eBPF for Granular Network Policy & Observability in Kubernetes

September 28, 2025

14 min read

Goh Ling Yong

Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The `iptables` Bottleneck: Why Kubernetes Networking Struggles at Scale

For any senior engineer who has managed a large-scale Kubernetes cluster, the limitations of the default kube-proxy implementation in iptables mode are painfully familiar. While functional for smaller deployments, its design principles do not scale gracefully. The core issue lies in its reliance on iptables chains for service discovery and network policy enforcement.

When a Service is created, kube-proxy adds a set of iptables rules to the KUBE-SERVICES chain. For a ClusterIP service, this typically involves a rule that matches the destination IP and port, then jumps to a per-service chain (e.g., KUBE-SVC-XXXXXXXXXXXXXXXX). This chain contains rules for each backing Endpoint, using the statistic module for probabilistic load balancing. For NetworkPolicy, kube-proxy (or more accurately, the CNI plugin) creates further chains to filter traffic based on IP addresses and ports.

This architecture presents several critical performance bottlenecks:

Linear Traversal Complexity: iptables processes rules in a chain sequentially. In a cluster with thousands of services and pods, the KUBE-SERVICES chain and associated policy chains can grow to tens of thousands of rules. Every single packet destined for a service must traverse a portion of this list, leading to O(n) complexity where 'n' is the number of services. This directly translates to increased packet latency and CPU consumption on every node.

Lack of Incremental Updates: Modifying a single iptables rule is not an atomic operation. To update service endpoints, kube-proxy often resorts to rebuilding and swapping entire rule chains, which can cause network disruption and is inefficient.

Connection Tracking (conntrack) Exhaustion: The iptables-based NAT logic heavily relies on the kernel's connection tracking system. In high-throughput scenarios, especially with many short-lived connections, the conntrack table can become a major point of contention, leading to dropped packets and performance degradation. Race conditions during conntrack table updates under heavy load are a known production issue.

Observability Black Hole: iptables rules operate at L3/L4 and are fundamentally IP-centric. Debugging network policy issues involves deciphering complex, machine-generated rule chains. There is no native understanding of Kubernetes concepts like pods, services, or namespaces, nor any visibility into L7 protocols like HTTP, gRPC, or Kafka without resorting to cumbersome sidecar proxies.

These limitations are not theoretical. They manifest as tangible problems in production: unpredictable latency spikes, CPU saturation on worker nodes, and hours spent debugging network connectivity issues. The solution requires a fundamental shift away from these legacy mechanisms to a more modern, kernel-native approach: eBPF.

eBPF: Programmable Datapaths in the Linux Kernel

eBPF (extended Berkeley Packet Filter) allows sandboxed programs to run directly within the Linux kernel, triggered by specific events. For our purposes, the most relevant events are network-related hooks. Instead of chaining static rules, we can attach dynamic, highly efficient eBPF programs to key points in the kernel's networking stack.

For senior engineers, it's crucial to move past the "eBPF is a kernel VM" analogy and understand the specific hooks and data structures that enable its power in Kubernetes.

Key eBPF Concepts for Kubernetes Networking

Hook Points: TC vs. XDP

- Traffic Control (TC) Ingress/Egress: eBPF programs can be attached to the cls_bpf classifier on a network interface's TC hook. This point is after the initial packet processing by the NIC driver but before the IP stack (for ingress) and after the IP stack but before queuing for transmission (for egress). It's a highly versatile hook point because the packet is associated with a sk_buff (socket buffer), a rich kernel data structure containing metadata, including socket information. This is where most CNI plugins like Cilium perform their magic for pod-to-pod traffic.

