Open mikebryant opened 6 days ago
I think this is coming from this bit of code: https://github.com/crossplane/crossplane/blob/fa5f5850ef4ebe763def3c7a350a841a3d65b880/internal/controller/apiextensions/claim/object.go#L32-L40
There's a comment here that hints that the reason is to do with kubectl.kubernetes.io/last-applied-configuration, which makes sense for that specific annotation - but I don't think that reasoning holds up for other things that are supposed to be under the user's control.
Ideally we'd either allowlist app.kubernetes.io/*, or making this configurable at the controller or composite level would work too.
What happened?
We're following the upstream guidance and using app.kubernetes.io/instance and app.kubernetes.io/name to track ownership of things. In particular this label is what we use to route alerts, to manage team / cost attribution, and various other things.
We have a cluster-wide Kyverno policy requiring resources to have these labels - this is breaking with crossplane composite resources, which do not have these labels, even though the claims do - and we want to have these labels propagated to the composite.
How can we reproduce it?
Create a claim with an app.kubernetes.io/instance label and observe it's not on the composite.
What environment did it happen in?
Crossplane version: 1.17.1
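As an added illustration of the allowlist the issue proposes (this is not crossplane's code): a hypothetical Go propagation filter that copies only allowlisted key prefixes from a claim to its composite, always drops kubectl.kubernetes.io/last-applied-configuration, and reports which keys a cluster-wide policy would still find missing. PropagationPolicy, Propagate, MissingRequired and the sample labels are assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Never copied from claim to composite (the annotation the linked crossplane comment refers to).
const lastAppliedAnnotation = "kubectl.kubernetes.io/last-applied-configuration"

// PropagationPolicy is a hypothetical allowlist of key prefixes (e.g. "app.kubernetes.io/").
type PropagationPolicy struct{ AllowedPrefixes []string }

// Propagate returns the claim metadata the policy permits on the composite.
// An empty allowlist propagates nothing, which is the behaviour the issue reports.
func Propagate(p PropagationPolicy, claimMeta map[string]string) map[string]string {
	out := make(map[string]string)
	for k, v := range claimMeta {
		if k == lastAppliedAnnotation {
			continue // always stripped, regardless of the allowlist
		}
		for _, prefix := range p.AllowedPrefixes {
			if strings.HasPrefix(k, prefix) {
				out[k] = v
				break
			}
		}
	}
	return out
}

// MissingRequired lists required keys (such as those a Kyverno policy demands) absent from the composite.
func MissingRequired(compositeMeta map[string]string, required []string) []string {
	var missing []string
	for _, k := range required {
		if _, ok := compositeMeta[k]; !ok {
			missing = append(missing, k)
		}
	}
	return missing
}

func main() {
	// Constructed sample claim labels; "internal.example.com/ticket" is outside the allowlist.
	claim := map[string]string{"app.kubernetes.io/instance": "billing-db",
		"app.kubernetes.io/name": "postgres", "internal.example.com/ticket": "OPS-42", lastAppliedAnnotation: "{}"}
	composite := Propagate(PropagationPolicy{AllowedPrefixes: []string{"app.kubernetes.io/"}}, claim)
	fmt.Println(composite, MissingRequired(composite, []string{"app.kubernetes.io/instance"}))
}
```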