Introduction: Your Kubernetes Clusters Are Burning Money
Kubernetes has become the de facto standard for running containerized workloads in the cloud. But here's the uncomfortable truth that platform teams, engineering leaders, and finance departments are slowly waking up to: the vast majority of Kubernetes clusters are dramatically over-provisioned, and the waste is staggering.
A January 2026 study analyzing 3,042 production clusters across 600+ companies found that 68% of pods request 3–8x more memory than they actually use. Across the 847,293 pods tracked, the average company wastes $847 per month on memory over-provisioning alone. One company was hemorrhaging $2.1 million per year — and they had absolutely no idea until someone finally decided to measure it.
The problem is systemic. Cloud providers bill you for requested resources, not used resources. If your pod requests 2 GiB of memory but only uses 400 MiB, you're paying for the full 2 GiB. Multiply that across hundreds or thousands of pods, and you've got a cost problem that dwarfs most other cloud optimization opportunities.
This guide covers every major strategy for reducing Kubernetes costs without sacrificing reliability. We'll walk through right-sizing resource requests, configuring autoscalers correctly, leveraging spot instances safely, implementing cost allocation for multi-tenant clusters, and choosing the right tooling. Whether you run EKS, AKS, or GKE, these strategies apply — and realistically, most organizations can cut Kubernetes spend by 30–60% using the techniques described here.
Understanding Where Kubernetes Costs Come From
The Anatomy of a Kubernetes Bill
Before optimizing anything, you need to understand what you're actually paying for. A typical Kubernetes bill breaks down into several components:
- Compute (nodes): This is the biggest line item, typically 60–75% of total Kubernetes cost. You pay for the EC2 instances, Azure VMs, or GCE instances that form your node pools — regardless of how efficiently your pods use them.
- Control plane: Both EKS and GKE charge $0.10 per cluster per hour ($73/month). AKS doesn't charge for the control plane, giving Azure a slight edge for organizations running many small clusters.
- Storage: Persistent volumes (EBS, Azure Disks, Persistent Disks) and their associated snapshots. Often 10–15% of total spend.
- Networking: Load balancers, NAT gateways, cross-AZ data transfer, and ingress/egress charges. This can be 5–20% of spend and is frequently overlooked.
- Add-on services: Monitoring (CloudWatch, Azure Monitor, Cloud Operations), logging, service mesh, and managed add-ons.
The critical insight here is that compute cost is driven by node count and size, which is in turn driven by pod resource requests — not actual resource usage. That's why right-sizing is the single highest-leverage optimization you can make.
The Over-Provisioning Epidemic
So why do teams over-provision so aggressively? The 2026 Wozz study identified several root causes:
- OOMKill trauma: 64% of engineering teams admitted to adding "just to be safe" headroom of 2–4x after experiencing a single OOMKill event. One bad Saturday on-call incident leads to permanently inflated resource requests. (We've all been there.)
- Set-and-forget culture: Resource requests are typically configured at deployment time and never revisited. The workload evolves, traffic patterns change, but the requests stay frozen in time.
- Lack of visibility: Only 12% of teams could answer what their P95 memory usage was without looking it up. You can't optimize what you don't measure.
- No accountability: Without cost allocation and showback, individual teams have no incentive to right-size. The cost is absorbed centrally and nobody feels the pain.
AI and machine learning workloads are the worst offenders, requesting on average 6x more memory than they actually need. Data pipelines and batch jobs come in second at roughly 4x over-provisioning.
Strategy 1: Right-Sizing Resource Requests and Limits
The Foundation of All Kubernetes Cost Optimization
Right-sizing means adjusting CPU and memory requests (and limits) to closely match actual workload needs. It's not glamorous work, but it delivers the highest return of any optimization — real-world examples show companies cutting costs from $47,200 to $11,100 monthly (a 76% reduction) simply by aligning resource requests with actual usage.
Honestly, that number still surprises me every time I see it.
