Prerequisites: kubernetes

eBPF is a feature of the Linux kernel that lets small, carefully checked programs run inside the kernel itself, triggered by events like a packet arriving. The programs are verified before they load, so they cannot crash the kernel or loop forever, which is what makes it safe to run custom logic in a place that used to be off limits. It is a general kernel technology, not a networking one, but networking is where it changed the most.

It matters here because it is how Cilium replaces kube-proxy. Instead of a userspace controller filling the kernel with iptables rules, one per Service, Cilium loads eBPF programs that intercept the Service lookup far lower down and rewrite the destination there, with no per-Service rule pile to grow. You can see Cilium’s eBPF view of Service routing on devata:

kubectl -n kube-system exec ds/cilium -- cilium-dbg service list | head

Each line maps a Service address to its backend pod addresses, the same mapping kube-proxy held in iptables chains, kept in eBPF maps instead. The decision happens down where the packets actually are, in the kernel, rather than in a separate process writing rules.
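
That mapping can be checked rather than just read. The script below is an added example, not Cilium's code or this note's own; it assumes the column layout of the constructed sample (extra backends of one Service continued on indented lines) and flags Services with no backend at all and backends outside an expected pod CIDR.

```python
import ipaddress
import re

# Constructed sample of `cilium-dbg service list` output, not captured from a real
# cluster; assumed layout: a Service with several backends continues them indented.
SAMPLE = """\
ID   Frontend              Service Type   Backend
1    10.96.0.1:443/TCP     ClusterIP      1 => 172.18.0.2:6443/TCP (active)
2    10.96.0.10:53/UDP     ClusterIP      1 => 10.244.1.5:53/UDP (active)
                                          2 => 10.244.1.6:53/UDP (active)
3    10.96.44.7:8080/TCP   ClusterIP
"""
ROW = re.compile(r"^(?P<id>\d+)\s+(?P<frontend>\S+)\s+(?P<type>\S+)\s*(?P<backend>.*)$")
CONT = re.compile(r"^\s+(?P<backend>\d+\s*=>.*)$")
BACKEND = re.compile(r"\d+\s*=>\s*(?P<addr>\S+)")


def parse_service_list(text: str) -> dict[str, list[str]]:
    """Map each Service frontend (addr:port/proto) to its backend addresses."""
    services: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines()[1:]:  # first line is the header row
        m = ROW.match(line)
        if m:  # a new Service entry; its first backend is on the same line
            current = m.group("frontend")
            services[current] = []
            raw = m.group("backend")
        else:  # indented continuation line carrying another backend of `current`
            c = CONT.match(line)
            if not c or current is None:
                continue
            raw = c.group("backend")
        b = BACKEND.match(raw)
        if b:
            services[current].append(b.group("addr"))
    return services


def services_without_backends(services: dict[str, list[str]]) -> list[str]:
    """Frontends whose eBPF entry has no backend: traffic to them goes nowhere."""
    return sorted(f for f, b in services.items() if not b)


def backends_outside(services: dict[str, list[str]], pod_cidr: str) -> list[tuple[str, str]]:
    """(frontend, backend) pairs whose backend IP lies outside the expected pod CIDR."""
    net = ipaddress.ip_network(pod_cidr)
    found = []
    for f, backends in services.items():
        for b in backends:
            ip = b.rsplit(":", 1)[0].strip("[]")  # drop ":port/proto" and IPv6 brackets
            if ipaddress.ip_address(ip) not in net:
                found.append((f, b))
    return found
```

The kube-apiserver Service (10.96.0.1:443 in the sample) legitimately points at a node IP, so backends_outside produces a review list, not an alarm.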

Reference: ebpf.io, Cilium eBPF datapath.