7th chunk of `content/en/blog/_posts/2017-12-00-Using-Ebpf-In-Kubernetes.md`
In Kubernetes, the unit of deployment is a pod, and pods (and the containers within them) are also the main unit of isolation. In serverless frameworks, however, the main unit of deployment is a function. Ideally, the unit of deployment equals the unit of isolation. This puts serverless frameworks like [Kubeless](https://github.com/kubeless/kubeless) or [OpenFaaS](https://github.com/openfaas/faas) into a predicament: optimize for the unit of isolation, or for the unit of deployment?

To achieve the best possible isolation, each function call would have to happen in its own container, but what's good for isolation is not always good for performance. Conversely, if we run function calls within the same container, we increase the likelihood of one call interfering with another, for example through files left behind on the shared filesystem.

With Landlock, we could isolate function calls from each other within the same container, making a temporary file created by one function call inaccessible to the next, for example. (At the time of writing Landlock was still an out-of-tree patch set proposed as an eBPF-based LSM; the version eventually merged in Linux 5.13 exposes a dedicated syscall API instead.) Integration between Landlock and Kubernetes-based serverless frameworks would be a ripe area for further exploration.

## Auditing kubectl-exec with eBPF
Audit logging (see the [audit proposal](/docs/tasks/debug/debug-cluster/audit/)) started making its way into Kubernetes in 1.7. At the time of writing it is still pre-stable, with plans to make it stable in the 1.10 release (it eventually reached GA in 1.12). As the name implies, it allows administrators to log and audit the requests made to a cluster's API server.

Audit events record what was asked of the API server, not what happened inside the workload, and that is not always the level of visibility required. For example, an audit entry shows that someone used `kubectl exec` to enter a container, but not which commands were executed during that session. With eBPF one can attach a BPF program that records every command executed in the `kubectl exec` session and passes it to a user-space program that logs those events. We could then play the session back and know the exact sequence of events that took place.

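As an added example (not code from the original post or from Kinvolk), here is the user-space half of such a pipeline in Python: it joins the API server's audit events for `pods/exec` with execve events from a node-level probe and reconstructs which commands ran in which session. It assumes an eBPF probe on the `sys_enter_execve` tracepoint (the hook BCC's `execsnoop` uses) whose collector emits one JSON line per exec with host PID, parent PID, argv and the resolved cgroup path, plus a map from pod and container names to cgroup paths that the collector would build from the kubelet; the audit lines use the `audit.k8s.io/v1` schema. Every input below is a constructed sample.

```python
"""Replay a `kubectl exec` session by joining API-server audit events with
execve events captured on the node by an eBPF probe (added example)."""
import json
from collections import deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample: two audit.k8s.io/v1 events (RequestReceived and
# ResponseStarted stages) for one pods/exec request, as the API server writes
# them under a Metadata-level policy. There is no request body at that level,
# so the exec command only appears in the requestURI query string.
AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3c4a7e9f-0b7f-4c2e-9d1f-5a2b6c7d8e90","stage":"RequestReceived","requestURI":"/api/v1/namespaces/default/pods/web-0/exec?command=%2Fbin%2Fsh&container=web&stdin=true&stdout=true&tty=true","verb":"create","user":{"username":"alice@example.com","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"default","name":"web-0","subresource":"exec"},"requestReceivedTimestamp":"2017-12-05T10:15:30.000000Z","stageTimestamp":"2017-12-05T10:15:30.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3c4a7e9f-0b7f-4c2e-9d1f-5a2b6c7d8e90","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/default/pods/web-0/exec?command=%2Fbin%2Fsh&container=web&stdin=true&stdout=true&tty=true","verb":"create","user":{"username":"alice@example.com","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"default","name":"web-0","subresource":"exec"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2017-12-05T10:15:30.000000Z","stageTimestamp":"2017-12-05T10:15:30.120000Z"}
'''

# Constructed sample: the collector's map from (namespace, pod, container) to
# the container's cgroup path, which in practice it would build from the
# kubelet's pod list or the container runtime. Pod UIDs and IDs are made up.
CONTAINER_CGROUPS = {
    ("default", "web-0", "web"): "/kubepods/burstable/pod9d2f6a1c/6b1d3f4e8c2a",
    ("default", "db-0", "postgres"): "/kubepods/burstable/pod7b3c1e2d/a91c0e7f5d33",
}

# Constructed sample: one JSON line per execve, as the user-space side of an
# eBPF probe on sys_enter_execve could emit after resolving the task's cgroup
# path. PIDs are host PIDs. The "nginx -t" line is container-internal noise and
# the db-0 shell has no audit event at all; neither belongs to alice's session.
EXEC_EVENTS = r'''
{"ts":"2017-12-05T10:15:29.900000Z","pid":4000,"ppid":3990,"cgroup":"/kubepods/burstable/pod9d2f6a1c/6b1d3f4e8c2a","argv":["nginx","-t"]}
{"ts":"2017-12-05T10:15:30.310000Z","pid":4711,"ppid":2877,"cgroup":"/kubepods/burstable/pod9d2f6a1c/6b1d3f4e8c2a","argv":["/bin/sh"]}
{"ts":"2017-12-05T10:15:31.000000Z","pid":5200,"ppid":5100,"cgroup":"/kubepods/burstable/pod7b3c1e2d/a91c0e7f5d33","argv":["/bin/sh"]}
{"ts":"2017-12-05T10:15:33.020000Z","pid":4712,"ppid":4711,"cgroup":"/kubepods/burstable/pod9d2f6a1c/6b1d3f4e8c2a","argv":["id"]}
{"ts":"2017-12-05T10:15:41.550000Z","pid":4713,"ppid":4711,"cgroup":"/kubepods/burstable/pod9d2f6a1c/6b1d3f4e8c2a","argv":["cat","/var/run/secrets/kubernetes.io/serviceaccount/token"]}
{"ts":"2017-12-05T10:15:50.070000Z","pid":4714,"ppid":4711,"cgroup":"/kubepods/burstable/pod9d2f6a1c/6b1d3f4e8c2a","argv":["sh","-c","curl -s http://169.254.169.254/ > /tmp/meta"]}
{"ts":"2017-12-05T10:15:50.080000Z","pid":4715,"ppid":4714,"cgroup":"/kubepods/burstable/pod9d2f6a1c/6b1d3f4e8c2a","argv":["curl","-s","http://169.254.169.254/"]}
'''


def _parse_ts(ts):
    """Parse the RFC 3339 timestamps written by the API server and the probe."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def exec_requests(audit_log):
    """Yield the exec requests in an audit log: who entered which container, and how."""
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        # exec is a long-running request, so the API server emits a ResponseStarted
        # stage; its timestamp marks the moment the stream into the container opened.
        if ref.get("subresource") != "exec" or ev.get("stage") != "ResponseStarted":
            continue
        query = parse_qs(urlsplit(ev["requestURI"]).query)
        yield {
            "audit_id": ev["auditID"],
            "user": ev["user"]["username"],
            "namespace": ref["namespace"],
            "pod": ref["name"],
            "container": query.get("container", [None])[0],
            "command": query.get("command", []),  # kubectl repeats ?command= per argv element
            "ts": _parse_ts(ev["stageTimestamp"]),
        }


def replay_sessions(audit_log, exec_events, container_cgroups,
                    window=timedelta(seconds=5)):
    """For each exec request, find its session root on the node and collect
    every process that descends from it, in execution order."""
    events = [json.loads(line) for line in exec_events.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = _parse_ts(ev["ts"])
    children = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)

    sessions = []
    for req in exec_requests(audit_log):
        cgroup = container_cgroups.get((req["namespace"], req["pod"], req["container"]))
        # The session root is the first execve in the target container whose argv
        # equals the audited command, shortly after the stream was established.
        roots = [ev for ev in events
                 if ev["cgroup"] == cgroup and ev["argv"] == req["command"]
                 and req["ts"] <= ev["ts"] <= req["ts"] + window]
        if not roots:
            sessions.append({**req, "matched": False, "commands": []})
            continue
        root = min(roots, key=lambda ev: ev["ts"])
        # Walk the process tree below the root, staying inside the same cgroup.
        commands, queue = [], deque([root])
        while queue:
            ev = queue.popleft()
            commands.append(ev)
            queue.extend(c for c in children.get(ev["pid"], []) if c["cgroup"] == cgroup)
        commands.sort(key=lambda ev: ev["ts"])
        sessions.append({**req, "matched": True, "commands": commands})
    return sessions


def format_session(session):
    """Render one reconstructed session as a human-readable transcript."""
    head = (f"{session['user']} exec into {session['namespace']}/{session['pod']} "
            f"({session['container']}) at {session['ts'].isoformat()}")
    if not session["matched"]:
        return head + "  [no matching exec observed on the node]"
    lines = [head]
    for c in session["commands"]:
        lines.append(f"  {c['ts'].strftime('%H:%M:%S')} pid={c['pid']} "
                     f"ppid={c['ppid']} {' '.join(c['argv'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    for s in replay_sessions(AUDIT_LOG, EXEC_EVENTS, CONTAINER_CGROUPS):
        print(format_session(s))
```

The join works because `kubectl exec` passes the command as repeated `command=` query parameters, so even a Metadata-level audit policy names the initial command, and the `ResponseStarted` stage timestamps the moment the stream into the container was established. Two caveats for a real deployment: host PIDs get reused, so key events on PID plus task start time rather than the PID alone; and execve tracing only sees programs that are exec'd, not shell builtins or anything typed into an interactive shell that does not fork, so a faithful replay also needs a probe on the TTY reads and writes. The inverse check is worth alerting on too: a shell starting in a container with no matching `pods/exec` audit event (the `db-0` line above) points at access that bypassed the API server.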
## Learn more about eBPF
If you're interested in learning more about eBPF, here are some resources:
- A comprehensive [reading list about eBPF](https://qmonnet.github.io/whirl-offload/2016/09/01/dive-into-bpf/)
- [BCC](https://github.com/iovisor/bcc) (BPF Compiler Collection) provides tools for working with eBPF as well as many example tools making use of BCC.
- Some videos

  - [BPF: Tracing and More](https://www.youtube.com/watch?v=JRFNIKUROPE) by Brendan Gregg
  - [Cilium - Container Security and Networking Using BPF and XDP](https://www.youtube.com/watch?v=CcGtDMm1SJA) by Thomas Graf
  - [Using BPF in Kubernetes](https://www.youtube.com/watch?v=T3Wcuj8fy5o) by Alban Crequy

## Conclusion
We are just starting to see the Linux superpowers of eBPF being put to use in Kubernetes tools and technologies. We will undoubtedly see increased use of eBPF. What we have highlighted here is just a taste of what you might expect in the future. What will be really exciting is seeing how these technologies will be used in ways that we have not yet thought about. Stay tuned!  

The Kinvolk team will be hanging out at the Kinvolk booth at KubeCon in Austin. Come by to talk to us about all things Kubernetes, Linux, container runtimes and, yeah, eBPF.
