NETWAYS, profile picture
Uploaded byNETWAYS
17 views

OSMC 2025: Making the Kernel Speak Kubernetes: Unlocking eBPF’s Power for Observability by Burak Ok.pdf

The Linux kernel reveals detailed observability data, but context is often missing. Imagine debugging a slow service in Kubernetes. eBPF can trace the issue by linking kernel events to the affected container, providing clarity, though it introduces added complexity. This talk explores how Inspektor Gadget abstracts eBPF’s complexity, correlating events with Kubernetes resources. You’ll see how the provided gadgets can be used and learn to build your own troubleshooting gadgets with ease.

Embed presentation

Download to read offline
Agenda • Quick eBPF intro • Inspektor Gadget • Ready to go gadgets • Building your own gadgets • Questions
Getting into the Kernel: eBPF • Bytecode runtime in the Linux Kernel • Guaranteed to not crash • Verifier runs before the program is loaded • Runs in a sandbox • Used for • Networking • Security • Tracing and Observability
Working with Kernel Userspace eBPF Network syscall Monitored Process
Working with eBPF programs Kernel Userspace eBPF Network eBPF programs syscall Monitored Process
Working with eBPF programs Kernel eBPF map Userspace Event eBPF Network eBPF programs syscall Monitored Process
Working with eBPF programs Kernel eBPF map Userspace Event - New language to learn - Deep Linux insights eBPF Network - Need to develop a userspace program - Link these events to Kubernetes
Working with eBPF programs Kernel eBPF map Userspace Event eBPF Network
Kernel Userspace CNCF Sandbox Project Working with Inspektor Gadget Gadgets (eBPF programs) eBPF map Event Network
Kernel Userspace Working with Inspektor Gadget Kubernetes API Server Container Runtime Others… DNS answer for inspektor-gadget.io From: Service kube-dns in NS kube-system To: curl in Pod Frontend in NS default Addr: 172.67.164.52 Event -mnt namespace -ns namespace -process ID -IP addr Event Gadgets (eBPF programs) eBPF map Event Network
Inspektor Gadget – A set of tools • Managing eBPF programs • Enrichment • Filtering • Data export • Many modes of use • Sharing & distribution
Official gadgets • Advise: Recommend system configurations based on collected information • seccomp-profile, network-policies • Audit: Audit a subsystem • seccomp • Profile: Profile different subsystems • block-io, cpu • Snapshot: Take a snapshot of a subsystem and print it • process, socket • Top: Gather, sort and periodically report events according to a given criteria • blockio, file, tcp • Trace: Trace and print system events • bind, dns, exec, mount, oomkill, tcp{drop, retrans}, open, few more…
Demo of an official gadget
IG – A framework for eBPF devs • Allow everyone to easily build eBPF gadgets • Same enrichment, filtering and helpers • No additional userspace program needed • Package gadgets in OCI artifacts
Gadgets as OCI artifacts • An OCI image that contains • Metadata for the gadget • Basic information (author, license, etc.) • Supported export options (Prometheus, API, logging, etc.) • etc. • eBPF program(s) as object file • Optional user-space modules for post- processing of data • A deployable unit • A sharable unit Gadget (OCI) Metadata YAML eBPF program ELF Userspace processing WASM
Brief insight into writing a gadget struct key_t { gadget_comm comm[TASK_COMM_LEN]; gadget_mntns_id mntns_id; }; struct value_t { __u64 packets; }; struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1024); __type(key, struct key_t); __type(value, struct value_t); } stats SEC(".maps"); GADGET_MAPITER(packetcounter, stats);
Brief insight into writing a gadget SEC("kprobe/udp_sendmsg") int BPF_KPROBE(probe_udp_sendmsg, struct sock *sk) { struct key_t key = {}; struct value_t *value; /* Filter by container and more using gadget helpers */ if (gadget_should_discard_data_current()) return 0; key.mntns_id = gadget_get_current_mntns_id(); /* SNIP */ return 0; }
Brief insight into writing a gadget ~/mygadget $ sudo ig image build –t ghcr.io/burak-ok/mygadget:test . Pulling builder image ghcr.io/inspektor-gadget/gadget-builder:v0.46.0 ... Successfully built ghcr.io/burak-ok/mygadget:test@sha256:5a1b86c... ~/mygadget $ sudo ig image push ghcr.io/burak-ok/mygadget:test Pushing ghcr.io/burak-ok/mygadget:test... Successfully pushed ghcr.io/burak-ok/mygadget:test@sha256:5a1b86c... ~/mygadget $ kubectl gadget run ghcr.io/burak-ok/mygadget:test --verify-image=false K8S.NODE K8S.NAMESPACE K8S.PODNAME COMM PACKETS minikube-doc… kube-system coredns-7db…hwl coredns 14 minikube-doc… default test-pod nslookup 2
Thanks – Any questions? • https://inspektor-gadget.io • https://github.com/inspektor-gadget/Contribfest-KubeCon- Europe2025/blob/main/ to learn how to create your own Gadget • https://github.com/burak-ok • https://de.linkedin.com/in/burak-ok

