/*
Kubernetes labels and annotations used in Linkerd's control plane and data plane
Kubernetes configs.
*/

package k8s

import (
	"fmt"

	ewv1beta1 "github.com/linkerd/linkerd2/controller/gen/apis/externalworkload/v1beta1"
	"github.com/linkerd/linkerd2/pkg/version"
	appsv1 "k8s.io/api/apps/v1"
	corev1 "k8s.io/api/core/v1"
)

const (
	/*
	 * Labels
	 */

	// Prefix is the prefix common to all labels and annotations injected by
	// Linkerd.
	Prefix = "linkerd.io"

	// LinkerdExtensionLabel is a label that helps identify the namespaces
	// that contain a Linkerd extension.
	LinkerdExtensionLabel = Prefix + "/extension"

	// ControllerComponentLabel identifies this object as a component of
	// Linkerd's control plane (e.g. web, controller).
	ControllerComponentLabel = Prefix + "/control-plane-component"

	// ExtensionAPIServerAuthenticationConfigMapName is the name of the
	// ConfigMap where authentication data for extension API servers is placed.
	ExtensionAPIServerAuthenticationConfigMapName = "extension-apiserver-authentication"

	// ExtensionAPIServerAuthenticationRequestHeaderClientCAFileKey is the key
	// that contains the value of the "--requestheader-client-ca-file" flag.
	ExtensionAPIServerAuthenticationRequestHeaderClientCAFileKey = "requestheader-client-ca-file"

	// RequireIDHeader signals to the proxy that a certain identity should be
	// expected of the remote peer.
	RequireIDHeader = "l5d-require-id"

	// ControllerNSLabel is injected into mesh-enabled apps, identifying the
	// namespace of the Linkerd control plane.
	// NOTE(review): this is an ordinary object label; nothing in this file
	// authenticates it, so treat its value as a hint rather than as proof of
	// mesh membership.
	ControllerNSLabel = Prefix + "/control-plane-ns"

	// ProxyDeploymentLabel is injected into mesh-enabled apps, identifying the
	// deployment that this proxy belongs to.
	ProxyDeploymentLabel = Prefix + "/proxy-deployment"

	// ProxyReplicationControllerLabel is injected into mesh-enabled apps,
	// identifying the ReplicationController that this proxy belongs to.
	ProxyReplicationControllerLabel = Prefix + "/proxy-replicationcontroller"

	// ProxyReplicaSetLabel is injected into mesh-enabled apps, identifying the
	// ReplicaSet that this proxy belongs to.
	ProxyReplicaSetLabel = Prefix + "/proxy-replicaset"

	// ProxyJobLabel is injected into mesh-enabled apps, identifying the Job
	// that this proxy belongs to.
	ProxyJobLabel = Prefix + "/proxy-job"

	// ProxyDaemonSetLabel is injected into mesh-enabled apps, identifying the
	// DaemonSet that this proxy belongs to.
	ProxyDaemonSetLabel = Prefix + "/proxy-daemonset"

	// ProxyStatefulSetLabel is injected into mesh-enabled apps, identifying the
	// StatefulSet that this proxy belongs to.
	ProxyStatefulSetLabel = Prefix + "/proxy-statefulset"

	// ProxyCronJobLabel is injected into mesh-enabled apps, identifying the
	// CronJob that this proxy belongs to.
	ProxyCronJobLabel = Prefix + "/proxy-cronjob"

	// WorkloadNamespaceLabel is injected into mesh-enabled apps, identifying
	// the Namespace that this proxy belongs to.
	WorkloadNamespaceLabel = Prefix + "/workload-ns"

	// Enabled is used by annotations whose valid values include "enabled".
	Enabled = "enabled"

	// Disabled is used by annotations whose valid values include "disabled".
	Disabled = "disabled"

