In 2017, at a packed KubeCon keynote in Austin, a British engineer stepped on stage and, in under forty minutes, live-coded a container runtime from scratch. Using fewer than a hundred lines of Go, Liz Rice peeled away the mystique around containers — showing that they were not magical black boxes but straightforward applications of Linux kernel primitives: namespaces, cgroups, and chroot. The audience, many of whom had been deploying containers in production for years without fully understanding what happened beneath the API calls, watched as the abstraction dissolved into comprehensible system calls. It was a masterclass in demystification, and it cemented Rice’s reputation as one of the most effective communicators in the cloud-native ecosystem. Over the following years, she would become the chair of the CNCF Technical Oversight Committee, the Chief Open Source Officer at Isovalent, and perhaps the most influential advocate for eBPF — a technology that is quietly rewriting the rules of how we observe, secure, and network modern infrastructure.
Early Life and Education
Liz Rice grew up in the United Kingdom and studied mathematics at the University of Oxford, graduating with a degree from one of the most rigorous mathematical programs in the world. The mathematical training gave her a foundation in formal reasoning and abstraction that would later prove invaluable when working with kernel-level systems where precision is not optional — a misconfigured security policy or a malformed BPF program can crash an entire node or silently expose sensitive data.
After university, Rice did not follow a straight line into infrastructure engineering. She spent the early part of her career in the software industry working across various roles, including periods at companies building mobile and communications technology. This breadth of experience gave her perspective that pure systems engineers sometimes lack: an understanding that infrastructure exists to serve applications, and that the value of any platform technology is ultimately measured by whether it makes application developers more productive and their deployments more reliable.
Aqua Security and the Container Security Frontier
Joining the Container Security Movement
Rice’s trajectory converged with the container revolution when she joined Aqua Security, one of the earliest companies dedicated specifically to securing containerized environments. By the mid-2010s, Docker had transformed how developers packaged and shipped software, and Kubernetes was rapidly becoming the orchestration standard. But the security implications of this shift were profound and under-examined. Containers introduced new attack surfaces — shared kernels, ephemeral workloads that vanished before forensic analysis could begin, container images pulled from public registries with no guarantee of integrity, and orchestration APIs that could be exploited to schedule malicious workloads across an entire cluster.
At Aqua Security, Rice worked as VP of Open Source Engineering, focusing on the tooling and frameworks that the community needed to reason about container security. She became deeply involved in the Cloud Native Computing Foundation ecosystem, contributing to projects and standards that defined how organizations should approach the security of cloud-native workloads. Her approach was characteristically practical: rather than publishing abstract threat models, she built tools, wrote code, and gave talks that showed engineers exactly what the risks were and how to mitigate them.
The Famous Container Runtime Talk
Rice’s most celebrated technical demonstration was her live-coded container runtime, originally presented at various conferences and later developed into a widely referenced educational resource. The core insight was elegant: a Linux container is fundamentally a process with restricted namespaces, limited resources via cgroups, and a modified filesystem root. Rice demonstrated this by writing a minimal container runtime in Go that created these isolation boundaries step by step:
package main
import (
"fmt"
"os"
"os/exec"
"syscall"
)
// Minimal container runtime demonstrating Linux namespace isolation
// Inspired by Liz Rice's "Containers from Scratch" presentation
func main() {
switch os.Args[1] {
case "run":
run()
case "child":
child()
default:
fmt.Println("Usage: go run main.go run ")
}
}
func run() {
fmt.Printf("Running %v as PID %d\n", os.Args[2:], os.Getpid())
cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...)
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
// Create new namespaces for the child process:
// UTS - separate hostname
// PID - separate process ID space
// MNT - separate mount points
cmd.SysProcAttr = &syscall.SysProcAttr{
Cloneflags: syscall.CLONE_NEWUTS |
syscall.CLONE_NEWPID |
syscall.CLONE_NEWNS,
Unshareflags: syscall.CLONE_NEWNS,
}
must(cmd.Run())
}
func child() {
fmt.Printf("Running %v as PID %d\n", os.Args[2:], os.Getpid())
// Set hostname inside the new UTS namespace
must(syscall.Sethostname([]byte("container")))
// Change root filesystem to an unpacked image
must(syscall.Chroot("/home/rootfs"))
must(os.Chdir("/"))
// Mount proc so tools like ps work correctly
must(syscall.Mount("proc", "proc", "proc", 0, ""))
cmd := exec.Command(os.Args[2], os.Args[3:]...)
