Kubernetes is not just a container scheduler. It is the control plane around which an entire operational ecosystem has grown. Each tool that integrates with Kubernetes fills a specific gap — orchestration, observability, security, cost, machine learning, and beyond. This article breaks down 21 of the most important combinations and explains what problem each one actually solves.
Kubernetes + Docker → Container Orchestration
Docker packages your application and its dependencies into a portable, reproducible image. Kubernetes runs those images at scale. Docker answers what to run; Kubernetes answers where, when, and how many.
Without Kubernetes, Docker containers must be managed by hand across hosts — no self-healing, no load balancing, no declarative rollouts. Kubernetes adds scheduling, health checks, rolling updates, and automatic restarts. Together they form the foundation of modern cloud-native infrastructure.
Kubernetes + Helm → Package Management
Helm is the package manager for Kubernetes. Instead of maintaining dozens of raw YAML manifests for a single application, Helm bundles them into a chart — a versioned, parameterized template that can be installed, upgraded, and rolled back with a single command.
Teams use Helm to manage third-party software (databases, ingress controllers, monitoring stacks) and to standardize their own application deployments across environments. Values files let you override defaults per environment without forking the chart.
Kubernetes + Terraform → Infrastructure Provisioning
Terraform provisions the infrastructure that Kubernetes runs on — VPCs, subnets, IAM roles, managed Kubernetes clusters (EKS, GKE, AKS), node pools, and cloud load balancers. Kubernetes then manages the workloads on top of that infrastructure.
This combination enforces infrastructure as code end-to-end: the cloud layer is declared in HCL, the application layer is declared in YAML, and both are version-controlled. Terraform also manages the Kubernetes provider itself, so cluster creation and workload deployment can be part of the same pipeline.
Kubernetes + ArgoCD → GitOps
ArgoCD implements the GitOps model: your Git repository is the single source of truth for the desired state of your cluster. ArgoCD continuously monitors that repository and reconciles the live cluster state with what is declared in Git.
This removes the need for kubectl apply in CI pipelines. Deployments become pull-request-driven. Rollbacks are git revert. Drift detection is built in — if someone manually changes a resource, ArgoCD reports the mismatch and can automatically correct it.
Kubernetes + Prometheus → Monitoring
Prometheus scrapes metrics from Kubernetes nodes, pods, and application endpoints on a configurable interval and stores them in a time-series database. It evaluates alerting rules and fires alerts when thresholds are breached.
Kubernetes exposes rich telemetry out of the box — CPU, memory, restart counts, network throughput — and Prometheus collects it all. The combination provides full-stack visibility into cluster health and application behavior without requiring agents embedded in every container.
Kubernetes + Grafana → Visualization
Grafana connects to Prometheus (and other data sources) and turns raw metrics into dashboards, graphs, and heatmaps. Where Prometheus stores and queries data, Grafana presents it in a form humans can read quickly.
Pre-built dashboards exist for Kubernetes cluster health, node utilization, pod resource usage, and more. Teams also build custom dashboards for application-level SLOs and business metrics. Grafana Alerting can complement or replace Prometheus Alertmanager for notification routing.
Kubernetes + Fluentd → Log Aggregation
Fluentd runs as a DaemonSet on every Kubernetes node, collecting logs from all containers via the node’s log files. It parses, filters, and forwards those logs to a central backend — Elasticsearch, Loki, Splunk, or a cloud logging service.
Without a DaemonSet-based log collector, logs disappear when pods are deleted. Fluentd ensures every log line is captured and routed, enabling centralized search and long-term retention across a dynamic cluster.
Kubernetes + Istio → Service Mesh
Istio injects a sidecar proxy (Envoy) into every pod and intercepts all inbound and outbound traffic. This gives the mesh mutual TLS encryption between services, fine-grained traffic policies, retries, circuit breaking, and distributed tracing — without changing application code.
In a large Kubernetes cluster with many microservices, Istio enforces zero-trust networking and provides a single control plane for traffic management. It makes service-to-service communication observable, secure, and resilient by default.
