Custom labels, annotations, and fields
- Updated on 26 Apr 2024
The option to use custom or existing labels is available in Traceable agent 1.13.2 and later. If you install the Traceable agent with a Helm chart or Terraform template, you can use a custom or existing namespace, pod labels, annotations, or field values. This topic provides a few examples of how to use label selectors, field selectors, annotations, and so on.
Before you begin
Make sure that you have an understanding of:
- Labels and Selectors
- Field Selectors
- The equality-based and set-based requirements and other label operators, such as in, notin, and so on.
Examples
This section provides a few examples of using selectors and annotations.
Example 1 - Label selector
The following is an example of a label selector:
app in (istio,ambassador,hackgoapp),service_app
In the above example, a pod matches if its app label is one of the three values in the list (istio, ambassador, hackgoapp) and it also has a label with the key service_app.
Example 2 - Field selector
The following is an example of a field selector:
metadata.namespace=traceable
In the above example, a pod matches if it is in the traceable namespace. In line with the Kubernetes API, only a subset of fields is allowed for selection:
metadata.name
metadata.namespace
spec.nodeName
spec.restartPolicy
spec.scheduleName
spec.serviceAccountName
Example 3 - Labels and annotations
If you have a deployment YAML, the labels and annotations considered for matching are those under spec.template.metadata, as shown in the YAML below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hackgoapp
  namespace: hackgoapp
  labels:
    app: hackgoapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hackgoapp
  template:
    metadata:
      labels: # This
        app: hackgoapp
      annotations: # And this
        foo: bar
    spec:
      containers:
      #
Example 4
The following example shows the proxy injectee. Currently, the following four injectees are supported:
- Proxy
- Java
- Traceable module extension (tme)
- Mirror
# Snippet from sample helm values.yaml
# -------------------------------
#
# inject if the pod meets any of the characteristics below. (i.e. OR)
# - it contains the labels app=nginxapp, service_app=true and foo=baz AND
#   it's in the namespace traceable and restartPolicy is set to Always
# OR
# - it contains the label injector=hackgoapp
# OR
# - it contains the annotation app.kubernetes.io/name=myapp
injector:
  proxy:
    matchSelectors:
      - label_selectors:
          - "app=nginxapp,service_app=true"
          - "foo=baz"
        field_selectors:
          - "metadata.namespace=traceable,spec.restartPolicy=Always"
      - label_selectors:
          - "injector=hackgoapp"
      - annotation_selectors:
          - "app.kubernetes.io/name=myapp"
Example 5 - Custom label for DaemonSet mirroring
The following example shows a custom label for DaemonSet mirroring. The example:
- Captures mirroring traffic for namespace hackgoapp
- Captures egress traffic for the foo app in hackgoapp namespace
daemonSetMirroring:
  matchSelectors:
    # Mirror traffic for every pod in the hackgoapp namespace
    - field_selectors:
        - "metadata.namespace=hackgoapp"
  matchSelectorsEgress:
    # app is a pod label, not one of the selectable fields, so it is matched with label_selectors
    - label_selectors:
        - "app=foo"
Common Use Cases
Injecting all pods in a namespace
Injecting all pods in a specific namespace is a common use case. For example, to inject a proxy into all the deployments in the namespace hackgoapp:
injector:
  proxy:
    matchSelectors:
      - field_selectors:
          - "metadata.namespace=hackgoapp"
Injecting all pods in namespace except some
You can inject all pods in a particular namespace with some exceptions. For example, if you want to inject all pods in the namespace hackgoapp with the exception of those whose app label value is foo or baz, you can use YAML like that shown below:
injector:
  proxy:
    matchSelectors:
      - field_selectors:
          - "metadata.namespace=hackgoapp"
        label_selectors:
          - "app notin (foo,baz)"
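To check which pods a matchSelectors block would cover before rolling it out, the following sketch evaluates the Example 4 and "all pods in namespace except some" selectors against constructed pods. It is an added example, not Traceable's code: it assumes the AND/OR behaviour stated in the Example 4 comments and Kubernetes label selector semantics, and the names split_reqs, req_matches, pod_matches and make_pod are hypothetical.

```python
import re

def split_reqs(selector):
    """Split a selector on commas that are not inside an `in (...)` value list."""
    return [r.strip() for r in re.split(r",(?![^(]*\))", selector) if r.strip()]

def req_matches(req, kv):
    """Evaluate one requirement against a dict of labels, annotations or fields."""
    m = re.fullmatch(r"(\S+)\s+(in|notin)\s*\(([^)]*)\)", req)
    if m:  # set-based: key in (a,b) / key notin (a,b)
        values = {v.strip() for v in m.group(3).split(",")}
        # As in Kubernetes, `notin` also matches objects that lack the key.
        return (kv.get(m.group(1)) in values) == (m.group(2) == "in")
    m = re.fullmatch(r"([^=!\s]+)\s*(==|=|!=)\s*(\S*)", req)
    if m:  # equality-based: key=value, key==value, key!=value
        key, op, value = m.groups()
        return (kv.get(key) == value) != (op == "!=")
    if req.startswith("!"):  # !key: the key must be absent
        return req[1:].strip() not in kv
    return req in kv  # bare key: the key must exist, with any value

def pod_matches(match_selectors, pod):
    """OR across entries; inside one entry every requirement must hold (AND)."""
    sources = {"label_selectors": pod["labels"], "field_selectors": pod["fields"],
               "annotation_selectors": pod["annotations"]}
    return any(
        bool(entry) and all(req_matches(req, sources[kind])
                            for kind, selectors in entry.items()
                            for sel in selectors for req in split_reqs(sel))
        for entry in match_selectors)  # assumption: an empty entry selects nothing

def make_pod(namespace, labels, annotations=None, restart="Always"):
    """Constructed sample pod (hypothetical helper, not a Kubernetes object)."""
    return {"labels": labels, "annotations": annotations or {}, "fields": {
        "metadata.namespace": namespace, "spec.restartPolicy": restart}}

# Selectors copied from Example 4 and from "all pods in namespace except some".
EXAMPLE_4 = [
    {"label_selectors": ["app=nginxapp,service_app=true", "foo=baz"],
     "field_selectors": ["metadata.namespace=traceable,spec.restartPolicy=Always"]},
    {"label_selectors": ["injector=hackgoapp"]},
    {"annotation_selectors": ["app.kubernetes.io/name=myapp"]},
]
EXCEPT_SOME = [{"field_selectors": ["metadata.namespace=hackgoapp"],
                "label_selectors": ["app notin (foo,baz)"]}]

if __name__ == "__main__":  # constructed pods in namespace hackgoapp
    for labels in ({"app": "foo"}, {"app": "web"}, {}):
        print(labels, pod_matches(EXCEPT_SOME, make_pod("hackgoapp", labels)))
```

Under these semantics a pod in hackgoapp with no app label at all is still selected by app notin (foo,baz), which is worth confirming when the exclusion is meant to keep specific workloads out of injection.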