A policy defines the Pod rightsizing behavior that applies to the workloads it matches. All configuration is scoped to the policy.
This topic includes the following sections:
Apply a Pod rightsizing rightsizing policy to a workload - CLI
Change or remove existing policies for Pod rightsizing - CLI
Apply a Pod rightsizing policy to a workload - CLI
Each policy must include a complete set of configuration parameters. Policies do not inherit values from cluster-level defaults.
Built-in policies have fixed rightsizing parameter values. After you decide which policy to apply to a workload, you edit the policy selection parameters to match the workloads you want to manage.
To apply a policy to workloads, you define the workload selection parameters in the policy, described in Define workload selection.
Built-in policy fixed parameter values
Built-in policies have fixed parameter values.
Click here to see the fixed parameter values for the built-in policies.
Parameter | Balanced | Stability-focused | Cost-focused |
| 2h | 2h | 2h |
| 20 | 30 | 5 |
| false | false | false |
| 10 | 10 | 0 |
| 100m | 100m | 100m |
| 10m | 10m | 10m |
| p95 | max | p85 |
| max | max | p85 |
| 80 | 90 | 50 |
| false | false | false |
| 1d | 1d | 12h |
| 30 | 40 | 10 |
| false | false | false |
| 10 | 10 | 0 |
| 256Mi | 256Mi | 64Mi |
| 256Mi | 256Mi | 64Mi |
| p99 | max | p95 |
| max | max | p95 |
| true | false | false |
| 0 | 1 | 2 |
You can also create a custom policy, based on a built-in policy. For more information, see Create a custom policy.
Define workload selection
You define which workloads a policy matches using selector fields in the policy and a policy annotation on the workload.
In-policy selection (configured in the policy):
appList — explicitly match specific workloads by kind, name, and namespace
appSelector.labels — match workloads dynamically based on Kubernetes labels
appSelector.namespaces — filter the label-matched workloads by namespace
Workload-side matching (configured on the workload)
Policy annotation — explicitly match a workload to a policy by referencing the policy name in an annotation
When multiple selection mechanisms apply to the same workload, Pod rightsizing uses priority and conflict resolution rules to determine which policy manages it.
If neither appList nor appSelector.labels is defined, the policy does not match any workloads through selectors; workloads can still be matched by annotation.
Use appList or appSelector.labels to target workloads, and use appSelector.namespaces to narrow that selection.
Common policy selection use cases
The following table shows common policy selection use cases:
To do this | Use these mechanisms |
Target a single workload | Use appList to explicitly include a |
Target workloads by label | Use appSelector.labels.matchLabels to include workloads that share a specific metadata label, such as |
Target workloads by multiple label rules | Use matchExpressions to combine rules, for example: select workloads with |
Exclude a namespace | Use appSelector.namespaces.operator: Exclude to prevent rightsizing from affecting sensitive workloads in namespaces such as |
Include only a namespace | Use appSelector.namespaces.operator: Include to limit rightsizing to one or two namespaces, such as |
Explicitly assign one workload to a specific policy (override selectors and priority) | Use the workload policy annotation ( |
Explicit workload inclusion (appList)
Explicit workload inclusion (appList) matches specific workloads by kind, name, and namespace.
In this topic, appList refers to the explicit workload inclusion mechanism, which is configured using the appList field in the policy.
Use appList to target specific workloads by kind, name, or namespace.
appList:
- kind: <workload-kind>
name: <workload-name>
namespace: <namespace>Behavior:
Matches the workloads specified in the
appListentry.Takes precedence over label-based matching.
If only
namespaceis specified, the policy matches all supported workloads in that namespace.nameandkindcan’t be used by themselves; specify them together withnamespace.
Label-based selection (appSelector.labels) dynamically matches workloads based on Kubernetes labels.
appSelector:
labels:
matchLabels:
<label-key>: <label-value>
matchExpressions:
- key: <label-key>
operator: <operator>
values:
- <value>Supported operators: In, NotIn, Exists, DoesNotExist
Behavior:
matchLabelsandmatchExpressionsare evaluated using AND logic.Multiple
matchExpressionsare also evaluated using AND logic.Only workloads that match all conditions are matched to the policy.
