Feature request: Map k8s pod labels as project tags

[muellerst-hg]

As a System Operator,
I would like to add pod labels as project tags in DependencyTrack
So that grouping/filtering by label in dtrack is possible

Background: We use k8s pod labels to determine and group things like application, stage, department, ...

Given the following deployment was applied to k8s cluster:
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: dependencytrack-frontend
    namespace: dependencytrack-sales-live
  spec:
    template:
        metadata:
          labels:
            app=dependencytrack
            stage=live
            department=sales
            service=inventory
        spec:
          containers:
            - name: dependencytrack-frontend
              image: dependencytrack-frontend:4.5.1
  ---
When the sbom-operator scans the pod and adds the project to dtrack
Then the following tags should be added to dtrack:
  [namespace=dependencytrack-sales-live, app=dependencytrack, stage=live, department=sales, ...]
But currently only the following tags are added:
  [namespace=dependencytrack-sales-live, ...]

What do you think about the idea of adding Labels map[string]string to struct libk8s.PodInfo and allow custom mapping of labels to dtrack project tags?
What would be an appropriate way to configure the custom mapping?

sbom-operator is awesome. Thank you!

[ckotzbauer]

Hi @muellerst-hg,
thanks for your request. Sure, the Dependency Track integration can be extended with the pod-labels as you specified.
What do you mean with "custom mapping"? Can you give a few more details about this?

[muellerst-hg]

Maybe "custom mapping" isn't the right term.

Given I have the following labels:
  spec:
    template:
        metadata:
          labels:
            app=dependencytrack
            stage=live
            department=sales
            service=inventory
            pod-template-hash=12c5401afc
And I have selected "app" and "stage" as labels to be added as tags
Then the following project tags should be added to dtrack
    app=dependencytrack
    stage=live

[muellerst-hg]

With two labels "app=dependencytrack" and "app=nginx", some magic would be required to identify both by matching "app" left of the equals sign.

[muellerst-hg]

A user could provide a regex for matching labels like SBOM_DTRACK_LABEL_TAG_MATCHER="^(?:app|stage)="

[ckotzbauer]

I got it, you want to control which pod-labels should be mapped to Dependency Track.