This is the first in a new series of spotlights on eBPF Foundation members. We kick off the series with a discussion with Liz Rice, Chief Open Source Officer at Isovalent, about how Isovalent is using eBPF and why she feels the eBPF Foundation is so important.
Please tell us a little about your organization:
Isovalent, now a part of Cisco, specializes in building open source software and enterprise solutions that solve the needs of modern cloud native infrastructure. Isovalent was founded by the creators of Cilium and eBPF, and has evolved to become the leader in cloud native networking, observability, and security.
How is your organization using eBPF? And what benefits are you seeing?
Isovalent is recognized for its excellence in networking, observability, and security, with eBPF as the cornerstone of this innovation. We’re co-creators of eBPF itself, and creators of Cilium, which stands out as one of the most significant and widely-adopted projects in the eBPF landscape. Leveraging the capabilities of eBPF, Cilium functions as the Kubernetes networking data plane, offering cloud native insight and control that surpass traditional methods like iptables and sidecars. Cilium uses eBPF to implement advanced networking features directly within the kernel. For example, software load balancing in Cilium is achieved incredibly efficiently by modifying packet headers and redirecting traffic to different backends based on custom logic.
Isovalent provides innovative eBPF-based solutions for platform teams managing Kubernetes environments across various clouds, clusters, and on-premises infrastructures. As a testament to Cilium’s performance, scalability, and rich feature set, we have seen widespread adoption from diverse users, ranging from hyperscalers to startups to traditional enterprises. All major cloud providers, numerous Kubernetes distributions, and many end-user organizations now depend on Cilium for their cloud native networking, observability, and security needs. As of this writing, there are over 130 documented public end users of Cilium. There are also over 66 public case studies demonstrating how companies are leveraging Cilium to navigate the challenges of cloud native networking, observability, and security. As a graduated CNCF project, the community has widely accepted Cilium and we have seen continuous growth in contributors, external blog posts, and talks about Cilium.
Also leveraging the capabilities of eBPF, Isovalent founded Tetragon (a sub-project under Cilium) – a highly performant security observability and real-time runtime enforcement tool. Tetragon provides deep visibility without requiring application changes, and operates with low overhead thanks to smart in-kernel filtering and aggregation logic integrated directly into the eBPF-based kernel-level collector. The capabilities of Tetragon in Isovalent’s enterprise distributions have attracted a community of early adopters, including technology leaders such as Bell, GitHub, GResearch, Nationwide, Palantir, and Ripple, who have adopted Tetragon for sophisticated runtime security and observability use cases.
Isovalent’s strategic use of eBPF made Cilium one of the most significant projects in the cloud native ecosystem, just behind Kubernetes. This has fostered a thriving community of users and established a customer base of enterprise users that spans companies of all sizes. The robust ecosystem around Cilium and Tetragon highlights the broad industry confidence and support in our eBPF-based solutions.
What eBPF landscape projects are you also making use of, and how?
Under the hood, the Linux Kernel is the foundation for cloud native development. It houses the eBPF runtime, which executes eBPF programs to serve our various use cases. The Linux Kernel underpins everything: a container, Kubernetes, or a VM. We use the LLVM Compiler to translate eBPF programs written in a C-like language into eBPF instruction sets.
Another significant project in the eBPF landscape that we leverage and contribute to is the eBPF-Go library, an integral part of the Cilium project and extensively used at Isovalent. This library provides convenient functions for managing and loading eBPF programs and maps, including CO-RE (Compile Once–Run Everywhere) support, all implemented purely in Go. Using the eBPF-Go library, we can compile eBPF programs to bytecode and embed that bytecode into Go source code, utilizing a tool called bpf2go.
Building on these base projects, the Isovalent offering comprises three projects: Cilium, Hubble, and Tetragon. As mentioned earlier, Cilium provides cloud-native networking, observability, and security. Hubble is the observability component of Cilium, providings deep visibility into the communication and behavior of services, and Tetragon is a security observability and runtime enforcement tool. Cilium and Tetragon can be used independently of each other or combined to fit our customer’s specific use case and business needs.
Why did you join the eBPF Foundation?
Isovalent was a founding member of the eBPF Foundation because we believe in eBPF’s transformative potential and are deeply committed to its development, growth, and adoption. Our history with eBPF is rooted in our early contributions and leadership within the community, and joining the Foundation aligns with our core mission of driving technological innovation in eBPF around networking, security, and observability.