Namespace filtering (appSelector.namespaces) scopes label-based selection to specific namespaces by including or excluding namespaces.
appSelector:
namespaces:
operator: <Include | Exclude>
values:
- <namespace>Behavior:
Applies only to workloads matched by label selectors.
The
kube-systemnamespace is always excluded.
A workload can be explicitly matched to a policy using a Kubernetes annotation.
metadata:
annotations:
kompass.zesty.co/PodRightsizing/policy: <policy-name>Behavior:
The referenced policy matches the workload, and Pod rightsizing applies to that workload.
Annotation-based matching overrides selector-based selection and priority.
Removing the annotation removes this explicit match.
User interface and CLI:
The UI assigns a policy to a workload by creating or updating the workload’s policy annotation.
You can manage or modify Pod rightsizing in the UI only for workloads matched to a policy by annotation.
For workloads matched by appList or label selectors, make changes in the cluster (CLI).
The following table shows example uses of workload selection:
To match this | Use this |
|---|---|
Match one |
|
Match all workloads with |
|
Include |
|
Override selector-based selection and priority. | set |
Priority and conflict resolution
When multiple policies match the same workload, Pod rightsizing uses policy priority to determine which policy manages the workload.
A policy must define a
priorityvalue.Lower numeric values indicate higher priority. For example, priority 1 takes precedence over priority 2.
Priority values must be unique per cluster. If you create or update a policy with a priority value that is already used, the request is rejected with a validation error.
Pod rightsizing determines the managing policy using the following resolution order:
Annotation-based resolution: If a workload is matched to a policy by annotation, that policy manages the workload regardless of priority.
Selector-based resolution: If a workload matches multiple policies through appList or label selectors, the policy with the highest priority manages the workload.
A workload is managed by at most one policy at a time.
To confirm which policy manages a workload:
Check whether the workload has a policy annotation.
Ifmetadata.annotations.<policy-annotation-key>is set, the referenced policy manages the workload (and overrides selector-based selection and priority).If no policy annotation exists, determine which policies match the workload via
appListandappSelectorrules.If multiple policies match, the policy with the lowest
priorityvalue manages the workload.If the workload is not matched by any policy, it is unmanaged and Pod rightsizing is not applied.
Change or remove existing policies for Pod rightsizing - CLI
This section describes how to use the CLI to change or remove the Pod rightsizing policy that manages a workload, and how to create and edit custom policies.
You can change or remove Pod rightsizing on workloads from the cluster.
To change the policy that manages a workload, edit the policy selectors on the current and the desired policy.
Tip
To avoid an unmanaged gap, add the workload to the new policy before removing it from the old policy.
To remove a policy from a workload, remove the workload from policy selection, using the relevant solution:
Remove it from the policy’s
appListselector.Update the policy label selector so it no longer matches the workload.
Remove the policy annotation from the workload.
After removing, the workload may still be managed if it matches a different policy.
Create and manage custom policies - CLI
You can create, edit, and delete custom policies.
After you create a custom policy, you can apply it to workloads from the UI or CLI.
Create a custom policy
When creating a custom policy, all parameters need to be explicitly defined. Duplicating a policy creates a new custom policy resource. The duplicate is editable because it is a custom policy, even if the original policy was built-in.
To create a custom policy:
From the cluster, duplicate an existing built-in policy.
You can see the rightsizing parameters of the built-in policies at Built-in policy fixed parameter values.(Optional) Change parameters.
You can see the full list of parameters and descriptions at Policy parameters reference.Save the policy with a new name.
Edit or delete a custom policy
When you edit policy parameters, those changes will affect future orchestrations. Running workloads will not be affected until the next orchestration.
You can delete a custom policy only if it is not assigned to any active workloads.
If you attempt to delete a custom policy that is assigned to workloads, the delete operation is blocked with a validation error. The error indicates how many workloads are still assigned to the policy and provides a way to view which workloads they are.
To edit or delete a policy, use Kubernetes CLI.
Common CLI commands
Replace the values inside [ ] with your values.
To do this | Use this command |
|---|---|
List policies |
|
View a policy manifest |
|
Create or update a policy |
|
Add or update the workload policy annotation |
|
Remove the workload policy annotation |
|
Delete a custom policy |
|