Skip to content

Labels and Annotations

May 20, 2026

Labels

Key-value pairs for categorizing and selecting objects
Max 63 chars; alphanumeric + separators
Used by Deployments, Services, NetworkPolicies: essential for selectors
Query: kubectl get pods -l key=value

Mechanism	CLI	Manifest
Equality	`-l env=prod` (AND with commas)	`matchLabels`
Set-based	`-l 'team in (a,b)'`	`matchExpressions` with `In`, `NotIn`, `Exists`

Label commands

kubectl run <n> --image=<img> --labels=k=v,k2=v2
kubectl get po --show-labels
kubectl label pod <n> key=value / --overwrite / key- to remove

Recommended labels

app.kubernetes.io/name, version, component, managed-by

Annotations

Key-value metadata only: not queryable (-l does not work)
No --annotations on kubectl run: YAML or kubectl annotate after create
Uses: commit hash, author, release notes, on-call

Reserved annotations

kubernetes.io/change-cause: rollout history
pod-security.kubernetes.io/enforce: baseline: namespace Pod security

Labels vs annotations

	Labels	Annotations
Queryable	Yes (`-l`)	No
Used in selectors	Yes	No
Imperative at create	`--labels`	No
Modify	`kubectl label`	`kubectl annotate`
Remove	`key-`	`key-`

Exam tips

Equality selectors: comma = AND, not OR: use in for OR
NetworkPolicy podSelector.matchLabels must match Pod labels exactly