OptiPod — GitOps-Safe Kubernetes Resource Optimization
Kubernetes Operator · GitOps-safe by design · Safe by default
OptiPod makes explainable recommendations for CPU/memory requests and limits. It applies changes only when you opt in, and stays GitOps-safe with the webhook strategy (SSA optional).
Safe by default: start in Recommend mode. Nothing mutates without opt-in.
The Challenge
Most clusters suffer from guesswork, automation fear, and GitOps conflicts
The result is indefinite over-provisioning or disabled optimization entirely
So teams respond by:
- Over-provisioning indefinitely to stay safe
- Disabling automation entirely to avoid surprises
- Accepting waste as the cost of stability
- Choosing manual tuning that never scales
CPU and memory requests guessed once and never revisited
VPA conflicting with GitOps workflows
Fear of memory tuning due to OOMKills and restarts
Lack of explainability and auditability in tools
Design Philosophy
Designed for trust, not surprises
OptiPod takes a fundamentally different approach to resource optimization: safe by default, GitOps-safe with the webhook strategy, and built around explainable recommendations and policy-driven safety.
GitOps-safe by design
Uses the webhook strategy to apply only CPU/memory changes at admission time while GitOps controllers remain the source of truth.
Explainable recommendations
Every recommendation includes usage data and margins, with rationale visible before any action is taken.
Policy-driven safety
Conservative defaults, configurable bounds, controlled change rates, and memory safeguards.
Adopt gradually
Start in Recommend mode, then enable Auto only when you're ready.
What OptiPod Will Not Do
Clear boundaries and safety guarantees. OptiPod is designed with explicit constraints to ensure predictable, safe behavior in production environments.
Will not mutate workloads
Unless explicitly configured in your policy
Will not override GitOps
GitOps controllers remain the source of truth
Will not blindly reduce memory
Memory safeguards prevent dangerous reductions
Will not require a SaaS backend
Runs entirely inside your cluster
How It Works
A Kubernetes-native control loop
OptiPod runs entirely inside your cluster, evaluates real usage, and makes reversible, auditable changes when you allow it.
Discovers workloads
Matching your policy selectors and workload type filters.
Collects metrics
Real-time and historical resource usage from metrics-server or Prometheus.
Evaluates usage
Using strategies like P50, P90, P99 percentiles.
Generates recommendations
Explainable recommendations with policy-driven safety applied.
Applies changes
Via the webhook strategy (GitOps-safe) or Server-Side Apply when you opt in.
Records actions
For auditing and review.
Capabilities
Core capabilities
A toolkit built for platform teams who need precision, control, and trust in every optimization.
Continuously computes recommendations to right-size CPU and memory - applies changes only when you opt in.
Mutating admission applies OptiPod recommendations without fighting GitOps controllers.
Recommend, Auto, or Disabled — adopt automation at your pace.
Min/max bounds, safety margins, change-rate limits, and intelligent resize handling.
Metrics-server and Prometheus fully supported; per-policy provider selection planned.
Target specific workload types (Deployment, StatefulSet, DaemonSet) with include/exclude filters.
Namespace and label-based workload selection with allow/deny lists and policy weight prioritization.
Prometheus metrics, Kubernetes events, and per-workload recommendation annotations.
Configure CPU and memory limit multipliers to automatically calculate limits from recommendations.
Extensive unit, integration, and property-based testing.
Clear rationale for every change, with data visibility.
Comparison
Why choose OptiPod over VPA?