Kubernetes + NGINX Ingress → Traffic Routing
An Ingress controller is the bridge between external traffic and Kubernetes services. NGINX Ingress Controller watches Ingress resources and configures an NGINX reverse proxy to route HTTP/HTTPS requests to the correct backend service based on hostname and path rules.
It handles TLS termination, rate limiting, authentication plugins, and URL rewrites. For most teams, NGINX Ingress is the first and simplest way to expose applications to the internet while keeping routing logic inside the cluster.
Kubernetes + KEDA → Auto & Event-Driven Scaling
The Horizontal Pod Autoscaler built into Kubernetes scales based on CPU and memory. KEDA (Kubernetes Event-Driven Autoscaling) extends this to scale on any external metric — queue depth in Kafka or RabbitMQ, message count in SQS, HTTP request rate, cron schedules, or custom metrics from Prometheus.
KEDA can also scale deployments down to zero when there is no work, which is critical for cost efficiency in batch workloads and event-driven architectures. It bridges the gap between traditional autoscaling and serverless-style workload management.
Kubernetes + Vault → Secrets Management
Kubernetes Secrets are base64-encoded, not encrypted by default, and anyone with cluster access can read them. HashiCorp Vault is a dedicated secrets store with fine-grained access policies, audit logging, dynamic secret generation, and automatic rotation.
The Vault Agent Injector or the Vault Secrets Operator injects secrets directly into pods at runtime, so applications never handle secret distribution themselves. Database credentials, API keys, and TLS certificates are fetched from Vault on demand and renewed automatically.
Kubernetes + OPA → Policy as Code
Open Policy Agent (OPA) and its Kubernetes-native integration Gatekeeper enforce admission policies across every resource created or modified in the cluster. Policies are written in Rego — a declarative language — and evaluated at admission time.
Teams use OPA to enforce rules like: all pods must have resource limits, images must come from approved registries, privileged containers are forbidden, and every deployment must have an owner label. Violations are rejected before they reach the cluster, shifting policy enforcement left.
Kubernetes + Kubecost → Cost Monitoring
Kubernetes makes it easy to run workloads but difficult to understand what they cost. Kubecost allocates cloud spend to Kubernetes namespaces, deployments, labels, and teams by correlating resource consumption with real billing data.
It identifies over-provisioned nodes, idle workloads wasting money, and namespaces exceeding their cost budget. For multi-tenant clusters, Kubecost provides showback and chargeback reports so each team sees the cost of what they deploy.
Kubernetes + Crossplane → Platform Engineering
Crossplane extends Kubernetes to manage external cloud resources — databases, buckets, queues, DNS records — using the same Kubernetes API and GitOps workflows. Infrastructure is defined as custom Kubernetes resources and reconciled by Crossplane providers.
Instead of one team writing Terraform and another team deploying Kubernetes, Crossplane unifies both under the Kubernetes control plane. Platform engineering teams publish composite resource definitions that abstract cloud complexity, letting application teams provision infrastructure via kubectl apply.
Kubernetes + Cilium → Network Security
Cilium is a CNI plugin that uses eBPF to enforce network policies at the kernel level. Unlike iptables-based solutions, Cilium operates without overhead at the packet path and can enforce policies based on Kubernetes identity — not just IP addresses.
It provides fine-grained L3/L4/L7 network policies, transparent encryption with WireGuard, observability via Hubble (a network flow visualization tool), and service mesh capabilities without sidecar proxies. In security-sensitive environments, Cilium enforces zero-trust networking with minimal performance impact.
Kubernetes + Kubeflow → ML Pipelines
Kubeflow is a machine learning platform built on Kubernetes that orchestrates the full ML lifecycle: data preprocessing, distributed training, hyperparameter tuning, and model serving. Each step runs as a Kubernetes workload, benefiting from automatic scaling and resource isolation.
Kubeflow Pipelines lets data scientists define multi-step workflows as code. Katib handles automated hyperparameter tuning. Training Operators manage distributed jobs across frameworks like TensorFlow, PyTorch, and MXNet. Kubernetes provides the elastic compute that ML workloads require.
