惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Engineering at Meta
Engineering at Meta
T
Threatpost
P
Palo Alto Networks Blog
NISL@THU
NISL@THU
O
OpenAI News
Project Zero
Project Zero
G
GRAHAM CLULEY
P
Privacy International News Feed
A
Arctic Wolf
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
M
MIT News - Artificial intelligence
T
Threat Research - Cisco Blogs
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
B
Blog RSS Feed
D
Docker
aimingoo的专栏
aimingoo的专栏
博客园 - 【当耐特】
N
Netflix TechBlog - Medium
云风的 BLOG
云风的 BLOG
雷峰网
雷峰网
W
WeLiveSecurity
P
Proofpoint News Feed
腾讯CDC
Cloudbric
Cloudbric
S
Secure Thoughts
C
Check Point Blog
博客园 - Franky
T
The Exploit Database - CXSecurity.com
T
Troy Hunt's Blog
GbyAI
GbyAI
Security Archives - TechRepublic
Security Archives - TechRepublic
Application and Cybersecurity Blog
Application and Cybersecurity Blog
月光博客
月光博客
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
TaoSecurity Blog
TaoSecurity Blog
L
Lohrmann on Cybersecurity
V
Visual Studio Blog
F
Fortinet All Blogs
博客园 - 叶小钗
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
C
Cisco Blogs
博客园 - 司徒正美
Stack Overflow Blog
Stack Overflow Blog
Y
Y Combinator Blog
Apple Machine Learning Research
Apple Machine Learning Research

Sealos Blog

Build a Full-Stack App with Claude Code + InsForge — Zero Backend Code | Sealos Blog InsForge vs Supabase: Which Backend for AI-Powered Development? | Sealos Blog Kubernetes NodePort Exhaustion: SSH Gateway Solution | Sealos Blog Claude Code Metrics Dashboard: Grafana Setup (2026) | Sealos Blog What Is RustFS? Apache 2.0 MinIO Alternative (2026) | Sealos Blog Claude Code Mobile: iPhone, Android & SSH (2026) | Sealos Blog Eaglercraft Server Hosting: Fast Setup (2026) | Sealos Blog An Honest Review: Migrating a Complex Microservice App from Heroku to Sealos | Sealos Blog The Ultimate Guide to Kubernetes Audit Logging for Security and Compliance | Sealos Blog Cost Optimization Shootout: Sealos Autonomous FinOps vs. Kubecost Manual Reports | Sealos Blog For CTOs: How to Cut Your Cloud Bill by 50% Without Sacrificing Performance | Sealos Blog Building Resilient Systems: A Deep Dive into Sealos High-Availability and Auto-Failover | Sealos Blog Building a Scalable Event-Driven Architecture with Sealos Managed Kafka | Sealos Blog Beyond kubectl apply: 5 GitOps Best Practices for Production-Ready CI/CD on Sealos | Sealos Blog Advanced RAG Pipelines: Why Your Choice of Vector Database (like Milvus) Matters | Sealos Blog Advanced MLOps: How to Monitor and Evaluate LLM Applications in Production | Sealos Blog A Developer's Guide to Kubernetes RBAC: Securing Your Cluster the Easy Way with Sealos | Sealos Blog A CISO's Guide to Cloud Development: Securing the CI/CD Pipeline with Sealos DevBox | Sealos Blog What is Kubernetes Multi-Tenancy? A Guide for Platform Engineers | Sealos Blog What is Infrastructure from Code (IfC)? The Next Step After Infrastructure as Code (IaC) | Sealos Blog What is GitOps? A Beginner's Guide to "Push-to-Deploy" Workflows | Sealos Blog What is eBPF? The Future of Kubernetes Networking and Security | Sealos Blog What is an "AI-Native" Platform? (And Why You Need One for MLOps) | Sealos Blog What is an Agentic Workflow? Building the Next Generation of AI Apps | Sealos Blog What is a Kubernetes Chargeback Model (And How Does it Save You Money?) | Sealos Blog What is a "Headless" Development Environment? (And How it Works with VS Code) | Sealos Blog What is a Graph-Based Vector Database? (And When to Use It Over Milvus) | Sealos Blog What is a "Cloud Operating System"? The Next Evolution of PaaS Explained | Sealos Blog The Real Cost of EKS: How Sealos Delivers a Simpler, Cheaper Kubernetes Experience | Sealos Blog The 3 Types of Kubernetes Autoscaling (HPA, VPA, CA) and How Sealos Manages Them for You | Sealos Blog Sealos vs Vercel: Why a Cloud OS Beats a Frontend Platform for Full-Stack Apps | Sealos Blog Sealos vs. Render vs. Fly.io: A 2025 Guide to the Best Heroku Alternatives | Sealos Blog Sealos vs. OpenShift: Kubernetes for Developers vs. Kubernetes for Ops Teams | Sealos Blog Sealos vs. Netlify: When to Choose a Full Kubernetes Platform over a Static Site Hoster | Sealos Blog Sealos vs. DigitalOcean App Platform: A Head-to-Head Comparison on Cost, Features, and Scalability | Sealos Blog Sealos vs. AWS Elastic Beanstalk: The Modern PaaS for Developers Who Hate YAML | Sealos Blog Sealos DevBox vs. AWS Cloud9: Why Your CDE Should Be Platform-Agnostic | Sealos Blog For Developers: Stop Wasting Time on DevOps. A 10-Minute Guide to Shipping Faster with DevBox. | Sealos Blog Deploying n8n with Docker: From Local Setups to a Radically Simple Cloud Alternative | Sealos Blog The Impact of Prompt Bloat: How the Sealos AI Proxy Can Cache Queries and Cut LLM Costs | Sealos Blog The FinOps Playbook: How to Implement Kubernetes Chargebacks and Showbacks with Sealos | Sealos Blog Smoke Testing for ML Pipelines: Catching Data and Model Errors Before They Hit Production | Sealos Blog Optimizing PostgreSQL Performance: A Guide to Sealos Managed Database Tuning | Sealos Blog Managing Kubernetes Multi-Tenancy: How Sealos Enforces Resource Quotas and Network Policies | Sealos Blog From Days to Minutes: How to Standardize Developer Environments for Your Entire Engineering Org | Sealos Blog For Platform Engineers: How to Build a Golden Path IDP (Internal Developer Platform) with Sealos | Sealos Blog For FinOps Managers: The 5 Leakiest Buckets in Your Kubernetes Budget (And How to Plug Them) | Sealos Blog For Educators & IT Admins: How to Provide a Secure, Scalable Cloud Lab for 1000+ Students on a Budget | Sealos Blog What is a Vector Database? A Beginner's Guide to Milvus, Pinecone, and More | Sealos