crossplane / crossplane

The Cloud Native Control Plane
https://crossplane.io
Apache License 2.0

Standard recommended Kubernetes labels are not copied to composite resources #5981

Open mikebryant opened 6 days ago

mikebryant commented 6 days ago

What happened?

We're following the upstream guidance and using app.kubernetes.io/instance and app.kubernetes.io/name to track ownership of things. In particular this label is what we use to route alerts, to manage team / cost attribution, and various other things.

We have a cluster-wide Kyverno policy requiring resources to have these labels - this is breaking with crossplane composite resources, which do not have these labels, even though the claims do - and we want to have these labels propagated to the composite.

How can we reproduce it?

Create a claim with an app.kubernetes.io/instance label and observe it's not on the composite.

What environment did it happen in?

Crossplane version: 1.17.1

mikebryant commented 6 days ago

I think this is coming from this bit of code: https://github.com/crossplane/crossplane/blob/fa5f5850ef4ebe763def3c7a350a841a3d65b880/internal/controller/apiextensions/claim/object.go#L32-L40

There's a comment here that hints that the reason is to do with kubectl.kubernetes.io/last-applied-configuration, which makes sense for that specific annotation - but I don't think that reasoning holds up for other things that are supposed to be under the user's control.

Ideally we'd either allowlist app.kubernetes.io/*, or make this configurable at the controller or composite level; either would work.
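To make the proposed allowlist concrete, here is an added Go example (not Crossplane's code; `PropagationPolicy`, `DefaultPolicy` and `FilterClaimMeta` are hypothetical names) that copies only `app.kubernetes.io/*` labels from a claim and drops the `kubectl.kubernetes.io/last-applied-configuration` annotation while letting other annotations through:

```go
package main

import (
	"fmt"
	"strings"
)

// PropagationPolicy is a hypothetical knob (not a Crossplane API) describing which
// claim metadata may flow to the composite: labels by key prefix, annotations by deny list.
type PropagationPolicy struct {
	AllowedLabelPrefixes []string
	DeniedAnnotations    map[string]bool
}

// DefaultPolicy matches the proposal in the issue: allow app.kubernetes.io/*
// labels and never copy kubectl's last-applied-configuration annotation.
func DefaultPolicy() PropagationPolicy {
	return PropagationPolicy{
		AllowedLabelPrefixes: []string{"app.kubernetes.io/"},
		DeniedAnnotations:    map[string]bool{"kubectl.kubernetes.io/last-applied-configuration": true},
	}
}

// FilterClaimMeta returns the labels and annotations from a claim that the
// policy permits to be copied onto its composite resource.
func FilterClaimMeta(p PropagationPolicy, labels, anns map[string]string) (map[string]string, map[string]string) {
	outLabels := map[string]string{}
	for k, v := range labels {
		for _, prefix := range p.AllowedLabelPrefixes {
			if strings.HasPrefix(k, prefix) {
				outLabels[k] = v
				break
			}
		}
	}
	outAnns := map[string]string{}
	for k, v := range anns {
		if !p.DeniedAnnotations[k] {
			outAnns[k] = v
		}
	}
	return outLabels, outAnns
}

func main() {
	// Constructed sample claim metadata, not taken from a real cluster.
	l, a := FilterClaimMeta(DefaultPolicy(),
		map[string]string{"app.kubernetes.io/instance": "payments-prod", "internal/owner": "alice"},
		map[string]string{"kubectl.kubernetes.io/last-applied-configuration": "{...}", "example.com/ticket": "OPS-123"})
	fmt.Println(l, a) // map[app.kubernetes.io/instance:payments-prod] map[example.com/ticket:OPS-123]
}
```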