140 eBPF programs are running on one Kubernetes worker right now

On a single worker node of my Kubernetes cluster, 140 eBPF programs are loaded in the Linux kernel right now, routing packets, controlling device access, and collecting metrics. No kernel recompile. No kernel module loaded. That is the reality of modern cloud-native networking and observability.

eBPF From Scratch is a free, 22-chapter series that starts from "what even is the eBPF virtual machine" and ends with writing your own eBPF programs in C with libbpf + CO-RE and in Go with cilium/ebpf. The entire series is tested on real hardware: a Kubernetes cluster running kernel 6.17 and Cilium 1.19 in kube-proxy-less mode, with hundreds of BPF programs live.

What makes this series different

No hand-wavy diagrams. The author dissects programs that are actually running. Every concept is grounded in official docs—ebpf.io, kernel.org, libbpf, Cilium—and claims are verified against real output.

For example, you can inspect one of these programs on a real node (reading program info needs root, hence the sudo):

sudo bpftool prog show id 2871

This shows, among other fields:

  • xlated 4920B — size of the translated bytecode the kernel holds after the verifier has checked it and rewritten parts of it (map references are resolved at this stage)
  • jited 2778B — size of the JIT-compiled native machine code the CPU actually executes
  • map_ids 171,631 — the maps this program references; that is where it keeps state across invocations and shares it with userspace
  • btf_id 758 — the BTF object holding the program's type information, which CO-RE relocation and source-annotated dumps rely on

That's eBPF running, not on a slide.
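Checking the "140 programs" figure, and seeing how those programs break down by type and which of them share a map, is a short shell exercise. The script below is an added example, not code from the series or from Cilium: it parses the plain-text output of `bpftool prog show` (the same `id: type ... / xlated NB jited NB ... map_ids a,b / btf_id N` layout shown above) and falls back to a constructed sample when run on a machine without bpftool or without the privilege to query programs. The program IDs, names, tags and sizes in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the series or from Cilium): summarize the eBPF
# programs loaded on a node from the plain-text output of `bpftool prog show`.
# Needs only POSIX sh, awk, sort and sed. Run as root to read live data:
#   sudo sh ebpf_prog_summary.sh

# Constructed sample of `bpftool prog show` output, reduced to the fields the
# functions below read. IDs, names, tags and sizes are made up for the example.
SAMPLE_PROG_SHOW='2871: sched_cls  name cil_from_container  tag 0123456789abcdef  gpl
        loaded_at 2025-01-01T00:00:00+0000  uid 0
        xlated 4920B  jited 2778B  memlock 8192B  map_ids 171,631
        btf_id 758
2872: xdp  name cil_xdp_entry  tag fedcba9876543210  gpl
        loaded_at 2025-01-01T00:00:00+0000  uid 0
        xlated 1200B  jited 700B  memlock 4096B  map_ids 171
        btf_id 759
2873: cgroup_device  tag 2222222222222222  gpl
        loaded_at 2025-01-01T00:00:00+0000  uid 0
        xlated 80B  jited 60B  memlock 4096B
2874: sched_cls  name cil_to_container  tag 1111111111111111  gpl
        loaded_at 2025-01-01T00:00:00+0000  uid 0
        xlated 3000B  jited 1800B  memlock 8192B  map_ids 631,700
        btf_id 760'

# Number of loaded programs: one "<id>: <type> ..." header line per program.
count_progs() {
    printf '%s\n' "$1" | awk '/^[0-9]+:/ { n++ } END { print n + 0 }'
}

# Programs per type ("<type> <count>"), most common first.
progs_by_type() {
    printf '%s\n' "$1" \
        | awk '/^[0-9]+:/ { t[$2]++ } END { for (k in t) print k, t[k] }' \
        | sort -k2,2nr -k1,1
}

# Total translated and JIT-compiled bytes across all programs.
# awk converts "4920B" to 4920 when the value is used numerically.
total_bytes() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) {
              if ($i == "xlated") x += $(i + 1) + 0
              if ($i == "jited")  j += $(i + 1) + 0
          } }
        END { printf "xlated=%d jited=%d\n", x, j }'
}

# IDs of programs whose map_ids list contains map "$2": shows which programs
# share state through the same map.
progs_using_map() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[0-9]+:/ { id = $1; sub(":", "", id) }
        /map_ids/  { for (i = 1; i < NF; i++) if ($i == "map_ids") {
                         n = split($(i + 1), m, ",")
                         for (k = 1; k <= n; k++) if (m[k] == want) print id
                     } }'
}

# Prefer live data when bpftool exists and we are privileged enough to query
# program info; otherwise fall back to the constructed sample.
if command -v bpftool >/dev/null 2>&1 \
   && live=$(bpftool prog show 2>/dev/null) && [ -n "$live" ]; then
    PROG_SHOW=$live; SOURCE="live node"
else
    PROG_SHOW=$SAMPLE_PROG_SHOW; SOURCE="constructed sample"
fi

echo "eBPF programs loaded ($SOURCE): $(count_progs "$PROG_SHOW")"
echo "by program type:"
progs_by_type "$PROG_SHOW" | sed 's/^/  /'
echo "total $(total_bytes "$PROG_SHOW")"
echo "programs sharing map 631 (sample data): $(progs_using_map "$SAMPLE_PROG_SHOW" 631 | tr '\n' ' ')"
```

On a Cilium node the per-type breakdown is dominated by sched_cls (the tc datapath), with xdp, cgroup and tracing programs alongside; the shared-map query is a quick way to see which datapath programs are wired together through the same state. For anything beyond a one-off check, prefer bpftool's JSON output (`bpftool -j prog show`) over parsing the text form.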

What you'll learn (7 parts, 22 chapters)

Part I — Foundations

  • eBPF Virtual Machine: registers, instruction set, bytecode
  • The Verifier: why eBPF doesn't crash the kernel
  • Maps: kernel-side state and the bridge to userspace
  • Program types and hooks: where you attach, what you see
  • BTF and CO-RE: compile once, run on every kernel

Part II — Tracing

  • bpftrace from one-liner to maps, counting, histograms
  • uprobe, USDT, inspecting a pod from the host

Part III — Writing real tools

  • libbpf + CO-RE: write an eBPF tool in C
  • cilium/ebpf: load eBPF from Go

Part IV — Networking

  • XDP: process packets at the earliest point, write a firewall
  • tc/sched_cls: dissect a live Cilium datapath
  • Write a tc program: __sk_buff and the tcx chain

Part V — Security

  • LSM BPF: enforce security inside the kernel
  • seccomp-bpf: filter syscalls in every container (classic BPF filters, the older cousin of eBPF)
  • The Tetragon approach: from observation to enforcement with bpf_send_signal

Part VI — Observability

  • CPU profiling with perf_event (foundation of flame graphs)
  • Off-CPU and scheduler latency
  • Inside Hubble: from eBPF events to cluster-wide network flows

Part VII — Putting it together

  • Case study: a packet through Cilium's eBPF datapath
  • Capstone: write connmon, a node-wide TCP connection monitor

Who it's for

Backend, platform, SRE, and security engineers who keep hearing "Cilium does that with eBPF" and want to actually understand—and write—the thing. You need to be comfortable on the Linux command line; everything else is built from zero.

The series is bilingual (English and Vietnamese). Source code is on GitHub: github.com/nghiadaulau/ebpf-from-scratch.

Why this matters now

eBPF is the foundation of modern cloud-native infrastructure: Cilium, Falco, Tetragon, Hubble, and countless observability tools. Understanding eBPF at this level lets you debug performance issues, write custom security policies, and build tools that operate at kernel speed without kernel modifications.

Start here

Read the full series free: https://kkloudtarus.net/en/blog/series/ebpf-from-scratch

Give the repo a ⭐ if it's useful.