Blog Why Your Microservices Architecture is Failing (And How a Cloud OS Can Fix It) | Sealos Blog The Power of Autoscaling: A Deep Dive into HPA, VPA, and Cluster Autoscaler | Sealos Blog The Total Economic Impact of Cloud Development Environments (CDEs) | Sealos Blog The Illustrated Guide to the Kubernetes Control Plane | Sealos Blog The MLOps Lifecycle Explained: From Data Prep to Model Deployment | Sealos Blog Beyond Vercel's AI Cloud: The Case for an AI-Native Operating System | Sealos Blog The Architecture of a Modern AI Application: A 2025 Blueprint | Sealos Blog GitHub Codespaces is Great, But Your Workflow is Incomplete. Here's Why. | Sealos Blog The Best Heroku Alternatives in 2025 for Scalability and Cost | Sealos Blog CAST AI vs. Kubecost vs. Sealos: Choosing the Right K8s Cost Management Tool | Sealos Blog DevBox vs. Gitpod vs. Replit: An Unbiased Comparison for 2025 | Sealos Blog Unlocking Hidden Savings: A Guide to Using Spot Instances Safely in Kubernetes | Sealos Blog Can a CDE Really Replace Your MacBook Pro? A Performance Benchmark | Sealos Blog The End of "Works on My Machine": Achieving 100% Reproducible Builds with DevBox | Sealos Blog The Ultimate Guide to GPU Provisioning and Management in Kubernetes | Sealos Blog The 2025 Guide to Kubernetes Cost Optimization: 10 Strategies to Cut Your Bill in Half | Sealos Blog FinOps for Startups: How to Build a Cost-Conscious Culture from Day One | Sealos Blog How to Onboard a New Developer in Under 5 Minutes with Sealos DevBox | Sealos Blog Calculating Kubernetes Costs: A Breakdown of EKS, GKE, and AKS Pricing Models | Sealos Blog Case Study: How We Reduced Our Kubernetes Bill by 87% with Sealos | Sealos Blog Are You Overpaying for Managed Kubernetes? The True Cost of Vendor Lock-in | Sealos Blog Beyond Monitoring: How Sealos Autonomously Optimizes Your Cloud Spend | Sealos Blog A Practical Guide to Kubernetes Security: Hardening Your Cluster in 2025 | Sealos Blog A Secure-by-Design Development Workflow with Isolated Cloud Environments | Sealos Blog Setting Up a Collaborative Python Data Science Environment with DevBox | Sealos Blog Using the Sealos AI Proxy to Manage and Cache LLM API Calls | Sealos Blog Migration Guide: Moving Your Node.js & Postgres App from Heroku to Sealos in Under an Hour | Sealos Blog Serving Machine Learning Models at Scale: A Guide to Inference Optimization | Sealos Blog Headless Development with Sealos: Using Your Local VS Code with a Powerful Cloud Backend | Sealos Blog How to Build and Deploy a RAG Pipeline with Llama 3 and Milvus on Sealos | Sealos Blog From Localhost to Production in 15 Minutes: A Full-Stack CDE Workflow with Sealos DevBox | Sealos Blog GitOps on Autopilot: Implementing a CI/CD Pipeline with Sealos and GitHub Actions | Sealos Blog Fine-Tuning Open-Source LLMs on a Budget with Sealos | Sealos Blog From Docker Compose to Kubernetes: A Simple Migration Path with Sealos | Sealos Blog Building an AI Agentic Workflow with LangChain and Sealos | Sealos Blog What is Helm for Kubernetes? The Ultimate Package Manager Explained | Sealos Blog What is a Custom Resource Definition (CRD) in Kubernetes? | Sealos Blog What is a Kubernetes StatefulSet? A Practical Guide | Sealos Blog What is a Kubernetes Ingress Controller? A Guide to Smart Traffic Routing | Sealos Blog What is a Kubernetes Operator? Automating Complex Applications | Sealos Blog What is a Kubernetes Service? A Simple Guide for Developers | Sealos Blog Streamlining Your CI/CD Pipeline with a DevBox Build Environment | Sealos Blog Why Standardized Development Environments Are Key to Team Velocity | Sealos Blog What Is GitHub Codespace? | Sealos Blog DevBox Install? Skip It Entirely. Get a Ready-to-Code Environment in One Click with Sealos DevBox. | Sealos Blog How to Set Up a DevBox: The Ultimate Guide to 1-Click Cloud Development | Sealos Blog Empowering Indie Devs and Startup Teams: How Sealos DevBox Accelerates Agile Development | Sealos Blog From Chaos to Consistency: How Sealos DevBox Transforms Enterprise Development Workflows | Sealos Blog From Campus Labs to Cloud Freedom: How Sealos DevBox Supercharges Student Development | Sealos Blog How Sealos DevBox Cut Container Commit Time from 15 Minutes to 1 Second | Sealos Blog DevBox vs Codespaces: Which Remote Dev Environment Fits You Best? | Sealos Blog
Rightsizing Kubernetes Workloads: How to Stop Wasting Money on CPU and Memory Requests | Sealos Blog
Sealos · 2025-09-11 · via Sealos Blog

If your cloud bill keeps climbing while your apps sit mostly idle, you’re not alone. Kubernetes makes it easy to scale and isolate workloads, but it’s just as easy to overspend by overprovisioning CPU and memory. The cure is rightsizing: continuously tuning resource requests and limits so pods get what they need—no more, no less.

This guide demystifies how resource requests and limits really work, how to measure what your workloads actually use, and exactly how to set sane values. You’ll learn a pragmatic process you can apply today, with examples, queries, and automation tips that work in any cluster.

Whether you run a few services or thousands, a smart rightsizing strategy can unlock significant cost savings while improving reliability and performance.


Rightsizing is the practice of setting resource requests and limits for your containers based on observed usage, performance requirements, and risk tolerance. The goal is to:

  • Reduce waste from inflated requests that block bin-packing and inflate your node count
  • Avoid throttling and OOMKills that cause performance issues and incidents
  • Improve scheduling efficiency and autoscaling behavior
  • Align resource guarantees with your service-level objectives (SLOs)

In practical terms, rightsizing means:

  • Choosing CPU and memory requests based on historical usage percentiles plus a safety margin
  • Setting limits only when they protect the platform from misbehaving apps (especially memory)
  • Automating recommendations and applying them safely (e.g., with Vertical Pod Autoscaler in recommendation mode)

  • Cost: In most clouds, you pay for the nodes your pods reserve. Overstated requests waste money because the scheduler reserves capacity you’ll never use, which forces more nodes.
  • Reliability: Understated requests can cause noisy-neighbor issues, preemption, or frequent evictions under pressure. Misaligned limits can lead to CPU throttling or OOMKills.
  • Performance: Well-tuned requests improve HPA scaling signals, reduce tail latencies, and allow the cluster autoscaler to add/remove nodes more efficiently.
  • Fairness and multi-tenancy: Accurate requests support fair scheduling across teams and products, reducing surprise incidents.

If you’re using a platform like Sealos (sealos.io) to run multi-tenant Kubernetes, rightsizing pairs naturally with per-namespace quotas and cost visibility. It helps teams understand their footprint and stay within budget while maintaining SLOs.


Before tuning, it’s essential to understand how Kubernetes interprets resource requests and limits.

Requests vs. Limits

  • Request: A guaranteed amount of a resource that informs scheduling. The scheduler ensures the node has at least this much available. CPU requests also set cgroups CPU shares (relative priority).
  • Limit: A hard cap enforced by cgroups. CPU limits translate to CFS quota; memory limits cap resident memory; exceeding memory limits triggers OOMKill.

QoS Classes

Kubernetes assigns a Quality of Service (QoS) class based on your requests/limits:

  • Guaranteed: Every container in the pod has memory and CPU requests equal to limits. Highest eviction priority.
  • Burstable: At least one container has a request, and some requests are less than limits. Medium eviction priority.
  • BestEffort: No requests or limits. Lowest priority, first to be evicted under pressure.

Setting requests matters even if you don’t set limits. Avoid BestEffort for anything important.

CPU vs. Memory Semantics

  • CPU is compressible: An app can be throttled with minimal safety impact; it simply runs slower. CPU requests define scheduling and shares; limits cap usage and can cause throttling.
  • Memory is not compressible: If a container exceeds its memory limit, the kernel kills it (OOMKill). Memory requests determine scheduling and, together with limits, control QoS/eviction behavior.

A common, cost-effective pattern is:

  • Set accurate CPU requests and avoid CPU limits unless you need strict caps (e.g., noisy libraries or batch jobs).
  • Set memory requests close to expected usage and memory limits high enough to avoid frequent OOMKills, but low enough to prevent runaway memory.

Eviction and Node Pressure

Under memory pressure, the kubelet evicts Pods based on QoS and usage. BestEffort pods go first, then Burstable, while Guaranteed pods are protected longest. Right-sized memory requests (with reasonable limits) reduce surprise evictions.


Here’s a battle-tested, repeatable process you can apply to any cluster.

1) Define SLOs and Observation Window

  • Determine critical performance metrics (latency SLOs, throughput, error budgets).
  • Select a representative observation window that includes traffic patterns: typically 7–14 days.
  • Separate weekday/weekend or seasonal differences if significant.

2) Collect Usage Data

Use a combination of:

  • kubectl top (quick view via metrics-server)
  • Prometheus (recommended for quantiles and long windows)
  • Container runtime metrics and APM (language-specific memory behaviors, GC patterns)

Quick commands:

  • kubectl top pods -n your-namespace
  • kubectl top pod your-pod -n your-namespace --containers

PromQL examples for a single container (adjust labels to your environment):

Note: container_memory_working_set_bytes is often a better proxy for “active” memory than usage, but validate for your stack.

3) Choose Targets and Headroom

A sensible baseline for many services:

  • CPU request ≈ 50–70th percentile of CPU usage, averaged over 1–5 minute intervals
  • Memory request ≈ 95th percentile of working set
  • Memory limit ≈ 110–150% of memory request, depending on risk tolerance
  • Avoid CPU limits unless you must enforce fairness or control bursting

This balances cost with performance. For latency-critical services, raise CPU request percentiles; for batch or bursty tasks, widen headroom.

4) Translate Measurements to Requests/Limits

Example calculation:

  • Observed CPU P70 = 350 millicores (0.35 vCPU)
  • Observed Memory P95 = 700 MiB
  • Choose headroom: CPU +15%, Memory +25% for limit

Then:

  • cpu.request = 0.35 * 1.0 = 350m (no headroom needed if using HPA, see below)
  • memory.request = 700Mi
  • memory.limit = 700Mi * 1.25 ≈ 875Mi (round to 900Mi or 1Gi for simplicity)
  • cpu.limit: omit unless required

5) Validate Safely

  • Roll changes behind a canary or a small percentage of replicas.
  • Watch p95 latency, error rates, throttling, and OOM events.
  • Compare cost (node count or vCPU/GB-hour) before/after.

6) Automate Recommendations

  • Vertical Pod Autoscaler (VPA) can provide recommendations and optionally apply them.
    • Start in Off mode (recommendations only)
    • Consider Initial mode (set on first schedule), or Auto for memory in steady workloads
  • Goldilocks (by Fairwinds) uses VPA to visualize suggested requests per namespace.

7) Combine with HPA and Cluster Autoscaler

  • Horizontal Pod Autoscaler (HPA) scales replicas based on metrics (CPU, memory, custom).
  • Best practice:
    • Use HPA for scale-out on CPU or QPS metrics
    • Use VPA for rightsizing requests (often memory) and to inform CPU baselines
  • Avoid conflicts: Do not let VPA and HPA both control CPU aggressively in the same workload. Use VPA in “Off” or “Initial” when HPA is active, or configure VPA to exclude CPU.
  • Cluster Autoscaler reacts to pending pods whose requests don’t fit; accurate requests yield efficient node scaling.

8) Enforce Defaults with Policies

  • Use LimitRange to ensure every container has requests/limits.
  • Use ResourceQuota to cap total namespace consumption.
  • Provide team guardrails without breaking workloads (sane defaults, generous quotas, and clear escalation paths).

A well-sized Deployment

Notes:

  • No CPU limit to avoid throttling in latency-critical paths (validate for your workload).
  • Memory limit set with headroom; Go’s GOMEMLIMIT aligns GC behavior with the container limit.

LimitRange and ResourceQuota for Guardrails

These defaults prevent BestEffort pods and set rational bounds. Adjust to your org’s norms.

HPA for Scale-Out + VPA for Recommendations

Use a dashboard (e.g., Goldilocks) to view recommendations and adjust requests periodically.


To rightsize, you need actionable metrics. Track:

  • CPU usage cores (rate of container_cpu_usage_seconds_total)
  • CPU throttling (container_cpu_cfs_throttled_seconds_total, if available)
  • Memory working set and RSS (container_memory_working_set_bytes, container_memory_rss)
  • OOMKills and restarts (kube_pod_container_status_last_terminated_reason, kube events)
  • Latency SLOs and throughput (from your APM)

PromQL snippets:

If you lack Prometheus, at minimum use kubectl top and logs/events to catch OOMKills:

  • kubectl describe pod -n prod
  • kubectl logs -n prod --previous

You pay for reserved capacity at the node level. The high-level cost of waste is:

  • Wasted CPU cost ≈ sum over pods of max(0, requestedCPU − actualCPU) × pricePerCPUHour
  • Wasted memory cost ≈ sum over pods of max(0, requestedMem − actualMem) × pricePerGBHour

Rightsizing reduces the gap between requests and usage so the scheduler can pack pods densely, allowing Cluster Autoscaler to remove nodes.

