Beyond the Buzzword: BPF’s unexpected role in Kubernetes November 19, 2020 Andrew Randall Alban Crequy

What is (e)BPF? custom programs that run in the Linux kernel hooks and data structures (maps) restricted virtual machine sandbox + code verifier (extended) Berkeley Packet Filter

Why do you care? fast, customizable networking debugging / performance analysis application monitoring & security

Evolution of (e)BPF 2.1.75 first BPF support Dec 1997 3.15 new JIT compiler → eBPF Jun 2014 IO Visor project established Aug 2015 4.8 eXpress Data Path (XDP) Oct 2016 4.11 BPF datastructures for improved packet filtering May 2017 May 2018 Katran announced by Facebook Nov 2017 4.14 fast intra- host networks (sockmap) 4.18 bpf filter by cgroups (containers) Aug 2018 Aug 2020 5.8 BPF ring buffers

An eBPF OSS Landscape Low-level tools Security & Networking Visibility bcc bpftrace cilium falco katran llvm API Libraries gobpf ebpf libbpf libbpf-rs red-bpf calico polycube skydive hubble weave scope kubectl- trace kubectl- gadget kernel tools e.g. bpftool tcptracer-bpf Other ply pyebpf

Hubble

Hubble

Weave Scope

IOvisor BPF Compiler Collection (bcc)

bpftrace

No content

Enter: Inspektor Gadget a “swiss army knife” collection of various bpf tools (gadgets) some from bcc + some new ones developed by kinvolk

What do we need for Kubernetes? granularity: “pod, not pid” aggregation by label selectors kubectl-like experience

K8s integration My laptop $ kubectl gadget... kubectl-gadget Kubernetes Control Plane (API Server, scheduler, ...) exec client plugin worker node “gadget” pod exec traceloop & bcc kernel Install BPF program Deploy gadget pods Kubernetes cluster Create DaemonSet kubectl-exec

Gadgets available today profile network policy advisor traceloop tcptop tcptracer opensnoop execsnoop bindsnoop capabilities kubectl-gadget

Demo kubectl demo

No content