diff --git a/jsonnet/kube-prometheus/components/k8s-control-plane.libsonnet b/jsonnet/kube-prometheus/components/k8s-control-plane.libsonnet
index dbf3474bc1ec6502480240cf1eb8bca65957caea..475a3e5a266a7d5a0c7149032c12451fac285a1f 100644
--- a/jsonnet/kube-prometheus/components/k8s-control-plane.libsonnet
+++ b/jsonnet/kube-prometheus/components/k8s-control-plane.libsonnet
@@ -120,6 +120,23 @@ function(params) {
               regex: 'container_(network_tcp_usage_total|network_udp_usage_total|tasks_state|cpu_load_average_10s)',
               action: 'drop',
             },
+            // Drop cAdvisor metrics with no (pod, namespace) labels while preserving ability to monitor system services resource usage (cardinality estimation)
+            {
+              sourceLabels: ['__name__', 'pod', 'namespace'],
+              action: 'drop',
+              regex: '(' + std.join('|',
+                                    [
+                                      'container_fs_.*',  // add filesystem read/write data (nodes*disks*services*4)
+                                      'container_spec_.*',  // everything related to cgroup specification and thus static data (nodes*services*5)
+                                      'container_blkio_device_usage_total',  // useful for containers, but not for system services (nodes*disks*services*operations*2)
+                                      'container_file_descriptors',  // file descriptors limits and global numbers are exposed via (nodes*services)
+                                      'container_sockets',  // used sockets in cgroup. Usually not important for system services (nodes*services)
+                                      'container_threads_max',  // max number of threads in cgroup. Usually for system services it is not limited (nodes*services)
+                                      'container_threads',  // used threads in cgroup. Usually not important for system services (nodes*services)
+                                      'container_start_time_seconds',  // container start. Possibly not needed for system services (nodes*services)
+                                      'container_last_seen',  // not needed as system services are always running (nodes*services)
+                                    ]) + ');;',
+            },
           ],
         },
         {
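Review bot: The added drop entry only means "pod and namespace both empty" because the three source labels are joined with the default `;` separator, and nothing in the entry states that dependency. Adding `separator: ';',` next to `sourceLabels`, or a comment saying the trailing `;;` relies on the default, would keep the rule from silently matching nothing if a separator is ever added. The rule also removes the filesystem, file-descriptor, socket, thread and start-time series for every series without pod and namespace labels, which per the comment are the node's system services, so dashboards or alerts watching for unusual resource growth there would go quiet. The leading comment should name that trade-off, e.g. `// NOTE: non-pod (system service) cgroups lose fs/fd/socket/thread/start-time series; override this list if node-level anomaly alerting depends on them`. The comment on `'container_file_descriptors'` stops after "exposed via" without naming the source, and the enclosing list and `function(params)` begin outside this hunk.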
diff --git a/manifests/kubernetes-serviceMonitorKubelet.yaml b/manifests/kubernetes-serviceMonitorKubelet.yaml
index 9e3ec0d56c2b973fdefa71c4a9b1eaef63a8b85b..ea0502742e41ab2a90f84f7e9449668d01cbccac 100644
--- a/manifests/kubernetes-serviceMonitorKubelet.yaml
+++ b/manifests/kubernetes-serviceMonitorKubelet.yaml
@@ -60,6 +60,12 @@ spec:
       regex: container_(network_tcp_usage_total|network_udp_usage_total|tasks_state|cpu_load_average_10s)
       sourceLabels:
       - __name__
+    - action: drop
+      regex: (container_fs_.*|container_spec_.*|container_blkio_device_usage_total|container_file_descriptors|container_sockets|container_threads_max|container_threads|container_start_time_seconds|container_last_seen);;
+      sourceLabels:
+      - __name__
+      - pod
+      - namespace
     path: /metrics/cadvisor
     port: https-metrics
     relabelings: