惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
博客园 - 三生石上(FineUI控件)
S
Securelist
U
Unit 42
The Cloudflare Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Simon Willison's Weblog
Simon Willison's Weblog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog
T
Tenable Blog
The Hacker News
The Hacker News
The Register - Security
The Register - Security
IT之家
IT之家
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Privacy & Cybersecurity Law Blog
博客园_首页
T
Tailwind CSS Blog
人人都是产品经理
人人都是产品经理
C
Cybersecurity and Infrastructure Security Agency CISA
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
T
Tor Project blog
C
CERT Recently Published Vulnerability Notes
Apple Machine Learning Research
Apple Machine Learning Research
Stack Overflow Blog
Stack Overflow Blog
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
V
Vulnerabilities – Threatpost
A
Arctic Wolf
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
aimingoo的专栏
aimingoo的专栏
大猫的无限游戏
大猫的无限游戏
Scott Helme
Scott Helme
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
V
Visual Studio Blog
月光博客
月光博客
爱范儿
爱范儿
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Why Kubernetes Cluster Autoscaler Loses to Karpenter After 6 Months in Production
Muskan · 2026-05-06 · via DEV Community

Muskan

Most teams adopt Cluster Autoscaler (CA) because it ships with EKS and works on day one. Six months later, they're staring at 12 node groups nobody fully owns, a cost report showing 30% idle capacity during off-peak hours, and a backlog of scaling incidents that hit during the morning traffic ramp. The switch to Karpenter fixes those problems because the architectures are fundamentally different, not because Karpenter is a newer version of the same thing.

This post covers what we've seen in production: the specific mechanisms where CA falls behind, where Karpenter wins, and the conditions where CA is still the right call.

The Scale-Up Problem CA Never Solved

Cluster Autoscaler detects unschedulable pods by polling the Kubernetes API. The default scan-interval is 10 seconds. When CA identifies a pending pod, it calls the cloud provider API to increase the node group's desired count, then waits for the new node to bootstrap, register with the cluster, and reach Ready state. End-to-end, that process takes 3 to 5 minutes on AWS EKS with standard AMIs.

Karpenter watches Kubernetes scheduler events directly via informers. When the scheduler marks a pod as unschedulable, Karpenter receives that event in near-real-time, runs its bin-packing simulation, calls the EC2 API, and launches the node. Measured from pod-pending to node-Ready, the window is typically under 60 seconds.

The difference matters most for two workload types. Batch jobs queue up during the CA provisioning window: a job that expects to start in 30 seconds now waits 4 minutes, and that delay multiplies across hundreds of concurrent jobs. Latency-sensitive services that scale horizontally based on incoming request volume see response time spikes during the lag.

Scale-Up Step Cluster Autoscaler Karpenter
Trigger mechanism Poll Kubernetes API every 10 seconds Watch scheduler unschedulable events via informers
Detection latency Up to 10 seconds Near real-time
Next step Call cloud provider ASG resize API Run bin-pack simulation
Node bootstrap wait Yes, waits for node to register as Ready Yes, waits for node to register as Ready
Total pod-pending to node-Ready 3-5 minutes Under 60 seconds

CA's path: roughly 3-5 minutes. Karpenter's path: under 60 seconds. The gap comes from eliminating the polling loop.

CA vs Karpenter scale-up path

Node Group Sprawl Is a Configuration Tax

Cluster Autoscaler is coupled to node groups: Auto Scaling Groups on AWS. Every distinct combination of instance type, capacity type (on-demand vs spot), availability zone, and workload label requires its own ASG and a corresponding entry in CA's configuration.

A realistic production cluster after 12 months looks like this: a general-purpose on-demand group, a memory-optimized group added when the ML pipeline launched, two spot groups for different instance families, a GPU group from a proof-of-concept that's now permanent, and three "temporary" groups created during incidents that nobody deleted. That's 8 node groups, each with its own AMI reference, launch template, and IAM profile. Nobody owns the old ones. None of them get updated unless something breaks.

This is provisioner drift. The config exists, costs money to maintain, and creates incident risk because the drift happens silently.

Karpenter replaces all of that with two Kubernetes resources: a NodePool and an EC2NodeClass. The NodePool specifies scheduling constraints and instance requirements as a list: instance families, CPU and memory bounds, capacity types. The EC2NodeClass specifies the AMI family, subnet selector, and security group selector. One NodePool can match a general-purpose workload across m5, m5a, m5d, and m6i instances simultaneously, selecting whichever has available capacity at launch time.

Concern Cluster Autoscaler Karpenter
Adding a new instance family New ASG + CA config update + rollout Add entry to NodePool instanceFamily list
AMI updates Update launch template per node group Set amiFamily: AL2023; Karpenter resolves latest
Spot + on-demand mix Separate node groups or mixed-instance policy Single NodePool with capacityType: [spot, on-demand]
Config ownership Flags in CA Deployment manifest NodePool and EC2NodeClass CRDs in Git
Node group count after 12 months (typical) 8-15 1-3

The operational difference is not just convenience. The Karpenter model is auditable: every NodePool lives in version control, has a clear owner, and describes its own intent. CA node groups accumulate because creating them is easy and deleting them is risky.

Consolidation: Why CA Leaves Money on the Table

Scale-down in CA requires a node to sustain low utilization for a continuous 10-minute window. "Low utilization" means the sum of all pod resource requests falls below 50% of the node's allocatable capacity. If any pod spikes its CPU or memory request during that 10-minute window, the timer resets.

This design prevents thrashing, which is a valid concern. The side effect is that lightly-loaded nodes persist for hours during off-peak periods. A cluster that scales out to 40 nodes at 14:00 will still have 35 nodes at 22:00 because individual timers keep resetting on different nodes. The idle cost accumulates.

CA also cannot consolidate across node group boundaries. A pod running on an m5.xlarge node group cannot be a trigger to reclaim a node in the m5.2xlarge group, even if the 2xlarge node is running one small pod and could be emptied. The groups are siloed.

Node Group Instance Type Nodes Utilization CA Consolidation Karpenter Consolidation
Group 1 m5.xlarge 3 60% Cannot move pods to other groups Evaluates all nodes together in bin-pack simulation
Group 2 m5.2xlarge 1 15% Idle node persists; timer resets on any pod activity Replaces idle node with smaller type or drains to existing nodes
Group 3 r5.xlarge 2 40% Siloed from other groups; no cross-group drain Included in unified consolidation pass

CA siloed groups vs Karpenter unified view

Karpenter's consolidation controller runs every 15 seconds and evaluates two scenarios: can the workloads on this node fit on other existing nodes (empty-node consolidation), and can replacing this node with a cheaper instance type accommodate the same workloads (replace consolidation). It simulates the bin-packing before acting and respects PodDisruptionBudgets during drain.

Teams we've worked with measure 20-40% reduction in EC2 node-hours after switching, because Karpenter's consolidation runs continuously rather than waiting for a 10-minute idle streak that traffic patterns rarely allow.

Spot Instances: Where the Gap Becomes Expensive

Running spot instances with CA requires a dedicated spot node group. The instance type pool is limited to whatever the ASG's mixed-instance policy covers, typically 3-5 types. Narrow pools mean higher interruption probability when EC2 capacity is constrained in a given availability zone.

When spot instances are interrupted, CA relies on the AWS Node Termination Handler (NTH) as a separate DaemonSet to catch the 2-minute interruption notice and drain the node. That's two components to deploy, configure, and monitor.

Karpenter handles spot interruption natively. It listens to EC2 Fleet interruption notices directly and begins cordon-draining the node before the 2-minute termination window expires. The multi-family NodePool allows specifying a wide instance pool: 10 or more compatible instance families. Karpenter selects the cheapest available spot option at launch time, and that wider pool means EC2 can usually fulfill the request even during regional capacity crunches.

Concern Cluster Autoscaler Karpenter
Spot node group setup Separate ASG per instance family Single NodePool, list instance families
Typical capacity pool size 3-5 instance types 8-15 instance types
Interruption handling AWS Node Termination Handler (separate) Native, built into Karpenter controller
Time to detect interruption notice NTH polling interval (varies) Event-driven, typically under 5 seconds
Spot + on-demand fallback Manual node group priority config weight field on NodePool capacity types

The economics follow from pool size. A spot node group drawing from 12 instance families in 3 AZs has roughly 36 capacity pools to source from. Interruption rates drop because EC2's scheduler has more options to place your instances when it needs to reclaim capacity.

For teams running spot instances with Karpenter on EKS, the graviton (arm64) instance families add another dimension: m7g, c7g, and r7g instances are typically 15-20% cheaper than x86 equivalents for the same workload, and Karpenter can select them automatically if the application tolerates arm64.

