Resource Tagging
Entigo Platform uses labels, annotations and tags to manage, secure, and organize resources across Kubernetes and cloud provider accounts. This page explains what tags the platform uses, why, and what you can control.
How Entigo Platform Uses Tags
Tags serve three purposes in the platform:
- Access control — Cloud resources are tagged with workspace and zone identifiers. AWS IAM Permission Boundaries use these tags to ensure the platform can only access resources within its designated scope. See Permission Boundaries.
- Lifecycle management — The management policy tag distinguishes between resources the platform fully manages and resources it only observes. This determines whether the platform can create, update, and delete a resource or just read its status.
- Customer metadata — You can propagate your own tags (cost center, team, project) from the platform hierarchy to cloud resources. See the Custom Resource Tags guide.
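To make the access-control purpose concrete, here is an added example (it is not Entigo Platform's actual policy) of an AWS IAM permission boundary built around the entigo:workspace and entigo:zone tag keys the page documents, plus a local helper that mirrors the boundary's resource-tag condition. The statement layout, the action lists and the workspace id "ws-payments" are assumptions made for illustration.

```python
"""Added example, not Entigo Platform's actual policy: an AWS IAM permission
boundary that confines a platform principal to resources carrying its workspace tag.

The tag keys (entigo:workspace, entigo:zone) come from the page; the statement
structure, the action lists and the workspace id are illustrative assumptions.
"""
import json

WORKSPACE_TAG = "entigo:workspace"
ZONE_TAG = "entigo:zone"


def permission_boundary(workspace: str) -> dict:
    """Build the boundary document for one workspace.

    A permission boundary caps what an identity may ever do; the identity's own
    policies still have to grant the specific actions it needs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Existing resources may be touched only if they already carry
                # this workspace's tag.
                "Sid": "AllowWithinWorkspace",
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {f"aws:ResourceTag/{WORKSPACE_TAG}": workspace}
                },
            },
            {
                # New resources must be created with the workspace tag, so they
                # fall under the first statement from the moment they exist.
                "Sid": "AllowCreateTaggedForWorkspace",
                "Effect": "Allow",
                "Action": ["ec2:CreateVolume", "rds:CreateDBInstance"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {f"aws:RequestTag/{WORKSPACE_TAG}": workspace}
                },
            },
            {
                # Removing the scoping tags would let a resource escape the boundary.
                "Sid": "DenyRemovingScopeTags",
                "Effect": "Deny",
                "Action": ["ec2:DeleteTags"],
                "Resource": "*",
                "Condition": {
                    "ForAnyValue:StringEquals": {"aws:TagKeys": [WORKSPACE_TAG, ZONE_TAG]}
                },
            },
        ],
    }


def boundary_permits(resource_tags: dict, workspace: str) -> bool:
    """Local check mirroring the AllowWithinWorkspace condition.

    A resource is in scope only when its entigo:workspace tag equals the
    principal's workspace; an untagged resource is out of scope because the
    condition key is absent from the request context.
    """
    return resource_tags.get(WORKSPACE_TAG) == workspace


if __name__ == "__main__":
    print(json.dumps(permission_boundary("ws-payments"), indent=2))
    # Constructed sample resources: one tagged for the workspace, one untagged.
    print(boundary_permits({WORKSPACE_TAG: "ws-payments", "Name": "orders-api"}, "ws-payments"))
    print(boundary_permits({"Name": "legacy-db"}, "ws-payments"))
```

Two caveats when applying this pattern for real: not every AWS action supports the aws:ResourceTag condition key, and actions that also touch untagged dependencies (creating a database inside a subnet group, for instance) need additional statements for those resources, otherwise the boundary denies the whole call.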
Tag Layers
Tags exist at two layers, with the platform translating between them:
Kubernetes Labels and Annotations
Within the platform (control plane and workspace clusters), tags are implemented as standard Kubernetes labels using the entigo.com/ prefix:
- entigo.com/management-policy — Lifecycle management (details)
- app.kubernetes.io/managed-by — Resource ownership tracking
These follow Kubernetes conventions and work with standard tools like kubectl, label selectors, and admission webhooks.
Cloud Provider Tags
Feature status: planned
On cloud resources (AWS, Azure, GCP), the platform applies tags using provider-appropriate naming:
| Cloud Provider | Tag Format | Example |
|---|---|---|
| AWS | entigo:{name} | entigo:workspace |
| Azure | entigo.{name} | entigo.workspace |
| GCP | entigo_{name} | entigo_workspace |
You do not need to manage cloud provider tags directly. The platform handles the translation from Kubernetes labels to cloud tags transparently.
Platform Tags on Cloud Resources
Feature status: planned
Every cloud resource managed by the platform carries these tags:
| Tag (AWS) | Purpose | When Present |
|---|---|---|
| entigo:workspace | Identifies which workspace owns the resource | Always |
| entigo:zone | Identifies which zone the resource belongs to | Zone-scoped resources |
| Name | Human-readable name in the AWS Console | Always |
Additionally, Crossplane (the platform's cloud resource provisioning engine) adds system tags for traceability:
| Tag | Purpose |
|---|---|
| crossplane-kind | The Kubernetes resource type that manages this cloud resource |
| crossplane-name | The Kubernetes resource name |
| crossplane-providerconfig | The provider configuration used |
Tag Budget
AWS allows a maximum of 50 tags per resource. Platform and Crossplane system tags use 6 of these, leaving 44 slots for your custom tags. See the Platform Tags Reference for the complete breakdown.
Custom Tags
Feature status: planned
You can define custom tags at Organization, Workspace, and Zone levels. These propagate down the hierarchy and are applied to all cloud resources within that scope.
Tags defined at a lower level override the same tag from a higher level:
Organization (lowest priority)
→ Workspace
→ Zone (highest priority)
→ Cloud resources
For details on how to configure custom tags, see the Custom Resource Tags guide.
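The following added example (not Entigo Platform code) pulls together the rules from the Tag Layers, Tag Budget and Custom Tags sections: it resolves the Organization → Workspace → Zone override order, produces the platform tags in each provider's key format, enforces the 44-slot custom-tag budget on AWS, and reports drift between the desired tag set and what a resource actually carries. The sample tag values are constructed, and the rule that a custom tag may not reuse a platform key is an assumption of the example rather than documented behaviour.

```python
"""Added example, not Entigo Platform code: resolving the final tag set for one
cloud resource from the page's rules.

Uses the page's tag keys (entigo:workspace, entigo:zone, Name), its provider
prefix formats (entigo:, entigo., entigo_), the 50-tag AWS limit with 6 slots
reserved for platform and Crossplane tags, and the Organization < Workspace < Zone
override order. Sample values are constructed; treating platform keys as
reserved (custom tags may not override them) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

AWS_TAG_LIMIT = 50
PLATFORM_TAG_SLOTS = 6                                  # 3 platform + 3 Crossplane tags
CUSTOM_TAG_BUDGET = AWS_TAG_LIMIT - PLATFORM_TAG_SLOTS   # 44

# How the entigo prefix is spelled per provider (from the page's table).
PREFIX = {"aws": "entigo:", "azure": "entigo.", "gcp": "entigo_"}


@dataclass
class CustomTags:
    """Custom tags declared at each hierarchy level."""
    organization: dict = field(default_factory=dict)
    workspace: dict = field(default_factory=dict)
    zone: dict = field(default_factory=dict)   # empty for workspace-scoped resources

    def resolve(self) -> dict:
        """Lower levels override the same key from higher levels."""
        merged: dict = {}
        for level in (self.organization, self.workspace, self.zone):
            merged.update(level)
        return merged


def platform_tags(provider: str, workspace: str, name: str,
                  zone: Optional[str] = None) -> dict:
    """Tags the platform puts on every managed resource, in the provider's key format.
    The Name tag is documented for AWS; applying it to every provider is an assumption."""
    p = PREFIX[provider]
    tags = {f"{p}workspace": workspace, "Name": name}
    if zone is not None:          # only zone-scoped resources carry the zone tag
        tags[f"{p}zone"] = zone
    return tags


def desired_tags(provider: str, workspace: str, name: str, custom: CustomTags,
                 zone: Optional[str] = None) -> dict:
    """Full tag set for a resource. Raises if custom tags exceed the AWS budget
    or collide with a platform key (assumption: platform keys are reserved)."""
    base = platform_tags(provider, workspace, name, zone)
    extra = custom.resolve()
    if provider == "aws" and len(extra) > CUSTOM_TAG_BUDGET:
        raise ValueError(f"{len(extra)} custom tags exceed the budget of {CUSTOM_TAG_BUDGET}")
    clash = set(extra) & set(base)
    if clash:
        raise ValueError(f"custom tags may not override platform keys: {sorted(clash)}")
    return {**base, **extra}


def tag_drift(desired: dict, actual: dict) -> dict:
    """Keys whose value in the cloud differs from the desired state; a missing
    tag is reported with value None. An empty dict means no drift."""
    return {k: actual.get(k) for k, v in desired.items() if actual.get(k) != v}


if __name__ == "__main__":
    custom = CustomTags(
        organization={"cost-center": "cc-100", "team": "platform"},
        workspace={"team": "payments"},      # overrides the organization value
        zone={"env": "prod"},
    )
    want = desired_tags("aws", "ws-payments", "orders-db", custom, zone="eu-prod")
    print(want)
    # Constructed snapshot of the console after someone edited tags by hand.
    seen = {**want, "entigo:zone": "eu-dev"}
    del seen["cost-center"]
    print(tag_drift(want, seen))
```

A drift report like the one computed at the end is the signal the platform acts on when it corrects manual tag edits; running the same comparison from your side (for example as a scheduled check over a tag export) gives you an independent record of who changed what before the platform reverts it.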
Transparency
Entigo Platform is designed to be transparent about what it does in your cloud accounts. All platform tags are visible in your cloud provider console (AWS Console, Azure Portal, GCP Console). You should be aware of these tags but should not modify them manually — the platform manages them and will detect and correct drift.
Related Concepts
- Management Policies — How the platform manages resource lifecycles
- Permission Boundaries — How tags enable access control in your cloud account
- Custom Resource Tags — How to add your own tags
- Platform Tags Reference — Complete tag reference