Labels Related to Kubernetes Clusters
The following information applies to plain-vanilla Kubernetes, OpenShift, and to Kubernetes running on supported cloud platforms (EKS, AKS, and GKE).
For each object type, Secure Workload imports inventory live from a Kubernetes cluster, including labels associated with the object. Label keys and values are imported as-is.
In addition to importing the labels defined for the Kubernetes objects, Secure Workload also generates labels that facilitate the use of these objects in inventory filters. These additional labels are especially useful in defining scopes and policies.
Generated labels for all resources
Secure Workload adds the following labels to all the nodes, pods and services retrieved from the Kubernetes/OpenShift/EKS/AKS/GKE API server.
| Key | Value |
|---|---|
| orchestrator_system/orch_type | kubernetes |
| orchestrator_system/cluster_id | <UUID of the cluster's configuration in Secure Workload> |
| orchestrator_system/cluster_name | <Name of Kubernetes cluster> |
| orchestrator_system/name | <Name of connector> |
| orchestrator_system/namespace | <The Kubernetes/OpenShift/EKS/AKS/GKE namespace of this item> |
Node-specific labels
The following labels are generated for nodes only.
| Key | Value |
|---|---|
| orchestrator_system/workload_type | machine |
| orchestrator_system/machine_id | <UUID assigned by Kubernetes/OpenShift> |
| orchestrator_system/machine_name | <Name given to this node> |
| orchestrator_system/kubelet_version | <Version of the kubelet running on this node> |
| orchestrator_system/container_runtime_version | <The container runtime version running on this node> |
Pod-specific labels
The following labels are generated for pods only.
| Key | Value |
|---|---|
| orchestrator_system/workload_type | pod |
| orchestrator_system/pod_id | <UUID assigned by Kubernetes/OpenShift> |
| orchestrator_system/pod_name | <Name given to this pod> |
| orchestrator_system/hostnetwork | <true or false> reflecting whether the pod is running in the host network |
| orchestrator_system/machine_name | <Name of the node the pod is running on> |
| orchestrator_system/service_endpoint | [List of service names this pod is providing] |
Service-specific labels
The following labels are generated for services only.
| Key | Value |
|---|---|
| orchestrator_system/workload_type | service |
| orchestrator_system/service_name | <Name given to this service> |

(For cloud-managed Kubernetes only) Services of ServiceType: LoadBalancer are supported only for gathering metadata, not for collecting flow data or for policy enforcement.

Filtering items using orchestrator_system/service_name is not the same as using orchestrator_system/service_endpoint. For example, the filter orchestrator_system/service_name = web selects all services with the name web, while orchestrator_system/service_endpoint = web selects all pods that provide a service with the name web.
Labels Example for Kubernetes Clusters
The following example shows a partial YAML representation of a Kubernetes node and the corresponding labels imported by Secure Workload.
```yaml
- apiVersion: v1
  kind: Node
  metadata:
    annotations:
      node.alpha.kubernetes.io/ttl: "0"
      volumes.kubernetes.io/controller-managed-attach-detach: "true"
    labels:
      beta.kubernetes.io/arch: amd64
      beta.kubernetes.io/os: linux
      kubernetes.io/hostname: k8s-controller
```
| Imported label keys |
|---|
| orchestrator_beta.kubernetes.io/arch |
| orchestrator_beta.kubernetes.io/os |
| orchestrator_kubernetes.io/hostname |
| orchestrator_annotation/node.alpha.kubernetes.io/ttl |
| orchestrator_annotation/volumes.kubernetes.io/controller-managed-attach-detach |
| orchestrator_system/orch_type |
| orchestrator_system/cluster_id |
| orchestrator_system/cluster_name |
| orchestrator_system/namespace |
| orchestrator_system/workload_type |
| orchestrator_system/machine_id |
| orchestrator_system/machine_name |
| orchestrator_system/kubelet_version |
| orchestrator_system/container_runtime_version |
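As an added example (not Secure Workload code), the following Python reconstructs the generated label set from the tables above for constructed Pod and Service objects and shows why the note on service_name versus service_endpoint holds: a filter on orchestrator_system/service_name returns the Service, while the same value on orchestrator_system/service_endpoint returns the pods backing it. The orchestrator_ and orchestrator_annotation/ prefixes follow the node example above; deriving service_endpoint from Services whose selector matches the pod's labels, the placeholder cluster_id and connector name, and the sample objects are assumptions.

```python
# Added example, not Secure Workload code. Assumed: object labels get an "orchestrator_"
# prefix and annotations "orchestrator_annotation/" (as in the node example above);
# service_endpoint lists Services whose selector matches the pod's labels.
CLUSTER_ID, CLUSTER_NAME, CONNECTOR = "<placeholder-uuid>", "demo-cluster", "demo-connector"
NAME_KEY = {"machine": "machine_name", "pod": "pod_name", "service": "service_name"}
S = "orchestrator_system/"

def selector_matches(selector, labels):
    """A Service selects a pod only if every selector key/value is present on the pod."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())

def generate_labels(obj, services=()):
    meta, spec = obj.get("metadata", {}), obj.get("spec", {})
    out = {"orchestrator_" + k: v for k, v in meta.get("labels", {}).items()}
    out.update({"orchestrator_annotation/" + k: v for k, v in meta.get("annotations", {}).items()})
    out.update({S + "orch_type": "kubernetes", S + "cluster_id": CLUSTER_ID, S + "cluster_name": CLUSTER_NAME,
                S + "name": CONNECTOR, S + "namespace": meta.get("namespace", "")})
    if obj["kind"] == "Node":
        info = obj.get("status", {}).get("nodeInfo", {})
        out.update({S + "workload_type": "machine", S + "machine_id": meta.get("uid", ""),
                    S + "machine_name": meta.get("name", ""), S + "kubelet_version": info.get("kubeletVersion", ""),
                    S + "container_runtime_version": info.get("containerRuntimeVersion", "")})
    elif obj["kind"] == "Pod":
        out.update({S + "workload_type": "pod", S + "pod_id": meta.get("uid", ""), S + "pod_name": meta.get("name", ""),
                    S + "hostnetwork": "true" if spec.get("hostNetwork") else "false",
                    S + "machine_name": spec.get("nodeName", ""),
                    S + "service_endpoint": sorted(s["metadata"]["name"] for s in services
                        if s["metadata"].get("namespace") == meta.get("namespace")
                        and selector_matches(s["spec"].get("selector", {}), meta.get("labels", {})))})
    elif obj["kind"] == "Service":
        out.update({S + "workload_type": "service", S + "service_name": meta.get("name", "")})
    return out

def filter_inventory(inventory, key, value):
    """(workload_type, name) of items whose label `key` equals `value` (or contains it, for list labels)."""
    hits = []
    for lbl in inventory:
        v = lbl.get(key)
        if v == value or (isinstance(v, list) and value in v):
            wt = lbl[S + "workload_type"]
            hits.append((wt, lbl[S + NAME_KEY[wt]]))
    return hits

# Constructed sample inventory: one Service "web" selecting app=web, and two pods in the same namespace.
SVC = {"kind": "Service", "metadata": {"name": "web", "namespace": "shop"}, "spec": {"selector": {"app": "web"}}}
PODS = [{"kind": "Pod", "metadata": {"name": "web-0", "namespace": "shop", "uid": "p-1", "labels": {"app": "web"}},
         "spec": {"nodeName": "k8s-controller"}},
        {"kind": "Pod", "metadata": {"name": "db-0", "namespace": "shop", "uid": "p-2", "labels": {"app": "db"}},
         "spec": {"nodeName": "k8s-controller", "hostNetwork": True}}]
INVENTORY = [generate_labels(SVC)] + [generate_labels(p, [SVC]) for p in PODS]
```

Running filter_inventory over INVENTORY with the two keys from the note returns the Service for service_name and only the web-0 pod for service_endpoint; db-0, whose labels match no selector, carries an empty service_endpoint list.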