containers · Retr0-XD · Nov 9, 2025
diff --git a/cmd/podman/kube/play.go b/cmd/podman/kube/play.go
@@ -40,6 +40,7 @@ type playKubeOptionsWrapper struct {
 	BuildCLI       bool
 	annotations    []string
 	macs           []string
+	labels         []string
 }
 
 const yamlFileSeparator = "\n---\n"
@@ -109,6 +110,10 @@ func playFlags(cmd *cobra.Command) {
 		"Add Podman-specific annotations to containers and pods created by Podman (key=value)",
 	)
 	_ = cmd.RegisterFlagCompletionFunc(annotationFlagName, completion.AutocompleteNone)
+
+	labelFlagName := "label"
+	flags.StringArrayVarP(&playOptions.labels, labelFlagName, "l", []string{}, "Add labels to resources created by podman kube play (key=value)")
+	_ = cmd.RegisterFlagCompletionFunc(labelFlagName, completion.AutocompleteNone)
 	credsFlagName := "creds"
 	flags.StringVar(&playOptions.CredentialsCLI, credsFlagName, "", "`Credentials` (USERNAME:PASSWORD) to use for authenticating to a registry")
 	_ = cmd.RegisterFlagCompletionFunc(credsFlagName, completion.AutocompleteNone)
@@ -265,6 +270,15 @@ func play(cmd *cobra.Command, args []string) error {
 		playOptions.Annotations[key] = val
 	}
 
+	// parse labels provided on CLI and attach to PlayKubeOptions
+	if len(playOptions.labels) > 0 {
+		labelMap, err := parse.GetAllLabels([]string{}, playOptions.labels)
+		if err != nil {
+			return err
+		}
+		playOptions.Labels = labelMap
+	}
+
 	if err := annotations.ValidateAnnotations(playOptions.Annotations); err != nil {
 		return err
 	}

diff --git a/pkg/api/handlers/libpod/kube.go b/pkg/api/handlers/libpod/kube.go
@@ -106,6 +106,7 @@ func KubePlay(w http.ResponseWriter, r *http.Request) {
 	decoder := r.Context().Value(api.DecoderKey).(*schema.Decoder)
 	query := struct {
 		Annotations      map[string]string `schema:"annotations"`
+		Labels           map[string]string `schema:"labels"`
 		LogDriver        string            `schema:"logDriver"`
 		LogOptions       []string          `schema:"logOptions"`
 		Network          []string          `schema:"network"`
@@ -179,6 +180,7 @@ func KubePlay(w http.ResponseWriter, r *http.Request) {
 	containerEngine := abi.ContainerEngine{Libpod: runtime}
 	options := entities.PlayKubeOptions{
 		Annotations:        query.Annotations,
+		Labels:             query.Labels,
 		Authfile:           authfile,
 		IsRemote:           true,
 		LogDriver:          logDriver,

diff --git a/pkg/bindings/kube/types.go b/pkg/bindings/kube/types.go
@@ -10,6 +10,8 @@ import (
 type PlayOptions struct {
 	// Annotations - Annotations to add to Pods
 	Annotations map[string]string
+	// Labels - labels to add to created resources
+	Labels map[string]string
 	// Authfile - path to an authentication file.
 	Authfile *string
 	// CertDir - to a directory containing TLS certifications and keys.

diff --git a/pkg/bindings/kube/types_play_options.go b/pkg/bindings/kube/types_play_options.go
diff --git a/pkg/domain/entities/play.go b/pkg/domain/entities/play.go
@@ -11,6 +11,8 @@ import (
 type PlayKubeOptions struct {
 	// Annotations - Annotations to add to Pods
 	Annotations map[string]string
+	// Labels - Labels to add to created resources
+	Labels map[string]string
 	// Authfile - path to an authentication file.
 	Authfile string
 	// Indicator to build all images with Containerfile or Dockerfile

diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
@@ -368,6 +368,14 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, body io.Reader, options
 				podYAML.Annotations[name] = val
 			}
 
