Limiting Identity-Relevant Labels
We recommend that operators with larger environments limit the set of identity-relevant labels to avoid frequent creation of new security identities. Many Kubernetes labels are not useful for policy enforcement or visibility. A few good examples of such labels include timestamps or hashes. These labels, when included in evaluation, cause Cilium to generate a unique identity for each pod instead of a single identity for all of the pods that comprise a service or application.
By default, Cilium considers all labels to be relevant for identities, with the following exceptions:
Label |
Description |
|
Ignore all |
|
Ignore all other |
|
Ignore |
|
Ignore |
|
Ignore |
|
Ignore |
|
Ignore all |
|
Ignore all |
|
Ignore all |
|
Ignore all |
|
Ignore all |
|
Ignore all |
|
Ignore all |
|
Ignore all |
The above label patterns are all exclusive label patterns, that is to say
they define which label keys should be ignored. These are identified by the
presence of the !
character.
Label configurations that do not contain the !
character are inclusive
label patterns. Once at least one inclusive label pattern is added, only
labels that match the inclusive label configuration may be considered relevant
for identities. Additionally, when at least one inclusive label pattern is
configured, the following inclusive label patterns are automatically added to
the configuration:
Label |
Description |
|
Include all |
|
Include all |
|
Include all |
|
Include all |
Configuring Identity-Relevant Labels
To limit the labels used for evaluating Cilium identities, edit the Cilium
ConfigMap object using kubectl edit cm -n kube-system cilium-config
and
insert a line to define the label patterns to include or exclude. Alternatively,
this attribute can also be set via helm option --set labels=<values>
.
apiVersion: v1
data:
...
kube-proxy-replacement: "true"
labels: "io\\.kubernetes\\.pod\\.namespace k8s-app app name"
enable-ipv4-masquerade: "true"
monitor-aggregation: medium
...
Note
The double backslash in \\.
is required to escape the slash in
the YAML string so that the regular expression contains \.
.
Label patterns are regular expressions that are implicitly anchored at the
start of the label. For example example\.com
will match labels that start
with example.com
, whereas .*example\.com
will match labels that contain
example.com
anywhere. Be sure to escape periods in domain names to avoid
the pattern matching too broadly and therefore including or excluding too many
labels.
The label patterns are using regular expressions. Therefore, using kind$
or ^kind$
can exactly match the label key kind
, not just the prefix.
Upon defining a custom list of label patterns in the ConfigMap, Cilium adds the provided list of label patterns to the default list of label patterns. After saving the ConfigMap, restart the Cilium Agents to pickup the new label pattern setting.
kubectl delete pods -n kube-system -l k8s-app=cilium
Note
Configuring Cilium with label patterns via labels
Helm value does
not override the default set of label patterns.
Existing identities will not change as a result of this new configuration. To apply the new label pattern setting to existing identities, restart the associated pods. Upon restart, new identities will be created. The old identities will be garbage collected by the Cilium Operator once they are no longer used by any Cilium endpoints.
When specifying multiple label patterns to evaluate, provide the list of labels as a space-separated string.
Including Labels
Labels can be defined as a list of labels to include. Only the labels specified and the default inclusive labels will be used to evaluate Cilium identities:
labels: "io\\.kubernetes\\.pod\\.namespace k8s-app app name kind$ other$"
The above configuration would only include the following label keys when evaluating Cilium identities:
k8s-app
app
name
kind
other
reserved:.*
io.kubernetes.pod.namespace
io.cilium.k8s.namespace.labels
app.kubernetes.io
Note that io.kubernetes.pod.namespace
is already included in default
label io.kubernetes.pod.namespace
.
Labels with the same prefix as defined in the configuration will also be considered. This lists some examples of label keys that would also be evaluated for Cilium identities:
k8s-app-team
app-production
name-defined
Because we have $
in label key kind$
and other$
. Only label keys using
exactly kind
and other
will be evaluated for Cilium.
When a single inclusive label is added to the filter, all labels not defined
in the default list will be excluded. For example, pods running with the
security labels team=team-1, env=prod
will have the label env=prod
ignored as soon Cilium is started with the filter team
.
Excluding Labels
Label patterns can also be specified as a list of exclusions. Exclude labels by placing an exclamation mark after colon separating the prefix and pattern. When defined as a list of exclusions, Cilium will include the set of default labels, but will exclude any matches in the provided list when evaluating Cilium identities:
labels: "!controller-uid !job-name"
The provided example would cause Cilium to exclude any of the following label matches:
controller-uid
job-name