diff --git a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml b/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
index bf2c386..7117673 100644
--- a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
+++ b/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
@@ -6,6 +6,8 @@ kind: ConfigMap
 metadata:
   name: istio-gateway-bootstrap-config
   namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "kubezero-lib.labels" . | indent 4 }}
 data:
   custom_bootstrap.json: |
     {
diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml
index 5d6a29a..dd1d9d3 100644
--- a/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml
@@ -4,6 +4,8 @@ kind: EnvoyFilter
 metadata:
   name: ingressgateway-hardening
   namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
   configPatches:
   - applyTo: CLUSTER
diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
index da8feea..6bc89a9 100644
--- a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
@@ -4,6 +4,8 @@ kind: EnvoyFilter
 metadata:
   name: ingressgateway-listener-tcp-keepalive
   namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
   configPatches:
   - applyTo: LISTENER
diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh
index 98b2ca3..0bece09 100755
--- a/charts/kubezero-istio/update.sh
+++ b/charts/kubezero-istio/update.sh
@@ -1,3 +1,6 @@
+### TODO
+- https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/
+
 #!/bin/bash
 set -ex