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
must(cmd.Run())
must(syscall.Unmount("proc", 0))
}
func must(err error) {
if err != nil {
fmt.Println("Error:", err)
os.Exit(1)
}
} By walking through this code line by line, Rice showed that CLONE_NEWUTS gives the container its own hostname, CLONE_NEWPID creates an isolated process tree where the container’s init process sees itself as PID 1, and CLONE_NEWNS provides a separate mount namespace so the container’s filesystem changes do not affect the host. The syscall.Chroot call restricts the container’s view of the filesystem to a pre-prepared root directory — exactly the mechanism that production container runtimes use, wrapped in additional layers of security and convenience.
This demonstration became one of the most referenced educational materials in the container community. It was the antidote to the cargo-cult approach to containers, where engineers used Docker and Kubernetes commands without understanding the underlying mechanisms. Rice’s philosophy was that security requires understanding — you cannot secure what you do not comprehend. Every container security engineer who followed in her footsteps benefited from this foundational clarity.
CNCF Technical Oversight Committee Chair
Rice’s contributions to the cloud-native ecosystem extended far beyond individual talks and tools. She served as chair of the Cloud Native Computing Foundation’s Technical Oversight Committee (TOC), the body responsible for evaluating and governing the CNCF’s portfolio of open-source projects. The CNCF is home to some of the most critical infrastructure software in the world — Kubernetes, Prometheus, Envoy, containerd, and dozens of other projects that collectively form the backbone of modern cloud-native computing.
As TOC chair, Rice was responsible for evaluating project maturity, resolving governance disputes, and ensuring that the CNCF’s growing portfolio maintained coherence and quality. This was a governance challenge as much as a technical one. The CNCF had grown rapidly, and with growth came the inevitable tensions: competing projects with overlapping scope, maintainer burnout, corporate influence on ostensibly neutral projects, and the challenge of maintaining security and quality standards across dozens of independent codebases. Rice’s mathematical background and her experience navigating the complex social dynamics of open-source communities made her effective in a role that required both technical depth and diplomatic skill.
Under her leadership, the TOC refined its processes for project evaluation and graduation. The CNCF’s three-tier model — sandbox, incubating, and graduated — required clear criteria for advancement, and Rice helped ensure that security practices, community health, and production readiness were weighted appropriately. Her tenure coincided with a period of significant growth for the CNCF, as organizations like Kelsey Hightower and other advocates brought Kubernetes and cloud-native practices into mainstream enterprise adoption. For project management teams navigating the complexity of cloud-native tooling, platforms like Taskee help coordinate the multi-team workflows that modern infrastructure projects demand.
Isovalent and the eBPF Revolution
What Is eBPF and Why It Matters
Rice joined Isovalent as Chief Open Source Officer, placing herself at the epicenter of what many consider the most important shift in Linux kernel technology since containers themselves. eBPF — extended Berkeley Packet Filter — is a technology that allows programs to run inside the Linux kernel without modifying kernel source code or loading kernel modules. Originally designed for network packet filtering, eBPF has evolved into a general-purpose in-kernel virtual machine that can observe and modify kernel behavior at runtime with near-zero overhead.
The implications are enormous. Before eBPF, gaining deep visibility into kernel-level events — network packets, system calls, file operations, process scheduling — required either modifying the kernel, loading potentially dangerous kernel modules, or using heavyweight tracing frameworks that imposed significant performance penalties. eBPF changed this calculus entirely. A developer can write a small program, compile it to eBPF bytecode, have the kernel’s built-in verifier check it for safety, and then attach it to virtually any kernel event. The verified program runs in a sandboxed environment with guaranteed termination — it cannot crash the kernel, enter infinite loops, or access arbitrary memory.
Rice became one of the most visible and articulate advocates for eBPF, explaining its significance through talks, blog posts, and her book “Learning eBPF” published by O’Reilly Media. Her ability to explain complex kernel-level concepts in accessible terms — the same skill that made her container runtime talk legendary — proved equally effective for eBPF evangelism. She drew clear lines between the abstract capability (running programs in the kernel) and concrete use cases: network observability without sidecar proxies, security enforcement at the kernel level rather than in userspace, and performance monitoring with negligible overhead.
Cilium and the New Networking Stack
Isovalent is the company behind Cilium, the eBPF-based networking, observability, and security platform for Kubernetes. Cilium replaces the traditional iptables-based networking stack in Kubernetes with eBPF programs that process packets directly in the kernel. The performance benefits are substantial: iptables rules are evaluated linearly, meaning that performance degrades as the number of services and network policies grows. eBPF programs, by contrast, use efficient hash maps and can make routing decisions in constant time regardless of the number of rules.
But the significance of Cilium goes beyond performance. Traditional Kubernetes network policies operate at Layer 3 and Layer 4 — IP addresses and ports. Cilium, powered by eBPF, can enforce policies at Layer 7, understanding HTTP, gRPC, Kafka, and other application-layer protocols. This means a network policy can specify not just which pods can communicate, but which API endpoints they can access — a fundamentally more precise security model that aligns with zero-trust networking principles.
