Vinay Kulkarni
Principal MTS & Director @ eBay Cloud
Seattle, Washington, United States
Vinay tinkers with eBPF and Kubernetes networking in large clusters with planet-scale traffic at eBay Cloud. He has also been responsible for inflicting the 'In-Place Pod Resize' feature on Kubernetes.
Before eBay, he worked on advanced research projects in Kubernetes compute and networking at Huawei, networking features for systemd and PhotonOS at VMware, routing protocols at F5 Networks, and network devices (NDIS) at Microsoft. Vinay holds an M.S. degree from the University of Southern California.
Resilient Pod Networking via Fast-Failover Using Bidirectional Forwarding Detection With eBPF
eBPF offers versatile, high-performance networking for Kubernetes. However, achieving high availability at scale requires using multiple traffic paths via protocols like Equal-Cost Multi-Path Routing (ECMP), along with the ability to swiftly detect path failures and rapidly switch to redundant paths. Bidirectional Forwarding Detection (BFD) is a lightweight protocol designed for quick detection and signaling of path failures.
In this talk, Sudhi will present eBay’s custom pod networking solution, built with eBPF, that addresses eBay’s scalability challenges and availability requirements. Vinay will explain how ECMP and BFD protocols function, focusing on BFD's capability for sub-second path failure detection. He will discuss extensions to BFD that enable eBPF pod networking programs to quickly detect and switch to alternate paths, ensuring high availability. He will present an analysis of the solution's performance and scalability metrics, and conclude with a demo.
Securing Cross-Cluster Kubernetes APIserver Access with Short-Lived Tokens via Envoy
In Kubernetes, service accounts and associated RBAC policies provide a way to secure access to API services. However, they are cumbersome to configure, and don’t scale well for high-traffic, multi-cluster environments increasingly used in large organizations such as eBay.
In this session, Vinay will outline the use case for cross-cluster APIserver access and introduce a new IAM architecture for securing access to the Kubernetes API and services via short-lived tokens. He will walk through the design, illustrating how a bootstrap token (OAuth 2.0 Code Grant) is injected into the pod, how it is leveraged to obtain access tokens that are injected via a lightweight Envoy proxy filter, and how those tokens are validated to secure access to cross-cluster APIservers and services. Jonathan will go over performance metrics, discuss implementation aspects that make this design scale to high traffic loads with low latency, and conclude with a demo.
No 'Soup' for You! Enforcing Network Policies for Host Processes via eBPF
Current Kubernetes networking solutions provide basic security for pod network traffic using layers 3 and 4 CIDR-based or identity-based network policies. However, there is no mechanism to assign network identities to native processes running on hosts (e.g., kubelet) or processes in pods that use the host network. Securing host processes has traditionally been done using layer 7 auth, which comes with its overhead costs and scale challenges.
In this talk, Vinay presents an innovative, industry-first approach that leverages eBPF to efficiently identify, in the kernel at the network layer, traffic from native host processes and from pods using the host network. This takes network micro-segmentation to a new level. He will explain how host process identities are transmitted on a per-packet basis, and illustrate efficient network policy enforcement for such traffic. He will discuss how this approach offers significant scalability advantages, and conclude with a demo showcasing the proposed solution.
Network Quality of Service (QoS) for Kubernetes Pods via eBPF/XDP
The Mizar project is a research prototype open-source K8s pod networking solution developed with performant eBPF/XDP technology and architected for the fast provisioning and multi-tenant networking needs of cloud environments.
While K8s lets users specify a compute QoS class for CPU and memory, there is no such facility for pod networking. In this talk, Vinay and Phu will describe a use case where payment processing pods need priority access to the network. They will discuss how Mizar's XDP-first architecture helped build a unique solution that brings fine-grained network QoS to pod network traffic. They will show how to cleverly leverage XDP and Linux Traffic Control (tc) BPF hooks to offer a rich set of network QoS classifications, with Earliest Departure Time (EDT) algorithm-based traffic rate-limiting implemented in eBPF. Furthermore, they will show how to exploit QoS features in data center physical switches to bring true end-to-end network QoS to pods. They will conclude with a demo.
Resize Your Pods In-Place With Deterministic eBPF Triggers
The long-desired feature to vertically resize Kubernetes pods (CPU and memory) in-place without restarting them is landing soon. A common approach to "right-sizing" running pods is the Vertical Pod Autoscaler (VPA), which observes usage via the metrics API, makes recommendations, and reactively applies the recommended resources to the running pods.
An alternative approach is to resize pods based on deterministic events observed via eBPF. For example, we can capture events with eBPF to detect when a CPU-intensive process is going to be executed, and proactively resize the pod CPU accordingly.
In this session, Vinay will summarize the design of in-place resizing of K8s pods and Pablo will discuss the use case of remote development environments running inside pods. Such pods need minimal resources when a developer is writing code, but need significantly higher CPU & memory when the developer issues a “build” command or runs a battery of tests. We will show how eBPF can be leveraged to get ahead of the problem.
Sustainable Scaling of Kubernetes Workloads with In-Place Pod Resize and Predictive AI
Accurately guessing the CPU and memory requirements of workloads is hard! So it is common for users to over-provision pods, which leads to under-utilized clusters and the need to scale up cluster size to accommodate workloads.
The recently added in-place pod resize feature brings the ability to right-size over-provisioned pods without restarting them. In this talk, Vinay will discuss how the cluster autoscaler currently handles pods pending due to insufficient resources, then introduce a change to the autoscaling workflow that right-sizes over-provisioned pods, and show how it can help schedule pending pods more quickly while lowering costs and carbon footprint.
Haoran will talk about the latest research that leverages machine learning and reinforcement learning techniques to achieve multi-dimensional autoscaling, and discuss how this cutting-edge work can help proactively scale workloads to achieve optimal cluster utilization while meeting application SLOs by more precisely provisioning the pods.
Performance Analysis of XDP-native, XDP-generic, and TC eBPF hooks
eBay consistently ranks as the second-most visited e-commerce website after Amazon, which means ingesting a lot of network traffic. Hence, network performance, latency, and overhead are very important scaling metrics alongside network security.
While designing a new feature in Cilium for better network-level security, we ran ingress throughput and latency experiments to determine how the different eBPF hooks (XDP-native vs. XDP-generic vs. TC) compare.
In this session, Vinay will illustrate the use case, talk about related hooks to which eBPF programs can be attached on the network traffic receive path, and discuss the experiments performed and the outcomes. He will show how to use the eBPF profiler and FlameGraph tools to capture and analyze overhead in the network traffic receive path. He will conclude the talk with recommendations based on the findings from this experiment.
KubeCon + CloudNativeCon Europe 2024 Sessionize Event
CNCF-hosted Co-located Events Europe 2024 Sessionize Event
KubeCon + CloudNativeCon North America 2023 Sessionize Event
eBPF Summit 2023 Sessionize Event