eBPF, Service Mesh and Sidecar


Animesh Pathak


The operating system is like the boss of your computer, handling security, networking, and keeping an eye on what’s happening. But tweaking or improving the core part of the operating system, called the kernel, is a bit tricky because it’s mainly focused on keeping things stable and secure.

Most cool new stuff usually happens outside the core system, in what we call the user space. That’s where people add extra features or functions. However, thanks to eBPF, we now have a way to make big improvements right at the core level of the operating system. This has opened the door for some really exciting changes in how our computers handle networking, security, and keeping track of what’s going on.

There are many use cases of eBPF, such as:

  • High-performance networking for cloud-native apps.

  • More efficient authorization of network traffic at layer 3 (L3) and layer 4 (L4) of the OSI model.

  • Fine-grained observability data with low overhead.

  • Insights for troubleshooting application performance.

  • Enforcing security policies at the kernel level.

  • And more.

There are many frameworks that let you get started with eBPF programming; some of them are:

  • libbpf: This is a C library that provides a portable and efficient way to work with eBPF programs. It is maintained by the Linux kernel community and is widely used in many eBPF applications.

  • bpftrace: This is a high-level eBPF tracing language for Linux that uses the LLVM compiler and the BCC framework for interacting with the Linux eBPF subsystem.

  • Cilium/ebpf-go: This is a pure Go library that provides utilities for loading, compiling, and debugging eBPF programs. It has minimal external dependencies and is intended to be used in long-running processes.

  • BCC: This is a collection of tools and libraries for working with eBPF programs. It includes a set of scripts and examples that demonstrate how to use eBPF for various use cases, such as network monitoring, performance analysis, and system profiling.

  • ebpf-tiny: This is a lightweight eBPF framework that provides a simple and efficient way to develop and deploy eBPF programs. It is designed for embedded systems and resource-constrained environments.

What is Service Mesh?

Many service mesh products aim to make it easier for microservices in applications to connect with each other. They offer benefits like secure connections, observability, and traffic management. However, the enthusiasm for service mesh is often dampened by worries about added complexity and overhead. Let’s delve into how eBPF (extended Berkeley Packet Filter) can help simplify the service mesh. By leveraging eBPF, we can make the data plane of the service mesh more efficient and simpler to set up.

Sidecars & eBPF – Service Mesh Model

Sidecar proxy model

The sidecar proxy model is the most common way of implementing service mesh today. Sidecars are like extra helpers for your pods, working right alongside them. They act as tiny traffic managers, dealing with the incoming and outgoing data of the pods. Think of them as traffic cops for your applications.
These sidecars handle important tasks, like directing the flow of data, making sure things are evenly balanced, keeping information secure with encryption, and deciding who gets access. They also keep track of how much traffic is going in and out, gathering data about what’s happening.
In simple terms, sidecars are like guardians for your pods, making sure everything runs smoothly and safely. However, the sidecar proxy model also has some disadvantages, such as:

  • They consume resources that grow as the load on your pod increases, and they add latency.

  • The proxy may not always reflect the true state of the application or the network.

  • Each additional component, like a sidecar proxy, increases the attack surface by providing more entry points for potential threats.

  • They introduce additional points of interaction; if not properly secured, these communication channels can become targets for attackers.

eBPF-based model

Unlike the sidecar method, where each container needs a small companion proxy container running alongside it in the same pod, eBPF operates at the host operating system’s kernel level. This means it runs only once on each host, regardless of the number of containers or pods scheduled to run on that host.

In the eBPF-based service mesh model, the system works by attaching eBPF programs to different network events, essentially intercepting and managing the communication between services. For instance, an eBPF program can be attached to the socket connect() call and redirect the traffic to a local port where another eBPF program is actively listening.

As a result, the application believes it is connecting to a remote service, but in reality it is connecting to a local eBPF program responsible for the service mesh logic. This approach allows effective control and processing of the communication flow between the different services in the system.

Additionally, since eBPF programs can communicate with other eBPF programs operating on separate nodes or pods, they can exchange the necessary information, including service discovery data, configuration details, policies, and more. This inter-program communication enables coordination and information sharing across the distributed environment, which is what makes the eBPF-based service mesh work.
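To make the redirect concrete for both the sidecar section and the eBPF model above, here is an added example written for this page. It is not code from the post and not a real eBPF program (a kernel hook cannot run without a kernel and privileges); it is a user-space model in Python in which `mesh_connect()` plays the role of the program attached to `connect()`, the dict `PENDING` plays the role of the BPF map that records where the caller actually wanted to go, and a node-local proxy thread plays the role of the program listening on the redirected port. The proxy enforces a constructed L4 allow-list (`POLICY`) and counts bytes per identity, which is the policy and observability work a per-pod sidecar would otherwise do. The service name (`orders`), the identities (`frontend`, `batch`), all ports and all payloads are constructed for the example.

```python
"""User-space model of the eBPF service-mesh redirect (added example).

Nothing here is a real eBPF program; the pieces below stand in for the kernel
parts described in the text:
  mesh_connect()   -> the program attached to the socket connect() call
  PENDING          -> the BPF map the hook writes and the proxy reads
  start_mesh_proxy -> the program listening on the local redirect port
All names, ports and payloads are constructed for this example.
"""
import socket
import threading
from collections import defaultdict

SERVICE_ADDRS = {}                 # service name -> real (host, port)
PENDING = {}                       # client source port -> (identity, service)
PENDING_LOCK = threading.Lock()
# Constructed L4 policy: which identity may open connections to which service.
POLICY = {"frontend": {"orders"}, "batch": set()}
METRICS = defaultdict(int)         # observability counters


def start_service(name):
    """Start a constructed upstream service that echoes what it received."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    SERVICE_ADDRS[name] = srv.getsockname()

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(4096)
                conn.sendall(name.encode() + b" got: " + data)

    threading.Thread(target=serve, daemon=True).start()


def start_mesh_proxy():
    """Start the node-local proxy that redirected connections land on."""
    lsn = socket.socket()
    lsn.bind(("127.0.0.1", 0))
    lsn.listen()

    def handle(conn):
        with conn:
            # Recover the original destination from the "map", keyed by the
            # client's source port (a kernel hook would key on a socket cookie).
            with PENDING_LOCK:
                identity, service = PENDING.pop(conn.getpeername()[1],
                                                ("unknown", None))
            data = conn.recv(4096)
            if service not in POLICY.get(identity, set()):
                METRICS[f"denied:{identity}->{service}"] += 1
                return                 # policy deny: close, forward nothing
            with socket.create_connection(SERVICE_ADDRS[service]) as upstream:
                upstream.sendall(data)
                reply = upstream.recv(4096)
            METRICS[f"bytes:{identity}->{service}"] += len(data) + len(reply)
            conn.sendall(reply)

    def serve():
        while True:
            conn, _ = lsn.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsn.getsockname()


def mesh_connect(sock, identity, service, proxy_addr):
    """Stand-in for the connect() hook: remember where the caller wanted to
    go, then steer the socket to the local proxy instead."""
    sock.bind(("127.0.0.1", 0))        # fix the source port so the proxy can look us up
    with PENDING_LOCK:
        PENDING[sock.getsockname()[1]] = (identity, service)
    sock.connect(proxy_addr)


def call_service(identity, service, payload, proxy_addr):
    """What the application does: it believes it is talking to `service`."""
    with socket.socket() as s:
        mesh_connect(s, identity, service, proxy_addr)
        s.sendall(payload)
        try:
            return s.recv(4096)        # b"" when the proxy closed on deny
        except ConnectionResetError:
            return b""


def run_demo():
    """One allowed call and one denied call through the modelled mesh."""
    start_service("orders")
    proxy_addr = start_mesh_proxy()
    allowed = call_service("frontend", "orders", b"GET /orders", proxy_addr)
    denied = call_service("batch", "orders", b"GET /orders", proxy_addr)
    return {"allowed": allowed, "denied": denied, "metrics": dict(METRICS)}


if __name__ == "__main__":
    print(run_demo())
```

Running it prints the echoed reply for `frontend`, an empty reply for `batch` (the proxy closed the connection without forwarding), and the counters. The parts that would differ in a kernel implementation are the hook (an eBPF program on `connect()` rewriting the destination address) and the lookup table (a BPF map instead of a dict); the shape of the policy check and the accounting is the same, and it is done once per host rather than once per pod.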

Can eBPF and sidecar be used together?

The short answer is "yes"; the question is when and how.

Choosing between eBPF and the sidecar model depends on the specific requirements and priorities of the system architecture. For example, in scenarios where low-level network optimization and efficiency are important, eBPF may be the preferred choice. Conversely, when the focus is on managing application-level concerns, the sidecar approach may offer a more practical solution. It’s not necessarily an "either-or" situation; in some cases, a combination of both approaches might be employed to leverage their respective strengths in different parts of the system.

Conclusion

There’s no universal solution for service mesh architecture, and the choice between eBPF and the sidecar model mostly depends on the specific requirements and characteristics of the given use case and environment. Combining both models is a pragmatic approach that allows leveraging the strengths of each in different layers of the system.
Using eBPF for L4 (transport layer) traffic management and security addresses lower-level network concerns efficiently. Meanwhile, employing a sidecar proxy for L7 (application layer) traffic management and observability enhances the handling of application-specific logic and monitoring.
This hybrid approach acknowledges the diversity of challenges within a service mesh and tailors the solution accordingly. It’s a flexible strategy that recognizes the nuances of different layers in the networking stack and adapts the technology stack to provide optimal solutions for each layer’s unique demands.