More Related Content

PDF
DEF CON 27 - JEFF DILEO - evil e bpf in depth
byFelipe Prado
 
PDF
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
PDF
Security Monitoring with eBPF
byAlex Maestretti
 
PDF
Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF
byDocker, Inc.
 
PDF
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
byCynthia Thomas
 
PDF
eBPF — Divulging The Hidden Super Power.pdf
bySGBSeo
 
PDF
eBPF — Divulging The Hidden Super Power.pdf
byseo18
 
PPTX
Cfgmgmtcamp 2023 — eBPF Superpowers
byRaphaël PINSON
 
DEF CON 27 - JEFF DILEO - evil e bpf in depth
byFelipe Prado
 
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
Security Monitoring with eBPF
byAlex Maestretti
 
Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF
byDocker, Inc.
 
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
byCynthia Thomas
 
eBPF — Divulging The Hidden Super Power.pdf
bySGBSeo
 
eBPF — Divulging The Hidden Super Power.pdf
byseo18
 
Cfgmgmtcamp 2023 — eBPF Superpowers
byRaphaël PINSON
 

Similar to OSMC 2025: Making the Kernel Speak Kubernetes: Unlocking eBPF’s Power for Observability by Burak Ok.pdf

PPTX
Dataplane programming with eBPF: architecture and tools
byStefano Salsano
 
PDF
Kernel bug hunting
byAndrea Righi
 
PPTX
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
byoholiab
 
PDF
eBPF - Rethinking the Linux Kernel
byThomas Graf
 
PDF
DCSF 19 eBPF Superpowers
byDocker, Inc.
 
PPTX
Understanding eBPF in a Hurry!
byRay Jenkins
 
PDF
eBPF Tooling and Debugging Infrastructure
byNetronome
 
PDF
Introduction to eBPF and XDP
bylcplcp1
 
PPTX
Berkeley Packet Filters
byKernel TLV
 
PDF
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
byDocker, Inc.
 
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
PDF
XDP in Practice: DDoS Mitigation @Cloudflare
byC4Media
 
PDF
story_of_bpf-1.pdf
byhegikip775
 
PDF
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
byNETWAYS
 
PDF
Automating Complex Setups with Puppet
byKris Buytaert
 
PDF
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
PDF
Prometheus as exposition format for eBPF programs running on Kubernetes
byLeonardo Di Donato
 
PDF
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
PDF
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
PPTX
Powering a live escape game with ecf and efxclipse
byChristoph Keimel
 
Dataplane programming with eBPF: architecture and tools
byStefano Salsano
 
Kernel bug hunting
byAndrea Righi
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
byoholiab
 
eBPF - Rethinking the Linux Kernel
byThomas Graf
 
DCSF 19 eBPF Superpowers
byDocker, Inc.
 
Understanding eBPF in a Hurry!
byRay Jenkins
 
eBPF Tooling and Debugging Infrastructure
byNetronome
 
Introduction to eBPF and XDP
bylcplcp1
 
Berkeley Packet Filters
byKernel TLV
 
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
byDocker, Inc.
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
XDP in Practice: DDoS Mitigation @Cloudflare
byC4Media
 
story_of_bpf-1.pdf
byhegikip775
 
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
byNETWAYS
 
Automating Complex Setups with Puppet
byKris Buytaert
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
Prometheus as exposition format for eBPF programs running on Kubernetes
byLeonardo Di Donato
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
Powering a live escape game with ecf and efxclipse
byChristoph Keimel
 

Recently uploaded

PDF
DevFest Baku 2025 Speaker Presentations ( Software, AI, Workshop tracks)
bynigarasadova555
 
