While cost monitoring provides visibility, proactive governance provides control. Moving from analyzing billing reports to programmatically enforcing financial discipline is the final and most significant step in building a sustainable AI platform. Governance policies are the automated guardrails that prevent resource misuse, enforce budget constraints, and ensure that cost-optimization strategies are applied consistently across all teams and projects.

Implementing these controls requires a layered approach, integrating policies at the cloud provider level, within the Kubernetes orchestrator, and through specialized policy engines. This creates a defense-in-depth model that guides developers toward efficient resource usage without stifling their agility.

Cloud-Level IAM and Service Control Policies

The first layer of governance operates at the cloud provider level. Before a user can even attempt to provision a resource in Kubernetes, their permissions are checked by the cloud's Identity and Access Management (IAM) service. For ML workloads, this is your first opportunity to place broad limits on resource consumption.

You can implement policies that:

Restrict access to expensive instance families: Not every data scientist needs access to the latest, most powerful p5 or h100 GPU instances. You can use IAM conditions or Service Control Policies (SCPs) in AWS Organizations to limit the provisioning of high-cost instance types to specific roles or projects that have a demonstrated need and budget.
Enforce tagging: Mandate the presence of specific tags (e.g., project-id, cost-center, owner) on newly created resources like virtual machines or storage buckets. This is not just a suggestion; it becomes a prerequisite for resource creation, directly feeding the cost attribution models from the previous section.
Limit geographic regions: To control data transfer costs and comply with data residency requirements, you can restrict resource creation to specific geographic regions.

These top-level controls act as a coarse-grained filter, setting the maximum possible boundary for what teams can provision.

Kubernetes-Native Resource Controls

Within the perimeter set by cloud IAM, Kubernetes provides its own powerful set of tools for managing resource consumption at the cluster level. These controls are typically scoped to Namespaces, making them an excellent way to enforce budgets and fairness for different teams or projects sharing a single cluster.

ResourceQuotas

A ResourceQuota object sets hard limits on the total amount of resources that can be consumed within a namespace. This is the primary mechanism for enforcing a team's or project's budget at the infrastructure level. You can define quotas for CPU, memory, storage, and, importantly for ML, the quantity of specific resources like NVIDIA GPUs.

Consider a ResourceQuota for a data science experimentation team's namespace:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: ds-team-exp-quota
  namespace: ds-team-exp
spec:
  hard:
    requests.cpu: "100"
    requests.memory: 200Gi
    limits.cpu: "200"
    limits.memory: 400Gi
    requests.nvidia.com/gpu: "8"
    pods: "50"
    persistentvolumeclaims: "20"

This policy ensures the ds-team-exp namespace cannot consume more than 8 GPUs or 200Gi of memory in total requests, preventing a single runaway experiment from impacting the entire cluster.

LimitRanges

While ResourceQuotas control aggregate consumption, LimitRanges govern the resource allocation of individual pods. A LimitRange can enforce minimum and maximum resource requests, set default request and limit values if a user doesn't specify them, and control the ratio between requests and limits. This prevents users from submitting pods with no resource requests (which can be difficult for the scheduler to place) or pods that request an entire node's resources.

Example of a LimitRange to enforce sane defaults:

apiVersion: v1
kind: LimitRange
metadata:
  name: default-resource-limits
  namespace: ds-team-exp
spec:
  limits:
  - default:
      memory: 1Gi
      cpu: 500m
    defaultRequest:
      memory: 512Mi
      cpu: 250m
    type: Container

With this policy, any container created in the ds-team-exp namespace without explicit resource definitions will automatically receive these baseline values, improving cluster stability and predictability.

PriorityClass and Preemption

In a shared ML platform, not all workloads are created equal. A production inference service has higher business importance than an ad-hoc data exploration notebook. PriorityClass objects allow you to define the relative importance of pods. When the cluster is out of resources, the Kubernetes scheduler can preempt (evict) lower-priority pods to make room for higher-priority ones.

This is a powerful governance tool for both reliability and cost. You can map high-priority classes to more expensive, on-demand instances and low-priority classes to cheaper spot instances.

Define PriorityClasses:

apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: high-priority-prod
value: 1000000
globalDefault: false
description: "For critical production inference services."

apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: low-priority-exp
value: 1000
globalDefault: false
description: "For experimental jobs that can be preempted."

Assign to Pods:

apiVersion: v1
kind: Pod
metadata:
  name: inference-pod
spec:
  containers:
  - name: server
    image: my-model-server
  priorityClassName: high-priority-prod # Assign high priority

This ensures your most important workloads remain available, even under heavy cluster load, by sacrificing less important, and likely less expensive, jobs.

Advanced Governance with Policy as Code

For the most fine-grained and customizable control, you can use a dedicated policy engine like Open Policy Agent (OPA) Gatekeeper or Kyverno. These tools integrate with the Kubernetes API server as admission controllers, allowing you to validate, mutate, or block any resource creation or update request based on custom logic written as code.

This approach allows you to enforce organizational conventions that are not covered by native Kubernetes objects.

Example Policies with OPA Gatekeeper:

Enforce Cost-Attribution Labels: A policy can reject any Pod or Deployment that is missing a cost-center label. This makes cost attribution non-negotiable.
Restrict StorageClass Usage: A policy could prevent the use of a high-performance io2 Block Store StorageClass unless the pod also has a tier: production label.
Limit Public Container Registries: You could enforce a policy that all container images must be pulled from your organization's private, scanned registry, enhancing security and governance.

The diagram below illustrates how an admission controller intercepts a request.

The admission control workflow. A user's request is intercepted by the policy engine before being persisted in the cluster's state store, etcd.

This "policy-as-code" approach is powerful because the policies themselves can be stored in Git, versioned, and rolled out through CI/CD pipelines, just like any other piece of critical infrastructure code.

Balancing Agility and Control

Effective governance is not about building an inescapable cage of rules. Overly restrictive policies can frustrate developers and slow down innovation. The objective is to establish guardrails that make the "right" (i.e., most cost-effective and compliant) way of doing things the easiest way.

This requires:

Clear Communication: Teams must understand why policies exist and how to work within them. Documentation and training are essential.
Well-Defined Exception Processes: There will always be valid reasons to bypass a policy. Having a clear, time-bound process for requesting exceptions is important.
Feedback Loops: Use audit logs from your policy engine to identify which policies are being frequently violated. This may indicate that the policy is too restrictive or that teams need better tools or training.

By combining cloud-native controls, Kubernetes objects, and policy-as-code engines, you can construct a comprehensive governance framework. This framework transforms financial accountability from a reactive, manual process into a proactive, automated system that is built into the very fabric of your AI platform.

Was this section helpful?

References

Resource Quotas, Kubernetes Authors, 2024 - Official Kubernetes documentation explaining how to manage aggregate resource consumption within namespaces.
Limit Ranges, Kubernetes Authors, 2024 (The Linux Foundation) - Official Kubernetes documentation detailing controls for resource allocation for individual pods and containers.
Pod Priority and Preemption, Kubernetes Authors, 2025 (The Linux Foundation) - Official Kubernetes documentation describing pod prioritization and preemption mechanisms for managing workload importance.
Open Policy Agent Gatekeeper Documentation, Open Policy Agent Community, 2024 (Cloud Native Computing Foundation (CNCF)) - Official documentation for Open Policy Agent Gatekeeper, covering custom policy enforcement in Kubernetes clusters via admission controllers.
Service Control Policies (SCPs), Amazon Web Services (AWS), 2024 - Official AWS documentation on Service Control Policies, which are used for centralized, high-level permission management across AWS accounts.