diff --git a/cmd/k8s-operator/proxygroup.go b/cmd/k8s-operator/proxygroup.go
index 440e3372f..6256feb57 100644
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@@ -329,7 +329,7 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 ObjectMeta: metav1.ObjectMeta{
 Name: fmt.Sprintf("%s-%d-config", pg.Name, i),
 Namespace: r.tsNamespace,
- Labels: secretLabels("proxygroup", pg.Name, "config"),
+ Labels: pgSecretLabels(pg.Name, "config"),
 OwnerReferences: pgOwnerReference(pg),
 },
 }
@@ -444,7 +444,7 @@ func (r *ProxyGroupReconciler) validate(_ *tsapi.ProxyGroup) error {
 func (r *ProxyGroupReconciler) getNodeMetadata(ctx context.Context, pg *tsapi.ProxyGroup) (metadata []nodeMetadata, _ error) {
 // List all state secrets owned by this ProxyGroup.
 secrets := &corev1.SecretList{}
- if err := r.List(ctx, secrets, client.InNamespace(r.tsNamespace), client.MatchingLabels(secretLabels("proxygroup", pg.Name, "state"))); err != nil {
+ if err := r.List(ctx, secrets, client.InNamespace(r.tsNamespace), client.MatchingLabels(pgSecretLabels(pg.Name, "state"))); err != nil {
 return nil, fmt.Errorf("failed to list state Secrets: %w", err)
 }
 for _, secret := range secrets.Items {
diff --git a/cmd/k8s-operator/proxygroup_specs.go b/cmd/k8s-operator/proxygroup_specs.go
index d39973837..94a095ff5 100644
--- a/cmd/k8s-operator/proxygroup_specs.go
+++ b/cmd/k8s-operator/proxygroup_specs.go
@@ -16,8 +16,6 @@ import (
 "tailscale.com/types/ptr"
 )
 
-const labelSecretType = "tailscale.com/secret-type"
-
 // Returns the base StatefulSet definition for a ProxyGroup. A ProxyClass may be
 // applied over the top after.
 func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, cfgHash string) *appsv1.StatefulSet {
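Review bot: The selector handed to `r.List` in `getNodeMetadata` is now built by `pgSecretLabels(pg.Name, "state")`, which (per the `pgLabels` definition added in proxygroup_specs.go) writes `"ProxyGroup"` into `LabelParentType`; if the old `labels("proxygroup", ...)` helper wrote its first argument `"proxygroup"` into that same label, state Secrets created by an earlier operator version stop matching and their node metadata is silently dropped rather than reported. I cannot see `labels` in this diff, so that needs confirming against its body; `getNodeMetadata` also continues past the end of the hunk. The same value change would reach the StatefulSet `Selector.MatchLabels` in the `pgStatefulSet` hunk of proxygroup_specs.go (`@@ -25,19 +23,19`), and the API server rejects a selector change on an existing StatefulSet, so an upgrade would fail to reconcile existing ProxyGroups. If the label value did change, either the commit description should state how existing resources are migrated, or the list/selector code should keep matching the previous label set during the transition.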
@@ -25,19 +23,19 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, cfgHash string) *apps
 ObjectMeta: metav1.ObjectMeta{
 Name: pg.Name,
 Namespace: namespace,
- Labels: labels("proxygroup", pg.Name, nil),
+ Labels: pgLabels(pg.Name, nil),
 OwnerReferences: pgOwnerReference(pg),
 },
 Spec: appsv1.StatefulSetSpec{
 Replicas: ptr.To(pgReplicas(pg)),
 Selector: &metav1.LabelSelector{
- MatchLabels: labels("proxygroup", pg.Name, nil),
+ MatchLabels: pgLabels(pg.Name, nil),
 },
 Template: corev1.PodTemplateSpec{
 ObjectMeta: metav1.ObjectMeta{
 Name: pg.Name,
 Namespace: namespace,
- Labels: labels("proxygroup", pg.Name, nil),
+ Labels: pgLabels(pg.Name, nil),
 DeletionGracePeriodSeconds: ptr.To[int64](10),
 Annotations: map[string]string{
 podAnnotationLastSetConfigFileHash: cfgHash,
@@ -113,7 +111,7 @@ func pgServiceAccount(pg *tsapi.ProxyGroup, namespace string) *corev1.ServiceAcc
 ObjectMeta: metav1.ObjectMeta{
 Name: pg.Name,
 Namespace: namespace,
- Labels: labels("proxygroup", pg.Name, nil),
+ Labels: pgLabels(pg.Name, nil),
 OwnerReferences: pgOwnerReference(pg),
 },
 }
@@ -124,7 +122,7 @@ func pgRole(pg *tsapi.ProxyGroup, namespace string) *rbacv1.Role {
 ObjectMeta: metav1.ObjectMeta{
 Name: pg.Name,
 Namespace: namespace,
- Labels: labels("proxygroup", pg.Name, nil),
+ Labels: pgLabels(pg.Name, nil),
 OwnerReferences: pgOwnerReference(pg),
 },
 Rules: []rbacv1.PolicyRule{
@@ -155,7 +153,7 @@ func pgRoleBinding(pg *tsapi.ProxyGroup, namespace string) *rbacv1.RoleBinding {
 ObjectMeta: metav1.ObjectMeta{
 Name: pg.Name,
 Namespace: namespace,
- Labels: labels("proxygroup", pg.Name, nil),
+ Labels: pgLabels(pg.Name, nil),
 OwnerReferences: pgOwnerReference(pg),
 },
 Subjects: []rbacv1.Subject{
@@ -178,7 +176,7 @@ func pgStateSecrets(pg *tsapi.ProxyGroup, namespace string) (secrets []*corev1.S
 ObjectMeta: metav1.ObjectMeta{
 Name: fmt.Sprintf("%s-%d", pg.Name, i),
 Namespace: namespace,
- Labels: secretLabels("proxygroup", pg.Name, "state"),
+ Labels: pgSecretLabels(pg.Name, "state"),
 OwnerReferences: pgOwnerReference(pg),
 },
 })
@@ -187,12 +185,25 @@ func pgStateSecrets(pg *tsapi.ProxyGroup, namespace string) (secrets []*corev1.S
 return secrets
 }
 
-func secretLabels(app, instance, typ string) map[string]string {
- return labels(app, instance, map[string]string{
+func pgSecretLabels(pgName, typ string) map[string]string {
+ return pgLabels(pgName, map[string]string{
 labelSecretType: typ, // "config" or "state".
 })
 }
 
+func pgLabels(pgName string, customLabels map[string]string) map[string]string {
+ l := make(map[string]string, len(customLabels)+3)
+ for k, v := range customLabels {
+ l[k] = v
+ }
+
+ l[LabelManaged] = "true"
+ l[LabelParentType] = "ProxyGroup"
+ l[LabelParentName] = pgName
+
+ return l
+}
+
 func pgEnv(_ *tsapi.ProxyGroup) []corev1.EnvVar {
 envs := []corev1.EnvVar{
 {
diff --git a/cmd/k8s-operator/sts.go b/cmd/k8s-operator/sts.go
index 46499d397..19c98100f 100644
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -47,6 +47,7 @@ const (
 LabelParentType = "tailscale.com/parent-resource-type"
 LabelParentName = "tailscale.com/parent-resource"
 LabelParentNamespace = "tailscale.com/parent-resource-ns"
+ labelSecretType = "tailscale.com/secret-type" // "config" or "state".
 
 // LabelProxyClass can be set by users on Connectors, tailscale
 // Ingresses and Services that define cluster ingress or cluster egress,
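Review bot: `pgLabels` and `pgSecretLabels` have no doc comments, and the one property callers depend on is stated nowhere: `customLabels` is copied first and the three fixed labels are assigned afterwards, so nothing passed in `customLabels` can override `LabelManaged`, `LabelParentType` or `LabelParentName`. That ordering is what lets `pgSecretLabels(pg.Name, "state")` serve as a trustworthy owner selector in `getNodeMetadata` and as the StatefulSet `MatchLabels`, so it should be written down rather than left to be rediscovered: `// pgLabels returns the labels placed on every resource the operator creates for the ProxyGroup pgName, merged with customLabels; the managed/parent labels are applied last and cannot be overridden by customLabels.` and on the other helper `// pgSecretLabels returns pgLabels plus the secret-type label, typ being "config" or "state".` As a matter of style, the copy loop can be the single line `maps.Copy(l, customLabels)` if the file is on Go 1.21+ and can import the stdlib `maps` package. In the sts.go hunk, `labelSecretType` is the only unexported name inside the exported `Label*` block; either export it to match its neighbours or leave a short comment saying why it stays package-private.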