Three Modes of Database-Kernel Integration via eBPF: Observability, Policy Injection, and Kernel-Resident State

eBPF is increasingly used around databases, but prior systems and papers often conflate goals and therefore blur the trade space: instrumentation versus control versus in-kernel state. This impedes principled comparisons and hides the kernel constraints that determine feasibility. We present a unified analysis organized into three modes of database–kernel integration via eBPF: observability (deriving DB-relevant signals from kernel and user-space hooks), policy injection (installing workload-specific cache and networking policies at kernel choke points), and kernel-resident state (providing safe transactional state semantics for eBPF programs beyond raw maps). For each mode, we characterized the hook placement, state model, and verifier/synchronization/portability constraints that shape feasibility, and then analyzed representative systems (programmable page-cache policies, XDP ingress offload, and ACID key-value with WAL export) against this framework. We show where microsecond overheads compound to core-scale costs when user-kernel crossings dominate tail latency and which integration mode fits the workload patterns. The outcome is a decision framework that guides when to measure, when to specialize the kernel policy, and when to introduce the kernel-resident state, enabling reproducible performance work without custom kernels.