wu-sheng commented on code in PR #693: URL: https://github.com/apache/skywalking-website/pull/693#discussion_r1529763664
########## content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-list.md: ########## 
@@ -0,0 +1,199 @@ +--- +title: "Monitoring Kubernetes network traffic by using eBPF" +date: 2024-03-18 +author: Han Liu +description: This article demonstrates how SkyWalking uses eBPF technology to monitor network traffic on Kubernetes. +--- + +## Background + + +[Apache SkyWalking](https://skywalking.apache.org/) is an open-source Application Performance Management system that helps users gather logs, traces, metrics, and events from various platforms and display them on the UI. +With version 9.7.0, SkyWalking can collect access logs from probes in multiple languages and from Kubernetes, generating corresponding topologies, links, and other data. However, it could not initially collect and map access logs from applications in Kubernetes environments. This article explores how the 10.0.0 version of Apache SkyWalking employs eBPF technology to collect and store application access logs, addressing this limitation. + +## Why eBPF? + +To monitor the network traffic in Kubernetes, the following features support be support: + +1. **Cross Language**: Applications deployed in Kubernetes may be written in any programming language, making support for diverse languages important. +2. **Non-Intrusiveness**: It's imperative to monitor network traffic without making any modifications to the applications, as direct intervention with applications in Kubernetes is not feasible. +3. **Kernel Metrics Monitoring**: Often, diagnosing network issues by analyzing traffic performance at the user-space level is insufficient. A deeper analysis incorporating kernel-space network traffic metrics is frequently necessary. +4. **Support for Various Network Protocols**: Applications may communicate using different transport protocols, necessitating support for a range of protocols. + +Given these requirements, eBPF emerges as a capable solution. In the next section, we will delve into detailed explanations of how Apache SkyWalking Rover resolves these aspects. 
+ +## Kernel Monitoring and Protocol Analysis + +In previous articles, we've discussed how to monitor network traffic from programs written in various languages. +This technique remains essential for network traffic monitoring, allowing for the collection of traffic data without language limitations. +However, due to the unique aspects of our monitoring trigger mechanism and the specific features of kernel monitoring, these two areas warrant separate explanations. + +### Kernel Monitoring + +Kernel monitoring allows users to gain insights into network traffic performance based on the execution at the kernel level, +specifically from Layer 2 (Data Link) to Layer 4 (Transport) of the OSI model. + +Network monitoring at the kernel layer is deference from the syscall (user-space) layer in terms of the metrics and identifiers used. +While the syscalls layer can utilize file descriptors to correlate various operations, kernel layer network operations primarily use packets as unique identifiers. +This discrepancy necessitates a mapping relationship that SkyWalking Rover can use to bind these two layers together for comprehensive monitoring. + +Let's dive into the details of how data is monitored in both sending and receiving modes. + +#### Sending traffic

Review Comment:

```suggestion
#### Traffic Observation
```
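Review bot: The front matter `date: 2024-03-18` disagrees with the directory name `2023-03-18-monitor-kubernetes-network-by-ebpf` in the file path, so one of the two should change to keep the post's date and location consistent. In "Why eBPF?", the sentence "the following features support be support" does not parse; "the following features need to be supported" would read correctly. In "Kernel Monitoring", "is deference from the syscall (user-space) layer" should be "is different from". The Background paragraph also says 9.7.0 can collect access logs "from Kubernetes" and then that it "could not initially collect and map access logs from applications in Kubernetes environments"; stating exactly what 9.7.0 covers would remove the apparent contradiction.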