The 6-Month Production Timeline

CA works well in months 1 and 2. The cluster is small, the node group count is manageable, and scale-up latency isn't a problem because peak loads are predictable.

By month 3, the first friction appears. A new team needs a memory-optimized instance type for their service. That means a new node group, a CA config change, a deployment rollout, and a docs update explaining what the new group is for. The process takes a few days.

By month 4, someone adds a spot group to cut costs. A separate NTH deployment goes in. The spot group needs its own draining logic tested. The cluster now has 6 node groups.

Month 5 is when consolidation gaps show up in cost reports. The finance team flags that EC2 spend at 22:00 is 80% of peak spend, but request volume is 20% of peak. The CA nodes are not scaling down because something is always keeping the timers alive.

Month 6: an incident. A pod from a deprecated node group can't schedule because the AMI reference in the launch template points to an image that's been deregistered. The on-call engineer spends two hours tracing which of the 10 node groups is broken.

CA operational debt timeline

Timeline Node Group Count Symptoms Trigger
Months 1-2 3 Works fine; scaling is predictable Initial setup
Months 3-4 6 Group sprawl begins; new teams need custom instance types New workload requirements
Months 5-6 8-12 Consolidation gaps in cost reports; AMI drift incidents; broken launch templates Config debt compounds

Karpenter's NodePool model doesn't eliminate all operational work, but the drift pattern is different. NodePool configs are version-controlled CRDs. AMI selection is declarative (specify the family, Karpenter resolves the latest). The expireAfter field forces node replacement on a schedule, which rotates AMIs automatically. The node group count stays at 2 or 3 regardless of how many workload types the cluster serves.

For teams working through right-sizing Kubernetes node groups, switching to Karpenter often resolves the right-sizing problem by design: Karpenter selects instance types per workload requirement rather than per static group definition.

When CA Still Makes Sense (and When Karpenter Breaks)

Karpenter is not the right answer for every cluster. These are the conditions where CA is still valid.

CA works when the cluster runs on a cloud provider where Karpenter has no stable integration. Karpenter has production-grade support for AWS and is in active development for Azure. GKE users have node auto-provisioning. CA remains the portable choice for multi-cloud environments or on-premises clusters with custom cloud providers.

CA also works for small, stable clusters with 5 or fewer node groups and predictable scaling patterns. The operational overhead of learning NodePool design, testing consolidation behavior, and tuning disruption budgets is not worth it if CA is meeting SLOs today.

Karpenter's consolidation breaks for stateful workloads that don't have PodDisruptionBudgets. If Karpenter consolidates a node running a stateful pod with no PDB, it will drain that pod. For databases or caches running on Kubernetes, the consolidationPolicy: WhenEmpty setting (which only consolidates truly empty nodes) is safer than the default WhenUnderutilized policy. For deeper context on vertical vs horizontal Kubernetes autoscaling tradeoffs, the stateful workload concern applies there too.

Karpenter also requires correct IAM configuration. The controller needs ec2:RunInstances, ec2:TerminateInstances, and several other EC2 permissions. In organizations with strict IAM policies, getting those approved takes time. CA requires fewer permissions because it only calls ASG resize APIs.

Cluster Profile Recommended Autoscaler
EKS, mixed instance types, cost optimization priority Karpenter
EKS, heavy spot usage, batch workloads Karpenter
GKE or AKS Native node auto-provisioning / VMSS autoscale
Multi-cloud or on-premises Cluster Autoscaler
Small cluster (under 10 nodes), stable workload Cluster Autoscaler
EKS with stateful workloads and no PDBs CA until PDBs are in place

The EKS cost comparison across managed Kubernetes platforms shows that node autoscaling strategy is one of the top three drivers of per-cluster cost variance. Karpenter's advantage compounds as cluster size and workload diversity increase: the larger the instance selection pool and the more varied the workload requirements, the more bin-packing simulation gains over static node groups.

For teams already running event-driven autoscaling with KEDA, Karpenter pairs well because KEDA scales pods and Karpenter scales nodes in response, both event-driven, both operating below the 60-second threshold. CA's polling delay breaks that tight loop.

The switch from CA to Karpenter is not a drop-in replacement. It requires NodePool design, PDB audits, and IAM work. The teams that do it stop managing a catalog of node group configs and start managing two or three composable, auditable resources. After 6 months, that operational difference is larger than the scale-up latency improvement.