Update pod labels from the pod itself

Feb 2, 2023 • Mikolaj Gasior

Intro

Recently I have encountered a situation where we had to make a pod label itself in its init container. Pod was part of ReplicaSet (which was part of StatefulSet), and there were like 10 replicas. Label value for each pod in the ReplicaSet was meant to be different. There was this additional specific value that identified each pod, it was fetched in init container and it had to appear in pod labels so that logs can be filtered by it.

Kubernetes API

Quickest idea was to use kubectl but the container already had curl installed so why not just call the API.

To call the Kubernetes API, pod must use a ServiceAccount that is bound to a ClusterRole with certain permissions. So, the following things have to be done:
1) create ServiceAccount in the same namespace as your pod
2) create ClusterRole (or use existing, as shown below)
3) create ClusterRoleBinding that links above two resources
4) add serviceAccountName to the pod (in the case here it’s actually StatefulSet)

Sample YAML

See below YAML that uses existing cluster-admin ClusterRole. Replace test-kubeapi-access with your name and my-namespace with your namespace and use kubectl apply to create resources in your cluster.

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-kubeapi-access
subjects:
- kind: ServiceAccount
  name: test-kubeapi-access
  namespace: my-namespace
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-kubeapi-access
  namespace: my-namespace

Change in Pod

serviceAccountName: test-kubeapi-access must be added in the spec section of the pod.

For example, in StatefulSet YAML manifest, it’s actually in spec.template.spec like below.

spec:
  replicas: 2
  (...)
  template:
    (...)
    spec:
      containers:
      (...)
      serviceAccountName: test-kubeapi-access

Call the API

It’s time to call the Kubernetes API using curl. There is just one more thing! What is the pod’s name? There is an example on getting pod name from metadata in the official docs here.
Below environment variables can be added to the container.

spec:
  containers:
    - name: test-container
      (...)
      env:
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: MY_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace

Finally, the command to execute inside the pod to label itself.

curl -ik \
  -XPATCH \
  --data '{"metadata": { "labels": { "mynewlabel": "itsvalue" } } }' \
  -H "Accept: application/json, */*" \
  -H "Content-Type: application/strategic-merge-patch+json" \
  -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  https://kubernetes.default.svc.cluster.local/api/v1/namespaces/my-namespace/pods/$MY_POD_NAME
(C) 2022-2025 Mikolaj Gasior. All Rights Reserved. • LinkedInGitHub
Powered by tailwindcss and jekyll