Kubernetes FinOps
Most Kubernetes cost tools either ignore one cloud, demand a Helm chart you don't want to maintain, or stop at cluster-level totals. Lumicost unifies GKE and EKS in a single allocation view, pulls pod telemetry from CloudWatch Container Insights and GCP Monitoring (no DaemonSet), and ships a tag intelligence engine that scores your tagging policy and pinpoints the unallocated spend that platform teams get blamed for.
Platform engineering teams own the Kubernetes spend whether they like it or not. Engineering managers blame the platform when the cluster bill spikes; finance blames the platform when 30% of the namespace cost shows up as 'untagged'. Lumicost is built for that role: we discover GKE clusters via GcpKubernetesAdapter and EKS clusters via EksKubernetesAdapter using read-only credentials, pull workload telemetry from each cloud's managed metrics surface (Container Insights on AWS, Cloud Monitoring on GCP), and run a TagIntelligence policy engine that publishes a coverage score, a list of issues, and PR-ready remediation suggestions. The result is one dashboard where the platform team can answer 'who is paying for what, why, and is the tagging clean enough to defend it'.
GcpKubernetesAdapter calls the GKE Cluster API and Cloud Monitoring; EksKubernetesAdapter calls the EKS API and CloudWatch Container Insights. Both feed the same KubernetesProvider port and produce homogenous KubernetesResourceResponse rows — same allocation model, same rightsizing logic, same chargeback views. One query, both clouds. AKS is on the roadmap but not yet shipped — we'll tell you in the Honesty Banner, not surprise you mid-quarter.
Per-pod p95 CPU and memory utilization vs requests over a 14-day lookback, surfaced via cloud-managed metrics — no DaemonSet, no Prometheus exporter, no kube-state-metrics scrape, no token to inject. The platform team avoids owning yet another cluster-side dependency, and InfoSec reviews exactly one read-only IAM role / service account per cloud.
Cluster cost is allocated to namespaces and labels by weighting the on-demand or RI/Savings Plan/CUD price of each node by the observed pod CPU and memory usage. Roll up across all GKE + EKS clusters in the org, filter by team label, export CSV/JSON for the finance system. The same allocation feeds the engineering view ('what does my namespace cost?') and the finance view ('what does this team owe?').
Define required tags (team, env, cost-center, owner) and allowed values per key. TagIntelligenceController publishes a tenant-scoped score, a list of issues (missing tag, disallowed value, normalization drift) and per-issue PR-ready suggestions. GET/PUT /api/v1/tag-intelligence/policy lets the platform team version-control the policy itself. Untagged spend stops being a quarterly fire drill.
GCP via Workload Identity Federation (no service-account keys), AWS via IAM Role + per-tenant external-id (no static access keys). The IAM policies are published verbatim — eks:ListClusters, eks:DescribeCluster, container.clusters.list/get on GCP, monitoring read on both. No mutation APIs in the SDK code, no kubectl client, no Terraform apply. The platform team's standard cluster-admin RBAC is not required and not requested.
Three differences. (1) Multi-cloud unified — Kubecost requires a separate install per cluster and stops at the cluster boundary; Lumicost rolls up GKE + EKS in one tenant view. (2) Agentless — no Helm chart on every cluster, no Prometheus to maintain, no token to rotate. (3) Tag intelligence — Kubecost scores cost; we score the tagging policy that determines whether that cost is allocatable in the first place. Many platform teams run both: OpenCost for the in-cluster operator audience, Lumicost for the cross-cluster finance + platform audience.
We weight the node's effective hourly price (on-demand or amortized RI/Savings Plan/CUD) by each pod's observed p95 CPU and memory usage over the lookback window, then aggregate to namespace, label, and team. The same allocation feeds both the chargeback report and the engineering view, so the numbers reconcile by construction. We expose the lookback window and the weighting basis in the Honesty Banner so platform teams can defend the math to finance.
Fargate and Karpenter on EKS — yes. CloudWatch Container Insights publishes pod-level metrics for both, and we tag the recommendation with the compute backend so you can decide whether to rightsize requests, tune Karpenter consolidation, or move a workload off Fargate. GKE Autopilot — supported for allocation; rightsizing recommendations are limited because Autopilot manages requests itself, and we surface that explicitly rather than show fabricated savings.
It turns 'we should tag stuff' into a versioned policy with measurable enforcement. You declare requiredTags (e.g. team, env, cost-center) and allowedValues per key via PUT /api/v1/tag-intelligence/policy. The engine then scores coverage per required tag, lists issues (missing, disallowed, drifted) and emits per-issue suggestions you can paste into a Terraform PR. No more 30% 'unallocated' bucket the finance team can't reconcile — the platform team owns the score and the trend.
Connect read-only credentials, get your first insights in 24 hours.