	/*
	 * Annotations
	 */

	// CreatedByAnnotation indicates the source of the injected data plane
	// (e.g. linkerd/cli v2.0.0).
	CreatedByAnnotation = Prefix + "/created-by"

	// ProxyVersionAnnotation indicates the version of the injected data plane
	// (e.g. v0.1.3).
	ProxyVersionAnnotation = Prefix + "/proxy-version"

	// ProxyInjectAnnotation controls whether or not a pod should be injected
	// when set on a pod spec. When set on a namespace spec, it applies to all
	// pods in the namespace. Supported values are Enabled or Disabled.
	ProxyInjectAnnotation = Prefix + "/inject"

	// ProxyInjectEnabled is assigned to the ProxyInjectAnnotation annotation
	// to enable injection for a pod or namespace.
	ProxyInjectEnabled = Enabled

	// ProxyInjectIngress is assigned to the ProxyInjectAnnotation annotation
	// to enable injection in ingress mode for a pod.
	ProxyInjectIngress = "ingress"

	// ProxyInjectDisabled is assigned to the ProxyInjectAnnotation annotation
	// to disable injection for a pod or namespace.
	ProxyInjectDisabled = Disabled

	// ProxyTrustRootSHA indicates the cert bundle configured on the injected
	// workload.
	ProxyTrustRootSHA = Prefix + "/trust-root-sha256"

	/*
	 * Proxy config annotations
	 *
	 * NOTE(review): the names below are annotation keys, so their values come
	 * from whoever may edit the annotated object's metadata. Several of them
	 * change security-relevant settings (injected images, UID/GID, ports that
	 * are skipped, the default inbound policy); where that matters, restrict
	 * who may set them, e.g. with admission policy.
	 */

	// ProxyConfigAnnotationsPrefix is the prefix of all config-related
	// annotations.
	ProxyConfigAnnotationsPrefix = "config.linkerd.io"

	// ProxyConfigAnnotationsPrefixAlpha is the prefix of newly released
	// config-related annotations.
	ProxyConfigAnnotationsPrefixAlpha = "config.alpha.linkerd.io"

	// ProxyImageAnnotation can be used to override the proxyImage config.
	ProxyImageAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-image"

	// ProxyImagePullPolicyAnnotation can be used to override the
	// proxyImagePullPolicy and proxyInitImagePullPolicy configs.
	ProxyImagePullPolicyAnnotation = ProxyConfigAnnotationsPrefix + "/image-pull-policy"

	// ProxyInitImageAnnotation can be used to override the proxyInitImage
	// config.
	ProxyInitImageAnnotation = ProxyConfigAnnotationsPrefix + "/init-image"

	// ProxyInitImageVersionAnnotation can be used to override the proxy-init
	// image version.
	ProxyInitImageVersionAnnotation = ProxyConfigAnnotationsPrefix + "/init-image-version"

	// DebugImageAnnotation can be used to override the debugImage config.
	DebugImageAnnotation = ProxyConfigAnnotationsPrefix + "/debug-image"

	// DebugImageVersionAnnotation can be used to override the
	// debugImageVersion config.
	DebugImageVersionAnnotation = ProxyConfigAnnotationsPrefix + "/debug-image-version"

	// DebugImagePullPolicyAnnotation can be used to override the
	// debugImagePullPolicy config.
	DebugImagePullPolicyAnnotation = ProxyConfigAnnotationsPrefix + "/debug-image-pull-policy"

	// ProxyControlPortAnnotation can be used to override the controlPort
	// config.
	ProxyControlPortAnnotation = ProxyConfigAnnotationsPrefix + "/control-port"

	// ProxyIgnoreInboundPortsAnnotation can be used to override the
	// ignoreInboundPorts config.
	// NOTE(review): presumably traffic on the listed ports is not handled by
	// the proxy, and so not covered by its identity or policy checks — confirm.
	ProxyIgnoreInboundPortsAnnotation = ProxyConfigAnnotationsPrefix + "/skip-inbound-ports"

