Infrastructure
What eBPF is, why it changed Linux observability and security, and the production stacks (Cilium, Pixie, Falco) built on top of it.
eBPF (extended Berkeley Packet Filter) lets sandboxed programs run inside the Linux kernel at runtime, attached to system events: packet arrivals, syscalls, function entries. Programs are verified before they run — a static checker proves they terminate and stay within their permission envelope — so kernel safety is preserved.
Through the 2020s eBPF moved from a niche networking optimisation to the foundation of an entire observability and security ecosystem. Cilium reimplemented kube-proxy, Pixie made language-agnostic application introspection trivial, Falco delivered runtime security at scale, and Datadog/Dynatrace/New Relic agents started replacing kernel-module instrumentation with eBPF.
Infra
A CNCF blog post shares a real-world story about the 'integration tax' of cloud-native tools. An on-call engineer faced blank dashboards because Prometheus wasn't correctly configured to monitor Cilium, highlighting how complex integrations can cause serious production issues for engineering teams.
Ashish Kale ·
Infra
LinkedIn engineers faced recurring, short-lived outages where a key database would freeze and recover without leaving logs. Using advanced off-CPU profiling with eBPF, the team identified a subtle kernel lock contention issue as the root cause, resolving the mysterious system-wide freezes.
Ashish Kale ·
Inject custom logic into hot kernel paths (network packet processing, syscall dispatch, function entry/exit) without writing or loading kernel modules. The verifier guarantees the program is safe. This unlocks zero-instrumentation tracing, custom load balancers, and runtime security telemetry at near-zero overhead.
Yes for production. There's a Windows port (eBPF for Windows) but it's less mature. eBPF is one of the major reasons Linux remains the default server kernel.
For networking: Cilium (Kubernetes CNI with eBPF dataplane). For runtime security: Falco, Tetragon, Tracee. For observability: Pixie (k8s), bpftrace (general-purpose), the OpenTelemetry eBPF profiler.
Less than kernel modules — the verifier blocks unsafe programs. But eBPF programs CAN be malicious if a privileged user loads them. CAP_BPF (introduced in 5.8) lets administrators delegate eBPF loading without granting full root. Most production threats are misconfiguration, not eBPF itself.