> Instead, Kubernetes annotations are meant for sharing information with other colleagues. For example, you may use an annotation to record the phone number of the person responsible for a pod
...wat? The k8s docs say
> You can use Kubernetes annotations to attach arbitrary non-identifying metadata to objects. Clients such as tools and libraries can retrieve this metadata.
I've only ever seen them used in this fashion, i.e. declarative configuration facilitated by the control plane. Furthermore why would you have a _phone number_ as an annotation on a _pod_? If you're managing pods individually without a controller of some sort then you'd better have a really good reason.
Yeah, I agree. I actually think that labels are a much better fit for this reference.
> Instead, Kubernetes annotations are meant for sharing information with other colleagues. For example, you may use an annotation to record the phone number of the person responsible for a pod
But it can be super helpful to put owner/contact info for alerting purposes as teams scale.
I also agree that having this metadata on the controller is helpful.
I wouldn't use it on a pod directly, but I recommend that annotations on deployments include the oncall rotation that is responsible for them - And there's no real reason not to cascade that down onto pods as well.
Just "company.com/pagerduty-service" as a "required" annotation (i.e. if you forget your namespace's team gets a reminder at their E-mail, which is another required annotation)
Namespace onboarding is self-service by pull request: a template namespace is in the readme, and contains a number of standard annotations like ldap group and etc. The kubernetes admin team accepts and merges those requests and the bot deploys the namespace folder to the clusters.
This is basically zero overhead at small groups and scales well to giant companies, you just add annotations and sometimes labels as business requirements and structure dictate.
Labeling is incredibly useful but there is such a thing as overuse of them. One time I encountered a particularly fanatical user of labels and it made all of the logs difficult to view, index, and query. Also it can be oenerous to set all of those labels on every resource according to each key’s conventions. 3-5 taxonomies are great, 20 not so much.
Funny. I'm working on a specific issue with GCP GKE Autopilot. I'm running a bunch of workloads every day with 1 pod per client. Each pod has various running time and I wanted to know the pod cost per client.
I tried to use Kubecost but could not find any option at all to do what I wanted. My labels never appeared on the Kubecost UI. It's funny now to see an article about labels knowing that Kubecost itself doesn't seem to support them.
Kubecost fully supports labels by default-- however until recent versions we relied on kube-state-metrics for that data, which requires users to whitelist the labels they want to see. If you upgrade to our latest version, I'd be surprised if this still wasn't working for you. Once you've upgraded, you can reach out to support@kubecost.com if labels still aren't appearing or me personally ajay@kubecost.com and I'd be happy to help troubleshoot.
What's the general thinking around putting private identifiers (eg user name) in kube labels? That data would be going to a monitoring stack, eg Prometheus or hosted Cortex?
Unless you explicitly allow them (via a flag) in your kube-state-metrics deployment, Kubernetes labels and annotations are not translated into Prometheus labels.
kube-state-metrics doesn't specifically matter. Prometheus has built-in Kubernetes service discovery, and you can drop labels/annotations or not. Most people never see this because they take an opaque blob from a vendor (helm chart, prometheus-operator), etc. -- but it's there: https://prometheus.io/docs/prometheus/latest/configuration/c...
kube-state-metrics does its own service discovery and outputs prometheus metrics that it cares about, but any app could do that.
You’re absolutely right, though none of these transfer labels by default (neither does the example Prometheus config in the prometheus repo). Prometheus, including Prometheus operator require you to allow-list them. (I should have mentioned that I maintain the Prometheus Kubernetes SD, and am the original creator of kube-state-metrics, prometheus-operator and kube-prometheus)
Each use case is different, but I think expiring the data after 60d in your monitoring stack makes sense both from a scaling perspective of your monitoring stack and from a privacy perspective.
I wouldn't necessarily put _user_ data in labels, but team/product names and contact info of the coworkers responsible for the service seem fine to me.
I've been working on Kubernetes stuff for about 5 years now and I have never seen people "organize" their stuff with labels.
It sounds great in theory ("lemme query all my pods in staging", "lemme find secrets by the marketing team") but it's just not used for some reason. I think people like flat organization (e.g. "find deployment X") more than searching by labels.
I've actually worked with 100+ companies that use labels heavily. It's way more common when you have multiple engineering teams and nobody everybody knows all projects in a cluster. Also, it's common to start with namespace labels which are generally easier to manage.
> Instead, Kubernetes annotations are meant for sharing information with other colleagues. For example, you may use an annotation to record the phone number of the person responsible for a pod
...wat? The k8s docs say
> You can use Kubernetes annotations to attach arbitrary non-identifying metadata to objects. Clients such as tools and libraries can retrieve this metadata.
I've only ever seen them used in this fashion, i.e. declarative configuration facilitated by the control plane. Furthermore why would you have a _phone number_ as an annotation on a _pod_? If you're managing pods individually without a controller of some sort then you'd better have a really good reason.