	// ProxyOpaquePortsAnnotation can be used to override the opaquePorts
	// config.
	ProxyOpaquePortsAnnotation = ProxyConfigAnnotationsPrefix + "/opaque-ports"

	// ProxyIgnoreOutboundPortsAnnotation can be used to override the
	// ignoreOutboundPorts config.
	ProxyIgnoreOutboundPortsAnnotation = ProxyConfigAnnotationsPrefix + "/skip-outbound-ports"

	// ProxySkipSubnetsAnnotation can be used to override the skipSubnets
	// config.
	ProxySkipSubnetsAnnotation = ProxyConfigAnnotationsPrefix + "/skip-subnets"

	// ProxyInboundPortAnnotation can be used to override the inboundPort
	// config.
	ProxyInboundPortAnnotation = ProxyConfigAnnotationsPrefix + "/inbound-port"

	// ProxyAdminPortAnnotation can be used to override the adminPort config.
	ProxyAdminPortAnnotation = ProxyConfigAnnotationsPrefix + "/admin-port"

	// ProxyOutboundPortAnnotation can be used to override the outboundPort
	// config.
	ProxyOutboundPortAnnotation = ProxyConfigAnnotationsPrefix + "/outbound-port"

	// ProxyPodInboundPortsAnnotation can be used to set a comma-separated
	// list of (non-proxy) container ports exposed by the pod spec. Useful
	// when other mutating webhooks inject sidecar containers after the
	// proxy injector has run.
	ProxyPodInboundPortsAnnotation = ProxyConfigAnnotationsPrefix + "/pod-inbound-ports"

	// ProxyCPURequestAnnotation can be used to override the requestCPU config.
	ProxyCPURequestAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-cpu-request"

	// ProxyMemoryRequestAnnotation can be used to override the
	// requestMemoryConfig.
	ProxyMemoryRequestAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-memory-request"

	// ProxyEphemeralStorageRequestAnnotation can be used to override the
	// requestEphemeralStorage config.
	ProxyEphemeralStorageRequestAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-ephemeral-storage-request"

	// ProxyCPULimitAnnotation can be used to override the limitCPU config.
	ProxyCPULimitAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-cpu-limit"

	// ProxyMemoryLimitAnnotation can be used to override the limitMemory
	// config.
	ProxyMemoryLimitAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-memory-limit"

	// ProxyEphemeralStorageLimitAnnotation can be used to override the
	// limitEphemeralStorage config.
	ProxyEphemeralStorageLimitAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-ephemeral-storage-limit"

	// ProxyUIDAnnotation can be used to override the UID config.
	ProxyUIDAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-uid"

	// ProxyGIDAnnotation can be used to override the GID config.
	ProxyGIDAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-gid"

	// ProxyLogLevelAnnotation can be used to override the log level config.
	ProxyLogLevelAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-log-level"

	// ProxyLogFormatAnnotation can be used to override the log format config.
	ProxyLogFormatAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-log-format"

	// ProxyEnableExternalProfilesAnnotation can be used to override the
	// disableExternalProfilesAnnotation config.
	ProxyEnableExternalProfilesAnnotation = ProxyConfigAnnotationsPrefix + "/enable-external-profiles"

	// ProxyVersionOverrideAnnotation can be used to override the proxy version
	// config.
	ProxyVersionOverrideAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-version"

	// ProxyRequireIdentityOnInboundPortsAnnotation can be used to configure
	// the proxy to always require identity on inbound ports.
	ProxyRequireIdentityOnInboundPortsAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-require-identity-inbound-ports"

	// ProxyOutboundConnectTimeout can be used to configure the outbound TCP
	// connection timeout in the proxy.
	ProxyOutboundConnectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-outbound-connect-timeout"

	// ProxyInboundConnectTimeout can be used to configure the inbound TCP
	// connection timeout in the proxy.
	ProxyInboundConnectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-inbound-connect-timeout"

