KEDA Command
Design, debug, and review KEDA (Kubernetes Event-Driven Autoscaling) ScaledObject and ScaledJob resources.
Mode: generate
Write a production-ready ScaledObject or ScaledJob from a description.
Steps:
- Identify: target workload kind (Deployment / StatefulSet / Job), trigger type, and whether scale-to-zero is acceptable
- Choose the right resource kind:
- Long-running service →
ScaledObject - Batch processing per message →
ScaledJob
- Long-running service →
- Generate with:
apiVersion: keda.sh/v1alpha1scaleTargetRef.namematching the exact Deployment/StatefulSet/Job nameminReplicaCount: 0only if the service can tolerate cold-start latency; otherwiseminReplicaCount: 1
Scale-to-zero warning: Setting
minReplicaCount: 0means the Deployment will have 0 replicas when the queue/metric is empty. Cold-start latency applies — confirm this is acceptable before enabling.
pollingIntervalandcooldownPeriodsized to the workload pattern (see table inreferences/keda.md)- Trigger-specific
metadatawithactivationThreshold/activationQueueLengthset to avoid flapping on sparse events authenticationRefpointing to aTriggerAuthentication— never inline credentials in the ScaledObject- For AWS: prefer IRSA (
podIdentity.provider: aws) over static key/secret pairs
- Generate the companion
TriggerAuthenticationorClusterTriggerAuthentication - Show validation command:
kubectl describe scaledobject <name> -n <ns>and the expectedActive: truecondition
Mode: debug
Diagnose why a ScaledObject or ScaledJob is not scaling as expected.
Steps:
- Collect:
kubectl get scaledobject -n <namespace>kubectl describe scaledobject <name> -n <namespace>kubectl get hpa -n <namespace>kubectl describe hpa keda-hpa-<scaledobject-name> -n <namespace>kubectl logs -n keda -l app.kubernetes.io/name=keda-operator --tail=100kubectl logs -n keda -l app.kubernetes.io/name=keda-operator-metrics-apiserver --tail=100
- Check the ScaledObject
Conditionsblock:Active: false→ scaler is not detecting events (check trigger config and auth)Ready: false→ KEDA cannot reach the target deployment (checkscaleTargetRef.name)Fallback: true→ metric fetch is failing; KEDA is using fallback replicas
- Check HPA for
<unknown>targets — indicates metrics adapter cannot reach the external source - Work through this checklist in order:
- External source reachable from the KEDA namespace?
- TriggerAuthentication secret exists and has correct keys?
activationThresholdtoo high for current event volume?minReplicaCountpreventing scale-to-zero?- Conflicting HPA on the same Deployment?
cooldownPeriodnot yet elapsed?
- State the most likely root cause with the exact field or resource to fix
- Show the corrected spec section and the command to verify it
If you need deeper context on KEDA troubleshooting, scaling lifecycle, or scaler-specific behaviour, load references/keda.md.
Mode: review
Review an existing ScaledObject or ScaledJob for correctness, security, and operational safety.
Review in this priority order:
Correctness
- Does
scaleTargetRef.namematch an existing Deployment/StatefulSet? - Are
minReplicaCountandmaxReplicaCountconsistent with the workload SLA? - Is
pollingIntervalappropriate for the trigger type (SQS charges per API call)? - Does the trigger
metadatause the right field names for this scaler version?
Security
- Are credentials stored in TriggerAuthentication, not inlined in ScaledObject?
- Is IRSA / Workload Identity used instead of static access keys?
- Is TriggerAuthentication namespace-scoped unless cluster-wide sharing is justified?
- Does the IAM policy grant only the minimum permissions needed (read queue depth, not consume)?
Operational safety
- Is
minReplicaCount: 0justified? What is the cold-start latency? - Is
cooldownPeriodlong enough to prevent thrashing? - Is
advanced.restoreToOriginalReplicaCount: trueset if the ScaledObject may be deleted? - Are
activationThreshold/activationQueueLengthset to prevent premature activation on sparse events? - Is HPA
scaleDown.stabilizationWindowSecondsconfigured for latency-sensitive services?
GitOps safety
- Does the Flux/Argo Kustomization depend on KEDA CRDs being installed first?
- Is the TriggerAuthentication Secret rendered by External Secrets Operator (not committed to Git)?
Separate findings into:
- Critical — must fix before deploying (missing auth, wrong target, wildcard IAM permissions)
- Improvement — should fix (tune cooldownPeriod, add activationThreshold)
- Note — informational (consider IRSA, document cold-start expectations)
Mode: scale
Design the scaling strategy for a workload from requirements.
Steps:
- Ask for (or infer from context):
- Workload type: background job or synchronous service?
- Event source: queue service, stream, metrics, time-based, HTTP?
- Expected event volume range (min/max per minute)
- Acceptable cold-start latency (drives min replicas decision)
- Cloud provider (for auth pattern: IRSA vs Workload Identity vs static)
- Apply the KEDA vs HPA decision matrix from
references/keda.md - Recommend the trigger type(s) and explain why
- Size
pollingInterval,cooldownPeriod, andminReplicaCountbased on the workload pattern - Recommend the authentication pattern (IRSA preferred on AWS, no static credentials)
- If multiple triggers are needed (e.g., queue depth + cron business hours), explain the OR-max semantics
- Output the complete ScaledObject, TriggerAuthentication, and IAM policy skeleton
Rollback: kubectl delete scaledobject <name> -n <namespace> removes KEDA control. Replica behavior on deletion depends on configuration:
advanced.restoreToOriginalReplicaCount: true(explicit) → restores the pre-KEDA replica count- Default (not set) → leaves replicas at the last scaled value, which may be 0 if scale-to-zero was active
Verify: kubectl get deployment <name> -n <namespace> -o jsonpath='{.spec.replicas}' — if replicas are 0, manually scale up: kubectl scale deployment <name> -n <namespace> --replicas=<desired>.