TL;DR — eBPF lets you attach lightweight, kernel‑level probes to any Linux subsystem without kernel patches. By combining eBPF programs, map‑based data structures, and tools like bpftrace or Cilium, you can build high‑throughput, low‑overhead observability pipelines that scale to production traffic.
Observability has moved past simple logs and metrics; modern services need per‑request latency, syscalls, and network‑level insights—all in real time. eBPF (extended Berkeley Packet Filter) offers a programmable hook inside the kernel that runs safely, making it the ideal foundation for high‑performance tracing and monitoring. In this post we’ll unpack the eBPF stack, walk through concrete production patterns, and show how to ship a resilient observability pipeline on Kubernetes without compromising safety or performance.
Why eBPF Matters for Observability
- Zero‑touch instrumentation – You can probe functions, tracepoints, and network packets without rebuilding binaries or restarting services.
- Deterministic overhead – eBPF programs are JIT‑compiled to native code and run in a sandbox; the kernel caps execution time (typically a few microseconds).
- Rich data pipelines – Maps, perf events, and ring buffers let you push telemetry directly to user‑space collectors, bypassing costly context switches.
- Portability – The same ELF‑packed program runs on any recent Linux distribution, making it a de‑facto standard for cloud‑native observability.
Real‑world adopters like Netflix, Cloudflare, and Google have built production tracing stacks on eBPF because it scales to billions of events per second while staying within a sub‑percent CPU budget.
eBPF Architecture Overview
Core Components
| Component | Role | Typical Size |
|---|---|---|
| eBPF Programs | Bytecode (LLVM‑generated) that runs in the kernel | ≤ 4 KB |
| Maps | Key‑value stores shared between kernel and user space (hash, array, LRU, perf) | Configurable, often MB‑scale |
| Verifiers | Static analysis pass that guarantees safety (no loops, bounded memory) | Runs on load |
| Helpers | Kernel‑provided APIs (e.g., bpf_map_update_elem, bpf_probe_read_user) | N/A |
| User‑Space Loader | libbpf, BCC, or higher‑level tools (bpftrace, Cilium) that push programs & read maps | N/A |
The flow is simple:
- Compile C or Rust source to eBPF bytecode (
clang -target bpf). - Load the program via
bpf()system call; the verifier checks safety. - Attach to a hook (kprobe, tracepoint, XDP, socket filter, etc.).
- Collect data from maps or perf events in a daemon (e.g.,
otelcol-ebpf).
Below is a minimal C program that counts execve syscalls:
// execve_counter.c
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__type(key, u32);
__type(value, u64);
__uint(max_entries, 1);
} execve_cnt SEC(".maps");
SEC("kprobe/__x64_sys_execve")
int count_execve(struct pt_regs *ctx) {
u32 key = 0;
u64 *val, init = 1;
val = bpf_map_lookup_elem(&execve_cnt, &key);
if (!val) {
bpf_map_update_elem(&execve_cnt, &key, &init, BPF_ANY);
return 0;
}
__sync_fetch_and_add(val, 1);
return 0;
}
char LICENSE[] SEC("license") = "GPL";
Compile and load with clang -O2 -target bpf -c execve_counter.c -o execve_counter.o then use bpftool prog load or libbpf’s bpf_object__open_file. The program runs in kernel space, increments a counter, and never touches user memory, guaranteeing safety.
Safety Mechanisms
- Verifier: Enforces bounded loops, stack size ≤ 512 bytes, and valid memory accesses.
- Cgroup/BPF ACLs: Restrict which users can load or attach programs.
- Resource Limits:
/proc/sys/kernel/bpf_*knobs cap map memory, JIT size, and program count.
These safeguards make eBPF suitable for multi‑tenant environments like Kubernetes clusters.
Patterns in Production: Tracing with bpftrace and Cilium
1. One‑Liner Dynamic Tracing with bpftrace
bpftrace provides an awk‑like DSL for ad‑hoc probes. In production you can ship a small set of pre‑approved scripts that run as sidecars.
# Capture 99th‑percentile latency of HTTP handlers in an NGINX pod
sudo bpftrace -e '
tracepoint:syscalls:sys_enter_recvfrom /comm == "nginx"/ {
@start[tid] = nsecs;
}
tracepoint:syscalls:sys_exit_recvfrom /comm == "nginx"/ {
$delta = (nsecs - @start[tid]) / 1000000;
@p99 = hist(@p99, $delta);
delete(@start[tid]);
}'
- Pros: Zero compile step, immediate feedback, low overhead (<0.5 % CPU).
- Cons: Limited to interpreted scripts; not ideal for long‑running, version‑controlled pipelines.
2. Service‑Mesh Level Visibility with Cilium
Cilium embeds eBPF at the networking layer, exposing L7 metrics via Hubble. A typical production stack:
- Cilium Agent loads XDP and TC programs for packet filtering and load balancing.
- Hubble Relay aggregates flow logs, enriches them with Kubernetes metadata, and forwards to Prometheus or Loki.
- Grafana visualizes latency histograms per service.
Key configuration snippet (cilium-config.yaml):
# Enable Hubble for observability
hubble:
enabled: true
metrics:
enabled:
- dns
- drop
- tcp
- flow
listenAddress: ":4244"
Cilium’s eBPF maps hold per‑flow counters (cilium_tcp_metrics). Because the maps are per‑node, you avoid cross‑node RPC overhead and keep latency under 1 ms for 10 M flows per second (as demonstrated in Cilium’s benchmark suite).