	// ProxyOutboundDiscoveryCacheUnusedTimeout can be used to configure the
	// timeout that will evict unused outbound discovery results.
	ProxyOutboundDiscoveryCacheUnusedTimeout = ProxyConfigAnnotationsPrefix + "/proxy-outbound-discovery-cache-unused-timeout"

	// ProxyInboundDiscoveryCacheUnusedTimeout can be used to configure the
	// timeout that will evict unused inbound discovery results.
	ProxyInboundDiscoveryCacheUnusedTimeout = ProxyConfigAnnotationsPrefix + "/proxy-inbound-discovery-cache-unused-timeout"

	// ProxyDisableOutboundProtocolDetectTimeout can be used to disable
	// protocol detection timeouts for outbound connections by setting them to
	// a very high value.
	ProxyDisableOutboundProtocolDetectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-disable-outbound-protocol-detect-timeout"

	// ProxyDisableInboundProtocolDetectTimeout can be used to disable protocol
	// detection timeouts for inbound connections by setting them to a very
	// high value.
	ProxyDisableInboundProtocolDetectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-disable-inbound-protocol-detect-timeout"

	// ProxyEnableGatewayAnnotation can be used to configure the proxy to
	// operate as a gateway, routing requests that target the inbound router.
	ProxyEnableGatewayAnnotation = ProxyConfigAnnotationsPrefix + "/enable-gateway"

	// ProxyEnableDebugAnnotation is set to true if the debug container is
	// injected.
	ProxyEnableDebugAnnotation = ProxyConfigAnnotationsPrefix + "/enable-debug-sidecar"

	// CloseWaitTimeoutAnnotation configures
	// nf_conntrack_tcp_timeout_close_wait.
	CloseWaitTimeoutAnnotation = ProxyConfigAnnotationsPrefix + "/close-wait-timeout"

	// ProxyWaitBeforeExitSecondsAnnotation makes the proxy container wait for
	// the given period before exiting after the Pod entered the Terminating
	// state. Must be smaller than terminationGracePeriodSeconds configured for
	// the Pod.
	ProxyWaitBeforeExitSecondsAnnotation = ProxyConfigAnnotationsPrefixAlpha + "/proxy-wait-before-exit-seconds"

	// ProxyEnableNativeSidecarAnnotation enables the new native initContainer
	// sidecar.
	ProxyEnableNativeSidecarAnnotation = ProxyConfigAnnotationsPrefixAlpha + "/proxy-enable-native-sidecar"

	// ProxyAwait can be used to force the application to wait for the proxy
	// to be ready.
	ProxyAwait = ProxyConfigAnnotationsPrefix + "/proxy-await"

	// ProxyDefaultInboundPolicyAnnotation is used to configure the default
	// inbound policy of the proxy.
	ProxyDefaultInboundPolicyAnnotation = ProxyConfigAnnotationsPrefix + "/default-inbound-policy"

	// ProxyAccessLogAnnotation configures whether HTTP access logging is
	// enabled, and what access log format is used.
	ProxyAccessLogAnnotation = ProxyConfigAnnotationsPrefix + "/access-log"

	// AllUnauthenticated allows all unauthenticated connections. Going by the
	// descriptions in this group, it is the least restrictive of the values
	// from AllUnauthenticated through Deny.
	AllUnauthenticated = "all-unauthenticated"

	// AllAuthenticated allows all authenticated connections.
	AllAuthenticated = "all-authenticated"

	// ClusterUnauthenticated allows all unauthenticated connections from
	// within the cluster.
	ClusterUnauthenticated = "cluster-unauthenticated"

	// ClusterAuthenticated allows all authenticated connections from within
	// the cluster.
	ClusterAuthenticated = "cluster-authenticated"

	// Deny denies all connections.
	Deny = "deny"

