Description

Strongly related to ROX-32798, but it has not been confirmed yet as the sole root cause of the issue.

What was the bug?

Sensor maintains an in-memory map (ipMap) that tracks which deployment currently owns each pod IP address. When a deployment was removed, the cleanup function (deleteDeploymentFromCurrent) was supposed to remove that deployment's entry from the map. However, if the IP was temporarily shared by two or more deployments, the cleanup skipped the removal entirely and only logged a warning. The stale deployment ID stayed in the map forever.

When could it happen?

Kubernetes routinely recycles pod IP addresses: when a pod dies, its IP can be reassigned to a new pod in a different deployment. Sensor receives these lifecycle events asynchronously — and on clusters with high pod churn, it is common for the "new pod got IP X" event to arrive before the "old pod with IP X is gone" event. During that short window, two deployments appear to share the same IP. This is the exact condition that triggered the bug.

What were the consequences?

Once the bug wasriggered, it was self-reinforcing:

1. Memory leak — (major) ipMap accumulated stale deployment IDs that were never cleaned up. On an affected customer cluster, a single IP (10.131.x.y) had accumulated references to 4 deployments, only one of which was still alive.
2. Accelerating noise — (minor, but many complained) because the stale entries inflated the cardinality check, every subsequent IP recycling event for the same address hit the buggy code path again, adding more stale entries and producing more warnings.
3. Metric cardinality explosion — (minor) the existing ips_having_multiple_containers_total Prometheus metric used deployment UUIDs as a label. Each new combination of stale + active UUIDs created a new time series, resulting in ~50 distinct series from only ~30 affected IPs on the customer cluster.
4. Incorrect network attribution — (minor, but hard to detect) network flow lookups using ipMap could attribute traffic to deployments that no longer existed and thus incorrect data to the network graph.

What does this PR change?

• Bug fix (2 lines): deleteDeploymentFromCurrent now removes the specific deployment ID from the IP's set, and only deletes the map entry when the set is empty.
• Metric fix: the containers label (comma-joined deployment UUIDs) is dropped from ips_having_multiple_containers_total. The ip label is kept — its cardinality is bounded by the pod CIDR and is sufficient to identify which IPs are being recycled.
• Regression tests: 5 new test cases exercise the fix both at the low-level (deleteDeploymentFromCurrent) and via the public API (Store.Apply), simulating realistic out-of-order event delivery.

The bug fix and regression tests were generated with AI assistance. The metric change, test review, and validation were done by the author.

User-facing documentation

• CHANGELOG.md is updated OR update is not needed
• documentation PR is created and is linked above OR is not needed

Testing and quality

• the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
• CI results are inspected

Automated testing

• added unit tests
• added e2e tests
• added regression tests
• added compatibility tests
• modified existing tests

How I validated my change

Ran the full cluster entities test suite locally:

go test -v -count=1 ./sensor/common/clusterentities/...

All 67 tests pass, including 5 new regression tests that:

• directly exercise deleteDeploymentFromCurrent with shared IPs (3 subtests)
• simulate realistic IP recycling via Store.Apply with out-of-order events (2 subtests)

These tests fail on master (confirming the bug exists) and pass with the fix applied.