Discard short-lived connections to/from Pods in the host net

probe/kubernetes/pod.go

@@ -7,7 +7,8 @@ import (
 
 // These constants are keys used in node metadata
 const (
-	State = "kubernetes_state"
+	State           = "kubernetes_state"
+	IsInHostNetwork = "kubernetes_is_in_host_network"
 
 	StateDeleted = "deleted"
 )
@@ -57,11 +58,17 @@ func (p *pod) NodeName() string {
 }
 
 func (p *pod) GetNode(probeID string) report.Node {
-	return p.MetaNode(report.MakePodNodeID(p.UID())).WithLatests(map[string]string{
+	latests := map[string]string{
 		State: p.State(),
 		IP:    p.Status.PodIP,
 		report.ControlProbeID: probeID,
-	}).
+	}
+
+	if p.Pod.Spec.SecurityContext.HostNetwork {
+		latests[IsInHostNetwork] = "true"
+	}
+
+	return p.MetaNode(report.MakePodNodeID(p.UID())).WithLatests(latests).
 		WithParents(p.parents).
 		WithLatestActiveControls(GetLogs, DeletePod)
 }

render/pod.go

@@ -139,6 +139,13 @@ func MapContainer2Pod(n report.Node, _ report.Networks) report.Nodes {
 // MapPod2IP maps pod nodes to their IP address.  This allows pods to
 // be joined directly with the endpoint topology.
 func MapPod2IP(m report.Node) []string {
+	// if this pod belongs to the host's networking namespace
+	// we cannot use its IP to attribute connections
+	// (they could come from any other process on the host or DNAT-ed IPs)
+	if _, ok := m.Latest.Lookup(kubernetes.IsInHostNetwork); ok {
+		return nil
+	}
+
 	ip, ok := m.Latest.Lookup(kubernetes.IP)
 	if !ok {
 		return nil