	// ProxyShutdownGracePeriodAnnotation configures the grace period for
	// graceful shutdowns in the proxy.
	ProxyShutdownGracePeriodAnnotation = ProxyConfigAnnotationsPrefix + "/shutdown-grace-period"

	/*
	 * Component Names
	 */

	// ConfigConfigMapName is the name of the ConfigMap containing the linkerd
	// controller configuration.
	ConfigConfigMapName = "linkerd-config"

	// DebugContainerName is the name of the default linkerd debug container.
	DebugContainerName = "linkerd-debug"

	// DebugSidecarImage is the image name of the default linkerd debug
	// container.
	DebugSidecarImage = "cr.l5d.io/linkerd/debug"

	// InitContainerName is the name assigned to the injected init container.
	InitContainerName = "linkerd-init"

	// InitXtablesLockVolumeMountName is the name of the volumeMount used by
	// proxy-init to handle iptables-legacy.
	InitXtablesLockVolumeMountName = "linkerd-proxy-init-xtables-lock"

	// LinkerdTokenVolumeMountName is the name of the volumeMount used for
	// the serviceAccount token.
	LinkerdTokenVolumeMountName = "linkerd-identity-token"

	// ProxyContainerName is the name assigned to the injected proxy container.
	ProxyContainerName = "linkerd-proxy"

	// IdentityEndEntityVolumeName is the name assigned to the temporary
	// end-entity volume mounted into each proxy to store identity credentials.
	IdentityEndEntityVolumeName = "linkerd-identity-end-entity"

	// IdentityIssuerSecretName is the name of the Secret that stores issuer
	// credentials.
	IdentityIssuerSecretName = "linkerd-identity-issuer"

	// IdentityIssuerSchemeLinkerd is the issuer secret scheme used by linkerd.
	IdentityIssuerSchemeLinkerd = "linkerd.io/tls"

	// IdentityIssuerKeyName is the issuer's private key file. Read access to
	// the Secret holding it should be kept as narrow as possible.
	IdentityIssuerKeyName = "key.pem"

	// IdentityIssuerCrtName is the issuer's certificate file.
	IdentityIssuerCrtName = "crt.pem"

	// IdentityIssuerTrustAnchorsNameExternal is the issuer's certificate file
	// (when using cert-manager).
	IdentityIssuerTrustAnchorsNameExternal = "ca.crt"

	// ProxyPortName is the name of the Linkerd Proxy's proxy port.
	ProxyPortName = "linkerd-proxy"

	// ProxyAdminPortName is the name of the Linkerd Proxy's metrics port.
	ProxyAdminPortName = "linkerd-admin"

	// ProxyInjectorWebhookServiceName is the name of the mutating webhook
	// service.
	ProxyInjectorWebhookServiceName = "linkerd-proxy-injector"

	// ProxyInjectorWebhookConfigName is the name of the mutating webhook
	// configuration.
	ProxyInjectorWebhookConfigName = ProxyInjectorWebhookServiceName + "-webhook-config"

	// SPValidatorWebhookServiceName is the name of the validating webhook
	// service.
	SPValidatorWebhookServiceName = "linkerd-sp-validator"

	// SPValidatorWebhookConfigName is the name of the validating webhook
	// configuration.
	SPValidatorWebhookConfigName = SPValidatorWebhookServiceName + "-webhook-config"

	// PolicyValidatorWebhookConfigName is the name of the validating webhook
	// configuration.
	PolicyValidatorWebhookConfigName = "linkerd-policy-validator-webhook-config"

	/*
	 * Mount paths
	 */

	// MountPathBase is the base directory of the mount path.
	MountPathBase = "/var/run/linkerd"

	// MountPathTrustRootsBase is the base directory of the trust roots.
	MountPathTrustRootsBase = MountPathBase + "/identity/trust-roots"

	// MountPathTrustRootsPEM is the path at which the trust bundle is mounted.
	MountPathTrustRootsPEM = MountPathTrustRootsBase + "/ca-bundle.crt"

