Platform Tags Reference
Feature status: planned
This page lists all tags that Entigo Platform and its components apply to cloud resources.
Platform System Tags
Tags managed by the Entigo Platform. Do not modify these manually.
| K8s Label | AWS Tag | Azure Tag | GCP Label | Purpose | When Present |
|---|---|---|---|---|---|
| entigo.com/workspace | entigo:workspace | entigo.workspace | entigo_workspace | Workspace isolation via ABAC | Always |
| entigo.com/zone | entigo:zone | entigo.zone | entigo_zone | Zone scoping via ABAC | Zone-scoped resources |
| — | Name | — | — | Human-readable name in AWS Console | Always (AWS only) |
Notes
- entigo:workspace is the only universally required tag. Its presence signals that the resource is within platform scope.
- entigo:zone is omitted for workspace-scoped resources not associated with a specific zone.
- Management policy is not propagated to cloud tags. The entigo.com/management-policy label is a Kubernetes-only concept that controls syncer behavior. See Kubernetes-Only Labels below.
- Name follows AWS naming conventions for console readability.
Crossplane System Tags
Tags added by Crossplane (the cloud resource provisioning engine). These cannot be renamed or suppressed.
| AWS Tag | Purpose | Example Value |
|---|---|---|
| crossplane-kind | Kubernetes managed resource type (GVK) | instance.rds.aws.upbound.io |
| crossplane-name | Kubernetes managed resource name | my-database-abc12 |
| crossplane-providerconfig | ProviderConfig used for provisioning | default |
Customer Passthrough Tags
Tags defined by users via the tags.entigo.com/ prefix on Organization, Workspace, or Zone objects. The prefix is stripped before applying to cloud resources.
| Source | Cloud Tag |
|---|---|
| Label tags.entigo.com/cost-center: CC-12345 | cost-center: CC-12345 |
| Annotation tags.entigo.com/project-description: My project | project-description: My project |
See the Custom Resource Tags guide for usage details.
Kubernetes-Only Labels
These labels exist within the platform (control plane and workspace clusters) and are not propagated to cloud resources:
| Label | Purpose | Set By |
|---|---|---|
| entigo.com/management-policy | Lifecycle management (full vs. observed) | Platform / Syncer |
| app.kubernetes.io/managed-by | Identifies creating tool (argocd, helm, entigo-web) | Creating tool |
Tag Key Format Per Cloud Provider
The platform translates Kubernetes label prefixes to provider-appropriate formats:
| Cloud Provider | Prefix Format | Separator | Example |
|---|---|---|---|
| Kubernetes | entigo.com/ | / | entigo.com/workspace |
| AWS | entigo: | : | entigo:workspace |
| Azure | entigo. | . | entigo.workspace |
| GCP | entigo_ | _ | entigo_workspace |
Provider-Specific Limitations
| Constraint | AWS | Azure | GCP |
|---|---|---|---|
| Max tags per resource | 50 | 50 | 64 (labels) |
| Key max length | 128 | 512 (128 for storage) | 63 |
| Value max length | 256 | 256 | 63 |
| Case sensitive (keys) | Yes | No | Lowercase only |
| Case sensitive (values) | Yes | Yes | Lowercase only |
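The following is an added example, not Entigo Platform code: it applies the prefix translation, the passthrough prefix stripping and the provider limits from the tables above to a set of Kubernetes labels and reports what would not fit on each provider. The function name `translate`, the decision to skip labels outside the two documented prefixes, and reporting problems as a list (rather than whatever the platform itself does) are assumptions of the example.

```python
# Added example (not Entigo code). Prefixes and limits are copied from the tables above.
PLATFORM_LABELS = {"entigo.com/workspace": "workspace", "entigo.com/zone": "zone"}
PASSTHROUGH_PREFIX = "tags.entigo.com/"
PROVIDERS = {  # Azure key limit is 128 for storage resources; 512 is used here.
    "aws":   dict(prefix="entigo:", max_tags=50, key_len=128, val_len=256, lower=False, fold=False),
    "azure": dict(prefix="entigo.", max_tags=50, key_len=512, val_len=256, lower=False, fold=True),
    "gcp":   dict(prefix="entigo_", max_tags=64, key_len=63, val_len=63, lower=True, fold=False),
}

def translate(labels, provider):
    """Map Kubernetes labels to (cloud_tags, problems) for one provider."""
    cfg, tags, problems, seen = PROVIDERS[provider], {}, [], set()
    for key, value in labels.items():
        if key in PLATFORM_LABELS:
            out = cfg["prefix"] + PLATFORM_LABELS[key]
        elif key.startswith(PASSTHROUGH_PREFIX):
            out = key[len(PASSTHROUGH_PREFIX):]  # prefix is stripped
        else:
            continue  # Kubernetes-only labels; other labels skipped by assumption
        if len(out) > cfg["key_len"]:
            problems.append(f"{out}: key exceeds {cfg['key_len']} chars")
        if len(value) > cfg["val_len"]:
            problems.append(f"{out}: value exceeds {cfg['val_len']} chars")
        if cfg["lower"] and (out != out.lower() or value != value.lower()):
            problems.append(f"{out}: key and value must be lowercase")
        # Azure keys are case-insensitive, so compare them case-folded.
        folded = out.lower() if cfg["fold"] else out
        if folded in seen:
            problems.append(f"{out}: duplicate key after translation")
        seen.add(folded)
        tags[out] = value
    if cfg["prefix"] + "workspace" not in tags:
        problems.append("workspace tag missing: resource is outside platform scope")
    if len(tags) > cfg["max_tags"]:  # Name and Crossplane tags are not counted here
        problems.append(f"{len(tags)} tags exceed the limit of {cfg['max_tags']}")
    return tags, problems

# Constructed sample input using label values that appear on this page.
SAMPLE_LABELS = {
    "entigo.com/workspace": "ws-prod-001",
    "entigo.com/zone": "zone-1",
    "entigo.com/management-policy": "full",
    "app.kubernetes.io/managed-by": "argocd",
    "tags.entigo.com/cost-center": "CC-12345",
}

if __name__ == "__main__":
    for name in PROVIDERS:
        print(name, translate(SAMPLE_LABELS, name))
```

With the sample labels, AWS and Azure report no problems, while GCP flags cost-center because the value CC-12345 is not lowercase.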
Example: Complete Tag Set on an AWS Resource
A fully managed RDS database in zone-1:
entigo:workspace = ws-prod-001
entigo:zone = zone-1
Name = my-production-database
crossplane-kind = instance.rds.aws.upbound.io
crossplane-name = my-production-database-x7k2m
crossplane-providerconfig = default
cost-center = CC-12345 (passthrough from Zone)
environment = production (passthrough from Workspace)
company = acme-corp (passthrough from Organization)
An observed S3 bucket:
entigo:workspace = ws-prod-001
entigo:zone = zone-1
Name = legacy-data-bucket
crossplane-kind = bucket.s3.aws.upbound.io
crossplane-name = legacy-data-bucket-m3p9q
crossplane-providerconfig = default
cost-center = CC-12345 (passthrough from Zone)