Configs · April 15, 2026 · 1 min read

Pixie — eBPF-Based Auto-Instrumentation for Kubernetes Observability

CNCF observability platform that uses eBPF to capture metrics, traces, and logs from every pod with zero code changes.

Introduction

Pixie is a CNCF sandbox project that instruments Kubernetes workloads using eBPF probes attached at the kernel boundary. There are no agents to import, no SDKs to adopt, and no sampling — Pixie captures full-fidelity HTTP, gRPC, MySQL, Postgres, Redis, DNS, and TLS traffic, plus CPU profiles, automatically from every pod on every node.

What Pixie Does

  • Runs an eBPF-based collector (PEM) on every Kubernetes node
  • Captures HTTP/2, gRPC, MySQL, Postgres, Cassandra, Redis, DNS, Kafka traffic
  • Records CPU stack samples, TCP stats, and Kubernetes events
  • Stores data in-cluster in an embedded time-series DB; nothing leaves the cluster by default
  • Exposes a PxL scripting language + live dashboards for exploration

Architecture Overview

Pixie deploys a Vizier control plane plus a DaemonSet of PEMs (Pixie Edge Modules). PEMs load eBPF programs that attach to kprobes/uprobes and syscall tracepoints, enrich events with Kubernetes metadata, and store them in a compressed in-memory ring buffer sharded by node. Queries (written in PxL) are pushed down to the PEMs and aggregated by the Vizier. Data is ephemeral by default, addressing the "observability egress tax" and data-locality concerns.

Self-Hosting & Configuration

  • Deploy via px deploy or Helm; requires kernel 4.14+ with BTF
  • pixie-chart runs Vizier + PEMs; pixie-cloud (optional) runs the UI locally
  • PxL scripts live in px/*.pxl — versioned, shareable, and LSP-friendly
  • Export to Prometheus, OpenTelemetry, or long-term storage via otel-plugin
  • Requires privileged eBPF permissions (CAP_BPF, CAP_PERFMON)
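
A node pre-flight for the kernel requirements listed above, as an added example that is not part of Pixie or its documentation. The function names are hypothetical; /sys/kernel/btf/vmlinux is where a BTF-enabled kernel exposes its type data, and 5.8 is the kernel release that introduced CAP_BPF and CAP_PERFMON.

```shell
#!/bin/sh
# Added example (not Pixie code): check a node against the kernel 4.14+ / BTF
# requirement and report whether CAP_BPF / CAP_PERFMON exist on that kernel.

# kver_ge RELEASE MAJOR MINOR
# Exit 0 if RELEASE (e.g. "5.15.0-91-generic") is >= MAJOR.MINOR,
# 1 if it is older, 2 if RELEASE cannot be parsed.
kver_ge() {
    _v=${1%%[!0-9.]*}                 # drop distro suffix such as "-91-generic"
    case "$_v" in *.*) ;; *) return 2 ;; esac
    _maj=${_v%%.*}
    _rest=${_v#*.}
    _min=${_rest%%.*}
    case "$_maj" in ''|*[!0-9]*) return 2 ;; esac
    case "$_min" in ''|*[!0-9]*) return 2 ;; esac
    [ "$_maj" -gt "$2" ] || { [ "$_maj" -eq "$2" ] && [ "$_min" -ge "$3" ]; }
}

# pixie_preflight RELEASE [BTF_PATH]
# Prints one finding per line. Exit 0 only if the kernel is 4.14+ and BTF is readable.
pixie_preflight() {
    _rel=$1
    _btf=${2:-/sys/kernel/btf/vmlinux}
    _rc=0
    if kver_ge "$_rel" 4 14; then
        echo "ok: kernel $_rel is 4.14 or newer"
    else
        echo "fail: kernel $_rel is older than 4.14 or unparseable"; _rc=1
    fi
    if [ -r "$_btf" ]; then
        echo "ok: BTF readable at $_btf"
    else
        echo "fail: no readable BTF at $_btf"; _rc=1
    fi
    # CAP_BPF and CAP_PERFMON were split out of CAP_SYS_ADMIN in Linux 5.8.
    if kver_ge "$_rel" 5 8; then
        echo "ok: kernel supports CAP_BPF and CAP_PERFMON"
    else
        echo "warn: kernel predates CAP_BPF/CAP_PERFMON; it gates eBPF on CAP_SYS_ADMIN"
    fi
    return $_rc
}

# Check the host this script runs on.
pixie_preflight "$(uname -r)" || :
```

A "warn" line on a 4.14 to 5.7 kernel means the narrower capabilities cannot be granted there, so review what the collector pods are actually given before admitting them.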

Key Features

  • Zero-instrumentation — no code changes, no SDK bumps
  • Full-fidelity capture — not sampled
  • Data stays in-cluster by default (privacy friendly)
  • PxL scripting for ad-hoc analyses (like SQL for observability)
  • CNCF sandbox; originally by Pixie Labs, now New Relic open source

Comparison with Similar Tools

  • Cilium Tetragon / Hubble — eBPF network/security visibility; not focused on APM
  • Parca — eBPF CPU profiling only; Pixie does profiling + protocol parsing
  • Datadog / New Relic — hosted APM with agents; Pixie can feed them via OTel
  • OpenTelemetry Collector — needs instrumented apps; Pixie captures without them
  • Elastic APM — agent-based, multi-language, polished UI; heavier footprint

FAQ

Q: Does Pixie replace Prometheus? A: No. It complements it — Pixie excels at deep, full-trace protocol data, Prometheus at cheap time series.

Q: What kernel version do I need? A: Linux 4.14+ with BTF is recommended. Most modern distros (Ubuntu 20.04+) are supported.

Q: Is my data sent to a SaaS? A: No. Data stays in-cluster; the hosted UI (optional) proxies queries over a tunnel without storing data.

Q: Does it work with mTLS? A: Yes, via uprobes on OpenSSL / Go's crypto/tls, which capture payloads in plaintext before they hit the wire. Treat access to Pixie queries as access to that plaintext.