	// MountPathServiceAccount is the default path where Kubernetes stores
	// the service account token.
	MountPathServiceAccount = "/var/run/secrets/kubernetes.io/serviceaccount"

	// MountPathValuesConfig is the path at which the values config file is
	// mounted.
	MountPathValuesConfig = MountPathBase + "/config/values"

	// MountPathTLSBase is the path at which the TLS cert and key PEM files are
	// mounted.
	MountPathTLSBase = MountPathBase + "/tls"

	// MountPathTLSKeyPEM is the path at which the TLS key PEM file is mounted.
	MountPathTLSKeyPEM = MountPathTLSBase + "/tls.key"

	// MountPathTLSCrtPEM is the path at which the TLS cert PEM file is mounted.
	MountPathTLSCrtPEM = MountPathTLSBase + "/tls.crt"

	/*
	 * Service mirror constants
	 */

	// SvcMirrorPrefix is the prefix common to all labels and annotations
	// and types used by the service mirror component.
	SvcMirrorPrefix = "mirror.linkerd.io"

	// MulticlusterPrefix is the prefix common to all labels and annotations
	// used for multicluster services.
	MulticlusterPrefix = "multicluster.linkerd.io"

	// MirrorSecretType is the type of secret that is supposed to contain
	// the access information for remote clusters. Secrets of this type are
	// credentials for another cluster and deserve correspondingly tight RBAC.
	MirrorSecretType = SvcMirrorPrefix + "/remote-kubeconfig"

	// DefaultExportedServiceSelector is the default label selector for
	// exported services.
	DefaultExportedServiceSelector = SvcMirrorPrefix + "/exported"

	// MirroredResourceLabel indicates that this resource is the result
	// of a mirroring operation (can be a namespace or a service).
	MirroredResourceLabel = SvcMirrorPrefix + "/mirrored-service"

	// MirroredGatewayLabel indicates that this is a mirrored gateway.
	MirroredGatewayLabel = SvcMirrorPrefix + "/mirrored-gateway"

	// MirroredHeadlessSvcNameLabel indicates the root headless service for
	// mirrored headless hosts.
	MirroredHeadlessSvcNameLabel = SvcMirrorPrefix + "/headless-mirror-svc-name"

	// RemoteClusterNameLabel is put on a local mirrored service; it allows us
	// to associate a mirrored service with a remote cluster.
	RemoteClusterNameLabel = SvcMirrorPrefix + "/cluster-name"

	// RemoteDiscoveryLabel indicates that this service is a remote discovery
	// service and the value of this label is the name of the remote cluster.
	RemoteDiscoveryLabel = MulticlusterPrefix + "/remote-discovery"

	// RemoteServiceLabel is the name of the service in the remote cluster.
	RemoteServiceLabel = MulticlusterPrefix + "/remote-service"

	// RemoteResourceVersionAnnotation is the last observed remote resource
	// version of a mirrored resource. Useful when doing updates.
	RemoteResourceVersionAnnotation = SvcMirrorPrefix + "/remote-resource-version"

	// RemoteServiceFqName is the fully qualified name of the mirrored service
	// on the remote cluster.
	RemoteServiceFqName = SvcMirrorPrefix + "/remote-svc-fq-name"

	// RemoteGatewayIdentity follows the same kind of logic as
	// RemoteGatewayNameLabel.
	// NOTE(review): RemoteGatewayNameLabel is not declared in this file —
	// TODO confirm the reference is still valid.
	RemoteGatewayIdentity = SvcMirrorPrefix + "/remote-gateway-identity"

	// GatewayIdentity can be found on the remote gateway service.
	GatewayIdentity = SvcMirrorPrefix + "/gateway-identity"

	// GatewayProbePeriod is the interval at which the health of the gateway
	// should be probed.
	GatewayProbePeriod = SvcMirrorPrefix + "/probe-period"

