Contributed"> eBPF or Not, Sidecars are the Future of the Service Mesh - The New Stack
Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by Guilherme (Gui) Alvarenga
How GitHub Uses GitHub to Be Productive and Secure
May 31st 2023 10:30am, by Loraine Lawson
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by Guilherme (Gui) Alvarenga
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Chainguard Improves Security for Its Container Image Registry
May 31st 2023 6:30am, by Steven J. Vaughan-Nichols
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How to Containerize a Python Application with Paketo Buildpacks
May 29th 2023 5:00am, by Sylvain Kalache
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by Jason Myers
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
WithSecure Pours Energy into Making Software More Efficient
Jun 1st 2023 7:14am, by Joe Fay
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
The Architect’s Guide to Storage for AI
Jun 1st 2023 7:44am, by Keith Pijanowski
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by Jennifer Riggins
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by Doug Flora
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
LangChain: The Trendiest Web Framework of 2023, Thanks to AI
Jun 1st 2023 10:57am, by
30 Non-Trivial Ways for Developers to Use GPT-4
Jun 1st 2023 9:39am, by
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by
Where Does Trace-Based Testing Fit in the Testing Pyramid?
Jun 5th 2023 7:52am, by
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by
Python and WebAssembly: Elevating Performance for Web Apps
Jun 5th 2023 3:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
Bringing AI to the Data Center 
Jun 1st 2023 6:13am, by
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by and
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
Meta-Semi Is an AI Algorithm That 'Learns How to Learn Better'
Jun 6th 2023 3:00am, by
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by
Maker Builds a ChatGPT DOS Client for a 1984 Computer
May 31st 2023 11:04am, by
Google’s Generative AI Stack: An In-Depth Analysis
May 31st 2023 7:59am, by
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by
Compiled Python Code Used in a New PyPI Attack
Jun 2nd 2023 6:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
PyPI Strives to Pull Itself Out of Trouble
Jun 1st 2023 11:43am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
How to Host Your Own Platform as a Product Workshop
May 31st 2023 9:09am, by Jennifer Riggins
Take a Platform Engineering Deep Dive at PlatformCon 2023
May 26th 2023 10:00am, by Carrie Tang
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by B. Cameron Gain
The Cedar Programming Language: Authorization Simplified
Jun 2nd 2023 6:07am, by Alex Williams
How to Improve Operational Maturity in an Economic Downturn
May 31st 2023 8:30am, by Jonathan Rende
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by Joao Pedro Voltani and Joao Granzotti
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by David Cassel
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by David Eastman
Defend Open Source from Trolls: Oppose Patent Rule Changes
Jun 2nd 2023 6:49am, by Michael Dolan
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
Maker Builds a ChatGPT DOS Client for a 1984 Computer
May 31st 2023 11:04am, by David Cassel
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
Open Source Jira Alternative, Plane, Lands
Jun 2nd 2023 9:00am, by Darryl K. Taft
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
My Further Adventures (and More Success) with Rancher
Jun 3rd 2023 7:00am, by Jack Wallen
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Microservices / Networking / Service Mesh

eBPF or Not, Sidecars are the Future of the Service Mesh

eBPF and sidecars are not an either-or choice, and the assertion that eBPF needs to replace sidecars is a marketing construct, not an actual requirement.
Aug 12th, 2022 10:00am by
Featued image for: eBPF or Not, Sidecars are the Future of the Service Mesh
Feature image via Shutterstock.

William Morgan
William is the co-founder and CEO of Buoyant, the creator of the open source service mesh projects Linkerd. Prior to Buoyant, he was an infrastructure engineer at Twitter, where he helped move Twitter from a failing monolithic Ruby on Rails app to a highly distributed, fault-tolerant microservice architecture. He was a software engineer at Powerset, Microsoft, and Adap.tv, a research scientist at MITRE, and holds an MS in computer science from Stanford University.

eBPF is a hot topic in the Kubernetes world, and the idea of using it to build a “sidecar-free service mesh” has generated recent buzz. Proponents of this idea claim that eBPF lets them reduce service mesh complexity by removing sidecars. What’s left unsaid is that this model simply replaces sidecar proxies with multitenant per-host proxies — a significant step backward for both security and operability that increases, not decreases, complexity.

