diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index 7a3dae41c7..09dcdb28a6 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -804,6 +804,10 @@ observability_collector_scheme: "https"
 observability_metrics_endpoint: "ingest.lightstep.com"
 observability_metrics_port: "443"
 
+# labels whitelisted to kube-state-metrics
+observability_metrics_pods_labels: "application,component"
+observability_metrics_ingresses_labels: ""
+
 # opentelemetry collector
 observability_otel_collector_enabled: "false"
 
diff --git a/cluster/manifests/kube-state-metrics/deployment.yaml b/cluster/manifests/kube-state-metrics/deployment.yaml
index 67d9458855..a82fee30c8 100644
--- a/cluster/manifests/kube-state-metrics/deployment.yaml
+++ b/cluster/manifests/kube-state-metrics/deployment.yaml
@@ -32,7 +32,7 @@ spec:
         image: container-registry.zalando.net/teapot/kube-state-metrics:v2.2.1-master-21
         args:
         - --resources=certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments,verticalpodautoscalers
-        - --metric-labels-allowlist=pods=[application,component],nodes=[topology.kubernetes.io/zone,node.kubernetes.io/instance-type,node.kubernetes.io/node-pool,node.kubernetes.io/role,dedicated]
+        - --metric-labels-allowlist=pods=[{{.Cluster.ConfigItems.observability_metrics_pods_labels}}],ingresses=[{{.Cluster.ConfigItems.observability_metrics_ingresses_labels}}],nodes=[topology.kubernetes.io/zone,node.kubernetes.io/instance-type,node.kubernetes.io/node-pool,node.kubernetes.io/role,dedicated]
         ports:
         - containerPort: 8080
           name: http-metrics