	// GatewayProbePath is the path at which the health of the gateway should
	// be probed.
	GatewayProbePath = SvcMirrorPrefix + "/probe-path"

	// ConfigKeyName is the key in the secret that stores the kubeconfig needed
	// to connect to a remote cluster.
	ConfigKeyName = "kubeconfig"

	// GatewayPortName is the name of the incoming port of the gateway.
	GatewayPortName = "mc-gateway"

	// ProbePortName is the name of the probe port of the gateway.
	ProbePortName = "mc-probe"
)

// CreatedByAnnotationValue returns the value associated with
// CreatedByAnnotation: the literal "linkerd/cli " followed by version.Version.
func CreatedByAnnotationValue() string {
	const format = "linkerd/cli %s"
	return fmt.Sprintf(format, version.Version)
}

// GetServiceAccountAndNS returns the pod's serviceaccount and namespace.
func GetServiceAccountAndNS(pod *corev1.Pod) (sa string, ns string) {
	// Each result falls back to the literal "default" when the pod leaves the
	// field empty, so an unset field and an explicit "default" look the same
	// to the caller.
	// NOTE(review): callers that derive a workload identity from this pair
	// should make sure the pod's namespace is populated before calling —
	// confirm at the call sites.
	const fallback = "default"

	if sa = pod.Spec.ServiceAccountName; sa == "" {
		sa = fallback
	}
	if ns = pod.GetNamespace(); ns == "" {
		ns = fallback
	}
	return sa, ns
}

// GetPodLabels returns the set of prometheus owner labels for a given pod.
//
// The result always carries "pod" (the pod name), the key produced by
// KindToL5DLabel(ownerKind) mapped to ownerName, and "serviceaccount".
// "control_plane_ns" and "pod_template_hash" are added only when the
// corresponding pod label is present and non-empty. Keys are written in that
// order, so a later key overwrites an earlier one if they collide.
func GetPodLabels(ownerKind, ownerName string, pod *corev1.Pod) map[string]string {
	out := make(map[string]string)
	out["pod"] = pod.Name
	out[KindToL5DLabel(ownerKind)] = ownerName

	// Only the service account is needed here; the namespace is discarded.
	saName, _ := GetServiceAccountAndNS(pod)
	out["serviceaccount"] = saName

	if cpNS := pod.Labels[ControllerNSLabel]; len(cpNS) > 0 {
		out["control_plane_ns"] = cpNS
	}

	if hash := pod.Labels[appsv1.DefaultDeploymentUniqueLabelKey]; len(hash) > 0 {
		out["pod_template_hash"] = hash
	}

	return out
}

// GetExternalWorkloadLabels returns the set of prometheus owner labels for a
// given ExternalWorkload.
//
// "external_workload" is always set to the workload's name. The owner entry is
// added only when both ownerKind and ownerName are non-empty, and ownerKind is
// used verbatim as the key (it is not passed through KindToL5DLabel as in
// GetPodLabels).
func GetExternalWorkloadLabels(ownerKind, ownerName string, ew *ewv1beta1.ExternalWorkload) map[string]string {
	out := map[string]string{"external_workload": ew.Name}
	if ownerKind == "" || ownerName == "" {
		return out
	}
	out[ownerKind] = ownerName
	return out
}

// IsMeshed returns whether a given Pod is in a given controller's service mesh.
//
// The decision is a plain string comparison between the pod's
// ControllerNSLabel value and controllerNS. A pod without that label yields
// the empty string, so an empty controllerNS reports every unlabelled pod as
// meshed.
// NOTE(review): the label is ordinary object metadata; nothing here verifies
// that a proxy is actually running, so do not treat a true result as an
// authenticated signal.
func IsMeshed(pod *corev1.Pod, controllerNS string) bool {
	podMeshNS := pod.Labels[ControllerNSLabel]
	return podMeshNS == controllerNS
}