- eXpress Data Path (XDP): XDP programs are attached at the earliest possible point: directly within the network driver. They operate on raw packet data before the sk_buff is even allocated. This provides the ultimate performance for tasks like DDoS mitigation or high-speed load balancing, as packets can be dropped or redirected with minimal overhead. However, its early execution point makes it less suitable for complex Kubernetes policy enforcement that relies on higher-level context.

eBPF Maps: The High-Speed Kernel Datastore

eBPF maps are the cornerstone of stateful eBPF applications. They are highly efficient key-value stores that reside in kernel memory. User-space applications (like a CNI agent) can read from and write to these maps, while eBPF programs attached to kernel hooks can perform near-instantaneous lookups.

Common map types used in networking include:

- BPF_MAP_TYPE_HASH: A generic hash map.

- BPF_MAP_TYPE_LPM_TRIE: Longest Prefix Match Trie, perfect for efficient IP CIDR lookups.

- BPF_MAP_TYPE_SOCKMAP/BPF_MAP_TYPE_SOCKHASH: Maps that hold references to sockets, enabling advanced socket-level redirection and load balancing.

By combining these hooks and maps, we can build a networking dataplane that completely bypasses iptables and kube-proxy.

Production Implementation with Cilium: An Architectural Deep Dive

Cilium is a CNI plugin that leverages eBPF to implement a highly scalable and secure Kubernetes networking fabric. Let's dissect its architecture.

When installed, Cilium runs a daemonset, the cilium-agent, on every node. This agent is responsible for:

Watching the Kubernetes API: It monitors changes to pods, services, endpoints, and network policies.

Compiling and Loading eBPF Programs: It dynamically generates and loads eBPF bytecode onto the node's network interfaces (typically at the TC hook).

Managing eBPF Maps: It populates and updates eBPF maps with the necessary state, such as service-to-backend mappings and policy rules.

Replacing `kube-proxy`

Instead of iptables chains, Cilium's service routing works as follows:

The cilium-agent watches Service and EndpointSlice objects.

It populates an eBPF map (e.g., cilium_lb4_services_v2) with ServiceIP:Port as the key and a struct containing backend information (backend IPs, count, etc.) as the value.

An eBPF program attached to the TC hook on the network interface intercepts every packet.
For an outgoing packet, the eBPF program performs a hash map lookup using the destination IP and port. This is an O(1) operation, regardless of the number of services.
If a match is found, the program selects a backend endpoint (using various algorithms like random or Maglev hashing), performs the destination NAT (DNAT) directly on the packet, and forwards it.

This entire process happens in the kernel, at the TC hook, without traversing a single iptables rule. The performance difference is staggering.

Advanced Policy Enforcement with `CiliumNetworkPolicy`

While Cilium supports standard NetworkPolicy objects, its true power is unlocked with the CiliumNetworkPolicy CRD, which enables L7-aware rules.

Consider this scenario: A payments-api service needs to allow POST /charge requests from the checkout-service but deny all other requests, including GET requests to the same endpoint.

yaml

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l7-aware-payments-policy"
  namespace: "payments"
spec:
  endpointSelector:
    matchLabels:
      app: payments-api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: checkout-service
        io.kubernetes.pod.namespace: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "POST"
          path: "/charge"

How does this work without a sidecar?

The cilium-agent sees this policy and enables an eBPF-based proxy parser for HTTP on port 8080 for pods matching app: payments-api.

An eBPF program at the socket level (cgroup/connect or cgroup/sock_ops hook) intercepts the sendmsg and recvmsg syscalls for these pods.

When the checkout-service makes a request, the initial TCP handshake is allowed by the L3/L4 eBPF program.

As the HTTP data packets arrive, the eBPF program buffers just enough data to parse the HTTP request line (POST /charge HTTP/1.1).

It compares the parsed method and path against the allowed rules stored in another eBPF map.
If the request matches, the data is passed up the stack to the application. If not, the connection is terminated at the kernel level.

This provides L7 security with a fraction of the overhead of a full user-space proxy like Envoy or Nginx, as there's no context switching for allowed requests and minimal data copying.

Advanced Pattern: High-Performance Identity-Based Security

The most significant architectural innovation in Cilium is its use of identity-based security, which completely decouples policy from pod IP addresses.

