A pod with no CPU limit can consume every core on a 32-core node. It will pass your linter, pass your code review, and pass your CI pipeline. The first time you see it is on the cloud bill, three weeks after it deployed.

Admission controllers fix this at the source. OPA Gatekeeper and Kyverno sit inside the Kubernetes API server request path. They evaluate every create and update request against a set of policies before the object reaches etcd. A pod that violates a policy never gets scheduled. No compute consumed, no overspend, no post-incident cleanup.

The Pod That Ate Your Budget Passed Every Code Review

Cost problems in Kubernetes enter through three gaps: missing resource limits, missing cost allocation labels, and unpinned image tags. None of these trigger a compilation error. None fail a unit test. All three show up in your FinOps review. Missing CPU and memory limits are the most expensive gap.…
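As an added example that is not part of the article, here is one Kyverno ClusterPolicy that closes the three gaps named above at admission time; the policy name and the label keys `team` and `cost-center` are assumptions, and the match on `Pod` relies on Kyverno's auto-generated rules to cover Deployments and other pod controllers.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: finops-guardrails            # assumed policy name
spec:
  validationFailureAction: Enforce   # reject the request; Audit would only report it
  background: false                  # evaluate on create/update, not on existing objects
  rules:
    # Gap 1: every container must declare CPU and memory limits ("?*" = at least one character)
    - name: require-cpu-memory-limits
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Every container must set resources.limits.cpu and resources.limits.memory."
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    cpu: "?*"
                    memory: "?*"
    # Gap 2: every pod must carry the labels the cost-allocation report keys on (assumed keys)
    - name: require-cost-allocation-labels
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Pods must carry 'team' and 'cost-center' labels for cost allocation."
        pattern:
          metadata:
            labels:
              team: "?*"
              cost-center: "?*"
    # Gap 3: reject the floating ':latest' tag. Note the caveat: an untagged image (e.g. "nginx")
    # also resolves to latest at pull time but has no ':' to match; pair this with a "*:*" rule.
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Image tag ':latest' is not allowed; pin an explicit tag or digest."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
```

With `validationFailureAction: Enforce`, a pod missing any of these fields is rejected by the API server with the rule's message before it is ever persisted or scheduled.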