7.2 Kubernetes Metadata Identity
Kubernetes Metadata Identity defines how entities are uniquely identified and managed within the Kubernetes ecosystem through structured labels and annotations.
Kubernetes Metadata Identity is the subset of an object's metadata responsible for uniquely and unambiguously distinguishing that specific object from every other object in the cluster, formed by the combination of name, namespace, and uid, and standing in deliberate contrast to labels, which serve grouping and selection rather than singular, exact identification.
Identity as a Precise, Singular Concept
One Object, One Identity
Where labels are designed to match many objects sharing a common characteristic, identity is designed to pinpoint exactly one specific object; a request addressed to a specific name and namespace resolves to at most a single object, never a set, reflecting identity's fundamentally different purpose from the grouping role labels play.
The Three Components of Identity
name and namespace together form the human-facing, addressable identity used in day-to-day API interactions, while uid forms the system-assigned, collision-proof identity that remains valid and unique even across the deletion and recreation of an object sharing the same name and namespace.
Name and Namespace as Addressable Identity
The Coordinate Used in Every Direct Request
Every direct API operation targeting a specific object, a get, update, delete, or patch, addresses that object by its name, and namespace where applicable, making this pairing the practical, everyday identity that clients, controllers, and human operators actually use to interact with a specific object.
Stability Across an Object's Lifetime
Unlike labels, which are commonly changed to reflect an object's evolving state or classification, name and namespace are effectively immutable for the life of an object; changing either is not supported as an in-place operation and instead requires deleting and recreating the object under its new coordinates.
UID as Collision-Proof Identity
Guaranteeing Uniqueness Beyond Reuse
Because name and namespace can be reused after an object is deleted, a new object created with the exact same name and namespace as a previously deleted one is a genuinely different object, and uid, assigned once and never reused, is what allows the system, and careful client code, to distinguish this new object from its now-deleted predecessor.
Where UID-Based Identity Matters Most
UID-based identity matters most in scenarios involving asynchronous processing or auditing, such as an owner reference recording exactly which specific object created a dependent, or an audit log entry needing to unambiguously refer to a particular object instance even if a same-named object was later deleted and recreated.
Identity Versus Selection
Two Complementary but Distinct Mechanisms
Identity answers "which specific object is this," while labels and selectors answer "which set of objects share this characteristic," and Kubernetes' object model deliberately keeps these as separate, complementary mechanisms rather than conflating them, since a Service needs to select a changing, potentially multi-member set of backend Pods by shared characteristic, an operation identity alone cannot express.
When Each Is the Right Tool
Direct API operations, RBAC rules scoped to a specific object, and owner references all rely on identity, since they need to refer to one exact object, while Service backend selection, NetworkPolicy targeting, and controller ownership of a dynamic Pod set all rely on label-based selection instead, since they need to refer to a set that can grow, shrink, or change membership over time.
Identity in Access Control and Auditing
RBAC Scoping by Name
Kubernetes RBAC supports scoping permissions down to specific named resources within a rule, relying directly on the identity fields to express "this specific object" rather than a broader, label-selected category, a narrower and more precise access grant than typical namespace- or kind-level RBAC scoping.
Audit Trails Anchored to UID
Kubernetes audit logging records the uid of objects involved in API operations, giving audit trails a stable anchor for tracing the history of a specific object instance even across name reuse scenarios that could otherwise make a purely name-based audit trail ambiguous or misleading.