eBPF: From Kernel to Cloud
An 18-episode series on eBPF — from kernel internals to production observability and security enforcement. Covers how eBPF programs actually work, how tools like Cilium, Falco, and Tetragon use them, and how to apply them in Kubernetes environments.
Written for: SREs, platform engineers, and security practitioners who want to understand what’s actually running on their nodes — and build or evaluate eBPF-based observability and security tooling.
Format: Each episode includes architecture diagrams, bpftool output, production tool examples, and operational context. No C code. Focus on operational understanding, not kernel development.
Episode Guide
| # | Title | Status |
|---|---|---|
| 1 | What Is eBPF? A Plain-English Guide for Linux and Kubernetes | ✓ Published |
| 2 | BPF Verifier Explained: Why eBPF Is Safe for Production | ✓ Published |
| 3 | eBPF vs Kernel Modules: An Honest Comparison for K8s Engineers | ✓ Published |
| 4 | eBPF Program Types — What’s Actually Running on Your Nodes | ✓ Published |
| 5 | eBPF Maps — The Persistent Data Layer Between Kernel and Userspace | ✓ Published |
| 6 | CO-RE and libbpf — Write Once, Run on Any Kernel | Coming soon |
| 7 | XDP — Packets Processed Before the Kernel Knows They Arrived | Coming soon |
| 8 | TC eBPF — Pod-Level Network Policy Without iptables | Coming soon |
| 9 | bpftrace — Kernel Answers in One Line | Coming soon |
| 10 | Network Flow Observability — What Every Connection Tells You | Coming soon |
| 11 | DNS at the Kernel Level — What Your Pods Are Actually Querying | Coming soon |
| 12 | LSM and Tetragon — When the Kernel Says No | Coming soon |
| 13 | Process Lineage — Reconstructing What Happened After an Incident | Coming soon |
| 14 | The Audit Playbook — Four Commands to See Any Cluster Clearly | Coming soon |
| 15 | Cilium Deep Dive — Verifying the Policy You Think Is Enforced | Coming soon |
| 16 | Continuous Profiling — Finding Bottlenecks Without APM | Coming soon |
| 17 | The Platform Pattern — How Every eBPF Tool Is Built | Coming soon |
| 18 | Infrastructure That Can See Itself | Coming soon |
Cadence: Weekly, Tuesdays 07:30 IST.
What You’ll Be Able to Do
After completing this series you’ll be able to:
- Explain how eBPF programs are loaded, verified, and attached to kernel hooks — and why this is safe for production
- Read and interpret `bpftool` output to understand what’s actually running on a node
- Understand how Cilium enforces NetworkPolicy, how Falco detects suspicious syscalls, and how Tetragon enforces security policy at the kernel level
- Build operational intuition for XDP and TC-based network processing in Kubernetes pod networking
- Use `bpftrace` one-liners to answer production questions without modifying application code
- Design eBPF-based observability that covers network flows, DNS queries, and process execution with minimal overhead
Start Here
Start with What Is eBPF? for the foundational model, then BPF Verifier Explained for why it’s production-safe.
If you’re evaluating Cilium or Tetragon for a Kubernetes environment, jump to EP04 (eBPF Program Types) for context on what type of eBPF program each tool uses.
Get new episodes in your inbox → linuxcent.com/subscribe