Apply and manage Pod rightsizing with CLI

Prev Next

This topic describes how to apply Pod rightsizing to workloads with CLI using the AutoPilot Configuration (APC) system.  APC configurations are defined in YAML and applied to your cluster with kubectl.

APC uses standard Kubernetes label-based targeting allowing automating Pod rightsizing management on multiple workloads.

With APC, you can define which workloads should be managed by Pod rightsizing with these components:

  • appList: explicit inclusion of specific workloads

  • appSelector.labels: select workloads based on Kubernetes labels

  • appSelector.namespaces: filter by namespace

All components are optional.

  • If no appList is defined, no explicit workloads are included.

  • If no appSelector.labels is defined, the label-selected set is empty.

  • If no appSelector.namespaces is defined, no namespace filtering is applied to the label-selected set.

When both appList and appSelector.labels are omitted, no workloads are managed by Pod rightsizing.

Use appList or appSelector.labels to target workloads, and use appSelector.namespaces to narrow that selection.

Common use cases

The following table shows common use cases:

To do this

Use these selectors

Target a single workload

Use appList to explicitly include a deployment, statefulset, or other workload type by name and namespace

Target workloads by label

Use appSelector.labels.matchLabels to include workloads that share a specific metadata label, such as environment=production

Target workloads by multiple label rules

Use matchExpressions to combine rules, for example: select workloads with tier=frontend AND exclude those with version=beta

Exclude a namespace

Use appSelector.namespaces.operator: Exclude to prevent rightsizing from affecting sensitive workloads in namespaces such as critical-services or secret-ops

Include only a namespace

Use appSelector.namespaces.operator: Include to limit rightsizing to one or two namespaces, such as default or staging

Workload selection components

Explicit workload inclusion (appList)

The appList field defines specific workloads on which Pod rightsizing is activated.

appList:
  - kind: <workload-type>     # Required (e.g., deployment, statefulset)
    name: <workload-name>     # Required
    namespace: <namespace>    # Required

Behavior

  • Always includes the specified workloads, regardless of other selector criteria.

  • Takes precedence in the selection logic.

  • Use when targeting specific workloads.

Label-based selection (appSelector.labels)

The appSelector.labels field defines label-based rules for dynamically selecting workloads.

It supports both matchLabels for exact matches and matchExpressions for more complex logical conditions.

appSelector:
  labels:
    matchLabels:
      <label-key>: <label-value>       # Exact match
    matchExpressions:
      - key: <label-key>
        operator: <operator>           # In | NotIn | Exists | DoesNotExist
        values:                        # Only used with In/NotIn
          - <value1>
          - <value2>

Operators

  • In: value must be in the provided list

  • NotIn: value must not be in the list

  • Exists: label key must exist (value ignored)

  • DoesNotExist: label key must not exist (value ignored)

Behavior

  • matchLabels and matchExpressions are evaluated together with AND logic.

  • Multiple matchExpressions are also ANDed together.

Namespace filtering (appSelector.namespaces)

The appSelector.namespaces field filters the workloads selected by labels according to namespace inclusion or exclusion rules.

It refines the label-selected set but does not select workloads on its own.

appSelector:
  namespaces:
    operator: <operator>    # Include | Exclude
    values:                 # List of namespace names
      - <namespace1>
      - <namespace2>

Behavior

  • Applied after label-based selection.

  • The kube-system namespace is always excluded.

  • Include: only workloads in listed namespaces are considered.

  • Exclude: workloads in listed namespaces are filtered out.

Example configuration

apiVersion: <group/version>     # e.g., kompass.zesty.io/v1alpha1   (replace with actual value)
kind: <APCKind>                 # e.g., AutoPilotConfiguration      (replace with actual value)
metadata:
  name: example-apc             # required
  # namespace: <ns>             # include only if APC is namespace-scoped
spec:
  appList:                          # Explicit workload inclusion
    - kind: statefulset
      name: app1
      namespace: default
  appSelector:                      # Label and namespace-based selection
    labels:
      matchExpressions:
        - key: some_label
          operator: In
          values:
            - label_value
      matchLabels:
        another_label: another_label_value
    namespaces:
      operator: Exclude
      values:
        - secret_namespace

Resulting behavior

  1. Always include statefulset/app1 in the default namespace.

  2. Include workloads with both some_label=label_value and another_label=another_label_value

  3. Exclude workloads in secret_namespace.

Selection order

Kompass evaluates workload selection rules in the following order:

  1. Workloads defined in appList are always included.

  2. Label selectors (appSelector.labels) are applied next.

  3. Namespace filters (appSelector.namespaces) refine the label-selected set.

  4. The kube-system namespace is always excluded.

    Important: appSelector.namespaces is a filter only. It does not select workloads by itself; it narrows the set already selected by labels.

Deploy the configuration

  1. Save the configuration to a YAML file and apply it to your cluster
    kubectl apply -f example-apc.yaml

  2. (Optional) Verify that the APC resource was created:
    kubectl get apc


    Kompass activates Pod rightsizing for the selected workloads within approximately one hour.

    You can inspect or update the configuration using standard kubectl describe, apply, or delete commands.