+			// Merge CLI-specified labels into pod YAML labels so they are applied to created resources
+			for name, val := range options.Labels {
+				if podYAML.Labels == nil {
+					podYAML.Labels = make(map[string]string)
+				}
+				podYAML.Labels[name] = val
+			}
+
 			if err := annotations.ValidateAnnotations(podYAML.Annotations); err != nil {
 				return nil, err
 			}
@@ -443,6 +451,14 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, body io.Reader, options
 				pvcYAML.Annotations[name] = val
 			}
 
+			// Merge CLI-provided labels into PVC labels so created volumes get them
+			for name, val := range options.Labels {
+				if pvcYAML.Labels == nil {
+					pvcYAML.Labels = make(map[string]string)
+				}
+				pvcYAML.Labels[name] = val
+			}
+
 			if options.IsRemote {
 				if _, ok := pvcYAML.Annotations[util.VolumeImportSourceAnnotation]; ok {
 					return nil, fmt.Errorf("importing volumes is not supported for remote requests")
@@ -470,7 +486,15 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, body io.Reader, options
 				return nil, fmt.Errorf("unable to read YAML as kube secret: %w", err)
 			}
 
-			r, err := ic.playKubeSecret(&secret)
+			// Merge CLI-provided labels into secret labels
+			for name, val := range options.Labels {
+				if secret.ObjectMeta.Labels == nil {
+					secret.ObjectMeta.Labels = make(map[string]string)
+				}
+				secret.ObjectMeta.Labels[name] = val
+			}
+
+			r, err := ic.playKubeSecret(&secret, options)
 			if err != nil {
 				return nil, err
 			}
@@ -1837,7 +1861,7 @@ func (ic *ContainerEngine) PlayKubeDown(ctx context.Context, body io.Reader, opt
 }
 
 // playKubeSecret allows users to create and store a kubernetes secret as a podman secret
-func (ic *ContainerEngine) playKubeSecret(secret *v1.Secret) (*entities.SecretCreateReport, error) {
+func (ic *ContainerEngine) playKubeSecret(secret *v1.Secret, options entities.PlayKubeOptions) (*entities.SecretCreateReport, error) {
 	r := &entities.SecretCreateReport{}
 
 	// Create the secret manager before hand
@@ -1854,9 +1878,6 @@ func (ic *ContainerEngine) playKubeSecret(secret *v1.Secret) (*entities.SecretCr
 	secretsPath := ic.Libpod.GetSecretsStorageDir()
 	opts := make(map[string]string)
 	opts["path"] = filepath.Join(secretsPath, "filedriver")
-	// maybe k8sName(data)...
-	// using this does not allow the user to use the name given to the secret
-	// but keeping secret.Name as the ID can lead to a collision.
 
 	s, err := secretsManager.Lookup(secret.Name)
 	if err == nil {
@@ -1879,9 +1900,23 @@ func (ic *ContainerEngine) playKubeSecret(secret *v1.Secret) (*entities.SecretCr
 		meta["immutable"] = "true"
 	}
 
+	// Merge labels from the secret YAML and CLI-provided options
+	mergedLabels := make(map[string]string)
+	if secret.ObjectMeta.Labels != nil {
+		for k, v := range secret.ObjectMeta.Labels {
+			mergedLabels[k] = v
+		}
+	}
+	if options.Labels != nil {
+		for k, v := range options.Labels {
+			mergedLabels[k] = v
+		}
+	}
+
 	storeOpts := secrets.StoreOptions{
 		DriverOpts: opts,
 		Metadata:   meta,
+		Labels:     mergedLabels,
 	}
 
 	secretID, err := secretsManager.Store(secret.Name, data, "file", storeOpts)

diff --git a/test/tools/vendor/github.com/Masterminds/goutils/cryptorandomstringutils.go b/test/tools/vendor/github.com/Masterminds/goutils/cryptorandomstringutils.go
diff --git a/test/tools/vendor/github.com/Masterminds/goutils/randomstringutils.go b/test/tools/vendor/github.com/Masterminds/goutils/randomstringutils.go