Dom Delnano
Pixie Core Maintainer
Dom is a core maintainer of the Pixie open source project and founder/CEO at Cosmic. He previously worked at Crowdstrike, focusing on the eBPF Linux sensor, and at New Relic, working on Pixie full-time. Dom first began building observability tooling at Twitter, where he scaled the internally developed time series database to 30B active time series. During his time at Twitter, he became an active contributor to Pixie, expanding its TLS tracing to support JVM-based services.
Multi-messenger security: Adaptive Kubernetes SOC from Disparate eBPF Tools
Through eBPF, the Linux kernel offers a way to unify the disparate fields of security and observability via shared data structures. We show how a K8s Security Operations Center, organically composed of established eBPF projects (CNCF Kubescape, Pixie and Tetragon), can see signals that the individual tools cannot.
We explain how we achieve a comprehensive baseline and use independent signals to dial coverage up or down as suspicious indicators surface. The mutual independence of signals from across process, file system, and network activity achieves a high signal-to-noise ratio, enabling manageable data volumes and facilitating selective forensic storage.
You will see a live demo of the io_uring rootkit, which is hard to detect for syscall-based security tools in their default configurations, yet almost trivial to detect with our adaptive setup.
Additionally, our SOC architecture is node-local and no data leaves the cluster, meaning you remain sovereign and in control of your data.
Expanding eBPF’s Reach: From Batteries-Included Auto-Instrumentation to E2E Observability Pipelines
Traditional monitoring and o11y were defined by the painstaking process of manual instrumentation—an inconsistent and error-prone effort, especially with the rise of cloud environments. eBPF promised a breakthrough, introducing auto-instrumentation that could eliminate these challenges. When the magic of eBPF works, it’s transformative, but there are times when its auto-instrumentation comes up empty. Rigid, black-box tooling is frustrating—at its best it’s magical and at its worst it’s distrusted quickly.
What if eBPF provided a “batteries included but removable” experience, enabling engineers to customize o11y to their needs? In this talk, we’ll discuss how CNCF Pixie and Inspektor Gadget provide the right abstraction for unlocking eBPF’s full potential with their powerful post-processing and k8s enrichment capabilities. We’ll also explore how this vision transformed Pixie’s data collector into a universal agent that can power observability pipelines like Fluentbit and Vector.
Reliable User Space TLS tracing with eBPF
TLS adoption in today’s environments is growing rapidly and poses challenges for tracing tools that intercept microservices’ RPC messages. Normal traffic sniffing collects the encrypted data and has no means to access the original payload. This inhibits traditional tracing tools and complicates debugging systems when critical issues arise.
To address this, eBPF tools probe user space to regain access to the plaintext data. While these approaches are exciting, scaling this type of instrumentation presents a new set of difficulties due to the variety of library choices, possible versions of each library and type of linking.
We present the techniques developed to reliably trace TLS applications across a wide array of conditions found in real-life applications. This allows Pixie to trace both BoringSSL and OpenSSL and reduces the maintenance for supporting new library versions compared to the previous tracing. We conclude by noting the coverage challenges that remain and our future plans.
Powering Automatic Authorization in Envoy through Live Traffic Inspection
The dynamic nature of today’s environments, coupled with the importance of data privacy, has made AuthN/Z crucial for safeguarding sensitive data. However, many large-scale environments existed before these best practices and tooling were commonplace. Retrofitting such systems requires a deep understanding of service-to-service access patterns and significant effort to achieve least-privilege access.
While service dependencies are often difficult to track, the rise of zero instrumentation Observability tools has eased access to this data, providing a potential baseline for AuthZ rules. Projects such as CNCF Pixie and Hubble expose language agnostic protocol traces providing full visibility of their environments. Pixie even supplies access to the span payloads making L7 analysis possible.
In this talk, we present a case study of using Pixie to generate OPA policies for Envoy AuthZ from real traffic. This approach provides a starting point for scoping permissions on an L7 basis.
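The workflow sketched in this abstract, as an added example that is not Pixie's or Envoy's own code: observed L7 request records are reduced to a per-service baseline of (caller, method, path pattern) tuples, and each baseline is rendered as a deny-by-default Rego policy for Envoy's ext_authz filter. The trace rows are constructed sample data and their field names are assumptions, not Pixie's schema.

```python
from collections import defaultdict

# Constructed sample: one row per observed request between two services.
# Field names are assumed for illustration and are not Pixie's real columns.
TRACES = [
    {"src": "frontend", "dst": "cart", "method": "GET", "path": "/cart/123"},
    {"src": "frontend", "dst": "cart", "method": "POST", "path": "/cart/123/items"},
    {"src": "checkout", "dst": "cart", "method": "GET", "path": "/cart/456"},
    {"src": "checkout", "dst": "payment", "method": "POST", "path": "/charge"},
    {"src": "frontend", "dst": "cart", "method": "GET", "path": "/cart/789"},
]

def normalize_path(path):
    # Collapse purely numeric segments (resource IDs) to a single-segment
    # wildcard so one rule covers every instance of the same route.
    return "/".join("*" if seg.isdigit() else seg for seg in path.split("/"))

def build_baseline(traces):
    """Return {dst_service: {(src_service, method, path_pattern), ...}}."""
    baseline = defaultdict(set)
    for t in traces:
        baseline[t["dst"]].add((t["src"], t["method"], normalize_path(t["path"])))
    return baseline

def path_matches(pattern, path):
    # Segment-wise match; '*' matches exactly one path segment, like
    # glob.match with "/" as delimiter does on the OPA side.
    pp, xp = pattern.split("/"), path.split("/")
    return len(pp) == len(xp) and all(a == "*" or a == b for a, b in zip(pp, xp))

def is_allowed(baseline, dst, src, method, path):
    """Local check mirroring the generated policy: unseen traffic is denied."""
    return any(s == src and m == method and path_matches(p, path)
               for s, m, p in baseline.get(dst, ()))

def to_rego(dst, rules):
    """Render the baseline for one destination as an ext_authz Rego policy.
    Caller identity is taken from the mTLS principal Envoy passes to OPA."""
    lines = [f"package envoy.authz.{dst}", "", "import rego.v1", "",
             "default allow := false", ""]
    for src, method, path in sorted(rules):
        lines += ["allow if {",
                  f'    input.attributes.source.principal == "{src}"',
                  f'    input.attributes.request.http.method == "{method}"',
                  f'    glob.match("{path}", ["/"], input.attributes.request.http.path)',
                  "}", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    for svc, rules in build_baseline(TRACES).items():
        print(to_rego(svc, rules))
```

The generated policy is a starting point to review, not a finished one: a route that simply never fired during the capture window will be denied, so the baseline should be collected over a representative period and diffed against the service's intended contract before enforcement.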