eBPF is a technology that enables running sandboxed programs in privileged contexts, such as the Linux kernel, without changing kernel source code or loading kernel modules. The sandbox is enforced by an in-kernel verifier that checks every program (bounded loops, in-bounds memory access, valid helper calls) before it is allowed to run.

This matters for observability and security: eBPF programs can inspect network packets and observe syscalls and other kernel activity, so much of the monitoring that would otherwise require instrumenting every application can be done from the kernel instead. Observability without instrumenting applications directly is discussed further in the great talk Observability for 99% Developers.

eBPF programs are event-driven: each one is attached to a specific hook point and runs whenever that event fires, for example a syscall entry, a kernel function entry/exit (kprobes), a tracepoint, or a network event (XDP on the receive path, tc on the traffic-control layer).
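As an added example (not code from the original page or from any of the referenced talks), here is a minimal XDP program that hooks the network receive path and drops IPv4 packets from one blocklisted source address. The header structs are written out by hand so the file needs no kernel headers on the host, the blocklisted address 192.0.2.1 is a constructed value, and the host-only helpers at the bottom build a constructed frame so the verdict logic can be run and checked without loading anything into a kernel.

```c
/* Added example, not from the original page: XDP hook that drops IPv4
 * packets from one blocklisted source. Assumptions: hand-written header
 * layouts (they mirror the UAPI struct ethhdr / struct iphdr), and a
 * constructed blocklist entry of 192.0.2.1 (RFC 5737 documentation range). */
#include <stddef.h>
#include <stdint.h>

#ifdef __bpf__
#include <linux/bpf.h>                      /* struct xdp_md, enum xdp_action */
#else
enum xdp_action { XDP_DROP = 1, XDP_PASS = 2 };   /* the kernel's values */
#endif

#define ETH_P_IP 0x0800

/* Byte-order helpers: header fields are big-endian on the wire, and the
 * BPF target's endianness matches the host it is compiled on. */
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define BE16(x) ((uint16_t)(((x) >> 8) | ((x) << 8)))
#define IPV4_BE(a, b, c, d) \
    ((uint32_t)(d) << 24 | (uint32_t)(c) << 16 | (uint32_t)(b) << 8 | (uint32_t)(a))
#else
#define BE16(x) ((uint16_t)(x))
#define IPV4_BE(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
#endif

#define BLOCKED_SRC IPV4_BE(192, 0, 2, 1)   /* constructed blocklist entry */

struct eth_hdr {
    uint8_t  h_dest[6];
    uint8_t  h_source[6];
    uint16_t h_proto;                       /* network byte order */
} __attribute__((packed));

struct ipv4_hdr {
    uint8_t  ihl_version;                   /* version nibble | IHL nibble */
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;                         /* network byte order */
    uint32_t daddr;
} __attribute__((packed));

/* Decide the verdict for one frame. Every dereference is preceded by a
 * comparison against data_end: the in-kernel verifier rejects the program
 * otherwise, which is what keeps a buggy hook from reading past the packet.
 * Kept separate from the XDP entry point so it can run on the host too. */
static inline __attribute__((always_inline))
int xdp_verdict(void *data, void *data_end)
{
    struct eth_hdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;                    /* runt frame: leave it to the stack */
    if (eth->h_proto != BE16(ETH_P_IP))
        return XDP_PASS;                    /* ARP, IPv6, ...: not inspected */

    struct ipv4_hdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return XDP_PASS;                    /* IP header cut short */

    return ip->saddr == BLOCKED_SRC ? XDP_DROP : XDP_PASS;
}

#ifdef __bpf__
/* Entry point the kernel calls for every frame received on the interface
 * this program is attached to; xdp_md carries the bounds as 32-bit values. */
__attribute__((section("xdp"), used))
int xdp_drop_blocklisted(struct xdp_md *ctx)
{
    return xdp_verdict((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}
char _license[] __attribute__((section("license"), used)) = "GPL";
#else
#include <stdio.h>
#include <string.h>

/* Host-only: build a constructed Ethernet + IPv4 frame with the given source. */
static size_t build_frame(uint8_t *buf, uint32_t saddr_be)
{
    struct eth_hdr eth = { .h_proto = BE16(ETH_P_IP) };
    struct ipv4_hdr ip = { .ihl_version = 0x45, .ttl = 64, .protocol = 6,
                           .saddr = saddr_be, .daddr = IPV4_BE(192, 0, 2, 2) };
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    return sizeof eth + sizeof ip;          /* 34 bytes */
}

/* Verdict for a complete constructed frame from saddr_be (network byte order). */
int verdict_for_source(uint32_t saddr_be)
{
    uint8_t frame[64];
    size_t len = build_frame(frame, saddr_be);
    return xdp_verdict(frame, frame + len);
}

/* Verdict for a blocklisted-source frame truncated to len bytes: the bounds
 * checks must pass anything too short to parse rather than read past it. */
int verdict_for_truncated(size_t len)
{
    uint8_t frame[64];
    size_t full = build_frame(frame, BLOCKED_SRC);
    return xdp_verdict(frame, frame + (len < full ? len : full));
}

int main(void)
{
    printf("192.0.2.1   -> %s\n", verdict_for_source(BLOCKED_SRC) == XDP_DROP ? "DROP" : "PASS");
    printf("203.0.113.9 -> %s\n", verdict_for_source(IPV4_BE(203, 0, 113, 9)) == XDP_DROP ? "DROP" : "PASS");
    return 0;
}
#endif
```

For the kernel side, the same file is compiled with `clang -O2 -g -target bpf -c` and attached to an interface with `ip link set dev <ifname> xdp obj <object>.o sec xdp`; the interface name is whatever you choose. The three `data_end` comparisons are not optional: drop one and the verifier refuses to load the program, which is the sandboxing from the first paragraph showing up in practice.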

References

https://ebpf.io/what-is-ebpf/
https://www.youtube.com/watch?v=J_EehoXLbIU
https://www.youtube.com/watch?v=jM3vL2LLm5o