Open Source at Sysdig

Open Source at Sysdig

Earlier this year I found myself taking a much needed break from employment.

I began taking a meticulous approach at looking for a new gig. I was astonished and overwhelmed at the interest I had from amazing organizations in the Cloud Native ecosystem. I met with large tech companies, startups, and entrepreneurs yet to start their journey. I noticed everyone was very excited about Kubernetes. Every meeting shared the common theme. It seemed like the entire industry was obsessed with solving their unique problems with our new distributed kernel: Kubernetes.


There was only one problem:  Kubernetes is effectively “complete”


Don’t get me wrong, there is still a lot of work to do and Kubernetes will always have room for improvement.

My point here is that the core functionality of Kubernetes has not only been completed, but iterated on several times over. The scope of the project is relatively finite, and we have reached a point of maturity where we have functional components to satisfy this scope. The API is several versions deep, and the goal of the project was to provide a platform for the ecosystem to build on. We have achieved that. With that being said, taking another “Kubernetes Centric” role didn’t seem very attractive to me. I love Kubernetes and have been working with the core upstream community for a long time, but I think it’s time to pivot slightly.


I am an innovator.

One could argue the majority of innovation within Kubernetes has long since been crafted, whereas innovation with Kubernetes is just beginning.


Regardless, I am convinced Kubernetes is here to stay.

As the new Cloud Native “kernel” for distributed systems management, Kubernetes surely won’t be disappearing from my career any time soon. Nor will the CNCF. As a Kubernetes expert naturally I began my investigation into discovering technology that solved real problems in unique and powerful ways. I really wanted to find technology that I believed in, that I still hadn’t mastered, and that would get me excited. I wanted to go deeper into the little black boxes that still seemed like magic to me. I wanted more. I found myself speaking with many companies and looked at a lot of open source tools: service meshes, networking tools, deployment tools, etc.



There was one company that stood out…

I see the potential in gaining visibility into our systems at the kernel level, while operating a containerized system on top.



Furthermore there are a lot of other reasons I made the choice I did. To be be completely honest I simply fell in love with the way everyone worked. They were a low level shop of hackers and genuine people. Everyone I met was empowered and knew precisely what they were talking about. It was a refreshing interviewing experience. Good friends from open source like the infamous POP truly helped make me feel welcomed and respected. During my interview we white boarded the Linux kernel not to pass a frivolous test, but because we genuinely needed the diagram for our discussion on eBPF. I immediately knew that this job was going to push me forward technically. I loved it.

As the saga goes, the company offered me a position to take on ownership of our open source tools and I was thrilled. I am quite excited for our team, and an opportunity to do what I love doing: inspiring engineers and solving concrete problems with them!





So let’s talk Falco.


As part of my new role at Sysdig I will be managing our OSS team, while simultaneously working on our tools with them. I am way too excited about new friends in Kubernetes SIG-security. Growing Falco and driving adoption will be a primary goal for me at Sysdig. We want to flesh Falco out as the defacto way of pulling metrics from the kernel for runtime security and intrusion detection.

Once upon a time a simple network packet had every bit of information you needed for total forensics analysis. Today with Kubernetes abstractions sharing network, disk, and memory across containerized process the network is no longer a viable avenue for learning about our complete systems behavior. This is where Falco and eBPF come into the picture.

Falco uses two critical components into gaining visibility of our systems. The first is a comprehensive list of syscall information that we access via eBPF. The second is our context from Kubernetes. By joining these two otherwise completely separated bits of data together, we now have everything we need to secure a Kubernetes cluster.

Falco allows users to dynamically build rules against this rich data set, and can take action if and when a rule is broken. This noninvasive and elegant approach to security is built on battle tested concepts, applied in exciting new ways. To be honest, I can’t wait to start hacking on the kernel with the rest of the folks on the team. I am excited to go deeper into kernel security with eBPF and Falco.





So lets get started!

Today I am pleased to announce full time employment with Sysdig!


I will be spending some time getting to know our current state of affairs and exploring our other open source tools moving forward. Stay tuned for updates as we start to dial up our presence in the open source ecosystem with tools like Falco.


Please reach out if you are interested in collaborating or would like to find out more about our new projects. My email is and I would love to hear from you.










  1. Cody
    August 21, 2019 08:39:am Reply


  2. Andre Almar
    August 21, 2019 09:07:am Reply

    Good luck on your new adventure Kris!!