diff --git a/README.md b/README.md
index 802407c7926d68e7579951c34d61bb163ea73685..ec649c5dca3c00ff4c73045b68d13c781fc6d185 100644
--- a/README.md
+++ b/README.md
@@ -358,6 +358,21 @@ You may disable this feature by setting `DOCKER_METADATA` to empty or you can ov
 DOCKER_BUILD_ARGS: "--label org.opencontainers.image.title=my-project"
 ```
 
+If a label contains spaces then quotes need to be correctly escaped:
+
+```yaml
+DOCKER_BUILD_ARGS: "--label \"org.opencontainers.image.title=my project\""
+```
+
+or
+
+```yaml
+DOCKER_BUILD_ARGS: |-
+  --label "org.opencontainers.image.title=my project"
+```
+
+The `DOCKER_METADATA` variable can be overwritten in a similar way, but you will need to ensure that **all** relevant values are added.
+
 If you have defined one of those labels in the Dockerfile, the final value will depend if image is built with Kaniko or Docker in Docker. With Kaniko, the value of the Dockerfile take precedence, while with DinD command-line argument take precedence.
 
 ### `docker-healthcheck` job
diff --git a/kicker.json b/kicker.json
index ffd0a499fa19f983b2e6285e286d4889afcaca72..2a793e4a6af1504cccea0400a23675ae5de63653 100644
--- a/kicker.json
+++ b/kicker.json
@@ -77,12 +77,12 @@
     },
     {
       "name": "DOCKER_BUILD_ARGS",
-      "description": "Additional docker/kaniko/buildah build arguments"
+      "description": "Additional docker/kaniko/buildah build arguments.\n\n_If values contain spaces, ensure any required quote are correctly escaped when needed (not supported for Kaniko)_"
     },
     {
       "name": "DOCKER_METADATA",
-      "description": "Additional metadata to set as labels",
-      "default": "--label org.opencontainers.image.url=${CI_PROJECT_URL} --label org.opencontainers.image.source=${CI_PROJECT_URL} --label org.opencontainers.image.title=${CI_PROJECT_PATH} --label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME} --label org.opencontainers.image.revision=${CI_COMMIT_SHA} --label org.opencontainers.image.created=${CI_JOB_STARTED_AT}",
+      "description": "Additional metadata to set as labels.\n\nIf values contain spaces, ensure any required quote are correctly escaped when needed (not supported for Kaniko)_",
+      "default": "--label \"org.opencontainers.image.url=${CI_PROJECT_URL}\" --label \"org.opencontainers.image.source=${CI_PROJECT_URL}\" --label \"org.opencontainers.image.title=${CI_PROJECT_PATH}\" --label \"org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}\" --label \"org.opencontainers.image.revision=${CI_COMMIT_SHA}\" --label \"org.opencontainers.image.created=${CI_JOB_STARTED_AT}\"",
       "advanced": true
     },
     {
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index bc58e368ff960f5f6d24df28d3dbc8fdfdf1ea05..7bcd915468666988bbdc8515381ae35fea2db4ed 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -86,12 +86,12 @@ spec:
     metadata:
       description: Additional metadata to set as labels
       default: >-
-        --label org.opencontainers.image.url=${CI_PROJECT_URL}
-        --label org.opencontainers.image.source=${CI_PROJECT_URL}
-        --label org.opencontainers.image.title=${CI_PROJECT_PATH}
-        --label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}
-        --label org.opencontainers.image.revision=${CI_COMMIT_SHA}
-        --label org.opencontainers.image.created=${CI_JOB_STARTED_AT}
+        --label "org.opencontainers.image.url=${CI_PROJECT_URL}"
+        --label "org.opencontainers.image.source=${CI_PROJECT_URL}"
+        --label "org.opencontainers.image.title=${CI_PROJECT_PATH}"
+        --label "org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}"
+        --label "org.opencontainers.image.revision=${CI_COMMIT_SHA}"
+        --label "org.opencontainers.image.created=${CI_JOB_STARTED_AT}"
     publish-args:
       description: Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)
       default: ''
@@ -617,9 +617,9 @@ stages:
       kaniko_registry_mirror_option="--registry-mirror $(echo ${DOCKER_REGISTRY_MIRROR} | sed "s|^https*://||")"
     fi
     log_info "Build & deploy image $docker_image"
-    log_info "Kaniko command: /kaniko/executor ${TRACE+--verbosity debug} --context $(docker_context_path) --dockerfile $DOCKER_FILE --destination $docker_image ${kaniko_cache_args} $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS $*"
+    log_info "Kaniko command: echo $DOCKER_METADATA $DOCKER_BUILD_ARGS $* | xargs /kaniko/executor ${TRACE+--verbosity debug} --context $(docker_context_path) --dockerfile $DOCKER_FILE --destination $docker_image ${kaniko_cache_args} $kaniko_registry_mirror_option"
     # shellcheck disable=SC2086
-    /kaniko/executor ${TRACE+--verbosity debug} --context "$(docker_context_path)" --dockerfile "$DOCKER_FILE" --destination "$docker_image" ${kaniko_cache_args} $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS "$@"
+    echo $DOCKER_METADATA $DOCKER_BUILD_ARGS "$@" | xargs /kaniko/executor ${TRACE+--verbosity debug} --context "$(docker_context_path)" --dockerfile "$DOCKER_FILE" --destination "$docker_image" ${kaniko_cache_args} $kaniko_registry_mirror_option
   }
 
   # Used by containers tools like buildah, skopeo.
@@ -799,7 +799,7 @@ docker-dind-build:
         log_info "Build cache enabled; CLI options: ${dind_cache_args}"
       fi
     # Build using cache if exist
-    - docker build --file "$DOCKER_FILE" ${dind_cache_args} --tag $DOCKER_SNAPSHOT_IMAGE --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy" $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)"
+    - echo $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)" | xargs docker build --file "$DOCKER_FILE" ${dind_cache_args} --tag $DOCKER_SNAPSHOT_IMAGE --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy"
     - docker push $DOCKER_SNAPSHOT_IMAGE
     # Display the size of each layer
     - docker history $DOCKER_SNAPSHOT_IMAGE
@@ -842,7 +842,7 @@ docker-buildah-build:
       log_info "Buildah version:"
       buildah version
     # build and push image
-    - buildah build --file "$DOCKER_FILE" --tag $DOCKER_SNAPSHOT_IMAGE $buildah_cache_args --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy" $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)"
+    - echo $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)" | xargs buildah build --file "$DOCKER_FILE" --tag $DOCKER_SNAPSHOT_IMAGE $buildah_cache_args --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy"
     - buildah push --digestfile .img-digest.txt "$DOCKER_SNAPSHOT_IMAGE"
     # display digest of the resulting image
     - cat .img-digest.txt