PDF
OSMC 2025: Monitoring a small world by Mattias Schlenker.pdf
byNETWAYS
 
PDF
OSMC 2025: Auto Discovery with Icinga by Lennart Betz.pdf
byNETWAYS
 
PDF
OSMC 2025: Agentic Incident Response by Birol Yildiz.pdf
byNETWAYS
 
PDF
AWS Solutions Architect Professional (SAP-C02) Exam Questions 2025
byMinniePfeiffer
 
PDF
OSMC 2025: It’s always DNS: Monitoring dynamic DNS environments with Checkmk ...
byNETWAYS
 
PDF
OSMC 2025: Onotify: A scalable, flexible Alertmanager by Colin Douch.pdf
byNETWAYS
 
PDF
AI-CENTIVE Final Results - Final Stakeholder Meeting
bygabrielafilipovadio
 
PPTX
Latest Cyber Security Trends and updates in 2025
byfathimarasla02
 
PDF
Design Thinking
byDr. Salem Baidas
 
DOCX
Core committee - Smooth functioning of our society - Structure of the Committee
byguruprasathit
 
PPTX
HK_TEMPLATE12211212121112112567890976.pptx
bymimiii22022022
 
PDF
Metaphors
byDr. Salem Baidas
 
PDF
Image Story
byDr. Salem Baidas
 
PDF
SIHMA Scalabrini Institute for Human Mobility in Africa(SIHMA) - Annual Repor...
byScalabrini Institute for Human Mobility in Africa
 
PDF
jean-piaget.pdf detail theory of psychologist piaget
byturabk622
 
PPTX
Human Rights Rally by Slidesgo presentation
bythub2306144
 
PPTX
Third Quarter Grade 9 Arts Lesson 1 pptx.
byRoniePaltad
 
PPTX
Toastmasters Updated Contest Season 25 26.pptx
bypaulbartalpmp
 
PPTX
Group-6-presentation-Philippine-Politics-and-Governance-Vico-Sotto.pptx
bylhoidardhensalamanca
 
DevFest Baku 2025 Speaker Presentations ( Software, AI, Workshop tracks)
bynigarasadova555
 
OSMC 2025: Monitoring a small world by Mattias Schlenker.pdf
byNETWAYS
 
OSMC 2025: Auto Discovery with Icinga by Lennart Betz.pdf
byNETWAYS
 
OSMC 2025: Agentic Incident Response by Birol Yildiz.pdf
byNETWAYS
 
AWS Solutions Architect Professional (SAP-C02) Exam Questions 2025
byMinniePfeiffer
 
OSMC 2025: It’s always DNS: Monitoring dynamic DNS environments with Checkmk ...
byNETWAYS
 
OSMC 2025: Onotify: A scalable, flexible Alertmanager by Colin Douch.pdf
byNETWAYS
 
AI-CENTIVE Final Results - Final Stakeholder Meeting
bygabrielafilipovadio
 
Latest Cyber Security Trends and updates in 2025
byfathimarasla02
 
Design Thinking
byDr. Salem Baidas
 
Core committee - Smooth functioning of our society - Structure of the Committee
byguruprasathit
 
HK_TEMPLATE12211212121112112567890976.pptx
bymimiii22022022
 
Metaphors
byDr. Salem Baidas
 
Image Story
byDr. Salem Baidas
 
SIHMA Scalabrini Institute for Human Mobility in Africa(SIHMA) - Annual Repor...
byScalabrini Institute for Human Mobility in Africa
 
jean-piaget.pdf detail theory of psychologist piaget
byturabk622
 
Human Rights Rally by Slidesgo presentation
bythub2306144
 
Third Quarter Grade 9 Arts Lesson 1 pptx.
byRoniePaltad
 
Toastmasters Updated Contest Season 25 26.pptx
bypaulbartalpmp
 
Group-6-presentation-Philippine-Politics-and-Governance-Vico-Sotto.pptx
bylhoidardhensalamanca
 

OSMC 2025: Making the Kernel Speak Kubernetes: Unlocking eBPF’s Power for Observability by Burak Ok.pdf

