Pod Labels Discipline
Labels drive selectors, scheduling, policy and alert routing, so they need discipline. The rules:
Required labels
app.kubernetes.io/name: the application name.
app.kubernetes.io/instance: the deployment instance. Both are from the standard Kubernetes recommended labels.
app.kubernetes.io/version: the version string. Critical for tracking which version is running where.
app.kubernetes.io/component: the component (api, worker, scheduler). Useful in multi-pod applications.
Ownership labels
team: the team that owns the workload. Page routing, cost attribution and debugging all start with team.
owner: specific engineer or rotation. For incident response and questions.
contact: Slack channel or email. The on-call should know who to ping.
Environment and lifecycle
environment: prod, staging, dev. Drives policy enforcement and alerting.
lifecycle: long-running, ephemeral, batch. Helps capacity planning and scheduler decisions.
criticality: tier-0, tier-1, tier-2. Drives priority class, dedicated nodes, alert routing.
What not to put in labels
High-cardinality values such as user_id, request_id or transaction_id. They cause cardinality explosion in metrics and inflate observability bills.
Free-form descriptions. Use annotations for that. Labels should be selectable; annotations are documentation.
Secrets or sensitive data. Labels are visible to anyone with cluster read access.
Enforcement
OPA Gatekeeper or Kyverno policy: required labels at admission. Pods without them are rejected.
CI lint: catch missing labels at PR time, before deploy. Faster feedback than admission rejection.
Quarterly audit: cluster-wide query for label compliance. Per-team report; address drift.
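The CI lint and the quarterly audit above can share one checker. The script below is an added example, not part of the original note or of any project's tooling: it reads the JSON that `kubectl get pods -A -o json` produces (a PodList), checks every pod's labels against the required set and the allowed values listed above, flags label keys that look like high-cardinality identifiers or sensitive data, and groups the findings per team for the audit report. The required-label list, the allowed values and the regexes are assumptions derived from this page; the sample PodList is constructed inline so the script runs offline.

```python
"""Label compliance lint/audit for Kubernetes pods (example code, not a project's own tool).

Input is a PodList JSON document as produced by `kubectl get pods -A -o json`;
in CI the same lint can be run over rendered manifests wrapped in the same shape.
"""
import json
import re
from collections import defaultdict

# Required label keys and allowed values, taken from the discipline described above.
REQUIRED_LABELS = (
    "app.kubernetes.io/name", "app.kubernetes.io/instance",
    "app.kubernetes.io/version", "app.kubernetes.io/component",
    "team", "owner", "contact", "environment", "lifecycle", "criticality",
)
ALLOWED_VALUES = {
    "environment": {"prod", "staging", "dev"},
    "lifecycle": {"long-running", "ephemeral", "batch"},
    "criticality": {"tier-0", "tier-1", "tier-2"},
}
# Assumed heuristics: keys that name per-request/per-user identifiers (cardinality
# explosion) or that look like credentials (labels are readable by anyone with
# cluster read access). Only keys are checked; values need a real secret scanner.
HIGH_CARDINALITY = re.compile(r"(^|[_-])(user|request|transaction|trace|session)[_-]?id$")
SENSITIVE = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.IGNORECASE)


def lint_labels(labels):
    """Return a list of (severity, message) findings for one pod's label map."""
    findings = []
    for key in REQUIRED_LABELS:
        if not labels.get(key):
            findings.append(("error", f"missing required label {key}"))
    for key, allowed in ALLOWED_VALUES.items():
        if key in labels and labels[key] not in allowed:
            findings.append(("error", f"{key}={labels[key]!r} not in {sorted(allowed)}"))
    for key in labels:
        if HIGH_CARDINALITY.search(key):
            findings.append(("error", f"high-cardinality label {key}: use an annotation or drop it"))
        if SENSITIVE.search(key):
            findings.append(("error", f"label {key} looks like sensitive data; labels are cluster-readable"))
    return findings


def audit(pod_list):
    """Group findings per owning team: {team: [(namespace/pod, severity, message), ...]}."""
    report = defaultdict(list)
    for pod in pod_list["items"]:
        meta = pod["metadata"]
        labels = meta.get("labels") or {}
        team = labels.get("team", "<unowned>")
        for severity, msg in lint_labels(labels):
            report[team].append((f"{meta['namespace']}/{meta['name']}", severity, msg))
    return dict(report)


# Constructed sample: one compliant pod and one that breaks several rules.
SAMPLE_PODLIST = json.loads("""
{"items": [
 {"metadata": {"name": "api-7d9f", "namespace": "shop", "labels": {
   "app.kubernetes.io/name": "shop-api", "app.kubernetes.io/instance": "shop-api-prod",
   "app.kubernetes.io/version": "2.14.1", "app.kubernetes.io/component": "api",
   "team": "checkout", "owner": "checkout-oncall", "contact": "#checkout-alerts",
   "environment": "prod", "lifecycle": "long-running", "criticality": "tier-1"}}},
 {"metadata": {"name": "report-job-x1", "namespace": "analytics", "labels": {
   "app.kubernetes.io/name": "nightly-report", "team": "data",
   "environment": "production", "user_id": "48213", "db_password": "hunter2"}}}
]}
""")


def main():
    """Print the per-team report; exit status 1 is what a CI lint would use on findings."""
    report = audit(SAMPLE_PODLIST)
    for team, entries in sorted(report.items()):
        print(f"team {team}: {len(entries)} finding(s)")
        for pod, severity, msg in entries:
            print(f"  [{severity}] {pod}: {msg}")
    return 1 if report else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

In CI, feed the rendered manifests through `audit` and fail the job on any finding; for the quarterly audit, pipe live cluster output in and send each team its own slice of the report. Admission-time enforcement with OPA Gatekeeper or Kyverno stays the backstop for anything that bypasses CI.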