K8s Network Cost Enhancement

Host Network Pod Exclusion

Summary

We've improved the accuracy of Kubernetes network (data transfer) cost attribution by excluding pods that run on the host network from per-pod network usage metrics. Previously, these pods were attributed the full node-level network traffic, inflating their reported network usage and costs. With this fix, only pods with their own isolated network namespace contribute to per-pod network cost - giving you a true picture of which workloads are actually driving network spend.

What changed?

Per-pod network metrics now exclude hostNetwork: true pods.

⚠️

Due to a change in network cost allocation effective May 14th, costs that were previously reported as network costs are now assigned to compute. As a result, the reported compute costs of other Pods/Namespaces may increase.

📘

The change applies to AWS and Azure.


Network usage in Umbrella is derived from cAdvisor's container_network_receive_bytes_total and container_network_transmit_bytes_total metrics, which track traffic at the network namespace level.

Pods configured with hostNetwork: true (such as kube-proxy, aws-node, node-problem-detector, CNI agents, and many third-party DaemonSets used for observability, networking, and security) share the host's network namespace. As a result, cAdvisor reports the entire node's traffic for each of these pods rather than their individual contribution.


The data processing layer now uses the host_network="true" label on kube_pod_info, which is already collected, to identify these pods and exclude them from per-pod network usage calculations.
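The exclusion described above, as an added Python example that is not Umbrella's own code: it takes two scrapes of the cAdvisor counters plus kube_pod_info rows (all constructed here), converts the counter deltas to bytes/sec, and drops pods carrying host_network="true" before attributing usage. The PromQL in the comment is an assumed equivalent of the same logic, not the product's query.

```python
from collections import defaultdict

# Constructed samples (not real scrape output):
# (metric, namespace, pod, counter at t0, counter at t0 + 60s).
# cAdvisor counts per network namespace, so the two hostNetwork pods on the
# same node both carry the node's full counters, not their own share.
CADVISOR_SAMPLES = [
    ("container_network_receive_bytes_total", "kube-system", "kube-proxy-abc", 1_000_000, 3_400_000),
    ("container_network_transmit_bytes_total", "kube-system", "kube-proxy-abc", 500_000, 1_700_000),
    ("container_network_receive_bytes_total", "kube-system", "aws-node-xyz", 1_000_000, 3_400_000),
    ("container_network_transmit_bytes_total", "kube-system", "aws-node-xyz", 500_000, 1_700_000),
    ("container_network_receive_bytes_total", "shop", "checkout-7f9", 200_000, 1_400_000),
    ("container_network_transmit_bytes_total", "shop", "checkout-7f9", 100_000, 700_000),
]

# Constructed kube_pod_info rows; host_network is the label the exclusion keys on.
KUBE_POD_INFO = [
    {"namespace": "kube-system", "pod": "kube-proxy-abc", "node": "node-a", "host_network": "true"},
    {"namespace": "kube-system", "pod": "aws-node-xyz", "node": "node-a", "host_network": "true"},
    {"namespace": "shop", "pod": "checkout-7f9", "node": "node-a", "host_network": "false"},
]

# Assumed PromQL equivalent of the Python below (not Umbrella's actual query):
#   sum by (namespace, pod) (
#       rate(container_network_receive_bytes_total[5m])
#     + rate(container_network_transmit_bytes_total[5m]))
#   unless on (namespace, pod) kube_pod_info{host_network="true"}


def host_network_pods(pod_info):
    """Set of (namespace, pod) keys that share the host's network namespace."""
    return {(p["namespace"], p["pod"]) for p in pod_info if p.get("host_network") == "true"}


def per_pod_bytes_per_sec(samples, pod_info, window_s=60, exclude_host_network=True):
    """Attribute rx+tx bytes/sec per pod from two counter readings window_s apart."""
    excluded = host_network_pods(pod_info) if exclude_host_network else set()
    rates = defaultdict(float)
    for _metric, ns, pod, v0, v1 in samples:
        if (ns, pod) in excluded:
            continue  # hostNetwork pod: node-level traffic, not this pod's share
        # Counters only increase; a drop means the counter reset, so the
        # post-reset value is the best estimate of bytes in the window.
        delta = v1 - v0 if v1 >= v0 else v1
        rates[(ns, pod)] += delta / window_s
    return dict(rates)


if __name__ == "__main__":
    print("before:", per_pod_bytes_per_sec(CADVISOR_SAMPLES, KUBE_POD_INFO, exclude_host_network=False))
    print("after: ", per_pod_bytes_per_sec(CADVISOR_SAMPLES, KUBE_POD_INFO))
```

Run as-is, the "before" view shows both host-network pods at an identical 60,000 bytes/sec (the node's traffic), while the "after" view attributes network usage only to the pod with its own network namespace.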

Scope of impact

  • Affects Data Transfer - network metrics only.
  • Compute (CPU, memory) and storage metrics for these pods were never affected and remain unchanged.
  • Applies to all clusters reporting through the Umbrella K8s Prometheus agent.

Why this matters

Customers running host-network workloads (particularly security and observability agents such as eBPF sensors, CNI plugins, and node-level DaemonSets) have seen these workloads appear far more expensive than they actually are. In one customer environment, four unrelated host-network pods on the same node all reported nearly identical network throughput (~60K bytes/sec each), because each was being charged the full node traffic instead of its own share.

After the change, network cost attribution reflects real per-workload behavior, which:

  • Removes misleading cost spikes for security and infrastructure DaemonSets.
  • Improves the trustworthiness of namespace and workload-level network cost reports.