Kubernetes + MLflow → Experiment Tracking
MLflow tracks machine learning experiments — parameters, metrics, artifacts, and model versions — across training runs. When training jobs run on Kubernetes, MLflow provides the audit trail that makes experiments reproducible and comparable.
Teams deploy MLflow’s tracking server as a Kubernetes workload backed by object storage and a database. Data scientists log experiments from any training job, compare runs in the UI, and promote winning models to the model registry. MLflow is the record-keeping layer for Kubernetes-based ML infrastructure.
Kubernetes + KServe → Model Serving
KServe (formerly KFServing) is a Kubernetes-native model inference server. It supports multiple ML frameworks — TensorFlow, PyTorch, scikit-learn, ONNX, Triton — through a unified API and handles canary deployments, autoscaling to zero, and explainability out of the box.
Instead of writing a custom serving container for every model, teams define an InferenceService resource and KServe handles the rest. It scales based on inference request traffic and integrates with Knative for serverless behavior, making it suitable for both high-throughput and bursty prediction workloads.
Kubernetes + Ollama → LLM Inference
Ollama is a lightweight runtime for running large language models locally or on-premises. Deployed on Kubernetes with GPU-equipped nodes, Ollama enables teams to self-host LLMs like Llama, Mistral, and Qwen without routing prompts to external APIs.
Kubernetes manages GPU resource allocation across pods, autoscaling based on inference queue depth (using KEDA), and rolling updates when new model versions are released. This combination gives teams full control over model data, latency, and cost while keeping the operational simplicity of a containerized workload.
Kubernetes + Envoy → Traffic Management (L7)
Envoy is a high-performance L7 proxy used by Istio, Contour, and other Kubernetes infrastructure as its data plane. When used directly, Envoy provides advanced HTTP/2 and gRPC traffic management, header-based routing, circuit breaking, retries, and detailed observability via its admin API and stats sink.
Teams deploy Envoy as a standalone Ingress or sidecar where they need granular control over traffic behavior that higher-level abstractions do not expose. Envoy’s xDS API allows dynamic configuration updates without restarts, making it suitable for high-change production environments.
Kubernetes + Inference Gateway → LLM Traffic Routing
The Kubernetes Inference Gateway (part of the Gateway API working group) provides a standardized, Kubernetes-native way to route traffic to LLM inference backends. It extends the Kubernetes Gateway API with inference-specific routing — model name-based routing, backend priority, load balancing across multiple inference servers, and failover.
As organizations run multiple models (Ollama, KServe, vLLM, TGI) on the same cluster, Inference Gateway acts as the unified entry point. Teams can expose a single /v1/chat/completions endpoint and route to the correct backend based on the requested model, enabling multi-model inference infrastructure without custom proxy logic.
Putting It Together
Each of these tools solves a specific problem that Kubernetes alone does not address. The art of Kubernetes platform engineering is choosing the right subset of this ecosystem for your scale, security requirements, and operational maturity — and composing them so the entire system is observable, automatable, and maintainable.
| Category | Tool Combination |
|---|---|
| Orchestration | Kubernetes + Docker |
| Package Management | Kubernetes + Helm |
| Infrastructure | Kubernetes + Terraform |
| GitOps | Kubernetes + ArgoCD |
| Monitoring | Kubernetes + Prometheus |
| Visualization | Kubernetes + Grafana |
| Logging | Kubernetes + Fluentd |
| Service Mesh | Kubernetes + Istio |
| Traffic Routing | Kubernetes + NGINX Ingress |
| Autoscaling | Kubernetes + KEDA |
| Secrets | Kubernetes + Vault |
| Policy | Kubernetes + OPA |
| Cost | Kubernetes + Kubecost |
| Platform Engineering | Kubernetes + Crossplane |
| Network Security | Kubernetes + Cilium |
| ML Pipelines | Kubernetes + Kubeflow |
| Experiment Tracking | Kubernetes + MLflow |
| Model Serving | Kubernetes + KServe |
| LLM Inference | Kubernetes + Ollama |
| L7 Proxy | Kubernetes + Envoy |
| LLM Routing | Kubernetes + Inference Gateway |