https://github.com/capsule8/capsule8/blob/master/docs/KProbes.md looks like the simple intro. It's based on kprobes. Additionally leverages cgroups so you can instrument differently at different processes.

As I recall it uses standard perf techniques instead of ebpf so broader kernel support but not as performant (more context switches etc).

Uses kprobes. My coworkers think it's performant.

yes, it uses kprobes and perf_event_open to get data from kernel ring buffer.