The Mechanics of Identity

Identity Allocation: The cilium-agent on each node observes the labels of all local pods. For each unique set of labels (e.g., app=api, env=prod, team=backend), it requests a unique, cluster-wide numeric identity from a central authority (either the Kubernetes CRDs or a dedicated etcd cluster).

Identity Propagation: This numeric identity (e.g., 12345) is stored in an eBPF map on the node, mapping the pod's IP to its identity. The identity is also embedded in the network packets themselves when using encapsulation protocols like VXLAN or Geneve, or stored in a per-node map for direct routing mode.

Policy as Identity Pairs: A CiliumNetworkPolicy like the one above is translated not into IP rules, but into a pair of allowed identities. For example, if checkout-service has identity 54321 and payments-api has identity 12345, the policy becomes "Allow traffic from identity 54321 to identity 12345."

Enforcement in eBPF: This allowed pair is written into a policy eBPF map on the destination node. When a packet arrives, the eBPF program extracts the source identity from the packet (or looks it up based on source IP) and performs a single O(1) hash map lookup: policy_map[source_identity][destination_identity]. The result is an immediate ALLOW or DENY.

Performance & Scalability Analysis

This model is profoundly scalable. The number of pods or their IP addresses becomes irrelevant for policy enforcement. A policy allowing communication between two sets of labels translates to a fixed number of entries in the policy map, regardless of whether there are 10 pods or 10,000 pods with those labels. This breaks the linear scaling problem of iptables entirely.

Edge Case: Pod Startup Latency and Identity Allocation

A critical production consideration is the time it takes for a new pod to be assigned an identity. When a pod starts, it cannot communicate until:

a. The cilium-agent observes the pod and its labels.

b. An identity is allocated/retrieved from the central store.

c. The relevant eBPF maps on the local node are updated with the new pod's IP and identity.

d. The policy affecting this new identity is propagated to all other nodes in the cluster.

In large clusters with high pod churn, the latency of this process can become noticeable. The identity allocation itself is fast, but the propagation of policy updates to potentially thousands of nodes can be a bottleneck. Cilium mitigates this with optimized CRD watchers and efficient agent-to-agent communication, but it's an architectural trade-off to be aware of. For latency-sensitive applications, pre-warming identities or using less specific label selectors can be a valid optimization strategy.

Granular Observability with Hubble: Sidecar-Free Telemetry

Because eBPF programs see every packet, they are a perfect source for observability data. Hubble is Cilium's observability layer that taps directly into this data stream.

Hubble doesn't require instrumenting applications or injecting sidecar proxies. The cilium-agent exposes a gRPC API that allows tools like the hubble CLI or the Hubble UI to query real-time flow data from a shared, memory-mapped buffer that is populated by the eBPF programs.

Real-World Debugging with Hubble CLI

Imagine a scenario where requests from a frontend pod to a backend-api are failing. With iptables, you'd start by SSH-ing into nodes and trying to parse iptables -L -v -n. With Hubble, the process is far more intuitive.

Code Example: Tracing Dropped Packets

To see exactly why packets from frontend-v1-abcde are being dropped when trying to reach backend-api, you can run:

bash

hubble observe --namespace my-app --pod frontend-v1-abcde --to-service backend-api --verdict DROPPED -o json

The output will be a stream of JSON objects, one for each dropped packet, with rich metadata:

json

{
  "flow": {
    "time": "2023-10-27T10:30:05.123456789Z",
    "verdict": "DROPPED",
    "drop_reason_desc": "POLICY_DENIED",
    "source": {
      "ID": 1234,
      "identity": 54321,
      "namespace": "my-app",
      "pod_name": "frontend-v1-abcde",
      "labels": ["app=frontend", "version=v1"]
    },
    "destination": {
      "ID": 5678,
      "identity": 12345,
      "namespace": "my-app",
      "pod_name": "backend-api-fghij",
      "labels": ["app=backend-api"]
    },
    "L4": {
      "TCP": {
        "destination_port": 80
      }
    },
    "Type": "L3_L4",
    "Summary": "TCP Flags: SYN"
  }
}

The drop_reason_desc: "POLICY_DENIED" field instantly tells you the root cause, eliminating guesswork. This level of immediate, context-aware feedback is impossible with iptables.

