Blog
Thoughts on engineering, design, and building great products.
The eBPF Virtual Machine: Registers, Instruction Set, and Bytecode
Last article we saw an eBPF program with 'xlated 512B' (verified bytecode) and 'jited 333B' (machine code). This article goes inside that bytecode: eBPF is a RISC-style virtual machine with 11 64-bit registers and a small instruction set, designed to translate quickly to native code and be verifiable for safety. We read a running Cilium program's bytecode directly, see how each instruction maps to registers and its class, then why this design lets the verifier prove safety.
Migrating to kube-proxy-less Cilium
Theory's done, now for real: replace Part I's kube-proxy + bridge with eBPF-based Cilium 1.19, remove kube-proxy entirely, enable Hubble. This article traces each migration step on a live cluster — install Cilium, disable kube-proxy, confirm Services still work with not a single kube-proxy iptables rule left — plus four real traps a self-built cluster hits (providerID, topology labels, IMDS hop limit, hostNetwork) and how to clear them.
Cilium and eBPF: why replace kube-proxy
In Part I we built pod networking with kube-proxy iptables and a hand-rolled bridge — enough to run, but iptables grows linearly with the number of Services. Part X upgrades: replace both kube-proxy and the bridge with eBPF-based Cilium. This article is the theory — what eBPF is, why it's faster than iptables, what Cilium does differently at the datapath — looking straight at the 74 iptables rules currently running to see what we're about to drop.