Tip: Tools like Kubecost can attribute costs per namespace/workload. Platforms like Sealos can pair quotas and policy with visibility for multi-tenant clusters.


Multi-Container Pods and Sidecars

  • Sum requests/limits across all containers. Don’t forget init containers and sidecars.
  • Common pitfall: a logging/metrics sidecar with no requests can distort QoS and eviction behavior.
  • For service meshes, reserve CPU/memory for the proxy; measure its usage separately.

Language Runtimes and Memory

  • Java: Align -Xmx with memory limits; allocate headroom for metaspace, threads, off-heap (e.g., set -XX:MaxRAMPercentage, -XX:MaxDirectMemorySize).
  • Go: Use GOMEMLIMIT or GOGC tuning to manage working set under container limits.
  • Node.js/Python: Account for V8/heap and native buffers; consider --max-old-space-size for Node.

CPU Limits and Latency

CPU limits can cause throttling that inflates tail latencies, especially under bursty load. Many teams remove CPU limits for latency-critical web services and rely on requests for fair sharing while retaining limits for batch or potentially runaway jobs. Measure before and after.

Ephemeral Storage

Logs and temporary files can evict pods if ephemeral-storage limits are exceeded. If you use emptyDir or write logs to disk:

  • Set requests/limits for ephemeral-storage
  • Use log rotation and sidecar configurations

Example:

Node Sizing and Bin Packing

  • Smaller nodes give the scheduler more flexibility to pack disparate workloads; larger nodes can be more cost-effective if your workloads are homogenous.
  • Align pod sizes (sum of requests) to node shapes. Avoid “fragmentation” where pods don’t fit into leftover gaps.

Pod Priority and Preemption

Critical system workloads should have higher priority. For app workloads, accurate requests reduce the chance of preemption and avoid starvation of lower-priority pods.

Pod Overhead

If you use RuntimeClass with pod overhead defined, Kubernetes accounts for per-pod overhead in scheduling. This matters for very small pods or high pod densities.


Assume you’ve collected 14 days of metrics for the “payments” deployment:

  • CPU usage (5m rate) P70 = 220m, P95 = 450m
  • Memory working set P50 = 400Mi, P95 = 780Mi, P99 = 900Mi
  • No CPU throttling observed; occasional GC spikes in memory
  • Latency SLO: p95 < 150ms

Decisions:

  • CPU request = 250m (slightly above P70)
  • No CPU limit (latency-sensitive service)
  • Memory request = 800Mi (round up near P95)
  • Memory limit = 1.2Gi (≈ 150% of request to avoid P99 spike OOMs)

YAML:

Roll out to 10% of replicas, watch error budgets and OOMs for a week, then apply to all.


  • Anti-pattern: No requests at all (BestEffort). Result: Unpredictable scheduling and eviction under pressure. Fix: Enforce a LimitRange with sensible defaults.

  • Anti-pattern: CPU requests at 1 vCPU “just in case.” Fix: Use usage percentiles; start at P50–P70 and adjust.

  • Anti-pattern: Memory limits far below P95 working set. Fix: Set request near P95 and limit with enough headroom to avoid OOMs under normal peaks.

  • Anti-pattern: HPA and VPA both trying to manage CPU aggressively. Fix: Use HPA for CPU-based scaling; use VPA in Off/Initial or control only memory.

  • Anti-pattern: Ignoring sidecars. Fix: Measure and request resources for each container.

  • Anti-pattern: Assuming dev/stage usage equals prod. Fix: Observe in production with canaries; production traffic patterns are unique.


