- 13 Sep 2022
- 2 Minutes to read
Custom labels, annotations, and fields
- Updated on 13 Sep 2022
- 2 Minutes to read
You can use your existing namespace names, pod labels, annotations and field values to inject Traceable Sidecar. The option to use custom or existing label is available in Traceable agent 1.13.2 and later.
The option to use custom or existing namespace, pod labels, annotations or field values is available if you are using Helm chart or Terraform template to install Traceable agent.
traceableailabels and annotations to configure injection, then only use that. If you choose to use custom configuration, then do not set the
traceableailabels, and annotations. Configuring using both modes at the same time may lead to unexpected outcomes, for example, injection failure.
The topic provides a few examples on how to use label selectors, field selectors, annotations, and so on.
Before you being
Make sure that you have an understanding of:
- Labels and Selectors
- Field Selectors
- Understand equality-based and set-based requirement and other label operators, like,
notin, and so on.
The section provides a few examples on using selectors and annotations.
Example 1 - Label selector
Following is an example of label selector:
app in (istio,ambassador,hackgoapp),service_app
In the above example, a pod will match if the app label is one of the three (istio, ambassador, hackgoapp) in the array and also contains a label key
Example 2 - Field selector
Following is an example of field selector:
In the above example, a pod will match if it is in the traceable namespace. In line with Kubernetes API, only a subset of fields are allowed for selection:
Example 3 - Labels and annotations
If you have a deployment YAML, then for labels and annotations the fields are considered for matching are under spec.template.metadata, for example, as shown in the YAML below.
apiVersion: apps/v1 kind: Deployment metadata: name: hackgoapp namespace: hackgoapp labels: app: hackgoapp spec: replicas: 1 selector: matchLabels: app: hackgoapp template: metadata: labels: # This app: hackgoapp annotations: # And this foo: bar spec: containers: #
The following example shows the proxy injectee. Currently the following four are supported:
- Traceable module extension (tme)
# Snippet from sample helm values.yaml # ------------------------------- # # inject if the pod meets any of the characteristics below. (i.e OR) # - it contains the labels app=nginxapp, service_app=true and foo=baz AND # it's in the namespace traceable and restartPolicy is set to Always # OR # - it contains the label injector=hackgoapp # OR # - it contains the annotation app.kubernetes.io/name=myapp injector: proxy: matchSelectors: - label_selectors: - "app=nginxapp,service_app=true" - "foo=baz" field_selectors: - "metadata.namespace=traceable,spec.restartPolicy=Always" - label_selectors: - "injector=hackgoapp" - annotation_selectors: - "app.kubernetes.io/name=myapp"
Example 5 - Custom label for DaemonSet mirroring
The following example shows custom label for DaemonSet mirroring. The example:
- Captures mirroring traffic for namespace hackgoapp
- Captures egress traffic for the foo app in hackgoapp namespace
daemonSetMirroring: matchSelectors: - field_selectors: - "metadata.namespace=hackgoapp" matchSelectorsEgress: - field_selectors: - "app=foo"
Common Use Cases
Injecting all pods in a namespace
Injecting a pod in a specific namespace is a common use case. For example, to inject a proxy into all the deployments in the namespace
injector: proxy: matchSelectors: - field_selectors: - "metadata.namespace=hackgoapp"
Injecting all pods in namespace except some
You can inject pods in a particular namespace except one. For example, if you want to inject all pods in a namespace
hackgoapp with the exception of those whose app label value is
baz, then you can have a YAML like shown below:
injector: proxy: matchSelectors: - field_selectors: - "metadata.namespace=hackgoapp" label_selectors: - "app notin (foo,baz)"