Metadata Management

Tagger

Declarative label and annotation management for Kubernetes resources at scale. Automate cost allocation, enforce governance, and maintain consistent metadata across your entire cluster.

01

Overview

Tagger is a Kubernetes Operator for OpenShift that solves the challenge of maintaining consistent, declarative metadata across heterogeneous resources at scale. Manual label management is error-prone, unsustainable, and doesn't scale in large clusters. Tagger transforms metadata management from a manual chore into a policy-driven, automated system that ensures your labels and annotations are always correct.

Define TaggingPolicy custom resources that specify which resources to target, what labels and annotations to apply, and where those values come from. Tagger supports static values, namespace inheritance, ConfigMap references, HTTP endpoints with full authentication support, and Go templates with custom functions. Whether you need cost-center labels for FinOps, team ownership annotations for incident response, or compliance metadata for governance, Tagger ensures your metadata is consistent and continuously enforced.

02

Features

Dual Enforcement Modes

Choose continuous reconciliation to ensure labels persist even when manually modified, or creation-only mode via mutating webhook to apply immutable metadata at resource creation time. Each mode is optimized for different use cases.

Dynamic Value Sources

Pull tag values from static definitions, namespace labels and annotations, ConfigMaps, HTTP endpoints with JSONPath extraction, or Go templates. Supports complex value derivation including regex extraction and string manipulation.

HTTP Integration with Auth

Query external systems like Jira, ServiceNow, cost platforms, or CMDBs. Supports Bearer, Basic, API Key, and mTLS authentication. Response caching reduces API load while keeping values fresh.

Namespace Inheritance

Automatically propagate labels and annotations from namespaces to child resources. Filter by prefix to inherit only specific metadata like cost-center, team, or compliance labels. Resources are re-reconciled automatically when namespace labels change.

Priority-Based Conflict Resolution

When multiple policies target the same resource, higher priority policies take precedence. Combine with selective overwrite settings to respect manual overrides or preserve labels from other controllers.

OpenShift Console Plugin

Native OpenShift console integration with PatternFly UI. Browse, create, and manage TaggingPolicies with real-time statistics, condition monitoring, and editing directly from the OpenShift web console.

03

Use Cases

04

Custom Resources

05

Example Workflow

This example demonstrates applying cost allocation labels to all Deployments in namespaces that carry a cost-center label. Labels are inherited from the namespace and applied continuously to ensure consistency.

# 1. Label your namespace with cost metadata
oc label namespace production cost-center=engineering project=platform-core

# 2. Create a TaggingPolicy to propagate cost labels
cat <<EOF | oc apply -f -
apiVersion: tagger.cosmosdevops.co.uk/v1alpha1
kind: TaggingPolicy
metadata:
  name: cost-allocation-deployments
  namespace: tagger-system
spec:
  enforcementMode: continuous
  targets:
    - apiGroups: ["apps"]
      kinds: ["Deployment"]
  namespaceSelector:
    matchExpressions:
      - key: cost-center
        operator: Exists
  inheritFromNamespace:
    enabled: true
    labelPrefixes: ["cost-center", "project"]
  priority: 100
EOF

# 3. Verify the policy is active
oc get taggingpolicy -n tagger-system

# 4. Check that Deployments now have cost labels
oc get deployment -n production --show-labels
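
Step 4 can be checked mechanically rather than by eye. The script below is an added example, not part of Tagger or of the original page: it compares the labels a Deployment should inherit against what it actually carries and reports drift. It assumes a prefix matches when a label key starts with it, and the JSON is a constructed sample shaped like `oc get ... -o json` output.

```python
import json

# Constructed sample of `oc get namespace production -o json` and
# `oc get deployment -n production -o json`, trimmed to the fields used.
NAMESPACE_JSON = '''{"metadata": {"name": "production", "labels": {
  "cost-center": "engineering", "project": "platform-core",
  "kubernetes.io/metadata.name": "production"}}}'''

DEPLOYMENTS_JSON = '''{"items": [
 {"metadata": {"name": "api", "labels": {"app": "api",
   "cost-center": "engineering", "project": "platform-core"}}},
 {"metadata": {"name": "worker", "labels": {"app": "worker",
   "cost-center": "marketing", "project": "platform-core"}}},
 {"metadata": {"name": "cron", "labels": {"app": "cron",
   "cost-center": "engineering"}}},
 {"metadata": {"name": "legacy"}}
]}'''

PREFIXES = ["cost-center", "project"]  # labelPrefixes from the policy above


def expected_labels(namespace, prefixes):
    """Namespace labels whose key starts with a prefix (assumed semantics)."""
    labels = namespace.get("metadata", {}).get("labels") or {}
    return {k: v for k, v in labels.items()
            if any(k.startswith(p) for p in prefixes)}


def audit(namespace, deployments, prefixes):
    """Return {deployment: {key: (expected, actual)}} for drifted labels."""
    want = expected_labels(namespace, prefixes)
    findings = {}
    for item in deployments.get("items", []):
        meta = item.get("metadata", {})
        have = meta.get("labels") or {}  # a resource may have no labels at all
        drift = {k: (v, have.get(k)) for k, v in want.items() if have.get(k) != v}
        if drift:
            findings[meta.get("name", "<unnamed>")] = drift
    return findings


def run_sample():
    return audit(json.loads(NAMESPACE_JSON), json.loads(DEPLOYMENTS_JSON), PREFIXES)


if __name__ == "__main__":
    for name, drift in run_sample().items():
        for key, (exp, act) in drift.items():
            print(f"{name}: {key} expected={exp!r} actual={act!r}")
```

Under continuous enforcement a non-empty result after the reconcile interval points to a policy that is not matching, a higher-priority policy overriding the value, or another controller rewriting the label.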

Automate Your Metadata Strategy

Stop manually managing labels across thousands of resources. Tagger brings declarative, policy-driven metadata management to your Kubernetes cluster. Enable FinOps, improve incident response, and enforce governance with a single operator.