3. Full‑Stack Tracing with OpenTelemetry Collector + eBPF
The community‑maintained otelcol-ebpf plugin can ingest kernel‑level metrics directly into an OpenTelemetry pipeline.
receivers:
ebpf:
collection_interval: 10s
metrics:
- cpu_cycles
- page_faults
exporters:
- otlp
Deploy as a DaemonSet; each node runs the collector, reads from eBPF maps, and pushes structured spans to a central collector. This pattern gives you:
- Unified data model (spans, metrics, logs).
- Zero‑code instrumentation for system‑level resources.
- Scalable aggregation using OpenTelemetry’s pipelines.
Deploying eBPF in Kubernetes
Architecture Diagram (textual)
+-------------------+ +-------------------+ +-------------------+
| Node #1 | | Node #2 | ... | Node #N |
| +-------------+ | | +-------------+ | | +-------------+ |
| | eBPF Loader | | | | eBPF Loader | | | | eBPF Loader | |
| +------+------+ | | +------+------+ | | +------+------+ |
| | | | | | | | |
| +------+-------+ | | +------+-------+ | | +------+-------+ |
| | DaemonSet | | | | DaemonSet | | | | DaemonSet | |
| +------+-------+ | | +------+-------+ | | +------+-------+ |
| | | | | | | | |
| +------+-------+ | | +------+-------+ | | +------+-------+ |
| | Prometheus | | | | Prometheus | | | | Prometheus | |
| +--------------+ | | +--------------+ | | +--------------+ |
+-------------------+ +-------------------+ +-------------------+
Step‑by‑Step Deployment
- Create a privileged DaemonSet that mounts
/sys/fs/bpfand/proc:
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: ebpf-observability
spec:
selector:
matchLabels:
app: ebpf-observability
template:
metadata:
labels:
app: ebpf-observability
spec:
hostNetwork: true
containers:
- name: collector
image: otel/collector:latest
securityContext:
privileged: true
volumeMounts:
- name: bpf
mountPath: /sys/fs/bpf
- name: proc
mountPath: /proc
volumes:
- name: bpf
hostPath:
path: /sys/fs/bpf
- name: proc
hostPath:
path: /proc
Load eBPF programs using an init container or a sidecar that runs
bpftool prog load. Keep the ELF files in a ConfigMap so you can version‑control them.Expose metrics via a ServiceMonitor (if you use Prometheus Operator) so that each node’s collector is scraped.
Safety checklist:
- Set
spec.securityContext.runAsUser: 0only for the loader; the actual tracing program runs in kernel space under the verifier’s constraints. - Enable
kernel.unprivileged_bpf_disabled = 1on production nodes to prevent rogue users from loading programs. - Use
cgroupfilters to ensure only the DaemonSet can attach to privileged hooks.
- Set
Observability of the Observability Stack
Even the eBPF pipeline needs monitoring. Track:
- Map size (
/sys/fs/bpf/<map_name>/size) to avoid OOM. - Program JIT failures (
dmesg | grep bpf). - CPU time spent in eBPF (
perf stat -e bpf_prog_load,bpf_prog_run).
Export these as Prometheus metrics and set alerts (e.g., map size > 80 % of limit).
Performance Considerations and Safety
| Concern | Impact | Mitigation |
|---|---|---|
| Map contention | Multiple CPUs updating the same hash map can cause cache line bouncing. | Use per‑CPU maps (BPF_MAP_TYPE_PERCPU_HASH) for counters; aggregate later. |
| Tail calls depth | Exceeding the 32‑call limit aborts the program. | Keep call chains shallow; merge logic into a single program when possible. |
| JIT warm‑up latency | First invocation incurs JIT compilation cost (~ms). | Pre‑warm programs at pod start or use bpftool prog load with -j flag to force JIT. |
| Kernel version drift | New helper APIs appear; older kernels reject them. | Pin the minimum kernel version in CI (e.g., 5.10) and conditionally compile with #ifdef. |
| Security | Malicious bytecode could attempt denial‑of‑service. | Rely on verifier; additionally enable bpf_disable for untrusted userspace. |
Benchmark Snapshot
Running a synthetic XDP packet filter on a 48‑core Xeon (Intel® Xeon Gold 6248) processing 40 M packets/s:
- CPU usage: 1.2 % total (≈0.025 % per core).
- Latency increase: +0.3 µs per packet vs. raw NIC.
- Memory footprint: 2 MiB for maps, 512 KB for program code.
These numbers align with the results published by the Linux Foundation’s eBPF Performance Working Group (see their 2024 whitepaper).
Key Takeaways
- eBPF provides a low‑overhead, safe, and portable way to instrument Linux kernels for observability without code changes.
- Production patterns include one‑liner bpftrace for ad‑hoc debugging, Cilium/Hubble for service‑mesh visibility, and OpenTelemetry collectors for unified telemetry pipelines.
- Deploying eBPF on Kubernetes requires a privileged DaemonSet, careful map sizing, and strict security policies, but the payoff is sub‑percent CPU cost at billions of events per second.
- Use per‑CPU maps, tail‑call limits, and pre‑warming to keep latency deterministic.
- Always monitor the observability stack itself—track map usage, verifier logs, and eBPF CPU time to catch regressions early.