Performance Considerations for L7 Observability

While powerful, enabling L7 protocol parsing for observability is not free. The eBPF programs become more complex, and the cilium-agent consumes more CPU to parse and expose the data. For high-throughput services, this overhead can be significant. A best practice is to enable L7 visibility selectively:

Enable it globally for common, low-volume protocols like DNS.
Enable it for specific services during debugging or for critical APIs where deep visibility is required.
Avoid enabling it for high-bandwidth, internal traffic like database connections unless absolutely necessary.

Cilium's configuration allows for this granularity, letting you balance the depth of observability with performance overhead.

Pushing the Envelope: Bypassing the Kernel Network Stack

eBPF's capabilities extend beyond just replacing iptables. Advanced Cilium features can bypass even more of the kernel's traditional network stack for further performance gains.

BPF-based Masquerading

When a pod makes a request to an external service, the packet's source IP must be masqueraded (SNAT) to the node's IP. The standard implementation uses iptables' MASQUERADE target, which relies on the conntrack table.

Cilium can implement this entirely in eBPF. By enabling bpf-masquerade, an eBPF program at the egress point directly performs the NAT, storing the original source/destination mapping in a dedicated eBPF map. This avoids conntrack contention and is significantly faster.

Code Example: Enabling eBPF Masquerading

This is typically enabled in the Cilium Helm chart values or ConfigMap:

yaml

# In your Helm values.yaml
masquerade: true
# Use eBPF-based masquerading instead of iptables
bpf:
  masquerade: true
# Required for bpf.masquerade=true
enable-ipv4-masquerade: true

Socket-level Load Balancing with `sockmap`

For pod-to-pod communication on the same node, Cilium can perform an incredible optimization. Using an eBPF program attached to the cgroup/sock_ops hook, it can detect when a pod tries to connect to a service IP that is backed by another pod on the same node.

Instead of sending the packet through the node's full TCP/IP stack (veth pair -> tc -> IP stack -> tc -> destination veth), the eBPF program can directly connect the two sockets together using an eBPF sockmap. The data is then short-circuited from one socket's send buffer to the other's receive buffer, completely bypassing the network stack. This can reduce latency and CPU overhead for intra-node communication by a significant margin.

Edge Case: Protocol Compatibility

These advanced optimizations come with a caveat. Bypassing conntrack can break protocols that rely on conntrack helpers, such as FTP. While increasingly rare in modern cloud-native architectures, it's a critical consideration during migration. Thorough testing is required to ensure that all application traffic patterns are compatible with a conntrack-free dataplane.

Conclusion: eBPF as the Future of Cloud-Native Infrastructure

Migrating from an iptables-based CNI to an eBPF-powered one like Cilium is not merely an incremental improvement; it is an architectural evolution. It addresses the fundamental scaling limitations of legacy kernel networking abstractions by providing a programmable, high-performance, and API-aware dataplane.

For senior engineers and architects, the key takeaways are:

Performance: eBPF offers O(1) complexity for service routing and policy enforcement, eliminating the linear scaling bottlenecks of iptables.

Security: Identity-based security decouples policy from transient IP addresses, providing a more robust and scalable security model. L7-aware policies can be enforced with minimal overhead.

Observability: Direct kernel-level visibility provides deep, actionable insights into network flows without the complexity and resource consumption of sidecar proxies.

While the learning curve for eBPF is steeper than for iptables, the operational benefits for large-scale Kubernetes clusters are undeniable. As eBPF continues to mature, its applications will expand beyond networking into security auditing (Tetragon), performance profiling, and system monitoring, solidifying its role as a foundational technology for the future of cloud-native infrastructure.