3 minute read

Admissions Controller banner

Ever wish you could see costs of a deployment as it rolls out? You now can directly via kubectl with Kubecost!

Admission Controller output

We recently released the Kubecost Prediction API, which anticipates workload costs before you deploy your Kubernetes resources (if you didn’t catch our announcement, you can learn more here). Today, we’re announcing an integration with kubectl via the Kubecost Admission Controller, which leverages the Kubecost Predict API to show you expected future costs for changes you make to your workloads. This foresight provides valuable cost information before you make any major changes.

How it works

Admission Controller diagram

Kubecost provides this prediction through the installation and use of a ValidatingAdmissionWebhook to send back cost data on every update you make to deployments in your Kubernetes cluster. The Predict API (which powers Cost Prediction) determines the differences in cost, then provides that information to you in an easy-to-read table right in your terminal! Currently, the Admission Controller provides predictions on changes in CPU and RAM usage, with support for GPU and PV coming soon!

Quickstart install guide

The following command will install a quickstart controller to your existing Kubecost application:

helm upgrade --install kubecost \
  --repo https://kubecost.github.io/cost-analyzer/ cost-analyzer \
  --namespace kubecost --create-namespace \
  --set kubecostAdmissionController.enabled=true

You may need to wait several minutes for the controller to activate. The Admission Controller will be installed by default in the kubecost namespace.

You can check the status of the Admission Controller with kubectl get service -n kubecost. Look for webhook-server to confirm a successfull install.

Once installed, when a deployment is updated, the Kubernetes API will send requests containing deployment information to the Kubecost pod which will then be read for number of replicas, CPU requests, and RAM requests to calculate a monthly estimate. That estimate will be reported back to the client making the update. If the Kubecost pod is unable to respond to this request, the deployment will be added to the cluster without any information being sent back.

To validate, you can run kubectl edit deployment -n kubecost, and modify the CPU or RAM requests to see estimated monthly prices and the cost difference (diff column).

Please note that this version bundles an SSL cert/key pair with Kubecost that is publicly available. This is so the Admission Controller can operate over HTTPS, which is required by Kubernetes. For deploying to production, we recommend going through the steps in the following section. For more information on Admission Controller CA certs, see here.

Deploying to production and namespaces other than kubecost

When deploying the Admission Controller in another namespace, you will want to mint your own SSL key, attach it as a secret to the cost-analyzer pod, and configure the ValidatingWebhookAdmissionsController to use that SSL key. We’ve made that easy by providing a script in the cost-analyzer-helm-chart library.

git clone https://github.com/kubecost/cost-analyzer-helm-chart.git
cd cost-analyzer-helm-chart/cost-analyzer/scripts
./create-admission-controller-tls.sh <namespace-to-install-kubecost-in>

This will create a TLS secret in the supplied namespace. It will also update the values.yaml file in the Helm chart with the SSL public key associated with that TLS secret. Uncomment the kubecostAdmissionController block in values.yaml, then use those values to deploy Kubecost.

helm upgrade kubecost kubecost/cost-analyzer -n <namespace-to-install-kubecost-in> -f cost-analyzer-helm-chart/cost-analyzer/values.yaml

Enterprise functionality

Kubecost’s Enterprise plan allows for advanced functionality of the Admission Controller. With Enterprise, you can:

  • Implement controllers that actively block or modify deployments based on budget
  • Receive predictive alerts that let you know when you exceed projected budgets, before you’ve already spent

If you want to make greater use of the Admission Controller, consider enrolling in a Kubecost Enterprise plan! For more information about kubectl predict and the Admission Controller, see our kubectl-cost repo here.


The Admission Controller is Kubecost’s next foot forward in enabling predictive analytics when it comes to cost spending. We hope this tool will become indispensable for managing your Kubernetes resource usage.