✦ For everyone, free.

Practical knowledge for real and everyday life

Home

7.17 Kubernetes Annotation Usage

Kubernetes annotations provide metadata to customize resources, enabling advanced configuration and integration within container orchestration environments.

Kubernetes Annotation Usage is the concrete, ecosystem-wide catalog of specific, well-known annotation keys that particular controllers, admission webhooks, and tools actually recognize and act upon, illustrating in practical terms how the abstract annotation mechanism is put to work by real, widely deployed components across a typical cluster.


kubectl's Own Annotations

last-applied-configuration

The kubectl.kubernetes.io/last-applied-configuration annotation, set automatically by client-side kubectl apply, stores a serialized copy of the most recently applied manifest, which kubectl reads back on subsequent applies to compute its three-way merge, a foundational example of a tool using an annotation purely for its own internal bookkeeping.


Ingress Controller Annotations

Vendor-Specific Behavior Configuration

Because the core Ingress resource's schema is deliberately minimal, ingress controllers such as ingress-nginx rely heavily on annotations, prefixed with their own controller-specific domain such as nginx.ingress.kubernetes.io, to configure behavior the base Ingress spec does not natively support, including request timeout values, rewrite rules, and rate limiting.

Controller Class Selection

The kubernetes.io/ingress.class annotation, largely superseded by the newer ingressClassName field but still encountered in older manifests, historically determined which ingress controller among several installed in a cluster should handle a given Ingress object.


cert-manager Annotations

Automated Certificate Issuance Triggers

cert-manager watches for annotations such as cert-manager.io/cluster-issuer on Ingress objects, using their presence to automatically provision a TLS certificate for the Ingress's hosts through the referenced issuer, turning a simple annotation into the trigger for an entire automated certificate lifecycle workflow.


Prometheus Scraping Annotations

Signaling Metrics Endpoints

The de facto convention annotations prometheus.io/scrape, prometheus.io/port, and prometheus.io/path, while not defined by Kubernetes itself, are widely recognized by Prometheus service discovery configurations as a signal that a given Pod exposes metrics and where to find them, illustrating how community convention can establish annotation meaning without any formal Kubernetes specification.


Admission and Policy Annotations

Pod Security Standard Enforcement

The pod-security.kubernetes.io/enforce annotation, applied at the namespace level, configures which Pod Security Standard level the built-in Pod Security admission controller enforces for Pods created within that namespace, an annotation directly interpreted by a core Kubernetes admission mechanism rather than a third-party tool.

Audit and Warning Levels

Related annotations, pod-security.kubernetes.io/audit and pod-security.kubernetes.io/warn, configure additional enforcement modes that record violations or surface warnings without outright blocking non-compliant Pods, giving operators a gradual rollout path before switching a namespace to full enforcement.


Deployment Rollout Annotations

Change Cause Tracking

The kubernetes.io/change-cause annotation, historically set by kubectl when using rollout history tracking, records a human-readable description of why a particular Deployment revision was created, surfaced later through kubectl rollout history to give operators context on past changes.


Autoscaling and Resource Management Annotations

Vertical Pod Autoscaler Hints

Some autoscaling tooling reads specific annotations to receive hints or overrides beyond what a resource's core spec fields express, such as indicating that a particular container within a Pod should be excluded from automatic resource recommendation adjustments.


Why This Catalog Matters in Practice

Recognizing Annotations as Live Configuration

Because so much real, functioning behavior in a production cluster is driven by annotations rather than core spec fields, recognizing and understanding a manifest's annotations is often just as important as understanding its spec when diagnosing why a particular Ingress, certificate, or scraping target is behaving the way it is.