The option to use custom or existing label is available in Traceable agent 1.13.2 and later. If you are using a Helm chart or Terraform template to install the Traceable agent, you have the option to use a custom or existing namespace, pod labels, annotations, or field values. The topic provides a few examples of how to use label selectors, field selectors, annotations, and so on.
Before you begin
Make sure that you have an understanding of:
- Labels and Selectors
- Field Selectors
- Understand the equality-based and set-based requirements and other label operators, like,
in,notin, and so on.
Examples
The section provides a few examples of using selectors and annotations.
Example 1 - Label selector
Following is an example of a label selector:
app in (istio,ambassador,hackgoapp),service_appIn the above example, a pod will match if the app label is one of the three (istio, ambassador, hackgoapp) in the array and also contains a label key service_app.
Example 2 - Field selector
Following is an example of a field selector:
metadata.namespace=traceableIn the above example, a pod will match if it is in the traceable namespace. In line with Kubernetes API, only a subset of fields are allowed for selection:
metadata.namemetadata.namespacespec.nodeNamespec.restartPolicyspec.scheduleNamespec.serviceAccountName
Example 3 - Labels and annotations
If you have a deployment YAML, then for labels and annotations the fields are considered for matching are under spec.template.metadata, for example, as shown in the YAML below.
apiVersion: apps/v1
kind: Deployment
metadata:
name: hackgoapp
namespace: hackgoapp
labels:
app: hackgoapp
spec:
replicas: 1
selector:
matchLabels:
app: hackgoapp
template:
metadata:
labels: # This
app: hackgoapp
annotations: # And this
foo: bar
spec:
containers:
#Example 4
The following example shows the proxy injectee. Currently the following four are supported:
- Proxy
- Java
- Traceable module extension (tme)
- Mirror
# Snippet from sample helm values.yaml
# -------------------------------
#
# inject if the pod meets any of the characteristics below. (i.e OR)
# - it contains the labels app=nginxapp, service_app=true and foo=baz AND
# it's in the namespace traceable and restartPolicy is set to Always
# OR
# - it contains the label injector=hackgoapp
# OR
# - it contains the annotation app.kubernetes.io/name=myapp
injector:
proxy:
matchSelectors:
- label_selectors:
- "app=nginxapp,service_app=true"
- "foo=baz"
field_selectors:
- "metadata.namespace=traceable,spec.restartPolicy=Always"
- label_selectors:
- "injector=hackgoapp"
- annotation_selectors:
- "app.kubernetes.io/name=myapp"Example 5 - Custom label for DaemonSet mirroring
The following example shows custom label for DaemonSet mirroring. The example:
- Captures mirroring traffic for namespace hackgoapp
- Captures egress traffic for the foo app in hackgoapp namespace
daemonSetMirroring:
matchSelectors:
- field_selectors:
- "metadata.namespace=hackgoapp"
matchSelectorsEgress:
- field_selectors:
- "app=foo" Common Use Cases
Injecting all pods in a namespace
Injecting a pod in a specific namespace is a common use case. For example, to inject a proxy into all the deployments in the namespace hackgoapp.
injector:
proxy:
matchSelectors:
- field_selectors:
- "metadata.namespace=hackgoapp"Injecting all pods in namespace except some
You can inject pods in a particular namespace except one. For example, if you want to inject all pods in a namespace hackgoapp with the exception of those whose app label value is foo or baz, then you can have a YAML like shown below:
injector:
proxy:
matchSelectors:
- field_selectors:
- "metadata.namespace=hackgoapp"
label_selectors:
- "app notin (foo,baz)"