Merge pull request #1944 from weaveworks/1929-discard-shortlived-conn…

…ections-to-pods-in-host-net Discard short-lived connections to/from Pods in the host net
weaveworks · Oct 25, 2016 · 2ab1715 · 2ab1715
2 parents 8b3c13c + 9881a6b
commit 2ab1715
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 4 deletions.
diff --git a/app/api_topologies_test.go b/app/api_topologies_test.go
@@ -83,6 +83,9 @@ func TestAPITopologyAddsKubernetes(t *testing.T) {
 				{ContainerID: "container2"},
 			},
 		},
+		Spec: api.PodSpec{
+			SecurityContext: &api.PodSecurityContext{},
+		},
 	}).GetNode("")
 	buf := &bytes.Buffer{}
 	encoder := codec.NewEncoder(buf, &codec.MsgpackHandle{})

diff --git a/probe/kubernetes/pod.go b/probe/kubernetes/pod.go
@@ -7,7 +7,8 @@ import (
 
 // These constants are keys used in node metadata
 const (
-	State = "kubernetes_state"
+	State           = "kubernetes_state"
+	IsInHostNetwork = "kubernetes_is_in_host_network"
 
 	StateDeleted = "deleted"
 )
@@ -57,11 +58,17 @@ func (p *pod) NodeName() string {
 }
 
 func (p *pod) GetNode(probeID string) report.Node {
-	return p.MetaNode(report.MakePodNodeID(p.UID())).WithLatests(map[string]string{
+	latests := map[string]string{
 		State: p.State(),
 		IP:    p.Status.PodIP,
 		report.ControlProbeID: probeID,
-	}).
+	}
+
+	if sc := p.Pod.Spec.SecurityContext; sc != nil && sc.HostNetwork {
+		latests[IsInHostNetwork] = "true"
+	}
+
+	return p.MetaNode(report.MakePodNodeID(p.UID())).WithLatests(latests).
 		WithParents(p.parents).
 		WithLatestActiveControls(GetLogs, DeletePod)
 }
diff --git a/probe/kubernetes/reporter_test.go b/probe/kubernetes/reporter_test.go
@@ -46,6 +46,9 @@ var (
 		},
 		Spec: api.PodSpec{
 			NodeName: nodeName,
+			SecurityContext: &api.PodSecurityContext{
+				HostNetwork: true,
+			},
 		},
 	}
 	apiPod2 = api.Pod{
@@ -65,7 +68,8 @@ var (
 			},
 		},
 		Spec: api.PodSpec{
-			NodeName: nodeName,
+			NodeName:        nodeName,
+			SecurityContext: &api.PodSecurityContext{},
 		},
 	}
 	apiService1 = api.Service{

diff --git a/render/pod.go b/render/pod.go
@@ -139,6 +139,13 @@ func MapContainer2Pod(n report.Node, _ report.Networks) report.Nodes {
 // MapPod2IP maps pod nodes to their IP address.  This allows pods to
 // be joined directly with the endpoint topology.
 func MapPod2IP(m report.Node) []string {
+	// if this pod belongs to the host's networking namespace
+	// we cannot use its IP to attribute connections
+	// (they could come from any other process on the host or DNAT-ed IPs)
+	if _, ok := m.Latest.Lookup(kubernetes.IsInHostNetwork); ok {
+		return nil
+	}
+
 	ip, ok := m.Latest.Lookup(kubernetes.IP)
 	if !ok {
 		return nil