As Chief Open Source Officer, Rice was responsible for ensuring that Isovalent’s commercial interests aligned with the health of the Cilium open-source community. This is one of the perennial tensions in open-source business: the company needs to monetize the technology to sustain development, but the community needs confidence that the open-source project will not be artificially limited to drive commercial sales. Rice’s credibility in the CNCF community and her track record of genuine open-source advocacy made her uniquely qualified for this balancing act. Cilium became a CNCF graduated project — the highest level of maturity — during her tenure, a testament to both the technology’s readiness and the community’s trust in its governance.
eBPF for Security: Runtime Enforcement
One of Rice’s central arguments is that eBPF represents a paradigm shift in how we approach security in cloud-native environments. Traditional security tools operate in userspace, intercepting events after they have already passed through the kernel. This creates an inherent lag — by the time a userspace security agent detects a malicious system call, the kernel has already processed it. eBPF-based security tools like Tetragon (another Isovalent project) can intercept events at the kernel level, making enforcement decisions before they take effect. Here is a simplified example of a Tetragon policy that monitors and restricts process execution inside Kubernetes pods:
# Tetragon TracingPolicy: monitor and restrict process execution
# Demonstrates eBPF-based runtime security enforcement
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: restrict-exec-in-pods
spec:
kprobes:
- call: "security_bprm_check"
syscall: false
args:
- index: 0
type: "linux_binprm"
selectors:
- matchNamespaces:
- namespace: Pid
operator: NotIn
values:
- "host_ns" # Only apply inside containers
matchBinaries:
- operator: "In"
values:
- "/bin/sh"
- "/bin/bash"
- "/usr/bin/curl"
- "/usr/bin/wget"
matchActions:
- action: Sigkill # Terminate the process immediately
rateLimit: "1m"
- action: Post # Also send an event for audit logging
rateLimit: "1m"This policy attaches an eBPF program to the security_bprm_check kernel function, which is called every time a new program is executed. When the kernel detects that a shell (/bin/sh, /bin/bash) or a network tool (curl, wget) is being executed inside a container namespace, it immediately kills the process via SIGKILL and logs the event. The enforcement happens at the kernel level, before the process has a chance to execute any instructions — a fundamentally stronger security guarantee than userspace detection. This approach reflects the same defense-in-depth philosophy that has defined Rice’s career, from her early container security work to her advocacy for eBPF-based enforcement in production Kubernetes clusters.
Writing and Education
Rice is the author of several books that have become essential reading in the cloud-native security space. Her book “Container Security,” published by O’Reilly Media, provides a comprehensive guide to the security mechanisms underlying containers — from Linux capabilities and seccomp profiles to image scanning, runtime protection, and network security. The book reflects her characteristic approach: start with the fundamentals, build understanding layer by layer, and always connect abstract concepts to practical implications.
Her second major book, “Learning eBPF,” also from O’Reilly, serves as the definitive introduction to eBPF programming. The book takes readers from basic concepts — what the eBPF virtual machine is, how programs are loaded and verified — through practical applications in networking, security, and observability. Rice’s ability to make kernel-level programming accessible to application developers is perhaps her greatest educational contribution. eBPF had existed for years before it gained mainstream attention, and Rice’s writing and speaking were significant factors in its adoption beyond the small community of kernel developers who had used it initially.
Beyond books, Rice has been a prolific speaker at conferences including KubeCon, DockerCon, FOSDEM, QCon, and dozens of other events. Her talks consistently receive top ratings not because they cover simple topics — they often involve live kernel tracing, BPF bytecode, or deep dives into Linux security mechanisms — but because she has a gift for structuring complex information so that it builds naturally from familiar concepts to unfamiliar ones. This pedagogical skill has made her one of the most sought-after speakers in the infrastructure community, following in the tradition of educators like Kelsey Hightower who believe that the best way to advance technology is to make it understandable.
Philosophy and Approach to Technology
Several consistent themes run through Rice’s career and public work. The first is the conviction that understanding systems at their deepest level is not optional — it is a prerequisite for securing them. When she built a container from scratch in Go, she was not showing off; she was arguing that every engineer deploying containers should understand what a namespace is, what a cgroup does, and what happens when you call chroot. When she advocates for eBPF, she is making the same argument at a different layer: you cannot secure your network if you do not understand how packets flow through the kernel, and you cannot monitor your system effectively if your observability tools are blind to kernel-level events.
The second theme is practicality. Rice is not a theoretician who publishes papers about idealized security models. She writes code, builds tools, and gives demonstrations that engineers can immediately apply in their own environments. Her books are filled with runnable examples, her talks feature live coding, and her open-source contributions are tools that solve real problems. This practical orientation has made her work accessible to a far wider audience than typical kernel security research, which often remains locked in academic papers and specialized mailing lists.