OptiPod is built for GitOps-safe, Recommend mode first workflows with policy-driven safety and clear explainability.
| Feature | OptiPod | Kubernetes VPA |
|---|---|---|
| GitOps-safe (Webhook strategy) Webhook strategy applies resources at admission time without conflicting with GitOps reconciliation. Show detailsOptiPod: Uses a mutating webhook to apply recommendations at admission time while GitOps controllers continue to own manifests. VPA: Uses traditional kubectl apply/patch, can override entire resource specifications, often conflicts with GitOps reconciliation. | ✅ | ⚠️ |
| Safe by default (Recommend mode) Clear separation: Recommend (no mutations) → Auto (opt-in) with safety constraints. Show detailsOptiPod: Recommend mode records recommendations for review. Auto applies changes only when you explicitly opt in. VPA: Recommendation-only usage is possible, but adoption can be less predictable in GitOps workflows depending on configuration. | ✅ | ⚠️ |
| Explainable recommendations Shows usage data, percentiles, safety margins, and recommendation rationale. Show detailsOptiPod: Shows actual usage data and percentiles, explains safety margin calculations, documents bound enforcement rationale, provides historical recommendation tracking. VPA: Provides recommendations, but the rationale and rollout behavior can be harder to reason about depending on configuration. | ✅ | ⚠️ |
| Policy-driven safety Configurable bounds, safety margins, change-rate limits, memory protection. Show detailsOptiPod: Configurable min/max resource bounds, safety margins to prevent resource starvation, change-rate limits to prevent disruption, memory decrease protection, workload type filtering. VPA: Basic min/max bounds only, limited change-rate control, can cause disruptive pod restarts, less sophisticated safety logic. | ✅ | ⚠️ |
Legend: ✅ supported, ❌ not supported, ⚠️ supported with caveats.
Built For
Built for platform teams
OptiPod is designed for teams who care about stability, auditability, and control.
Platform Engineering teams
Build and maintain internal developer platforms with optimized resource usage
Site Reliability Engineers (SRE)
Ensure system reliability while optimizing infrastructure costs
FinOps and cloud cost governance teams
Control and optimize cloud spending with data-driven recommendations
Organizations running GitOps-managed Kubernetes clusters
Maintain GitOps workflows while automating resource optimization
Start safely in Recommend mode
In Recommend mode, no resources are changed and no pods are restarted.
Step 1: Install OptiPod
Install with Helm to deploy the controller, CRDs, and webhook.
Step 2: Create a policy
Start in Recommend mode and review recommendations before opting in to Auto.
Ready!
OptiPod runs entirely inside your cluster, with no external SaaS dependency.
Install with Helm:
# Omit --version to install the latest chart.
VERSION=<latest> # see https://github.com/Sagart-cactus/optipod/releases/latest
helm install optipod oci://ghcr.io/sagart-cactus/charts/optipod \
--version "${VERSION}" \
--namespace optipod-system \
--create-namespaceOptiPod runs entirely inside your cluster, with no external SaaS dependency. Both metrics-server and Prometheus are fully supported.
Create a policy in Recommend mode:
apiVersion: optipod.optipod.io/v1alpha1
kind: OptimizationPolicy
metadata:
name: safe-recommendations
namespace: default
spec:
mode: Recommend
selector:
workloadSelector:
matchLabels:
optimize: "true"
metricsConfig:
provider: metrics-server
rollingWindow: 24h
percentile: P90
safetyFactor: 1.2
resourceBounds:
cpu:
min: "100m"
max: "4000m"
memory:
min: "128Mi"
max: "8Gi"
updateStrategy:
allowInPlaceResize: true
allowRecreate: false
updateRequestsOnly: trueAs long as spec.mode: Recommend, OptiPod will not change workload specs.
Open Source
Open source first
Transparent. Auditable. Extensible. OptiPod is open source and Kubernetes-native with a clear roadmap and contribution model.
Contributing · Governance · Code of Conduct
Current development
Active development focuses on expanding metrics provider support:
- • Custom metrics provider plugin architecture
- • Enhanced workload type filtering capabilities
- • Improved observability and debugging tools
See the ROADMAP.md for complete implementation status and future plans.
Ready to optimize Kubernetes resourceswithout breaking trust?
Start safely in Recommend mode. Nothing mutates without opt-in.