eBPF has been identified as a promising alternative data source for network metrics, in addition to our current work around netflows/IPFIX.

It could provide more metrics than what we get from netflow/IPFIX, including DNS related ones (success rate, etc.) and HTTP ones (errors, latency...). We can also expect a much reduced overhead compared to flow logs.

This R&D task is about doing more investigations around eBPF; A non exhaustive list:

• look for potential reuse of existing eBPF metrics collectors (e.g. Flowmill [1] or Pixie's Stirling [2] or Cilium)
• identify dependencies / pre-requisite (e.g. what is necessary to enable eBPF on nodes, running programs & exporting metrics)
• figure out if the chosen infrastructure for netflows / ipfix is also relevant for that source of data (e.g. is Loki relevant?)
• eventually initiate some PoC (or via new subtasks)

[1] https://github.com/Flowmill/flowmill-collector ; Contribution proposal to CNCF: https://github.com/open-telemetry/community/issues/733
[2] https://github.com/pixie-labs/pixie/tree/main/src/stirling

Other resources:

• "How To Add eBPF Observability To Your Product" https://brendangregg.com/blog/2021-07-03/how-to-add-bpf-observability.html