The third theme is community. Through her CNCF governance work, her conference organizing, and her mentoring, Rice has consistently invested in building the human infrastructure that sustains open-source projects. She understands that the container and eBPF ecosystems are not just collections of code — they are communities of people who need governance structures, educational resources, and opportunities to collaborate. Her leadership in the CNCF TOC demonstrated that technical governance requires not just deep knowledge but the ability to listen, mediate, and build consensus among people with competing interests and strong opinions. This philosophy parallels the approach of other DevOps thought leaders who recognize that technology transformation is fundamentally a human challenge.
Legacy and Continuing Impact
Liz Rice occupies a unique position in the cloud-native landscape. She is simultaneously a deep technical expert — someone who can explain the difference between kprobe and tracepoint eBPF attachment points or the security implications of CAP_SYS_ADMIN — and an effective communicator who can make these concepts accessible to developers who have never looked at kernel source code. This combination of depth and accessibility is rare, and it has made her one of the most influential figures in container security and eBPF adoption.
Her impact can be measured along several axes. As an educator, her container runtime talk has been viewed hundreds of thousands of times and has become a canonical reference for understanding how containers work at the Linux kernel level. As an author, her books on container security and eBPF are used in university courses, corporate training programs, and self-directed learning paths around the world. As a CNCF leader, she helped govern the ecosystem of projects that forms the foundation of modern cloud infrastructure. And as Isovalent’s Chief Open Source Officer, she played a central role in bringing eBPF from a specialized kernel feature to a mainstream technology that is reshaping networking, security, and observability for Kubernetes environments worldwide.
The thread connecting all of these roles is a belief that infrastructure should be understandable, that security should be built into the platform rather than bolted on after the fact, and that the best way to improve technology is to help people understand it deeply. In a field that often rewards complexity and gatekeeping, Rice has consistently chosen clarity and openness — and the cloud-native ecosystem is stronger for it.
Frequently Asked Questions
Who is Liz Rice?
Liz Rice is a container security expert, eBPF advocate, author, and open-source leader. She serves as Chief Open Source Officer at Isovalent (the company behind the Cilium eBPF networking platform) and has chaired the CNCF Technical Oversight Committee. She is best known for her educational work demystifying containers and eBPF, and for her O’Reilly books “Container Security” and “Learning eBPF.”
What is Liz Rice’s “Containers from Scratch” talk about?
In this widely referenced presentation, Rice live-codes a minimal container runtime in Go, demonstrating that Linux containers are built from three kernel primitives: namespaces (for isolation), cgroups (for resource limits), and chroot (for filesystem restriction). The talk demystifies containers by showing that they are not virtual machines but ordinary processes with kernel-enforced boundaries.
What is eBPF and why does Liz Rice advocate for it?
eBPF (extended Berkeley Packet Filter) is a technology that allows sandboxed programs to run inside the Linux kernel without modifying kernel source code. Rice advocates for eBPF because it enables high-performance networking, observability, and security enforcement at the kernel level — capabilities that were previously impossible without custom kernel modules or heavyweight userspace tools.
What is Cilium and how does it relate to Liz Rice’s work?
Cilium is an eBPF-based networking, observability, and security platform for Kubernetes, built by Isovalent where Rice serves as Chief Open Source Officer. Cilium replaces traditional iptables-based Kubernetes networking with eBPF programs that can enforce network policies at Layer 7 (application protocol level) with significantly better performance and more granular security controls.
What books has Liz Rice written?
Rice has authored two major O’Reilly books: “Container Security” (a comprehensive guide to securing containerized workloads, covering Linux capabilities, seccomp, image scanning, and runtime protection) and “Learning eBPF” (the definitive introduction to eBPF programming for networking, security, and observability applications).
What was Liz Rice’s role in the CNCF?
Rice chaired the Cloud Native Computing Foundation’s Technical Oversight Committee (TOC), the governing body responsible for evaluating project maturity, resolving governance disputes, and maintaining quality standards across the CNCF’s portfolio of open-source projects including Kubernetes, Prometheus, Envoy, and Cilium.
How did Liz Rice contribute to container security?
Rice contributed to container security through multiple channels: her work at Aqua Security on open-source security tooling, her educational talks and books explaining container isolation mechanisms, her CNCF governance work ensuring security standards across cloud-native projects, and her advocacy for eBPF-based runtime security enforcement through Isovalent’s Tetragon project.
What is Tetragon and how does it use eBPF for security?
Tetragon is an eBPF-based security observability and runtime enforcement tool created by Isovalent. It attaches eBPF programs to kernel functions to monitor and control process execution, file access, and network activity in real time. Unlike traditional security tools that operate in userspace, Tetragon can enforce policies at the kernel level before potentially malicious actions take effect.
