Connect a Cluster
K8Cost supports two methods for connecting Kubernetes clusters. Choose the one that best fits your network topology and security requirements.
Method 1: Agent Push (Recommended)
The agent is a CronJob that runs inside your cluster and pushes data outbound to the K8Cost API.
Best for:
- Production clusters behind firewalls
- Clusters in private VPCs or air-gapped environments (with HTTPS egress)
- Multi-cluster setups where each cluster manages its own data collection
- Organizations with strict network policies
How it works:
Your Cluster                      K8Cost API
+-------------------+    HTTPS    +-------------------+
| k8cost-analyzer   | ----------> | /api/v1/cronjob/* |
| (CronJob)         |   outbound  |                   |
|                   |     only    | Stores results,   |
| Collects metrics  |             | runs anomaly      |
| Evaluates rules   |             | detection         |
+-------------------+             +-------------------+
The agent needs only outbound HTTPS access to k8cost.com (or your self-hosted API endpoint). No inbound connections, no VPN tunnels, no exposed ports.
See the Install the Agent guide for deployment instructions.
Method 2: Kubeconfig Pull
The K8Cost API connects directly to your cluster's API server using a kubeconfig file that you upload.
Best for:
- Quick evaluation and testing
- Clusters where you cannot deploy workloads (managed/restricted namespaces)
- Single-cluster setups with direct API server access
How it works:
K8Cost API                        Your Cluster
+-------------------+    HTTPS    +------------------+
| K8s client        | ----------> | kube-apiserver   |
|                   |   inbound   |                  |
| Collects metrics  |  required   |                  |
| Evaluates rules   |             |                  |
+-------------------+             +------------------+
To connect via kubeconfig:
- Navigate to Cluster Settings in the dashboard
- Select Kubeconfig as the sync method
- Upload your kubeconfig file or paste the contents
- K8Cost connects and begins collecting data
Security considerations:
- The kubeconfig is encrypted at rest using AES-256-GCM
- Use a ServiceAccount with read-only permissions (the same ClusterRole as the agent)
- The cluster's API server must be reachable from the K8Cost API (public endpoint or VPN)
- Rotate the ServiceAccount token periodically
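A pre-upload check for the points above, as an added example (not K8Cost code): it lints the JSON form of a kubeconfig for a non-HTTPS server, disabled TLS verification, credentials other than a ServiceAccount token, and tokens with no expiry. The ServiceAccount name `k8cost:reader`, the server address and the token are constructed sample values.

```python
import base64, json, time

def jwt_claims(token):
    """Decode (without verifying) a JWT payload; {} if it is not a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return {}
    try:
        data = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except ValueError:
        return {}
    return data if isinstance(data, dict) else {}

def lint_kubeconfig(cfg, now=None):
    """Return findings for a kubeconfig dict (JSON form from kubectl)."""
    now = time.time() if now is None else now
    findings = []
    for c in cfg.get("clusters") or []:
        cl = c.get("cluster", {})
        if not cl.get("server", "").startswith("https://"):
            findings.append(f"cluster {c['name']}: server is not HTTPS")
        if cl.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {c['name']}: TLS verification disabled")
    for u in cfg.get("users") or []:
        user, name = u.get("user", {}), u["name"]
        extra = sorted(set(user) - {"token"})
        if extra:  # client certs, passwords, exec plugins: not a scoped SA token
            findings.append(f"user {name}: non-token credentials: {extra}")
        claims = jwt_claims(user.get("token", ""))
        if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
            findings.append(f"user {name}: no ServiceAccount token")
        elif "exp" not in claims:
            findings.append(f"user {name}: token has no expiry, cannot age out")
        elif claims["exp"] <= now:
            findings.append(f"user {name}: token already expired")
    return findings

def make_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

# Constructed sample; real input: kubectl config view --raw --minify -o json
SAMPLE = {
    "clusters": [{"name": "dev", "cluster": {"server": "https://203.0.113.10:6443"}}],
    "users": [{"name": "k8cost-reader", "user": {"token": make_token(
        {"sub": "system:serviceaccount:k8cost:reader", "exp": 2000000000})}}],
}

if __name__ == "__main__":
    print(lint_kubeconfig(SAMPLE, now=1900000000) or "no findings")
```

The lint does not check RBAC scope; `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name>` shows what the account is actually allowed to do.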
Which Method Should You Choose?
| Criteria | Agent Push | Kubeconfig Pull |
|---|---|---|
| Network direction | Outbound only | Inbound required |
| Firewall changes | None | API server must be reachable |
| Setup complexity | Deploy a CronJob | Upload a file |
| Cluster requirements | Can deploy to a namespace | API server accessible |
| Recommended for prod | Yes | No |
| Offline/air-gapped | Yes (with HTTPS egress) | No |
For production environments, we strongly recommend the agent push model. It requires no inbound network access to your cluster, works behind any firewall that allows outbound HTTPS, and keeps all credentials local to the cluster.
Adding Multiple Clusters
Each cluster connection is independent. You can mix methods -- use the agent for production clusters and kubeconfig for dev environments. All clusters appear in a unified dashboard with a global cluster selector.
Your plan determines how many clusters and nodes you can connect. See Pricing for details.