A utility to tag volumes based on a Kubernetes PVC annotation

speedfl/k8s-pvc-tagger

This branch is 35 commits behind mtougeron/k8s-pvc-tagger:main.

Latest commit

30a3442 · Jul 23, 2022

k8s-pvc-tagger

NOTE: This project was originally named k8s-aws-ebs-tagger but was renamed to k8s-pvc-tagger because its scope has expanded beyond AWS EBS volumes.

A utility to tag PVC volumes based on the PVC's k8s-pvc-tagger/tags annotation

The k8s-pvc-tagger watches for new PersistentVolumeClaims. When a new AWS EBS/EFS volume is created, it adds tags to that volume based on the PVC's k8s-pvc-tagger/tags annotation. Other cloud providers and volume types are coming soon.

How to set tags

cmdline args

--default-tags - A json or csv encoded key/value map of the tags to set by default on EBS/EFS Volumes. Values can be overwritten by the k8s-pvc-tagger/tags annotation.

--tag-format - Either json or csv for the format the k8s-pvc-tagger/tags and --default-tags are in.

--allow-all-tags - Allow all tags to be set via the PVC; even those used by the EBS/EFS controllers. Use with caution!

Annotations

k8s-pvc-tagger/ignore - When this annotation is set (to any value), the PVC is ignored and no tags are added to its volume.

k8s-pvc-tagger/tags - A json encoded key/value map of the tags to set on the EBS/EFS Volume (in addition to the --default-tags). It can also be used to override the values set in the --default-tags.

NOTE: Until version v1.2.0 the legacy annotation prefix of aws-ebs-tagger will continue to be supported for aws-ebs volumes ONLY.

Examples

  1. The cmdline arg --default-tags={"me": "touge"} and no annotation will set the tag me=touge

  2. The cmdline arg --default-tags={"me": "touge"} and the annotation k8s-pvc-tagger/tags: | {"me": "someone else", "another tag": "some value"} will create the tags me=someone else and another tag=some value on the EBS/EFS Volume

  3. The cmdline arg --default-tags={"me": "touge"} and the annotation k8s-pvc-tagger/ignore: "" will not set any tags on the EBS/EFS Volume

  4. The cmdline arg --default-tags={"me": "touge"} and the annotation k8s-pvc-tagger/tags: | {"cost-center": "abc", "environment": "prod"} will create the tags me=touge, cost-center=abc and environment=prod on the EBS/EFS Volume

ignored tags

The following tags are ignored by default

  • kubernetes.io/*
  • KubernetesCluster
  • Name

Tag Templates

Tag values can be Go templates using values from the PVC's Name, Namespace, Annotations, and Labels.

Some examples could be:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: touge-test
  namespace: touge
  labels:
    TeamID: "Frontend"
  annotations:
    CostCenter: "1234"
    k8s-pvc-tagger/tags: |
      {"Owner": "{{ .Labels.TeamID }}-{{ .Annotations.CostCenter }}"}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-1
  namespace: my-app
  annotations:
    k8s-pvc-tagger/tags: |
      {"OwnerID": "{{ .Namespace }}/{{ .Name }}"}
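
The precedence, ignore and template rules described above, combined into one function. This is an added example, not code from the k8s-pvc-tagger project. The `PVC` type, the `EffectiveTags` name, rendering default values as templates, and treating a missing template key as an error are assumptions of the example, and it handles only the json tag format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

type PVC struct { // hypothetical type: the PVC fields the README exposes to templates
	Name, Namespace     string
	Labels, Annotations map[string]string
}

// EffectiveTags (hypothetical): annotation over defaults, ignored keys dropped, values templated.
func EffectiveTags(defaults map[string]string, pvc PVC, allowAll bool) (map[string]string, error) {
	out := map[string]string{}
	if _, ignore := pvc.Annotations["k8s-pvc-tagger/ignore"]; ignore {
		return out, nil // any value, even "", disables tagging
	}
	merged := map[string]string{}
	for k, v := range defaults {
		merged[k] = v
	}
	if raw, ok := pvc.Annotations["k8s-pvc-tagger/tags"]; ok {
		if err := json.Unmarshal([]byte(raw), &merged); err != nil { // reuses merged, so the annotation wins
			return nil, fmt.Errorf("tags annotation: %w", err)
		}
	}
	for k, v := range merged {
		if !allowAll && (strings.HasPrefix(k, "kubernetes.io/") || k == "KubernetesCluster" || k == "Name") {
			continue // controller-owned key: a PVC author must not overwrite it
		}
		t, err := template.New(k).Option("missingkey=error").Parse(v) // assumption: absent key is an error
		if err != nil {
			return nil, err
		}
		var buf strings.Builder
		if err := t.Execute(&buf, pvc); err != nil {
			return nil, err
		}
		out[k] = buf.String()
	}
	return out, nil
}

func main() { // constructed sample input
	fmt.Println(EffectiveTags(map[string]string{"me": "touge"}, PVC{Name: "app-1", Namespace: "my-app"}, false))
}
```

With `allowAll` false, a PVC that sets `Name` or a `kubernetes.io/*` key has those keys dropped while its other tags still apply.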

Installation

AWS IAM Role

You need to create an AWS IAM Role that can be used by k8s-pvc-tagger. For EKS clusters, an IAM Role for Service Accounts should be used instead of using an AWS access key/secret. For non-EKS clusters, I recommend using a tool like kube2iam. An example policy is in examples/iam-role.json.

Install via helm

helm repo add mtougeron https://mtougeron.github.io/helm-charts/
helm repo update
helm install k8s-pvc-tagger mtougeron/k8s-pvc-tagger

Container Image

Images are available on the GitHub Container Registry and DockerHub. Containers are published for linux/amd64 & linux/arm64.

The container images are signed with sigstore/cosign and can be verified by running COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/mtougeron/k8s-pvc-tagger:<tag>

Licensing

This project is licensed under the Apache V2 License. See LICENSE for more information.
