
AWS Resource Tags

This document gives an overview of all AWS resource tags applied by the different components of the gardener-extension-provider-aws.

Overview

AWS resource tags are used to:

  • Identify resources that belong to a specific cluster
  • Mark resources managed by Gardener
  • Indicate the role of subnets for Kubernetes load balancer routing
  • Enable garbage collection of S3 objects

Tags by Component

Infrastructure Controller

The infrastructure controller (pkg/controller/infrastructure/) manages all VPC-related resources. It establishes a set of common tags applied to every resource it creates:

| Tag Key | Tag Value | Description |
| --- | --- | --- |
| `Name` | `<shoot-namespace>` | Human-readable resource name |
| `kubernetes.io/cluster/<shoot-namespace>` | `1` | Cluster ownership marker, used for resource discovery |

The following EC2 resource types receive these common tags at creation time (via pkg/aws/client/client.go):

  • DHCP Options
  • VPC
  • Security Groups (default + nodes)
  • Internet Gateway
  • Egress-Only Internet Gateway
  • VPC Endpoint
  • Route Tables
  • Elastic IPs
  • NAT Gateways
  • Key Pair

Subnet-Specific Tags

Subnets receive the common tags plus a name suffix and, for utility subnets, an additional ELB role tag:

| Subnet Type | Additional Tag Key | Tag Value | Purpose |
| --- | --- | --- | --- |
| Workers | `Name` | `<namespace>-nodes-<zone-suffix>` | Identifies worker node subnet |
| Public utility | `Name` | `<namespace>-public-utility-<zone-suffix>` | Identifies public subnet |
| Public utility | `kubernetes.io/role/elb` | `1` | Allows Kubernetes cloud controller to use subnet for public load balancers |
| Private utility | `Name` | `<namespace>-private-utility-<zone-suffix>` | Identifies private subnet |
| Private utility | `kubernetes.io/role/internal-elb` | `1` | Allows Kubernetes cloud controller to use subnet for internal load balancers |

EFS Resources

EFS file systems receive the common tags, extended with the managed tag if the file system was created by Gardener:

| Tag Key | Tag Value | Description |
| --- | --- | --- |
| `Name` | `<shoot-namespace>` | Resource name |
| `kubernetes.io/cluster/<shoot-namespace>` | `1` | Cluster ownership marker |
| `managed-by-gardener` | `true` | Marks resource as managed by Gardener |

Worker Controller

The worker controller (pkg/controller/worker/) creates MachineClass objects that configure EC2 instances for worker nodes. Each instance receives:

| Tag Key | Tag Value | Description |
| --- | --- | --- |
| `kubernetes.io/cluster/<shoot-technical-id>` | `1` | Cluster ownership marker (uses technical ID, not namespace) |
| `kubernetes.io/role/node` | `1` | Identifies EC2 instance as a Kubernetes node |
| `<pool-label-key>` | `<pool-label-value>` | All labels from the worker pool are propagated as tags |

Control Plane Controller (AWS Load Balancer Controller)

The control plane controller configures the AWS Load Balancer Controller with default tags that are applied to every AWS load balancer it creates:

| Tag Key | Tag Value | Description |
| --- | --- | --- |
| `KubernetesCluster` | `<shoot-namespace>` | Legacy cluster identifier for ALB |
| `kubernetes.io/cluster/<shoot-namespace>` | `owned` | ALB cluster ownership marker |

Note: The value `owned` (instead of `1`) follows the Kubernetes cloud provider tag convention for load balancers.

Bastion Controller

The bastion controller creates a dedicated security group for SSH bastion hosts. It only applies a `Name` tag:

| Tag Key | Tag Value | Description |
| --- | --- | --- |
| `Name` | `<bastion-security-group-name>` | Identifies the bastion security group |

S3 Garbage Collection

S3 objects scheduled for deletion are tagged to be picked up by an S3 lifecycle policy:

| Tag Key | Tag Value | Description |
| --- | --- | --- |
| `gc-marked-for-deletion` | `true` | Marks object for deletion via S3 lifecycle rule `GC-forTaggedObjects` |

Summary Table

| Tag Key | Tag Value | Applied By | AWS Resource Types |
| --- | --- | --- | --- |
| `Name` | resource-specific | Infrastructure controller | All VPC resources, subnets, EFS |
| `Name` | bastion SG name | Bastion controller | Security group |
| `kubernetes.io/cluster/<namespace>` | `1` | Infrastructure controller | VPC, subnets, security groups, gateways, route tables, EIPs, NAT gateways, EFS |
| `kubernetes.io/cluster/<technical-id>` | `1` | Worker controller | EC2 instances |
| `kubernetes.io/cluster/<namespace>` | `owned` | AWS LB controller | Load balancers (ALB/NLB) |
| `kubernetes.io/role/elb` | `1` | Infrastructure controller | Public utility subnets |
| `kubernetes.io/role/internal-elb` | `1` | Infrastructure controller | Private utility subnets |
| `kubernetes.io/role/node` | `1` | Worker controller | EC2 instances |
| `managed-by-gardener` | `true` | Infrastructure controller | EFS file systems |
| `KubernetesCluster` | `<namespace>` | AWS LB controller | Load balancers (ALB/NLB) |
| `gc-marked-for-deletion` | `true` | Infrastructure controller | S3 objects |
| `<pool-label-key>` | `<pool-label-value>` | Worker controller | EC2 instances |
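The subnet tagging rules and the two ownership marker values (`1` and `owned`) from the tables above, as an added worked example in Go; this is illustrative code written for this page, not code from gardener-extension-provider-aws, and the function names and the `shoot--garden--demo` sample values are assumptions. `ClusterOwner` shows the check an audit or cleanup script needs in order to attribute a tagged resource to a cluster without treating unrelated resources as owned.

```go
package main

import (
	"fmt"
	"strings"
)

// Tags holds the key/value pairs of one AWS resource.
type Tags map[string]string
const clusterTagPrefix = "kubernetes.io/cluster/"

// CommonTags returns what the infrastructure controller puts on every VPC resource.
func CommonTags(ns string) Tags {
	return Tags{"Name": ns, clusterTagPrefix + ns: "1"}
}

// SubnetTags adds the per-type name suffix and, for utility subnets, the ELB
// role tag. subnetType is "workers", "public-utility" or "private-utility".
func SubnetTags(ns, zoneSuffix, subnetType string) Tags {
	t := CommonTags(ns)
	switch subnetType {
	case "workers":
		t["Name"] = ns + "-nodes-" + zoneSuffix
	case "public-utility":
		t["Name"] = ns + "-public-utility-" + zoneSuffix
		t["kubernetes.io/role/elb"] = "1"
	case "private-utility":
		t["Name"] = ns + "-private-utility-" + zoneSuffix
		t["kubernetes.io/role/internal-elb"] = "1"
	}
	return t
}

// ClusterOwner returns the cluster id from a kubernetes.io/cluster/<id> marker,
// accepting both values used on this page: "1" and "owned". "" means the
// resource carries no ownership marker and must not be treated as the cluster's.
func ClusterOwner(t Tags) string {
	for k, v := range t {
		if strings.HasPrefix(k, clusterTagPrefix) && (v == "1" || v == "owned") {
			return strings.TrimPrefix(k, clusterTagPrefix)
		}
	}
	return ""
}

func main() { // constructed sample values, not taken from a real account
	subnet := SubnetTags("shoot--garden--demo", "z0", "public-utility")
	lb := Tags{"KubernetesCluster": "shoot--garden--demo", clusterTagPrefix + "shoot--garden--demo": "owned"}
	fmt.Println(subnet["Name"], ClusterOwner(subnet), ClusterOwner(lb))
}
```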