Problem Statement

Sometimes you face the challenge of labeling or tagging a range of Kubernetes resources, including Pods, Deployments, StatefulSets, and PersistentVolumeClaims (PVCs). Without consistent labels you cannot enforce admission webhooks or AWS Security Control Policies on Volumes. In Kubernetes resource management, labels play a pivotal role. Labels are key-value pairs attached to Kubernetes resources, enabling categorization, organization, and resource selection based on diverse criteria. They let you add metadata to resources, thereby streamlining operations, facilitating monitoring, and enhancing access control.

Solution

You can write a bash script that uses the Kubernetes command-line tool, kubectl. This solution entails implementing a labeling strategy that lets you categorize and tag your Kubernetes resources consistently. As a result, you can apply AWS Security Control Policies and manage your resources more efficiently.

Example Bash Script for Resource Labeling

You can execute a bash script to apply labels to Kubernetes resources within a namespace. Below is an illustrative script that iterates through the Deployments in a given namespace and applies custom labels using a patch operation:

#!/bin/bash
# Set the target namespace before running, e.g. namespace=my-namespace
# --no-headers drops the NAME header row, which would otherwise be patched as a Deployment called "NAME"
while true; do
    for deployment in $(kubectl -n "$namespace" get deployment --no-headers | awk '{print $1}');
    do
        kubectl patch deployment "$deployment" -n "$namespace" --patch-file="patch-labels.yaml";
    done;
done

The content of “patch-labels.yaml” could be:

spec:
  template:
    metadata:
      labels:
        ApplicationID: APP-1234
        Environment: nonprod
        Owner: VictorLeung

Once all the resources are patched, the loop can be stopped with Ctrl + C in the terminal.

Script Parameters Explanation

  • while true; do: This starts an infinite loop so that Deployments are continuously re-checked and patched until you stop the script.
  • kubectl -n $namespace get deployment: This command retrieves the list of Deployments in the specified namespace (replace “$namespace” with the appropriate namespace).
  • for deployment in $(...); do: This loop iterates through the Deployment names obtained from the previous command.
  • kubectl patch deployment $deployment -n $namespace --patch-file="patch-labels.yaml": This command applies a patch to the Deployment named by the variable $deployment in the given namespace. The patch content is defined in “patch-labels.yaml”.

Adaptation for Different Resource Types

This script can be adapted for other Kubernetes resource types, such as StatefulSets and PVCs, by modifying the relevant commands and target resources. For instance, for StatefulSets:

#!/bin/bash
# Same loop as for Deployments, targeting StatefulSets (sts) in $namespace
while true; do
    for sts in $(kubectl -n "$namespace" get sts --no-headers | awk '{print $1}');
    do
        kubectl patch sts "$sts" -n "$namespace" --patch-file="patch-labels.yaml";
    done;
done

Similarly, for PVCs:

#!/bin/bash
# Same loop for PersistentVolumeClaims (pvc) in $namespace
while true; do
    for pvc in $(kubectl -n "$namespace" get pvc --no-headers | awk '{print $1}');
    do
        kubectl patch pvc "$pvc" -n "$namespace" --patch-file="patch-labels.yaml";
    done;
done

For PVCs, which have no pod template, “patch-labels.yaml” places the labels directly under the object's own metadata:

metadata:
  labels:
    ApplicationID: APP-1234
    Environment: nonprod
    Owner: VictorLeung
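The three loops above share one pattern: list the objects of a kind, patch each one, stop when everything is labeled. The following script is an added example, not the post's own script, that folds the Deployment, StatefulSet and PVC cases into a single pass and then reads the labels back to confirm the patch landed, so no infinite loop or Ctrl + C is needed. It assumes kubectl is on PATH with a context that may patch the namespace; the KUBECTL variable is a hypothetical hook so the kubectl calls can be stubbed when testing offline. The label values are the sample values from the post.

```shell
#!/usr/bin/env bash
# Added example (not the original post's script): one pass over the Deployments,
# StatefulSets and PVCs of a namespace, patching the labels and reading them back.
# Assumes kubectl is on PATH with a context allowed to patch the namespace.
# KUBECTL is a hypothetical hook so the kubectl calls can be stubbed offline.
set -eu

KUBECTL="${KUBECTL:-kubectl}"

# Required labels, using the sample values from the post.
LABELS="ApplicationID=APP-1234 Environment=nonprod Owner=VictorLeung"

# Where the labels live for each kind: workloads carry them on the pod template
# (so every Pod they create inherits them), PVCs carry them on their own metadata.
label_path() {
    case "$1" in
        deployment|statefulset|sts) echo ".spec.template.metadata.labels" ;;
        pvc|persistentvolumeclaim)  echo ".metadata.labels" ;;
        *) echo "unsupported kind: $1" >&2; return 1 ;;
    esac
}

# Emit the strategic-merge patch for a kind (same shape as patch-labels.yaml).
patch_for_kind() {
    local head indent kv
    case "$1" in
        deployment|statefulset|sts)
            head='spec:\n  template:\n    metadata:\n      labels:\n'; indent='        ' ;;
        pvc|persistentvolumeclaim)
            head='metadata:\n  labels:\n'; indent='    ' ;;
        *) echo "unsupported kind: $1" >&2; return 1 ;;
    esac
    printf '%b' "$head"
    for kv in $LABELS; do
        printf '%s%s: %s\n' "$indent" "${kv%%=*}" "${kv#*=}"
    done
}

# Object names of a kind, one per line. "-o name" prints "kind/name" with no
# NAME header row, so nothing but real objects reaches the patch loop.
list_names() {
    $KUBECTL -n "$2" get "$1" -o name | sed 's#^[^/]*/##'
}

# Print each required key whose value on the object is absent or different.
missing_labels() {
    local kind="$1" ns="$2" name="$3" base kv key want have
    base="$(label_path "$kind")" || return 1
    for kv in $LABELS; do
        key="${kv%%=*}"; want="${kv#*=}"
        have="$($KUBECTL -n "$ns" get "$kind" "$name" -o "jsonpath={${base}.${key}}")"
        [ "$have" = "$want" ] || echo "$key"
    done
}

# One pass over every object of a kind: apply the patch, then verify it landed.
# Returns non-zero if any object still lacks a required label.
label_kind() {
    local kind="$1" ns="$2" rc=0 patch name missing
    patch="$(mktemp)"
    patch_for_kind "$kind" > "$patch"
    for name in $(list_names "$kind" "$ns"); do
        $KUBECTL -n "$ns" patch "$kind" "$name" --patch-file "$patch" \
            || { echo "patch failed for $kind/$name" >&2; rc=1; continue; }
        missing="$(missing_labels "$kind" "$ns" "$name")"
        if [ -n "$missing" ]; then
            echo "$kind/$name still missing: $(echo "$missing" | tr '\n' ' ')" >&2
            rc=1
        fi
    done
    rm -f "$patch"
    return "$rc"
}

# Usage: ./label-once.sh <namespace>  (with no argument only the functions are defined)
if [ $# -ge 1 ]; then
    status=0
    for kind in deployment statefulset pvc; do
        label_kind "$kind" "$1" || status=1
    done
    exit "$status"
fi
```

Two points worth keeping in mind when running this for real. Patching spec.template.metadata.labels changes the pod template, so every Deployment and StatefulSet touched performs a rolling restart; labeling the workload object's own metadata.labels would not. And the read-back step is what makes the pass safe to rerun: an object that already carries the right labels is patched to the same value and reports nothing missing, so the script is idempotent and exits non-zero only when a label is genuinely absent.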

Conclusion

Integrating custom labels into Kubernetes resource management offers an effective solution for asset tagging and categorization. Kubernetes' flexible labeling mechanism lets you better organize, secure, and manage your resources. By using bash scripts as demonstrated, you can bridge the gap between unlabeled resources and the policies that depend on labels, enhancing your overall operational capabilities and ensuring better control over your Kubernetes environments.