Step 1: Measure Actual Resource Consumption
Before changing anything, you need data. Deploy metrics-server (if it's not already installed) and collect at least 7–14 days of usage data. Here's how to get a quick snapshot of resource utilization across your cluster:
# Install metrics-server if not present
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
# View current resource requests vs actual usage for all pods
kubectl top pods --all-namespaces --sort-by=memory
# Get a detailed view of requests, limits, and actual usage for a namespace
kubectl describe nodes | grep -A 5 "Allocated resources"
# Export resource requests vs usage for analysis
kubectl get pods --all-namespaces -o json | jq -r \
'.items[] |
select(.status.phase == "Running") |
.metadata.namespace + "," +
.metadata.name + "," +
(.spec.containers[0].resources.requests.cpu // "none") + "," +
(.spec.containers[0].resources.requests.memory // "none")' > pod_requests.csv
For deeper analysis, use Prometheus with the container_memory_working_set_bytes and container_cpu_usage_seconds_total metrics. Here's a Prometheus query that reveals over-provisioned pods:
# Prometheus query: Memory request vs actual usage ratio
# Pods where requested memory is more than 2x actual P95 usage
(
kube_pod_container_resource_requests{resource="memory"}
/
quantile_over_time(0.95, container_memory_working_set_bytes[7d])
) > 2
Step 2: Apply Right-Sized Values
Once you've got the usage data in hand, follow these guidelines:
- CPU requests: Set to the P95 CPU usage over a representative time window (at least 7 days). Add a 10–15% buffer for safety.
- Memory requests: Set to P99 memory usage plus a 10–20% buffer. Memory is less elastic than CPU — an OOMKill is way worse than brief CPU throttling.
- CPU limits: Many teams now leave CPU limits unset (or set them very high) to allow bursting. CPU is compressible — if a container exceeds its request, it gets throttled but not killed. This is a common best practice endorsed by Google and others.
- Memory limits: Set these equal to or slightly above memory requests. Unlike CPU, memory is incompressible — exceeding the limit triggers an OOMKill.
Here's an example of a properly right-sized deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: api-service
labels:
app: api-service
cost-center: platform-team
spec:
replicas: 3
selector:
matchLabels:
app: api-service
template:
metadata:
labels:
app: api-service
spec:
containers:
- name: api-service
image: myregistry/api-service:v2.4.1
resources:
requests:
# Based on P95 CPU usage (120m) + 15% buffer
cpu: "140m"
# Based on P99 memory usage (180Mi) + 15% buffer
memory: "210Mi"
limits:
# No CPU limit - allow bursting
# Memory limit = request + small buffer
memory: "256Mi"
ports:
- containerPort: 8080
The data backs this up: teams that right-sized memory saw OOMKill rates move from 0.02% to 0.03% — a statistically insignificant difference. The fear of OOMKills is vastly overblown compared to the cost of over-provisioning, and 94% of memory spikes are handled better by scaling out (adding replicas) than by over-provisioning individual pods.
Strategy 2: Autoscaling Done Right — HPA, VPA, KEDA, and Karpenter
Horizontal Pod Autoscaler (HPA): Scaling Out on Demand
HPA adjusts the number of pod replicas based on observed metrics. The key to cost-effective HPA is choosing the right metrics and setting aggressive scale-down policies:
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: api-service-hpa
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: api-service
minReplicas: 2
maxReplicas: 20
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
# Target 70% CPU utilization - good balance
# between responsiveness and efficiency
averageUtilization: 70
behavior:
scaleDown:
stabilizationWindowSeconds: 300 # 5 minutes
policies:
- type: Percent
value: 25 # Scale down by at most 25% at a time
periodSeconds: 60
scaleUp:
stabilizationWindowSeconds: 30 # React quickly to spikes
policies:
- type: Percent
value: 100 # Can double capacity in one step
periodSeconds: 60
- type: Pods
value: 4
periodSeconds: 60
selectPolicy: Max
The behavior section is critical for cost optimization. Without it, HPA uses default policies that can be sluggish on scale-down, leaving you paying for idle replicas long after traffic drops. Configure aggressive scale-down with a reasonable stabilization window to avoid flapping.
