eBPF was originally known as the Berkeley Packet Filter, but the name is now historical: it is no longer only about packets.

eBPF is a feature of the Linux kernel, and you'll need Linux kernel version 3.15 or above to benefit from it. It enables you to safely and efficiently extend the kernel's functionality by using the bpf syscall. eBPF is implemented as an in-kernel virtual machine using a custom 64-bit RISC instruction set.
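To make the instruction-set sentence above concrete, the following added example (not from the original page or from the kernel sources) decodes the fixed 8-byte eBPF instruction format: opcode, two 4-bit registers, a 16-bit offset and a 32-bit immediate. The sample bytes are constructed, little-endian encoding is assumed, and the names `decode`, `insn_class` and `sample` are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of one 8-byte eBPF instruction. */
struct insn { uint8_t opcode, dst, src; int16_t off; int32_t imm; };

/* Decode one instruction from its little-endian byte form. */
static struct insn decode(const uint8_t *p) {
    struct insn i;
    i.opcode = p[0];
    i.dst = p[1] & 0x0f;              /* destination register: low nibble */
    i.src = p[1] >> 4;                /* source register: high nibble */
    i.off = (int16_t)(uint16_t)(p[2] | p[3] << 8);
    i.imm = (int32_t)((uint32_t)p[4] | (uint32_t)p[5] << 8 |
                      (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24);
    return i;
}

/* The low three opcode bits select the instruction class. */
static const char *insn_class(uint8_t opcode) {
    static const char *names[8] = {"LD", "LDX", "ST", "STX",
                                   "ALU", "JMP", "JMP32", "ALU64"};
    return names[opcode & 0x07];
}

/* Constructed sample program (not taken from any real workload). */
static const uint8_t sample[] = {
    0xb7, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, /* r0 = -1 */
    0x55, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, /* if r1 != 0 goto +1 */
    0x0f, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* r0 += r1 */
    0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* exit */
};

int main(void) {
    /* Print a one-line listing per instruction. */
    for (size_t n = 0; n < sizeof sample / 8; n++) {
        struct insn i = decode(sample + 8 * n);
        printf("%zu: op=0x%02x class=%-5s dst=r%u src=r%u off=%d imm=%d\n",
               n, i.opcode, insn_class(i.opcode), i.dst, i.src, i.off, i.imm);
    }
    return 0;
}
```

The same field layout is what tools that dump loaded programs have to parse, so a listing like this is a reasonable starting point when reviewing what a program loaded into the kernel actually does.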

eBPF is a large and complex topic, and the book BPF Performance Tools is recommended reading on it.

eBPF is already used in a number of places and for use cases such as the following:

  • As a CNI plug-in to enable pod networking in Kubernetes, for example in Cilium and Project Calico, and also for service scalability.
  • For observability, for example Linux tracing with bpftrace, as well as in a clustered setup with Hubble.
  • As a security control, for example to perform container runtime scanning, as you can with projects such as CNCF Falco.
  • For network load balancing, such as in Facebook’s L4 katran library.