  • Vertical Pod Autoscaler (VPA)
    • Pros: Builds recommendations from historical usage; can apply automatically
    • Use cases: Memory-heavy workloads, steady baselines, suggestions for human review
  • Goldilocks (Fairwinds)
    • Pros: Visualizes VPA recommendations across namespaces; helpful dashboards
  • Horizontal Pod Autoscaler (HPA)
    • Pros: Reactive scale-out on CPU/memory/custom metrics
    • Use cases: Front-end/web services, event-driven workloads
  • KEDA
    • Pros: Scale on external metrics (Kafka lag, queue length, etc.)
  • Kubecost (or similar)
    • Pros: Cost allocation per namespace/workload; track savings from rightsizing
  • Sealos
    • Pros: For multi-tenant Kubernetes, Sealos provides a cloud-native platform to manage clusters, namespaces, and quotas with a consistent UI and policy framework. Pair rightsizing with per-team quotas and cost governance for sustainable operations. See sealos.io.

Should I always set CPU limits?

No. CPU limits can cause throttling, increasing tail latencies. Many teams omit CPU limits for latency-sensitive services but keep reasonable CPU requests. Use CPU limits when you must prevent runaway CPU (e.g., batch jobs) or enforce strict multi-tenancy.

How do I pick memory limits?

Start with memory request near the P95 of working set, then set limit 10–50% higher based on risk tolerance and spike behavior. Validate to avoid OOMKills.

Can I use both HPA and VPA?

Yes, but avoid conflicts. A common pattern is HPA for CPU-based scaling and VPA in “Off” for recommendations or controlling only memory.

How often should I revisit requests?

Monthly is a good cadence for most services. Also revisit after major code changes, traffic shifts, or dependency upgrades.

What if my workload is extremely bursty?

  • Consider higher CPU requests to avoid slow starts (or pre-warmed pods)
  • Use HPA with a lower cooldown and scale-to-zero where appropriate (with KEDA)
  • Provide generous memory headroom if bursts affect heap/allocations

DimensionBaseline TargetNotes
CPU RequestP50–P70 of CPU usage (5m rate)Raise for latency-critical services
CPU LimitOften omit; use only if necessaryPrevents runaway but can cause throttling
Memory RequestP95 of working setRound up; account for runtime overhead
Memory Limit110–150% of memory requestChoose headroom based on spike patterns
Ephemeral StoreRequest/limit based on logs/temp peakAdd rotation; avoid surprise evictions
HPA Target60–75% average CPU utilizationTune per service; validate scaling stability

  1. Instrument and collect: Ensure metrics-server and Prometheus are available; label workloads.
  2. Baseline: Choose 7–14 days of representative traffic; compute percentiles.
  3. Propose: Translate P70 CPU and P95 memory into requests; add sensible memory limits.
  4. Test: Apply to a canary subset; watch throttling, OOMs, and SLOs.
  5. Roll and monitor: Gradually apply cluster-wide; track cost and performance deltas.
  6. Automate: Use VPA for recommendations; Goldilocks for visibility; HPA for scale-out.
  7. Govern: Apply LimitRange and ResourceQuota; standardize defaults per namespace.
  8. Iterate: Review monthly; adjust for seasonality and code changes.

For multi-tenant platforms like Sealos, combine this playbook with per-tenant quotas, namespaces, and dashboards to balance autonomy with governance.


Rightsizing is one of the highest-ROI optimizations you can make in Kubernetes. By aligning CPU and memory requests with how your workloads actually behave, you:

  • Cut waste that drives up node count and cloud spend
  • Improve performance by reducing throttling and surprise evictions
  • Enable more predictable autoscaling and fair multi-tenancy

Start with data: measure, pick sane percentiles, add headroom, and validate with canaries. Automate recommendations with VPA and visualize with tools like Goldilocks, then let HPA handle scale-out. Enforce good defaults with LimitRange and ResourceQuota so you never slip back into BestEffort chaos.

Do this well, and you’ll ship faster, sleep better, and pay only for the compute your apps really need.