Vertical Pod Autoscaler (VPA): Automated Right-Sizing
VPA automates the right-sizing process I described above by analyzing historical usage and adjusting resource requests. Start with recommendation mode (the default "Off" mode) — it provides suggestions without making changes, which lets you validate recommendations before committing to them:
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
name: api-service-vpa
spec:
targetRef:
apiVersion: apps/v1
kind: Deployment
name: api-service
updatePolicy:
# Start with "Off" to get recommendations without auto-applying
# Move to "Auto" once you trust the recommendations
updateMode: "Off"
resourcePolicy:
containerPolicies:
- containerName: api-service
minAllowed:
cpu: "50m"
memory: "64Mi"
maxAllowed:
cpu: "2"
memory: "2Gi"
controlledResources: ["cpu", "memory"]
Check VPA recommendations with:
kubectl describe vpa api-service-vpaImportant caveat: Running both HPA and VPA on the same deployment targeting the same metrics causes conflicts. The recommended pattern is to use HPA for horizontal scaling on CPU or custom metrics, and VPA for vertical memory optimization only. Keep them on different resource dimensions so they don't fight each other.
KEDA: Scale-to-Zero for Event-Driven Workloads
KEDA (Kubernetes Event-Driven Autoscaling) is a game-changer for cost optimization because it supports scaling to zero replicas — something HPA simply can't do (HPA's minimum is 1). For workloads that process messages from queues, handle scheduled jobs, or respond to events, KEDA eliminates idle compute entirely:
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
name: order-processor
spec:
scaleTargetRef:
name: order-processor
minReplicaCount: 0 # Scale to zero when queue is empty
maxReplicaCount: 50
cooldownPeriod: 300 # Wait 5 minutes before scaling to zero
triggers:
- type: aws-sqs-queue
metadata:
queueURL: https://sqs.us-east-1.amazonaws.com/123456789/orders
queueLength: "5" # One pod per 5 messages
awsRegion: "us-east-1"
identityOwner: "operator"
Scale-to-zero is a massive cost saver for development environments, staging clusters, and sporadic batch processing. Teams report 40–70% cost reduction on event-driven workloads after adopting KEDA. That's not a typo.
Karpenter: Smarter Node Provisioning
While pod-level autoscalers optimize what runs, Karpenter optimizes what it runs on. Karpenter is a node provisioner (originally built for EKS, now expanding to other providers) that replaces the traditional Cluster Autoscaler with a faster, more cost-aware alternative.
Key advantages over Cluster Autoscaler:
- No pre-defined node groups: Karpenter selects the optimal instance type from a broad pool based on pending pod requirements.
- Faster provisioning: Nodes launch in seconds rather than the minutes typical with Cluster Autoscaler.
- Consolidation: Karpenter proactively consolidates underutilized nodes by moving pods and terminating excess capacity.
- Spot-aware: First-class support for mixing spot and on-demand instances.
Organizations migrating from Cluster Autoscaler to Karpenter report 15–30% reduction in compute waste and dramatically improved scaling responsiveness. Salesforce, for example, migrated their fleet of 1,000 EKS clusters to Karpenter and achieved significant cost and operational improvements.
apiVersion: karpenter.sh/v1
kind: NodePool
metadata:
name: default
spec:
template:
spec:
requirements:
# Allow a broad range of instance types for best bin-packing
- key: karpenter.k8s.aws/instance-category
operator: In
values: ["c", "m", "r"]
- key: karpenter.k8s.aws/instance-generation
operator: Gt
values: ["5"]
- key: "karpenter.sh/capacity-type"
operator: In
values: ["spot", "on-demand"]
- key: "kubernetes.io/arch"
operator: In
values: ["amd64", "arm64"] # Consider Graviton for savings
nodeClassRef:
group: karpenter.k8s.aws
kind: EC2NodeClass
name: default
# Budget controls to prevent runaway scaling
limits:
cpu: "1000"
memory: "2000Gi"
disruption:
consolidationPolicy: WhenEmptyOrUnderutilized
consolidateAfter: 60s
---
apiVersion: karpenter.k8s.aws/v1
kind: EC2NodeClass
metadata:
name: default
spec:
amiSelectorTerms:
- alias: al2023@latest
subnetSelectorTerms:
- tags:
karpenter.sh/discovery: my-cluster
securityGroupSelectorTerms:
- tags:
karpenter.sh/discovery: my-cluster
instanceStorePolicy: RAID0
The consolidationPolicy: WhenEmptyOrUnderutilized setting is where the real cost savings happen. Karpenter continuously evaluates whether it can consolidate workloads onto fewer or cheaper nodes, and acts automatically — no manual intervention required.
Strategy 3: Spot Instances for Kubernetes Node Pools
How to Use Spot Safely in Production Kubernetes
Spot instances (called "Spot VMs" on Azure and "Preemptible VMs" on GCP) offer 60–90% savings over on-demand pricing but can be reclaimed with short notice. The key to using them safely in Kubernetes is proper architecture:
- Diversify instance types: Use multiple instance families and sizes. The risk of simultaneous termination drops dramatically when you spread across 10+ instance types in multiple availability zones.
- Use Pod Disruption Budgets (PDBs): Ensure critical workloads maintain minimum availability during spot terminations.
- Separate node pools: Run a small on-demand node pool for critical system workloads (control plane components, monitoring, stateful services) and route everything else to spot.
- Implement graceful shutdown: Handle the termination notice (2 minutes on AWS, 30 seconds on GCP) to drain connections and save state.
# Pod Disruption Budget for safe spot usage
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: api-service-pdb
spec:
minAvailable: 2 # At least 2 replicas always running
selector:
matchLabels:
app: api-service
---
# Node affinity to prefer spot but tolerate on-demand
apiVersion: apps/v1
kind: Deployment
metadata:
name: api-service
spec:
replicas: 5
template:
spec:
topologySpreadConstraints:
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: api-service
tolerations:
- key: "kubernetes.azure.com/scalesetpriority"
operator: "Equal"
value: "spot"
effect: "NoSchedule"
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 90
preference:
matchExpressions:
- key: karpenter.sh/capacity-type
operator: In
values: ["spot"]
What to Run on Spot vs. On-Demand
| Workload Type | Recommended Capacity | Why |
|---|---|---|
| Stateless APIs (multi-replica) | Spot | Losing one replica is fine with proper PDBs |
| Batch jobs and data pipelines | Spot | Retryable by nature, perfect for interruptions |
| CI/CD runners | Spot | Ephemeral, easily retried |
| Dev/staging environments | Spot | Low blast radius, big savings |
| ML training (with checkpointing) | Spot | Fault-tolerant with proper checkpointing |
| Databases and stateful workloads | On-Demand / Reserved | Data consistency requirements, hard to recover |
| Critical single-replica services | On-Demand | No redundancy to absorb a termination |
| Cluster system components | On-Demand | CoreDNS, monitoring agents need high availability |
Strategy 4: Cost Allocation and Showback for Multi-Tenant Clusters
You Can't Optimize What You Can't Attribute
Many organizations run shared Kubernetes clusters serving multiple teams or products. Without cost allocation, nobody owns the cost, and nobody optimizes. Implementing showback (showing teams what they spend) or chargeback (actually billing teams internally) creates the accountability needed to drive optimization behavior.
I've seen this play out dozens of times — the moment teams can see their own spend, behavior changes almost overnight.
Label Everything
The foundation of cost allocation is a consistent labeling strategy. Enforce these labels on all workloads using admission controllers (OPA Gatekeeper or Kyverno):
# Kyverno policy to enforce cost allocation labels
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-cost-labels
spec:
validationFailureAction: Enforce
rules:
- name: require-labels
match:
any:
- resources:
kinds:
- Deployment
- StatefulSet
- Job
- CronJob
validate:
message: >-
All workloads must have cost-center, team, and
environment labels for cost allocation.