  • 2.
    Agenda • Quick eBPFintro • Inspektor Gadget • Ready to go gadgets • Building your own gadgets • Questions
  • 3.
    Getting into theKernel: eBPF • Bytecode runtime in the Linux Kernel • Guaranteed to not crash • Verifier runs before the program is loaded • Runs in a sandbox • Used for • Networking • Security • Tracing and Observability
  • 4.
  • 5.
    Working with eBPF programs KernelUserspace eBPF Network eBPF programs syscall Monitored Process
  • 6.
    Working with eBPF programs Kernel eBPFmap Userspace Event eBPF Network eBPF programs syscall Monitored Process
  • 7.
    Working with eBPF programs Kernel eBPFmap Userspace Event - New language to learn - Deep Linux insights eBPF Network - Need to develop a userspace program - Link these events to Kubernetes
  • 8.
    Working with eBPF programs Kernel eBPFmap Userspace Event eBPF Network
  • 9.
    Kernel Userspace CNCF SandboxProject Working with Inspektor Gadget Gadgets (eBPF programs) eBPF map Event Network
  • 10.
    Kernel Userspace Working withInspektor Gadget Kubernetes API Server Container Runtime Others… DNS answer for inspektor-gadget.io From: Service kube-dns in NS kube-system To: curl in Pod Frontend in NS default Addr: 172.67.164.52 Event -mnt namespace -ns namespace -process ID -IP addr Event Gadgets (eBPF programs) eBPF map Event Network
  • 11.
    Inspektor Gadget –A set of tools • Managing eBPF programs • Enrichment • Filtering • Data export • Many modes of use • Sharing & distribution
  • 12.
    Official gadgets • Advise:Recommend system configurations based on collected information • seccomp-profile, network-policies • Audit: Audit a subsystem • seccomp • Profile: Profile different subsystems • block-io, cpu • Snapshot: Take a snapshot of a subsystem and print it • process, socket • Top: Gather, sort and periodically report events according to a given criteria • blockio, file, tcp • Trace: Trace and print system events • bind, dns, exec, mount, oomkill, tcp{drop, retrans}, open, few more…
  • 13.
    Demo of anofficial gadget
  • 14.
    IG – Aframework for eBPF devs • Allow everyone to easily build eBPF gadgets • Same enrichment, filtering and helpers • No additional userspace program needed • Package gadgets in OCI artifacts
  • 15.
    Gadgets as OCIartifacts • An OCI image that contains • Metadata for the gadget • Basic information (author, license, etc.) • Supported export options (Prometheus, API, logging, etc.) • etc. • eBPF program(s) as object file • Optional user-space modules for post- processing of data • A deployable unit • A sharable unit Gadget (OCI) Metadata YAML eBPF program ELF Userspace processing WASM
  • 16.
    Brief insight intowriting a gadget struct key_t { gadget_comm comm[TASK_COMM_LEN]; gadget_mntns_id mntns_id; }; struct value_t { __u64 packets; }; struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1024); __type(key, struct key_t); __type(value, struct value_t); } stats SEC(".maps"); GADGET_MAPITER(packetcounter, stats);
  • 17.
    Brief insight intowriting a gadget SEC("kprobe/udp_sendmsg") int BPF_KPROBE(probe_udp_sendmsg, struct sock *sk) { struct key_t key = {}; struct value_t *value; /* Filter by container and more using gadget helpers */ if (gadget_should_discard_data_current()) return 0; key.mntns_id = gadget_get_current_mntns_id(); /* SNIP */ return 0; }
  • 18.
    Brief insight intowriting a gadget ~/mygadget $ sudo ig image build –t ghcr.io/burak-ok/mygadget:test . Pulling builder image ghcr.io/inspektor-gadget/gadget-builder:v0.46.0 ... Successfully built ghcr.io/burak-ok/mygadget:test@sha256:5a1b86c... ~/mygadget $ sudo ig image push ghcr.io/burak-ok/mygadget:test Pushing ghcr.io/burak-ok/mygadget:test... Successfully pushed ghcr.io/burak-ok/mygadget:test@sha256:5a1b86c... ~/mygadget $ kubectl gadget run ghcr.io/burak-ok/mygadget:test --verify-image=false K8S.NODE K8S.NAMESPACE K8S.PODNAME COMM PACKETS minikube-doc… kube-system coredns-7db…hwl coredns 14 minikube-doc… default test-pod nslookup 2
  • 19.
    Thanks – Anyquestions? • https://inspektor-gadget.io • https://github.com/inspektor-gadget/Contribfest-KubeCon- Europe2025/blob/main/ to learn how to create your own Gadget • https://github.com/burak-ok • https://de.linkedin.com/in/burak-ok