Configuration Reference
SLOpilot is configured through Helm values. Pass custom values using --values my-overrides.yaml when running the installer, or use helm upgrade directly after installation.
# During installation
./slopilot-install.sh --values my-overrides.yaml ...

# After installation
helm upgrade slopilot-rightsizing \
  oci://ghcr.io/valuematic/charts/slopilot-rightsizing \
  -n slopilot \
  --values my-overrides.yaml
Ingress
By default, SLOpilot is only reachable via kubectl port-forward or a NodePort/LoadBalancer Service. To expose it through an Ingress, enable it and configure the host:
ingress:
  enabled: true
  className: nginx  # or traefik, alb, etc.
  hosts:
    - host: slopilot.example.com
      paths:
        - path: /
          pathType: Prefix
For TLS, add a tls block referencing an existing kubernetes.io/tls Secret in the same namespace. See the controller-specific examples below.
When SLOpilot is behind an ingress controller, configure trusted_proxy_cidrs (set under security, as in the Complete Custom Values Example) so that forwarded client IPs are respected.
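How a trusted-proxy allowlist such as trusted_proxy_cidrs is commonly evaluated, as an added example (not SLOpilot's own code; this page does not document its header handling). The function name client_ip, the use of X-Forwarded-For, and every address except 10.0.0.0/8 are assumptions constructed for illustration.

```python
import ipaddress

def client_ip(peer_ip, xff_header, trusted_cidrs):
    """Return the client address after applying a trusted-proxy allowlist.

    peer_ip       source address of the TCP connection
    xff_header    raw X-Forwarded-For value, or None
    trusted_cidrs CIDR strings, the role trusted_proxy_cidrs plays (assumed)
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]

    def trusted(addr):
        # Membership is False when IP versions differ, so mixed lists are safe.
        return any(addr in net for net in nets)

    current = ipaddress.ip_address(peer_ip)
    # A header from a peer outside the allowlist is ignored entirely.
    if not xff_header or not trusted(current):
        return str(current)

    # Walk right to left: each trusted hop vouches only for the entry it
    # appended. Stop at the first address that is not a trusted proxy.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = addr
        if not trusted(addr):
            break
    return str(current)


# Constructed sample data (documentation address ranges, not from the page).
INGRESS_ONLY = ["10.244.1.0/24"]   # hypothetical ingress-controller pod range
BROAD = ["10.0.0.0/8"]             # value used in the page's full example

if __name__ == "__main__":
    # Request relayed by the ingress controller; client prepended its own entry.
    print(client_ip("10.244.1.7", "192.0.2.66, 203.0.113.9", INGRESS_ONLY))
    # Direct in-cluster request from another pod carrying its own header.
    print(client_ip("10.9.9.9", "198.51.100.1", INGRESS_ONLY))
    print(client_ip("10.9.9.9", "198.51.100.1", BROAD))
```

With the broad range, any peer inside 10.0.0.0/8 is treated as a proxy and its header decides the recorded client IP; listing only the ingress controller's addresses keeps the header meaningful.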
Rightsizing Mode
SLOpilot runs in one of three sensitivity modes — conservative, default, or aggressive — applied installation-wide to every recommendation. If unset, the mode is conservative.
See Rightsizing Modes for guidance on which mode fits your workloads.
Resources
Default resource requests and limits for the SLOpilot pod:
| | CPU | Memory |
|---|---|---|
| Requests | 100m | 256Mi |
| Limits | 500m | 512Mi |
For clusters with more than 200 monitored workloads, consider increasing these values.
Prometheus
SLOpilot deploys its own Prometheus instance by default. It is pre-configured with metric filtering, retention, and storage guardrails — no tuning is required.
If your cluster's default StorageClass does not support the default PVC size, you can override it:
Tip
Both the application and Prometheus PVCs are annotated with helm.sh/resource-policy: keep and survive helm uninstall. Your data is preserved across reinstalls.
Network Policy
A NetworkPolicy is created by default. It restricts traffic to the minimum required:
- Ingress: HTTP on port 8080 from all sources
- Egress (DNS): UDP/TCP port 53 to all namespaces
- Egress (Prometheus): ports 80 and 9090 within the same namespace
- Egress (Kubernetes API): TCP ports 443 and 6443
- Egress (License server): TCP port 443
Disable it with networkPolicy.enabled: false if your cluster does not use NetworkPolicies or you manage them externally.
Scheduling
Place SLOpilot on specific nodes using standard Kubernetes scheduling fields:
nodeSelector:
  workload-type: platform
tolerations:
  - key: platform
    operator: Equal
    value: "true"
    effect: NoSchedule
affinity and topologySpreadConstraints are also supported.
Ingress Examples
ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:...
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
  hosts:
    - host: slopilot.example.com
      paths:
        - path: /
          pathType: Prefix
Complete Custom Values Example
The following my-overrides.yaml combines ingress, trusted proxies, increased resources, and node scheduling:
# my-overrides.yaml

# Expose via NGINX ingress with TLS
ingress:
  enabled: true
  className: nginx
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  hosts:
    - host: slopilot.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    secretName: slopilot-tls

# Trust the in-cluster ingress controller's forwarded headers
security:
  trusted_proxy_cidrs:
    - "10.0.0.0/8"

# Increase application resource limits for large clusters
resources:
  requests:
    cpu: 200m
    memory: 512Mi
  limits:
    cpu: 1000m
    memory: 1Gi

# Schedule on dedicated infrastructure nodes
nodeSelector:
  workload-type: platform
tolerations:
  - key: platform
    operator: Equal
    value: "true"
    effect: NoSchedule
Apply it during installation: