DevConf.CZ

Orchestrating eBPF programs in Kubernetes
2024-06-13 , D105 (capacity 300)

eBPF, fully available since Linux 4.4, is a kernel technology enabling
programs to run without modifying the kernel source code or adding extra
modules. Acting as a lightweight, sandboxed virtual machine within the Linux
kernel, eBPF executes Berkeley Packet Filter (BPF) bytecode, utilizing kernel
resources efficiently. By eliminating the need for kernel source code
modifications, eBPF enhances software's ability to utilize existing layers,
potentially revolutionizing service delivery in observability, security, and
networking domains.

Bpfman, a system daemon for managing eBPF programs, is a pivotal tool in
this domain. It simplifies the deployment and management of eBPF
applications, notably within Kubernetes clusters, by offering a Custom
Resource (CR) operator for streamlined operations.

Our presentation will delve into Bpfman's evolution, stemming from the Rust
library Aya for eBPF development. We'll explore practical aspects such as
leveraging the Kubernetes operator, deploying applications, and how Fedora
enhances the user experience. Security concerns surrounding eBPF program
execution within Kubernetes pods will be addressed, along with insights into
integration challenges and ongoing collaborative efforts within the eBPF
and Rust SIGs in Fedora.

Notably, eBPF's adoption by industry giants like
Google, Netflix, Shopify, and Cloudflare underscores its relevance,
prompting an insightful discussion on its orchestration in Kubernetes and
Fedora.

Daniel is a Principal Software Engineer at Red Hat. He’s been involved in several networking projects, such as Kuryr-Kubernetes (a CNI plugin which enables native Neutron-based networking in Kubernetes) and MetalLB, and recently he’s been tackling Edge, Telco NFV and Observability use cases. He’s been a PTL (Project Team Lead) on several OpenStack projects, a member of the Kubernetes SIG Group, and part of the panel for the Leveraging Containers and OpenStack.