pattern:
metadata:
labels:
cost-center: "?*"
team: "?*"
environment: "?*"
Tooling: OpenCost and Kubecost
OpenCost is the CNCF-backed open source project for Kubernetes cost monitoring. It provides real-time cost allocation per namespace, deployment, pod, and label — with no vendor lock-in. Install it alongside Prometheus for a complete cost visibility stack:
# Install OpenCost via Helm
helm install opencost opencost/opencost \
--namespace opencost \
--create-namespace \
--set opencost.prometheus.internal.enabled=true \
--set opencost.ui.enabled=true
# After installation, access the API for cost data
kubectl port-forward -n opencost svc/opencost 9090:9090
# Query cost allocation by namespace for the last 48 hours
curl "http://localhost:9090/allocation/compute?window=48h&aggregate=namespace"
Kubecost (now part of IBM/Apptio) offers a more feature-rich commercial solution with cloud bill reconciliation, savings recommendations, and governance features. It integrates with AWS Cost Explorer, Azure Cost Management, and GCP Billing to provide a unified view. Kubecost reconciles Kubernetes-level allocation with the actual cloud bill so teams see accurate, non-estimated costs.
If you're early in your FinOps journey, start with monthly team-level showback using resource requests. As maturity grows, layer in actual usage-based chargeback, anomaly detection, and unit economics tracking.
Strategy 5: Network and Storage Cost Optimization
Cross-AZ Traffic: The Hidden Cost Killer
In AWS, cross-AZ data transfer costs $0.01/GB in each direction ($0.02/GB round-trip). That sounds trivial until you realize a busy microservices architecture with hundreds of inter-service calls can generate terabytes of cross-AZ traffic monthly. A single chatty service doing 10 Gbps of cross-AZ traffic costs roughly $26,000 per month in data transfer alone.
Yeah, let that number sink in for a second.
Mitigation strategies:
- Topology-aware routing: Use Kubernetes topology-aware hints (formerly "topology-aware traffic routing") to keep traffic within the same AZ when possible:
apiVersion: v1
kind: Service
metadata:
name: api-service
annotations:
service.kubernetes.io/topology-mode: Auto
spec:
selector:
app: api-service
ports:
- port: 80
targetPort: 8080
- Service mesh locality: If you use Istio or Linkerd, enable locality-aware load balancing to prefer same-zone endpoints.
- Consider single-AZ for non-critical workloads: Dev and staging environments rarely need multi-AZ redundancy. Running them in a single AZ eliminates cross-AZ transfer costs entirely.
Storage Right-Sizing
Persistent volumes are often provisioned generously and never resized. It's one of those "set it and forget it" things that quietly bleeds money. Audit your PVCs regularly:
# Find PVCs with low utilization
kubectl get pvc --all-namespaces -o json | jq -r \
'.items[] |
.metadata.namespace + "/" + .metadata.name + " " +
.spec.resources.requests.storage'
# Check actual disk usage inside pods
for pod in $(kubectl get pods -o name); do
echo "=== $pod ==="
kubectl exec "$pod" -- df -h /data 2>/dev/null
done
Also consider using gp3 volumes instead of gp2 on AWS — gp3 provides the same performance at 20% lower cost with independently configurable IOPS and throughput. It's one of the easiest wins out there.
Strategy 6: Cluster Architecture Decisions That Impact Cost
ARM-Based Nodes (Graviton, Ampere)
AWS Graviton3 instances offer approximately 20% lower cost than equivalent x86 instances with comparable or better performance for most workloads. If your container images support multi-architecture (or can be rebuilt for arm64), this is a straightforward cost reduction. Karpenter makes this particularly easy — just include arm64 in the architecture requirements and let it choose the most cost-effective option automatically.
Namespace Quotas and LimitRanges
Prevent runaway resource consumption by setting namespace-level guardrails:
apiVersion: v1
kind: ResourceQuota
metadata:
name: team-alpha-quota
namespace: team-alpha
spec:
hard:
requests.cpu: "20"
requests.memory: "40Gi"
limits.memory: "60Gi"
pods: "100"
---
apiVersion: v1
kind: LimitRange
metadata:
name: default-limits
namespace: team-alpha
spec:
limits:
- default:
memory: "256Mi"
defaultRequest:
cpu: "100m"
memory: "128Mi"
type: Container
The LimitRange is particularly important — it sets default resource requests for pods that don't specify them, preventing pods from being scheduled as "best-effort" QoS class (which leads to unpredictable scheduling and eviction behavior).
