How eBPF is changing container networking



“It makes sense to have a transition period where both virtual devices are supported on existing clusters until the veth-based containers/pods gradually phase out,” says Daniel Borkmann, co-creator of both eBPF and Cilium, founding engineer at Isovalent, and active Linux kernel contributor. To support netkit on Cilium-managed Kubernetes clusters, he recommends applying a per-node configuration. Newly joined nodes can use netkit while older nodes continue using veth until they are fully phased out, he says.

Applying eBPF in observability and security

In addition to networking, eBPF is being tapped for security, observability, and other purposes. Since most of these use cases involve data retrieval, not state changes, they are arguably simpler and easier to enact than networking, says Utt. “It has been a game changer and truly inspiring to witness the growth of eBPF in these kinds of use cases,” says Utt, who contributes to Bpfman, a universal loader for all eBPF programs on a given system.

Others also anticipate great future momentum in this area. “I see eBPF playing an important role in observability, security, and compliance, probably more than networking,” says Sun, who notes the many observability and security or compliance-related eBPF projects populating the CNCF landscape, like Kepler, Pixie, and KubeArmor. Most are at the “sandbox” level, meaning they’re in the early stages and not yet widely adopted, signaling room for growth.


