Slide 1

Unleashing the kernel with eBPF

Liz Rice | @lizrice
Chief Open Source Officer, Isovalent
Emeritus Chair, CNCF Technical Oversight Committee | CNCF & OpenUK boards

Slide 2

What is eBPF?

extended Berkeley Packet Filter

Slide 3

What is eBPF?

eBPF is a kernel technology enabling high-performance, low-overhead tools for networking, security and observability.

Slide 4

What is eBPF?

It makes the kernel programmable.

Slide 5

Run custom code in the kernel

[Diagram: user space app, system calls, kernel event, eBPF program]

Slide 6

eBPF Hello World

    // eBPF program attached to a kprobe on the execve system call entry
    #include <linux/bpf.h>
    #include <bpf/bpf_helpers.h>

    SEC("kprobe/sys_execve")
    int hello(void *ctx)
    {
        bpf_printk("Hello!");
        return 0;
    }

    // bpf_printk() wraps a GPL-only helper, so the program must declare a compatible license to load
    char LICENSE[] SEC("license") = "Dual BSD/GPL";

+ userspace code to load the eBPF program

    $ sudo ./hello
    bash-20241 [004] d... 84210.752785: 0: I'm alive!
    bash-20242 [004] d... 84216.321993: 0: I'm alive!
    bash-20243 [004] d... 84225.858880: 0: I'm alive!

Each trace line carries info about the process that called the execve syscall.

Slide 7

Packet of Death mitigation

Slide 8

Packet of Death

[Diagram: host, eth0]

Slide 9

Packet of Death: discard?

[Diagram: host, eth0]

Slide 10

eBPF Packet Drop

    SEC("xdp/bye")
    int goodbye_ping(struct xdp_md *ctx)
    {
        ...   /* elided on the slide: parse the Ethernet and IP headers to reach iph */
        if (iph->protocol == IPPROTO_ICMP)
            return XDP_DROP;
        return XDP_PASS;
    }
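
The slide's goodbye_ping() with its elided header parsing written out, as an added example that is not from the talk: a host-side C rendering of the XDP decision (the XDP_PASS/XDP_DROP values, ETH_HLEN, and the helpers xdp_verdict() and make_ipv4_frame() are defined here so it compiles and runs without a BPF toolchain). The two bounds checks against data_end are the part the eBPF verifier requires before any header byte may be read.

```c
#include <stdint.h>
#include <string.h>

/* Verdict values match enum xdp_action in <linux/bpf.h>. */
#define XDP_DROP 1
#define XDP_PASS 2
#define ETH_HLEN      14      /* dst MAC + src MAC + ethertype */
#define ETH_P_IP      0x0800  /* ethertype for IPv4 */
#define IPV4_MIN_HLEN 20      /* IPv4 header without options */
#define IPPROTO_ICMP  1

/* Same decision as the slide's goodbye_ping(): data and data_end stand in
 * for ctx->data and ctx->data_end of struct xdp_md.  Every header byte is
 * checked against data_end before it is read; the eBPF verifier rejects a
 * program that skips such a check, so this is the shape real XDP code takes. */
static int goodbye_ping(const uint8_t *data, const uint8_t *data_end)
{
    /* Check 1: a complete Ethernet header must be inside the packet. */
    if (data_end - data < ETH_HLEN)
        return XDP_PASS;                /* too short to parse; leave it to the stack */
    uint16_t ethertype = (uint16_t)((data[12] << 8) | data[13]);
    if (ethertype != ETH_P_IP)
        return XDP_PASS;                /* only IPv4 is inspected here */

    const uint8_t *iph = data + ETH_HLEN;
    /* Check 2: at least the fixed 20-byte IPv4 header must be present. */
    if (data_end - iph < IPV4_MIN_HLEN)
        return XDP_PASS;
    if (iph[9] == IPPROTO_ICMP)         /* byte 9 of the IPv4 header: protocol */
        return XDP_DROP;                /* ping never reaches the network stack */
    return XDP_PASS;
}

/* Wrapper taking a frame buffer and its length. */
int xdp_verdict(const uint8_t *frame, size_t len)
{
    return goodbye_ping(frame, frame + len);
}

/* Constructed input: Ethernet + minimal IPv4 header carrying `protocol`,
 * written into buf (at least 34 bytes); returns the frame length. */
size_t make_ipv4_frame(uint8_t *buf, uint8_t protocol)
{
    memset(buf, 0, ETH_HLEN + IPV4_MIN_HLEN);
    buf[12] = 0x08; buf[13] = 0x00;     /* ethertype 0x0800 = IPv4 */
    buf[ETH_HLEN] = 0x45;               /* version 4, IHL 5 (20 bytes) */
    buf[ETH_HLEN + 9] = protocol;
    return ETH_HLEN + IPV4_MIN_HLEN;
}
```

A frame truncated inside the IPv4 header is passed rather than dropped, so the host stack, not the XDP program, decides what to do with malformed input.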

Slide 11

Dynamically change kernel behaviour

Slide 12

Slide 13

Slide 14

eBPF code has to be safe

[Diagram: user space app, system calls, kernel event, eBPF program, 🔍 verifier]

Slide 15

eBPF code runs as native instructions

[Diagram: user space app, system calls, kernel event, eBPF program, ✍ JIT compiler]

Slide 16

Custom behaviour without user space / kernel transitions

Slide 17

eXpress Data Path: ingress, before the network stack

[Diagram: a network packet arrives at the XDP hook in the kernel; the eBPF program returns XDP_DROP, XDP_PASS (on to the network stack) or XDP_TX]

Slide 18

Run custom code on network packets

- Program triggered by packet
- No polling from user space
- Packet in kernel memory
- Per-CPU eBPF maps

[Diagram: user space app, system calls, kernel event, eBPF program, network packet]

Slide 19

Improved network performance

[Chart: three eBPF-based network functions compared with one that is not eBPF; source: Miano et al., A Framework for eBPF-Based Network Functions in an Era of Microservices]

Slide 20

Improved network performance

cilium.io/blog/2022/04/12/cilium-standalone-L4LB-XDP/ (Seznam case study)

Slide 21

Improved performance for container networking

Slide 22

[Diagram: packet path from a pod app socket through the veth pair to host eth0, passing iptables conntrack, iptables INPUT, Linux routing, iptables PREROUTING mangle, iptables conntrack, iptables FORWARD, Linux routing, iptables PREROUTING nat, iptables POSTROUTING mangle, iptables PREROUTING mangle and iptables POSTROUTING nat]

Slide 23

[Diagram: the shortened packet path from a pod app socket through the veth pair to host eth0, with only iptables conntrack, iptables INPUT, Linux routing, iptables PREROUTING mangle and Linux routing remaining]

Slide 24

cilium.io/blog/2021/05/11/cni-benchmark

[Chart: TCP RR (higher is better); legacy host-routing shown as the baseline]

Slide 25

cilium.io/blog/2020/06/22/cilium-18/#kubeproxy-removal

Slide 26

"Unleashing the Power of Cilium CNI to Propel Trendyol's Performance Up to 40%!" (20 July 2023)

Slide 27

eBPF for performance tracing

Slide 28

Measure anything (?) with eBPF

Slide 29

Brendan Gregg on performance improvements

Slide 30

Brendan Gregg on performance improvements

Slide 31

Brendan Gregg on performance improvements

"eBPF is essential for such fast in-situ production analysis"

Slide 32

Programmable kernel in Kubernetes

Slide 33

One kernel per host

[Diagram: user space with pods and containers; the single kernel below handles networking, file access and container creation]

Slide 34

Kernel aware of everything on the host

[Diagram: user space apps and pods; the kernel below handles networking, file access and container creation]

Slide 35

eBPF programs can be aware of everything

[Diagram: user space apps and pods; the kernel below handles networking, file access and container creation]

Slide 36

eBPF tools work without any app or config changes

Slide 37

[Image: quote attributed to Nathan LeClaire, @dotpem]

Slide 38

A sidecar has a view across one pod

[Diagram: user space pod containing an app container and a sidecar container]

Slide 39

Sidecars need YAML

[Diagram: two user space pods, each with an app container and a sidecar container]

    # my-app.yaml
    containers:
    - name: my-app
      ...
    - name: my-app-init
      …
    - name: my-sidecar
      ...

Slide 40

eBPF does not need any app changes

[Diagram: user space pod with its containers, and the kernel beneath]

    # my-app.yaml
    containers:
    - name: my-app
      ...
    - name: my-app-init
      …

Slide 41

eBPF can see ALL activity on the node

[Diagram: user space pod with its containers, and the kernel beneath; 👿 marks activity on the node outside the pod]

    # my-app.yaml
    containers:
    - name: my-app
      ...
    - name: my-app-init
      …

Slide 42

- Reduce resource usage of a per-pod sidecar
- Avoid sidecar config in every pod
- Avoid updating sidecar config in every pod

Slide 43

eBPF enables an efficient sidecarless Service Mesh

Slide 44

Network path with sidecar

Slide 45

Network path for L3/4 traffic

Slide 46

Envoy for Layer 7 terminations when needed

Slide 47

Sidecarless service mesh improves performance

"[Moving to a proxy-per-node model can] reduce costs up to 90% while simplifying operations and improving performance for applications" - Tetrate

Slide 48

eBPF enables high-performance security tools

Slide 49

Run custom code in the kernel

[Diagram: user space app, system calls, kernel event, eBPF program; system calls are marked as "interesting for security"]

Slide 50

Security observability

Slide 51

Security observability - Falco: event filtering in user space

Slide 52

Security observability - Falco

[Diagram: kernel and user space]

Slide 53

Security observability - Cilium Tetragon

[Diagram: kernel and user space, with Tetragon]

Slide 54

Cilium Tetragon: observe security events

    🚀 process default/xwing /usr/bin/vi /etc/passwd
    📬 open default/xwing /usr/bin/vi /etc/passwd
    📪 close default/xwing /usr/bin/vi
    📬 open default/xwing /usr/bin/vi /etc/passwd
    📝 write default/xwing /usr/bin/vi /etc/passwd 1275 bytes
    📪 close default/xwing /usr/bin/vi
    💥 exit default/xwing /usr/bin/vi /etc/passwd 0

Call-outs on the slide: Policy events; Kubernetes info (the default/xwing namespace/pod column)

Slide 55

[Chart: "Traditional solution" = eBPF event collection, filtered in user space, compared with Tetragon's in-kernel event filtering]

Slide 56

Runtime security enforcement in eBPF

Slide 57

Traditional preventative actions from user space

Slide 58

Tetragon runtime security - synchronous

[Diagram: Tetragon]

Slide 59

Cilium Tetragon: enforce sensitive file access

    🚀 process default/xwing /usr/bin/vi /etc/passwd
    📬 open default/xwing /usr/bin/vi /etc/passwd
    📪 close default/xwing /usr/bin/vi
    📬 open default/xwing /usr/bin/vi /etc/passwd
    📝 write default/xwing /usr/bin/vi /etc/passwd 1269 bytes
    💥 exit default/xwing /usr/bin/vi /etc/passwd SIGKILL

Call-out on the slide: Killed before write

Slide 60

Cilium Tetragon: enforce network access

    🚀 process default/xwing /usr/bin/curl deathstar/v1
    💥 exit default/xwing /usr/bin/curl deathstar/v1 0
    🚀 process default/xwing /usr/bin/curl example.com
    🔌 connect default/xwing /usr/bin/curl tcp 10.244.1.124:49874 -> 93.184.216.34:80
    💥 exit default/xwing /usr/bin/curl example.com SIGKILL

Call-outs on the slide: Policy allows in-cluster traffic; Killed before write

Slide 61

eBPF makes the kernel programmable, enabling a new generation of powerful and efficient Cloud Native tools.

Slide 62

Thank you

ebpf.io
cilium.io
@lizrice
Download from isovalent.com
isovalent.com/labs

Slide 63

Remember to vote and share feedback on the InfoQ App or online. Please vote and leave feedback!

Any questions?