SYSTEM Cited by 1 source
Netflix Metatron
Metatron is Netflix's workload identity service. It provisions workload identity certificates to each EC2 instance at boot time, providing a cryptographic root for every workload's identity that downstream systems can trust.
Role in eBPF flow-log attribution
For workloads running directly on EC2 (i.e. not on the Titus container platform), FlowExporter reads the Metatron certificate from local disk to determine the local workload identity at socket-capture time. This is how the EC2 path of the attribution pipeline bootstraps: no network RPC, no additional control-plane round-trip.
For containerised workloads, IPMan plays a complementary per-socket role.
Adjacent use
Metatron predates the flow-log attribution work; see the public Metatron talk referenced in the source post. This wiki page currently only canonicalises Metatron's role in local flow-log attribution; more detail can be added as other Netflix sources referencing Metatron are ingested.
Seen in
- sources/2025-04-08-netflix-how-netflix-accurately-attributes-ebpf-flow-logs: named as the per-EC2-instance identity provisioner; FlowExporter reads certs from local disk for in-kernel local attribution.