This topic describes how to apply Pod rightsizing to workloads from the CLI using the AutoPilot Configuration (APC) system. APC configurations are defined in YAML and applied to your cluster with kubectl.
APC uses standard Kubernetes label-based targeting, so you can automate Pod rightsizing management across multiple workloads.
With APC, you define which workloads Pod rightsizing manages using these components:
appList: explicit inclusion of specific workloads
appSelector.labels: select workloads based on Kubernetes labels
appSelector.namespaces: filter by namespace
All components are optional.
If no appList is defined, no explicit workloads are included.
If no appSelector.labels is defined, the label-selected set is empty.
If no appSelector.namespaces is defined, no namespace filtering is applied to the label-selected set.
When both appList and appSelector.labels are omitted, no workloads are managed by Pod rightsizing.
Use appList or appSelector.labels to target workloads, and use appSelector.namespaces to narrow that selection.
Common use cases
The following table shows common use cases:
| To do this | Use these selectors |
|---|---|
| Target a single workload | Use appList to explicitly include a |
| Target workloads by label | Use appSelector.labels.matchLabels to include workloads that share a specific metadata label, such as |
| Target workloads by multiple label rules | Use matchExpressions to combine rules, for example: select workloads with |
| Exclude a namespace | Use appSelector.namespaces.operator: Exclude to prevent rightsizing from affecting sensitive workloads in namespaces such as |
| Include only a namespace | Use appSelector.namespaces.operator: Include to limit rightsizing to one or two namespaces, such as |
Workload selection components
Explicit workload inclusion (appList)
The appList field defines specific workloads on which Pod rightsizing is activated.
appList:
  - kind: <workload-type>   # Required (e.g., deployment, statefulset)
    name: <workload-name>   # Required
    namespace: <namespace>  # Required
Behavior
Always includes the specified workloads, regardless of other selector criteria.
Takes precedence in the selection logic.
Use when targeting specific workloads.
Label-based selection (appSelector.labels)
The appSelector.labels field defines label-based rules for dynamically selecting workloads.
It supports both matchLabels for exact matches and matchExpressions for more complex logical conditions.
appSelector:
  labels:
    matchLabels:
      <label-key>: <label-value>   # Exact match
    matchExpressions:
      - key: <label-key>
        operator: <operator>       # In | NotIn | Exists | DoesNotExist
        values:                    # Only used with In/NotIn
          - <value1>
          - <value2>
Operators
In: value must be in the provided list
NotIn: value must not be in the list
Exists: label key must exist (value ignored)
DoesNotExist: label key must not exist (value ignored)
Behavior
matchLabels and matchExpressions are evaluated together with AND logic.
Multiple matchExpressions are also ANDed together.
Namespace filtering (appSelector.namespaces)
The appSelector.namespaces field filters the workloads selected by labels according to namespace inclusion or exclusion rules.
It refines the label-selected set but does not select workloads on its own.
appSelector:
  namespaces:
    operator: <operator>   # Include | Exclude
    values:                # List of namespace names
      - <namespace1>
      - <namespace2>
Behavior
Applied after label-based selection.
The kube-system namespace is always excluded.
Include: only workloads in listed namespaces are considered.
Exclude: workloads in listed namespaces are filtered out.
Priority configuration
You can assign a priority to an APC to determine which configuration manages a workload when multiple APCs match the same one.
The APC with the higher priority (lower numeric value) takes precedence and manages the matching workloads.
Example configuration
Not all fields are configurable
Everything above the spec section is predefined and should not be changed.
...
spec:
  appList:                 # Explicit workload inclusion
    - kind: statefulset
      name: app1
      namespace: default
  appSelector:             # Label and namespace-based selection
    labels:
      matchExpressions:
        - key: some_label
          operator: In
          values:
            - label_value
      matchLabels:
        another_label: another_label_value
    namespaces:
      operator: Exclude
      values:
        - secret_namespace
  priority: 1
Resulting behavior
Always include statefulset/app1 in the default namespace.
Include workloads with both some_label=label_value and another_label=another_label_value.
Exclude workloads in secret_namespace.
If this workload is matched by multiple APCs, this APC will manage the workload if the other APC priorities are 2 or greater.
Selection order
Kompass evaluates workload selection rules in the following order:
1. Workloads defined in appList are always included.
2. Label selectors (appSelector.labels) are applied next.
3. Namespace filters (appSelector.namespaces) refine the label-selected set.
4. The kube-system namespace is always excluded.
Important: appSelector.namespaces is a filter only. It does not select workloads by itself; it narrows the set already selected by labels.
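The selection order and priority rule above, modelled as an added Python example (not Kompass code and not part of the original page) so you can check which workloads a spec would touch before applying it. It assumes the kube-system exclusion also overrides appList and that a label selector with no rules selects nothing; the catch-all APC and all workloads are constructed sample data.

```python
# Added illustration of the documented selection rules; not Kompass code. Sample data is constructed.

def labels_match(sel, labels):
    if not sel:                      # no appSelector.labels: label-selected set is empty
        return False
    checks = [labels.get(k) == v for k, v in sel.get("matchLabels", {}).items()]
    for e in sel.get("matchExpressions", []):
        key, vals = e["key"], e.get("values", [])
        checks.append({"In": labels.get(key) in vals,
                       "NotIn": labels.get(key) not in vals,
                       "Exists": key in labels,
                       "DoesNotExist": key not in labels}[e["operator"]])
    return bool(checks) and all(checks)   # matchLabels and all expressions are ANDed

def namespace_ok(flt, ns):
    if not flt:                      # no appSelector.namespaces: no filtering
        return True
    listed = ns in flt["values"]
    return listed if flt["operator"] == "Include" else not listed

def selected(spec, w):
    if w["namespace"] == "kube-system":
        return False                 # assumption: the exclusion also overrides appList
    if {k: w[k] for k in ("kind", "name", "namespace")} in spec.get("appList", []):
        return True                  # appList bypasses label and namespace rules
    sel = spec.get("appSelector", {})
    return (labels_match(sel.get("labels"), w["labels"])
            and namespace_ok(sel.get("namespaces"), w["namespace"]))

def managing_apc(apcs, w):
    # Lowest priority number wins; tie handling is not documented on the page.
    hits = [(spec["priority"], name) for name, spec in apcs.items() if selected(spec, w)]
    return min(hits)[1] if hits else None

BOTH = {"some_label": "label_value", "another_label": "another_label_value"}
APCS = {
    "page-example": {   # the spec from "Example configuration"
        "appList": [{"kind": "statefulset", "name": "app1", "namespace": "default"}],
        "appSelector": {
            "labels": {"matchLabels": {"another_label": "another_label_value"},
                       "matchExpressions": [{"key": "some_label", "operator": "In", "values": ["label_value"]}]},
            "namespaces": {"operator": "Exclude", "values": ["secret_namespace"]}},
        "priority": 1},
    "catch-all": {      # hypothetical second APC with lower precedence
        "appSelector": {"labels": {"matchExpressions": [{"key": "some_label", "operator": "Exists"}]}},
        "priority": 2},
}

def workload(kind, name, namespace, labels=None):
    return {"kind": kind, "name": name, "namespace": namespace, "labels": labels or {}}
```

In this model, `managing_apc(APCS, workload("deployment", "vault", "secret_namespace", BOTH))` returns `catch-all`: a namespace excluded in one APC is still managed when another APC's selectors match it, so sensitive namespaces need the exclusion in every APC that could select them.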
Deploy the configuration
Save the configuration to a YAML file and apply it to your cluster:
kubectl apply -f example-apc.yaml
(Optional) Verify that the APC resource was created:
kubectl get apc
Kompass activates Pod rightsizing for the selected workloads within approximately one hour.
You can inspect or update the configuration using standard kubectl describe, apply, or delete commands.