Annotations and Labels Best Practices
Annotations and Labels
Best practices for using Kubernetes annotations and labels.
What are Labels?
Labels are key-value pairs attached to Kubernetes objects. They are used to select and group objects. They are often used to group objects by environment (e.g. env=prod, env=staging, env=dev), by application (e.g. app=myapp), or by team (e.g. team=myteam).
They can also be used to group objects by other criteria, for example to select objects for specific tools and libraries (like Ingress Controllers, Prometheus, or ArgoCD).
What are Annotations?
Annotations are key-value pairs attached to Kubernetes objects. Unlike labels, which are used to select and group objects, annotations are used to attach arbitrary non-identifying metadata. This data is often used by tools and libraries (like Ingress Controllers, Prometheus, or ArgoCD) to trigger specific behaviors or configurations.
Official Kubernetes Annotations Documentation
Common Labels and Annotations for Natron
Natron uses labels and annotations to control the behavior of its components. The following labels and annotations are used by Natron:
- gitops.natron.io/allow-prometheus: Allow Prometheus to scrape the metrics endpoint.
- gitops.natron.io/allow-ingress-internal
Namespace Labels
| Key | Values | Description |
|---|---|---|
| pod-security.kubernetes.io/enforce | privileged, baseline, restricted | Pod Security Standards enforcement level. See also Pod Security Standards. |
| pod-security.kubernetes.io/enforce-version | e.g. v1.33 | Kubernetes version of the Pod Security Standards to enforce. |
| gitops.natron.io/trusted | true | Trusted label (e.g. for Kyverno policies); it should only be applied to Natron-managed namespaces. |
Pod Labels
See also the Kubernetes reference Well-Known Labels, Annotations and Taints.
| Key | Values | Description |
|---|---|---|
| gitops.natron.io/allow-ingress-external | true | Allow the ingress controller pod to reach pods in other namespaces |
| gitops.natron.io/allow-prometheus | true | Allow the Prometheus pod to reach pods in other namespaces |
| gitops.natron.io/allow-teleport | true | Allow the teleport-kube-agent pod to reach pods in other namespaces |
| gitops.natron.io/lb-pool | internal, external, … | Service label selector for CiliumLoadBalancerIPPool |
| gitops.natron.io/loki-rule | true | Loki alerting-rule label (see Loki Alerting) |
| grafana_dashboard | {tenant-number} (e.g. 1) | Grafana dashboard label |
Annotations
| Key | Values | Description |
|---|---|---|
| gitops.natron.io/application | - | Name of the application |
| gitops.natron.io/customer | - | Name of the customer |
| gitops.natron.io/stage | poc, dev, test, prod, … | Name of the stage |
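The tables above are easy to get subtly wrong (a capitalised PSS level, a boolean label set to "yes", a tenant setting gitops.natron.io/trusted on its own namespace). The following linter is an added example and not Natron's tooling; it encodes the allowed values from the tables and checks constructed sample manifests, and it assumes `latest` is accepted for enforce-version and that a namespace is tenant-owned unless `natron_managed=True` is passed.

```python
import re

# Allowed values taken from the label and annotation tables above.
PSS_LEVELS = {"privileged", "baseline", "restricted"}
PSS_VERSION = re.compile(r"^(latest|v\d+\.\d+)$")  # assumes 'latest' is allowed
LB_POOLS = {"internal", "external"}
STAGES = {"poc", "dev", "test", "prod"}
BOOL_LABELS = {
    "gitops.natron.io/allow-ingress-external",
    "gitops.natron.io/allow-prometheus",
    "gitops.natron.io/allow-teleport",
    "gitops.natron.io/loki-rule",
}


def check_manifest(obj, natron_managed=False):
    """Return a list of findings for one Namespace or Pod-like manifest."""
    meta = obj.get("metadata", {})
    labels = meta.get("labels") or {}
    ann = meta.get("annotations") or {}
    findings = []
    if obj.get("kind") == "Namespace":
        level = labels.get("pod-security.kubernetes.io/enforce")
        if level not in PSS_LEVELS:
            findings.append(f"enforce level {level!r} not in {sorted(PSS_LEVELS)}")
        ver = labels.get("pod-security.kubernetes.io/enforce-version", "latest")
        if not PSS_VERSION.match(ver):
            findings.append(f"enforce-version {ver!r} is not 'latest' or vMAJOR.MINOR")
        # The trusted label widens policy exceptions, so only Natron-managed
        # namespaces may carry it.
        if labels.get("gitops.natron.io/trusted") == "true" and not natron_managed:
            findings.append("gitops.natron.io/trusted set on a non-Natron-managed namespace")
    else:
        for key in BOOL_LABELS & labels.keys():
            if labels[key] != "true":
                findings.append(f"{key} must be 'true' if set, got {labels[key]!r}")
        pool = labels.get("gitops.natron.io/lb-pool")
        if pool is not None and pool not in LB_POOLS:
            findings.append(f"lb-pool {pool!r} not in {sorted(LB_POOLS)}")
    stage = ann.get("gitops.natron.io/stage")
    if stage is not None and stage not in STAGES:
        findings.append(f"stage {stage!r} not in {sorted(STAGES)}")
    return findings


# Constructed sample manifests (not from any real cluster).
NAMESPACE_OK = {"kind": "Namespace", "metadata": {"labels": {
    "pod-security.kubernetes.io/enforce": "restricted",
    "pod-security.kubernetes.io/enforce-version": "v1.33"}}}
NAMESPACE_BAD = {"kind": "Namespace", "metadata": {"labels": {
    "pod-security.kubernetes.io/enforce": "Restricted",
    "gitops.natron.io/trusted": "true"}}}
POD_BAD = {"kind": "Pod", "metadata": {
    "labels": {"gitops.natron.io/allow-prometheus": "yes",
               "gitops.natron.io/lb-pool": "public"},
    "annotations": {"gitops.natron.io/stage": "production"}}}
```

Running `check_manifest` over manifests rendered from a GitOps repository before they are applied catches these mistakes at review time rather than after a policy engine rejects the object.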