We worked with the other founding members to create the foundation because we understand the importance of collective effort in pushing the boundaries of what eBPF can achieve, and we want to be at the forefront of this endeavor. We have worked with the Linux kernel community for years to create and develop eBPF as a platform, and the Foundation broadens the community so that these capabilities can be made available on other operating systems too, with a common vision of what eBPF does. Our involvement with the eBPF Foundation allows us to share our expertise, funding, and learnings with other leaders in the field, ultimately benefiting the entire community.
What impact do you think eBPF is having on application software?
eBPF is revolutionizing how we build, connect, observe, and secure applications by enabling infrastructure tools to dynamically modify the behavior of the Linux kernel without changing its source code and without loading kernel modules. Using eBPF, we can build custom features to meet specific application needs without imposing changes on all upstream kernel users. This flexibility that eBPF provides enables rapid experimentation and customization based on specific workloads.
Even more impactful, eBPF empowers the creation of entirely new abstractions on top of the kernel. We use this capability to design explicitly for the demands of cloud native environments and address the limitations of existing tools. While most application developers are unlikely to directly interact with eBPF, they will continue to reap the benefits of its capabilities through user-facing projects such as Cilium and Tetragon that leverage eBPF under the hood, making its power available to all by providing faster networking, deeper visibility and monitoring, and more efficient security solutions. Through projects like these, the impact of eBPF is already widely evident within the cloud native ecosystem, and becoming visible across the broader networking and security industries.
What are the top benefits of being part of the eBPF community?
Isovalent’s involvement in the eBPF community runs deep, starting with the Linux kernel and extending to several ecosystem projects. As active participants, we gain a significant advantage by being at the forefront of this rapidly evolving field. This translates to early access to new developments and the ability to influence the direction of eBPF through code contributions, discussions, and shaping the overall roadmap. Being part of the eBPF community ensures we play our part in steering the direction of eBPF to meet the needs of our projects, products, and customers.
What contributions has your team made (or plans to make) to the eBPF community()?
Isovalent has been a significant contributor to the eBPF community since its inception. Daniel Borkmann, one of the co-creators of eBPF, became a founding engineer at Isovalent. Thomas Graf, a co-founder of Isovalent, has also been involved with eBPF from its early days. eBPF underpins the technological innovation for which Isovalent is recognized. Isovalent actively participates in eBPF-related conferences, workshops, and forums, driving the direction of eBPF’s evolution and fostering collaboration with other contributors and users. We also bring new members into the community through educational material and labs.
Isovalent also founded the eBPF Summit, a virtual event that brings together eBPF experts, contributors, adopters, enthusiasts, and the community to explore the technology behind some of today’s most exciting infrastructure tools. Isovalent’s deep involvement in the eBPF community, through contributions, leadership, and community engagement, underscores our commitment to advancing the support and use of eBPF.
What sets the eBPF Foundation apart from other industry alliances?
The eBPF Foundation distinguishes itself from other industry alliances by focusing on the upstream eBPF bytecode and runtime implementations. This specialization allows the Foundation to concentrate on advancing eBPF capabilities, use cases, and the overall ecosystem. Unlike broader alliances, the eBPF Foundation’s narrow focus ensures that developments are highly relevant and impactful for eBPF as a technology.
The Foundation brings together leading experts and developers in eBPF, providing a concentration of knowledge and experience that drives high-quality, cutting-edge advancements. Members can work together to directly influence the direction and priorities of eBPF development directly, ensuring that their specific needs and use cases are addressed. This influence provides a competitive edge for member companies. The direction of eBPF ecosystem technology is driven by expert engineers through the Foundation’s BPF Steering Committee, with broader resources applied to address ecosystem development through initiatives such as security reviews, directed development, and academic research.
What advice would you give to someone considering joining the eBPF Foundation?
Joining the eBPF Foundation is about being part of a community that drives the adoption and evolution of eBPF. By sharing costs, resources, and expertise, members can collectively ensure that eBPF continues to thrive, benefiting the entire ecosystem. If you’re considering joining the eBPF Foundation, the long-term benefits of collaboration, innovation, and shared success of eBPF are worth the effort.