Chapter 5. eBPF in Cloud Native Environments
The cloud native approach to computing has taken off exponentially in recent years. In this chapter, I’ll discuss why eBPF is so well-suited to tooling for cloud native environments. To keep things concrete, I’ll refer to Kubernetes, but the same concepts apply to any platform that uses containers.
One Kernel per Host
To understand why eBPF is so powerful in the cloud native world, you’ll need to be very clear on one concept: there is only one kernel per machine (or virtual machine), and all the containers running on that machine share the same kernel, as shown in Figure 5-1. The same kernel is involved with and aware of all the application code running on any given host machine.
By instrumenting the kernel, as we do when using eBPF, we can simultaneously instrument all the application code running on that machine. When we load an eBPF program into the kernel and attach it to an event, it gets triggered irrespective of which process is involved with the event.
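The following is an added example, not code from the book, illustrating the point above: a single eBPF program attached once to the execve tracepoint reports exec events from every container on the host, and user space groups them by cgroup ID (which identifies the container). It assumes BCC (the iovisor bcc toolkit) is installed and that it runs as root; the BPF source, the ContainerExec record and the sample events are constructed here.

```python
"""Added example: one kernel-wide eBPF probe sees execs from all containers."""
from collections import defaultdict
from dataclasses import dataclass

# eBPF program (C, compiled by BCC at load time). A tracepoint is a kernel
# event, so this fires for every process on the host regardless of which
# container (cgroup) that process belongs to.
BPF_SOURCE = r"""
#include <uapi/linux/ptrace.h>
struct event_t { u64 cgroup_id; u32 pid; char comm[16]; };
BPF_PERF_OUTPUT(events);
TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    struct event_t ev = {};
    ev.cgroup_id = bpf_get_current_cgroup_id();   /* identifies the container */
    ev.pid = bpf_get_current_pid_tgid() >> 32;
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));
    events.perf_submit(args, &ev, sizeof(ev));
    return 0;
}
"""

@dataclass(frozen=True)
class ContainerExec:          # constructed record type for one exec event
    cgroup_id: int
    pid: int
    comm: str

def comms_per_cgroup(events):
    """Map each cgroup (container) to the sorted set of commands it exec'd.
    Several keys in the result means one probe covered several containers."""
    by_cgroup = defaultdict(set)
    for ev in events:
        by_cgroup[ev.cgroup_id].add(ev.comm)
    return {cg: sorted(comms) for cg, comms in by_cgroup.items()}

def run(limit=20):
    """Load the probe, collect `limit` exec events, and summarise them.
    Needs bcc and root (or CAP_BPF); imported lazily so the rest runs offline."""
    from bcc import BPF
    seen = []
    b = BPF(text=BPF_SOURCE)

    def handle(cpu, data, size):
        ev = b["events"].event(data)
        comm = ev.comm.decode(errors="replace")
        seen.append(ContainerExec(ev.cgroup_id, ev.pid, comm))
        print(f"cgroup={ev.cgroup_id} pid={ev.pid} comm={comm}")

    b["events"].open_perf_buffer(handle)
    while len(seen) < limit:
        b.perf_buffer_poll(timeout=1000)
    return comms_per_cgroup(seen)
```

On a Kubernetes node, `run()` prints exec events with distinct cgroup IDs for each pod's container, even though only one probe was loaded.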
eBPF Versus the Sidecar Model
Prior to eBPF, most observability and security tooling for Kubernetes used the sidecar model. This model allows you to deploy the instrumentation in a separate container but within the same pod as the application. When this approach was invented, it was a step forward because ...
Get What Is eBPF? now with the O’Reilly learning platform.