Kubernetes Network Cost Enhancement

Summary

We've improved the accuracy of Kubernetes network cost attribution by excluding pods that run on the host network from per-pod network usage metrics. Previously, these pods were attributed the full node-level network traffic, inflating their reported network usage and costs. With this fix, only pods with their own isolated network namespace contribute to per-pod network cost - giving you a true picture of which workloads are actually driving network spend.

What changed

Per-pod network metrics now exclude hostNetwork: true pods.

The change applies to AWS and Azure.


Network usage in Umbrella is derived from cAdvisor's container_network_receive_bytes_total and container_network_transmit_bytes_total metrics, which track traffic at the network namespace level.

Pods configured with hostNetwork: true (such as kube-proxy, aws-node, node-problem-detector, CNI agents, and many third-party DaemonSets used for observability, networking, and security) share the host's network namespace. As a result, cAdvisor reports the entire node's traffic for each of these pods rather than their individual contribution.


The data processing layer now uses the kube_pod_info true label, already collected, to identify these pods and exclude them from per-pod network usage calculations.
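The exclusion described above, as an added Python example (not Umbrella's code). It assumes the label in question is host_network, which kube-state-metrics exposes on kube_pod_info; pod names and byte counts are constructed.

```python
import re
from collections import defaultdict

# Constructed sample scrape in Prometheus text format; values are illustrative.
# The two host-network pods report the same node-wide counter (900000).
SAMPLE = '''\
kube_pod_info{namespace="kube-system",pod="kube-proxy-x7k",node="node-a",host_network="true"} 1
kube_pod_info{namespace="kube-system",pod="aws-node-4fd",node="node-a",host_network="true"} 1
kube_pod_info{namespace="shop",pod="checkout-6c9",node="node-a",host_network="false"} 1
kube_pod_info{namespace="shop",pod="cart-5d2",node="node-a",host_network="false"} 1
container_network_receive_bytes_total{namespace="kube-system",pod="kube-proxy-x7k",interface="eth0"} 900000
container_network_receive_bytes_total{namespace="kube-system",pod="aws-node-4fd",interface="eth0"} 900000
container_network_receive_bytes_total{namespace="shop",pod="checkout-6c9",interface="eth0"} 120000
container_network_receive_bytes_total{namespace="shop",pod="cart-5d2",interface="eth0"} 30000
container_network_transmit_bytes_total{namespace="shop",pod="checkout-6c9",interface="eth0"} 50000
'''

LINE = re.compile(r'^(\w+)\{(.*)\}\s+(\S+)$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
NET = {"container_network_receive_bytes_total",
       "container_network_transmit_bytes_total"}

def parse(text):
    """Yield (metric_name, labels, value) for each labelled sample line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), dict(LABEL.findall(m.group(2))), float(m.group(3))

def per_pod_network_bytes(text, exclude_host_network=True):
    """Sum receive + transmit bytes per (namespace, pod).

    Pods whose kube_pod_info carries host_network="true" (assumed label name)
    are dropped, because their counters describe the whole node's namespace.
    Pods with no kube_pod_info sample are kept.
    """
    samples = list(parse(text))
    host_net = {(l["namespace"], l["pod"]) for n, l, _ in samples
                if n == "kube_pod_info" and l.get("host_network") == "true"}
    totals = defaultdict(float)
    for name, labels, value in samples:
        key = (labels.get("namespace"), labels.get("pod"))
        if name not in NET or (exclude_host_network and key in host_net):
            continue
        totals[key] += value
    return dict(totals)

if __name__ == "__main__":
    print("before:", per_pod_network_bytes(SAMPLE, exclude_host_network=False))
    print("after: ", per_pod_network_bytes(SAMPLE))
```
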

Scope of impact

  • Affects network metrics only.
  • Compute (CPU, memory) and storage metrics for these pods were never affected and remain unchanged.
  • Applies to all clusters reporting through the Umbrella K8s Prometheus agent.

Why this matters

Customers running host-network workloads - particularly security and observability agents such as eBPF sensors, CNI plugins, and node-level DaemonSets - have seen these workloads appear far more expensive than they actually are. In one customer environment, four unrelated host-network pods on the same node all reported nearly identical network throughput (~60K bytes/sec each), because each was being charged the full node traffic instead of its own share.

After the change, network cost attribution reflects real per-workload behavior, which:

  • Removes misleading cost spikes for security and infrastructure DaemonSets.
  • Improves the trustworthiness of namespace and workload-level network cost reports.
  • Aligns Umbrella with how this class of metric is correctly handled across the FinOps space - this is a known limitation of cAdvisor-based network measurement, not unique to any one vendor.