The sidecar model represents a tremendous advancement for the industry. Sidecars allow the dynamic injection of functionality into the application at runtime, while — critically — retaining all the isolation guarantees achieved by containers. Moving from sidecars back to multitenant, shared proxies loses this critical isolation and results in significant regressions in security and operability.

In fact, the service mesh market has seen this first-hand: the first service mesh, Linkerd 1.0 offered a “sidecar-free” service mesh circa 2017 using the same per-host proxy model, and the resulting challenges in operations, management, and security led directly to Linkerd 2.0 based on sidecars.

eBPF and sidecars are not an either-or choice, and the assertion that eBPF needs to replace sidecars is a marketing construct, not an actual requirement. eBPF has a future in the service meshwork, but it will be as eBPF and sidecars, not eBPF or sidecars.

eBPF in a Nutshell

To understand why we first need to understand eBPF. eBPF is a powerful Linux kernel feature that allows applications to dynamically load and execute code directly within the kernel. This can provide a substantial performance boost: rather than continually moving data between kernel and application space for processing, we can do the processing within the kernel itself. This boost in performance means that eBPF opens up an entire class of applications that were previously infeasible, especially in areas like network observability.

But eBPF is not a magic bullet. eBPF programs are very limited, and for good reason: running code in the kernel is dangerous. To prevent bad actors, the kernel must impose significant constraints on eBPF code, not the least of which is the “verifier.” Before an eBPF program is allowed to execute, the verifier performs a series of rigorous static analysis checks on the program.

Automatic verification of arbitrary code is hard, and the consequences of errors are asymmetric: rejecting a perfectly safe program may be an annoyance to developers, but allowing an unsafe program to run would be a major kernel security vulnerability. Because of this, eBPF programs are highly constrained. They can’t block, or have unbounded loops, or even exceed a predefined size. The verifier must evaluate all possible execution paths, which means the overall complexity of an eBPF program is limited.

Thus, eBPF is suitable for only certain types of work. For example, functions that require limited state, e.g., “count the number of network packets that match an IP address and port,” are relatively straightforward to implement in eBPF. Programs that require accumulating state in non-trivial ways, e.g., “parse this HTTP/2 stream and do a regular expression match against a user-supplied configuration”, or even “negotiate this TLS handshake,” are either outright impossible to implement or require Rube Goldberg levels of contortions to make use of eBPF.

eBPF and the Service Mesh

Let’s turn now to service meshes. Can we replace our sidecars with eBPF?

As we might expect, given the limitations of eBPF, the answer is no — what the service mesh does is well beyond what pure eBPF is capable of. Service meshes handle all the complexities of modern cloud native networking. Linkerd, for example, initiates and terminates mutual TLS; retries requests in the event of transient failures; transparently upgrades connections from HTTP/1.x to HTTP/2; enforces authorization policies based on cryptographic workload identity; and much more.

eBPF and sidecars are not an either-or choice, and the assertion that eBPF needs to replace sidecars is a marketing construct, not an actual requirement.

Like most service meshes, Linkerd does this by inserting a proxy into each application pod — the proverbial sidecar. In Linkerd’s case, this is the ultralight Linkerd2-proxy “micro proxy,” written in Rust and designed to consume the least amount of system resources possible. This proxy intercepts and augments all TCP communication to and from the pod and is ultimately responsible for implementing the service mesh’s full feature set.

Some of the functionality in this proxy can be accomplished with eBPF. For example, occasionally, the sidecar’s job is simply to proxy a TCP connection to a destination, without L7 analysis or logic. This could be offloaded to the kernel using eBPF. But the majority of what the sidecar does requires significant state and is impossible or at best infeasible to implement in eBPF.

