from the map // Periodically

    fetch the packet counter from PktCount tick := time.Tick(time.Second) stop := make(chan os.Signal, 5) signal.Notify(stop, os.Interrupt) for { select { case <-tick: var count uint64 err := objs.PktCount.Lookup(uint32(0), &count) if err != nil { log.Fatal("Map lookup:", err) } log.Printf("Received %d packets", count) case <-stop: log.Print("Received signal, exiting..") return } } }
  23. 3. Main Go Program: Log // Periodically fetch the packet

    counter from PktCount tick := time.Tick(time.Second) stop := make(chan os.Signal, 5) signal.Notify(stop, os.Interrupt) for { select { case <-tick: var count uint64 err := objs.PktCount.Lookup(uint32(0), &count) if err != nil { log.Fatal("Map lookup:", err) } log.Printf("Received %d packets", count) case <-stop: log.Print("Received signal, exiting..") return } }
  24. Example: XDP Drop packets SEC("xdp") int xdp_drop(struct xdp_md *ctx) {

    char msg[] = "Hello, World!"; bpf_trace_printk(msg, sizeof(msg)); // Print to trace pipe void *data = (void *)(long)ctx->data; void *data_end = (void *)(long)ctx->data_end; // Check if the packet's destination IP is blocked if (isBlockedIP(data, data_end)) { char msg[] = "Got ping packet"; bpf_trace_printk(msg, sizeof(msg)); // Print to trace pipe return XDP_DROP; } return XDP_PASS; // Allow the packet to pass } // License declaration char _license[] SEC("license") = "GPL"; @doniacld
  25. Example: XDP Drop packets SEC("xdp") int xdp_drop(struct xdp_md *ctx) {

    char msg[] = "Hello, World!"; bpf_trace_printk(msg, sizeof(msg)); // Print to trace pipe void *data = (void *)(long)ctx->data; void *data_end = (void *)(long)ctx->data_end; // Check if the packet's destination IP is blocked if (isBlockedIP(data, data_end)) { char msg[] = "Got ping packet"; bpf_trace_printk(msg, sizeof(msg)); // Print to trace pipe return XDP_DROP; } return XDP_PASS; // Allow the packet to pass } // License declaration char _license[] SEC("license") = "GPL"; @doniacld
  26. Cilium Network Policy YAML @doniacld apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata:

    name: "deny-external" spec: endpointSelector: matchLabels: app: "backend" ingress: - fromEndpoints: - matchLabels: app: "frontend" frontend pod backend pod frontend pod frontend pods backend pod backend pods external pod external pods 💡 Endpoint = Pod
  27. From Endpoint to Identity Go @doniacld type Endpoint struct {

    ID int Labels map[string]string Identity int } 💡 Endpoint = Pod Endpoints 1: {“app”:”frontend”} 2: {“app”:”backend”} type Policy struct { SourceIdentity int DestinationIdentity int Allowed bool } Policy src: 1 dst: 2 true
  28. Store Policies @doniacld struct bpf_map_def SEC("maps") policy_map = { .type

    = BPF_MAP_TYPE_HASH, .key_size = sizeof(int), .value_size = sizeof(int), .max_entries = 1024, }; eBPF map to store policies
  29. Store Policies @doniacld func loadPoliciesToMap(policies []Policy, policyMap *ebpf.Map) error {

    for _, policy := range policies { err := policyMap.Put(policy.SourceIdentity, policy.DestinationIdentity) if err != nil { return err } } return nil } struct bpf_map_def SEC("maps") policy_map = { .type = BPF_MAP_TYPE_HASH, .key_size = sizeof(int), .value_size = sizeof(int), .max_entries = 1024, }; eBPF map to store policies Function to load policies into the eBPF map
  30. eBPF program to enforce policies @doniacld // eBPF map to

    store policies. struct bpf_map_def SEC("maps") policy_map = { .type = BPF_MAP_TYPE_HASH, .key_size = sizeof(int), .value_size = sizeof(int), .max_entries = 1024, }; // eBPF program to enforce policies. SEC("xdp") int enforce_policy(struct xdp_md *ctx) { int src_identity = get_source_identity(ctx); int dst_identity = get_destination_identity(ctx); int *allowed = bpf_map_lookup_elem(&policy_map, &src_identity); if (allowed && *allowed == dst_identity) { // Allow the packet. return XDP_PASS; } // Drop the packet. return XDP_DROP; }
  31. 📝 Key Takeaways @doniacld • eBPF lets you run safe,

    fast programs in the Linux kernel • You can use it for: ◦ 🔍 Tracing (e.g. file open events) ◦ 📊 Observability (e.g. counting packets by IP ◦ 🛡 Security (e.g. dropping packets with XDP ◦ 🌐 Networking (e.g. packets routing with Cilium)
  32. 📝 Key Takeaways @doniacld • eBPF lets you run safe,

    fast programs in the Linux kernel • You can use it for: ◦ 🔍 Tracing (e.g. file open events) ◦ 📊 Observability (e.g. counting packets by IP ◦ 🛡 Security (e.g. dropping packets with XDP ◦ 🌐 Networking (e.g. packets routing with Cilium) • Go is the language of the cloud-native ecosystem
  33. 📝 Key Takeaways @doniacld • eBPF lets you run safe,

    fast programs in the Linux kernel • You can use it for: ◦ 🔍 Tracing (e.g. file open events) ◦ 📊 Observability (e.g. counting packets by IP ◦ 🛡 Security (e.g. dropping packets with XDP ◦ 🌐 Networking (e.g. packets routing with Cilium) • Go is the language of the cloud-native ecosystem • With libraries like cilium/ebpf, you can use Go to: ◦ Load eBPF programs & Interact with kernel data safely • Perfect fit for building Kubernetes CNI, agents, operators, and tools, etc