Scheduling Off-Hours Workloads
Dev, staging, and test environments often run 24/7 but are only used during business hours. Scaling these to zero outside working hours can cut their cost by 65–70%. Tools like kube-downscaler make this straightforward:
# Install kube-downscaler
helm install kube-downscaler deliveryhero/kube-downscaler \
--set arguments="{--default-uptime=Mon-Fri 07:00-19:00 UTC}"
# Or annotate specific deployments
kubectl annotate deploy my-staging-app \
downscaler/uptime="Mon-Fri 07:00-19:00 America/New_York"
Strategy 7: Building a Kubernetes FinOps Practice
Key Metrics to Track
A mature Kubernetes FinOps practice tracks these metrics continuously:
- Cluster utilization rate: (Actual resource usage / total allocatable resources) x 100. Aim for 60–75% — that's a healthy balance between cost efficiency and leaving room for spikes.
- Resource request efficiency: (Actual usage / requested resources) x 100. Below 50% indicates significant over-provisioning.
- Cost per namespace/team: Allocated cost broken down by organizational unit for showback and budgeting.
- Cost per request/transaction: Unit economics tying infrastructure cost to business output. This is where things get really interesting from a business perspective.
- Spot instance coverage: Percentage of workloads running on spot. Target 60–80% for fault-tolerant workloads.
- Idle resource cost: Resources allocated but not used — the purest form of waste.
Building the Optimization Flywheel
Effective Kubernetes cost optimization isn't a one-time project. It's a continuous practice that follows the FinOps Inform-Optimize-Operate lifecycle:
- Inform: Deploy cost visibility tools (OpenCost, Kubecost). Establish labeling standards. Build dashboards showing cost by team and environment. Share showback reports monthly.
- Optimize: Deploy VPA in recommendation mode. Right-size based on data. Adopt Karpenter for node provisioning. Move appropriate workloads to spot. Implement KEDA for event-driven workloads. Optimize network topology.
- Operate: Enforce resource quotas and labeling via admission controllers. Set cost anomaly alerts. Include cost review in sprint retrospectives. Tie cost targets to team OKRs.
The organizations that see sustained savings — not just a one-time cut followed by gradual drift — are the ones that embed cost consciousness into engineering culture. When developers can see their team's cloud spend in real time and understand its trajectory, they naturally make more cost-aware decisions.
Quick Reference: Savings by Strategy
| Strategy | Typical Savings | Effort to Implement | Risk Level |
|---|---|---|---|
| Right-sizing resource requests | 30–50% | Medium | Low |
| Spot instances for eligible workloads | 60–90% per node | Medium | Medium |
| Karpenter consolidation | 15–30% | Medium | Low |
| KEDA scale-to-zero | 40–70% per workload | Low | Low |
| Off-hours scheduling | 65–70% on non-prod | Low | Low |
| ARM/Graviton migration | 20% | Medium-High | Low |
| Network topology optimization | Varies widely | Low | Low |
| Storage right-sizing (gp3 migration) | 20% | Low | Low |
Conclusion: Start with Measurement, Scale with Culture
Kubernetes cost optimization isn't about finding one silver bullet. It's about layering multiple strategies — right-sizing, autoscaling, spot instances, cost allocation, and architectural choices — to compound savings across your entire container infrastructure.
Start with measurement. Deploy OpenCost or Kubecost and let it collect two weeks of data. You'll almost certainly discover that your clusters are significantly over-provisioned. Then tackle right-sizing first, because it delivers the highest return for the least risk. Layer in spot instances and Karpenter next for infrastructure-level savings. Finally, build the organizational muscle — showback reports, cost-aware deployment policies, and team-level accountability — that prevents waste from creeping back in.
The companies that consistently spend the least on Kubernetes aren't the ones with the most sophisticated tooling. They're the ones where every engineer understands that a resource request is a spending decision, and where cost is treated as a first-class engineering concern — right alongside performance, reliability, and security.
With the strategies in this guide, a 30–60% reduction in Kubernetes spend is realistic for most organizations. The only question is whether you start measuring today or keep paying for resources you're not using.