APabhishek pareekinabhishek-pareek.hashnode.dev·2d ago · 6 min readFrom The Vault: How SNAT Turned UDP Into a Stateful ProtocolMost of our K8s clusters use the open-source Cilium CNI, and for a subset of workloads we route outbound traffic through a dedicated Cilium Egress Gateway. The motivation is pretty common: some extern00
ITIngero Teaminingero.hashnode.dev·2d ago · 6 min readRead-Only Kernel Telemetry as MCP Tools: A Design NoteDesign constraints (left) and the seven existing tool calls (right) for a read-only MCP server over an eBPF kernel trace database. TL;DR An MCP server over kernel telemetry has a specific shape: read-00
RRitabritainto-cilium-from-scratch.hashnode.dev·6d ago · 2 min read30 Day Cilium Learning JourneyWhen it comes to observability in Azure, I've mostly worked with Azure Monitor, Log Analytics, Application Insights, KQL, Alerts, and Network Watcher. These tools have helped me monitor workloads, inv00
JSJayakumar Sakthivelincloudwithjk.hashnode.dev·6d ago · 13 min readHow Cilium Replaces iptables with eBPF — And Why It Makes Kubernetes Security SmarterIntroduction If you've been running Kubernetes in production for any length of time, you've probably stared at a NetworkPolicy YAML, applied it, and then asked yourself, "Is this actually working?" Th00
ITIngero Teaminingero.hashnode.dev·Jul 6 · 6 min readTop of Stack, Bottom of Stack: Where RUM Ends and eBPF BeginsThe five layers of the production observability stack. RUM observes user-visible events at the top. eBPF observes kernel events at the bottom. The middle three need different tools. TL;DR The producti00
ITIngero Teaminingero.hashnode.dev·Jun 29 · 7 min readThe Seventh Agent: Counting Privileged Processes on a Real GPU HostA real audit of host-level agents already running on a typical GPU host. Adding kernel-level GPU observability is a decision about whether to add a seventh privileged process or to put the instrumenta00
VNVũ Nhật Lâminblog.fiscybersec.com·Jun 29 · 7 min read"Atomic Arch": 400+ AUR Packages Hijacked to Deliver an eBPF Rootkit and InfostealerExecutive Summary An attacker spoofing a trusted maintainer on the Arch User Repository (AUR) adopted and trojanized more than 408 packages — and according to Sonatype, the figure may have reached rou00
RPRavidu Priyankarainravindu-priyankara.hashnode.dev·Jun 20 · 9 min readSqueezing Bytes: How I Optimised an eBPF Driver in Falco1. How I Found This Opportunity I wanted to make my first open source contribution, so I decided to fork a few eBPF projects — one of them being falcosecurity/libs. After compiling and running Falco, 00
SServers99inservers99.hashnode.dev·Jun 18 · 3 min readMoving Beyond CI/CD: Securing Kubernetes at Runtime with eBPFIf your container passes a CI/CD vulnerability scan, is it safe to run in production? Many engineering teams assume the answer is yes. But a clean image scan is just a green light to deploy—it is not 10
RPRavidu Priyankarainravindu-priyankara.hashnode.dev·Jun 8 · 18 min readThe Case of the Disappearing eBPF Instruction: Inside Map FD Relocation and BPF_LD_IMM64While reading the disassembly of a compiled eBPF program I was working on, I noticed something strange — the 6th instruction was missing. Reading through the full disassembly again, I realized it wasn00