Thus, even with eBPF, the service mesh still needs user-space proxies.

The Case for the Sidecar

If we’re designing a service mesh, where we place the proxies is up to us. From an architectural level, we could place them at the sidecar level, at the host level, or even at the cluster level, or even elsewhere. But from the operational and security perspective, there’s really only one answer: compared to any of the alternatives, sidecars provide substantial and concrete benefits to security, maintainability, and operability.

A sidecar proxy handles all the traffic to a single application instance. In effect, it acts as part of the application. This results in some significant advantages:

  • Sidecar proxy resource consumption scales with the traffic load to the application, so Kubernetes resource limits and requests are directly applicable.
  • The “blast radius” of sidecar failure is limited to the pod so that Kubernetes’s pod lifecycle controls are directly applicable.
  • Upgrading sidecar proxies are handled the same way as upgrading application code is, e.g. via rolling deployments.
  • The security boundary of a sidecar proxy is clearly delineated and tightly scoped: the sidecar proxy contains only the secret material pertaining to that pod, and acts as the enforcement point for the pod. This is granular enforcement is central to zero trust approaches to network security.

By contrast, per-host proxies (and other forms of multitenancy, e.g. cluster-wide proxies) handle traffic to whichever arbitrary set of pods Kubernetes are scheduled on the host. This means all of the operational and security advantages of sidecars are lost:

  • Per-host proxy resource consumption is unpredictable. It is a function of Kubernetes’s dynamic scheduling decisions, meaning that resource limits and requests are no longer useful—you cannot tell ahead of time how much of the system the proxy requires.
  • Per-host proxies must ensure fairness and QoS, or the application risks starvation. This is a non-trivial requirement and no popular proxy is designed to handle this form of “contended multitenancy”.
  • The blast radius for per-host proxies is large and continuously changing. A failure in a per-host proxy will affect whichever arbitrary sets of pods from arbitrary applications were scheduled on the host. Similarly, upgrading a per-host proxy will impact arbitrary applications to arbitrary degrees depending on which pods were scheduled on the machine.
  • The security story is… messy. A per-host proxy must contain the key material for all pods scheduled on that host and must perform enforcement on behalf of all applications scheduled on this host. This turns the proxy into a new attack vector vulnerable to the confused deputy problem, and any CVE or flaw in the proxy now has a dramatically larger security impact.

In short, sidecar proxies built on top of the isolation guarantees gained through containers, allowing Kubernetes and the kernel to enforce security and fairness. Per-host proxies step outside of those guarantees entirely, introducing significant complexities to operations, security, and maintenance.

So Where Do We Go from Here?

eBPF is a big advancement for networking, and can optimize some work from the service mesh by moving it to the kernel. But eBPF will always require userspace proxies. Given that, the right approach is to combine eBPF and sidecars, not to avoid sidecars.

Proposing a sidecar-free service mesh with eBPF is putting the marketing cart before the engineering horse. Of course, “incrementally improving sidecars with eBPF” doesn’t have quite the same buzz factor of “goodbye sidecars,” but from the user perspective, it’s the right decision.

The sidecar model is a tremendous advancement for the industry. It is not without challenges, but it is the best approach we have, by far, to handle the full scope of cloud native networking while keeping the isolation guarantees achieved by adopting containers in the first place. eBPF can augment this model, but it cannot replace it.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
Saga Without the Headaches Spring Cloud Gateway: The Swiss Army Knife of Cloud Development Return of the Monolith: Amazon Dumps Microservices for Video Monitoring Why Enterprises Need a Management Plane What Is Microservices Architecture?
RELATED STORIES
Java's History Could Point the Way for WebAssembly Kubernetes Evolution: From Microservices to Batch Processing Powerhouse Event Streaming and Event Sourcing: The Key Differences Saga Without the Headaches AmeriSave Moved Its Microservices to the Cloud with Traefik's Dynamic Reverse Proxy
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.