# Artifacts

The complete Kubernetes agent setup uses **Helm charts** for deployment, ensuring consistent and reproducible installations across environments.

To set up the agent in your cluster, there are three key parts:

1. **Deployer** – A one-time job that installs all required components.
2. **Agent** – A continuously running service consisting of Exporter, Prometheus and OpenCost.
3. **Updater** – Maintains and patches the agent as new updates become available.

Everything listed here is accessible so you can review, audit, and verify what’s being installed in your environment.

{% hint style="success" %}
To download container images hosted on Amazon ECR Public, run the following command to authenticate your Docker client:

```bash
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/w7k6q5m9
```

{% endhint %}

{% hint style="info" %}

### 1. OneLens Deployer (job)

The OneLens Deployer is a one-time Kubernetes job designed to onboard your EKS/AKS cluster seamlessly. Deployed using a Helm chart, it sets up all necessary OneLens agent components on your cluster.

* **Deployment:** One-time Kubernetes **job** deployed via Helm.
* **Function:** Installs the full OneLens agent stack on the EKS/AKS cluster.
* **Permissions:** Temporarily adopts the following RBAC permissions to deploy required resources. These permissions grant cluster-wide, unrestricted access across all API groups, resources, and actions. This is necessary because the job handles setup tasks that may span multiple namespaces, involve multiple resource types (e.g., ConfigMaps, Secrets, CRDs), and require administrative-level control.
  * ```yaml
    # Bootstrap permissions (TEMPORARY - auto-deleted after installation)
    rules:
      # Namespace creation
      - apiGroups: [""]
        resources: ["namespaces"]
        verbs: ["create"]
      # StorageClass creation
      - apiGroups: ["storage.k8s.io"]
        resources: ["storageclasses"]
        verbs: ["create"]
      # ClusterRole creation
      - apiGroups: ["rbac.authorization.k8s.io"]
        resources: ["clusterroles"]
        verbs: ["create"]
      # ClusterRoleBinding creation
      - apiGroups: ["rbac.authorization.k8s.io"]
        resources: ["clusterrolebindings"]
        verbs: ["create"]
    ```
* **Lifecycle:** No OneLens resource will have these RBAC permissions after onboarding the agent.
* **Cleanup Post-Onboarding**: Once onboarding is complete, the `onelensdeployer` job **automatically deletes itself**. You can verify this behavior by referring to the final line of the installation script.
  * [Installation Script](https://github.com/astuto-ai/onelens-installation-scripts/blob/master/install.sh)
* **Source Code**
  * Repository: [GitHub Link](https://github.com/astuto-ai/onelens-installation-scripts/tree/master/charts/onelensdeployer)
* **Full Package**
  * Helm Chart: [Package Link](https://github.com/astuto-ai/onelens-installation-scripts/blob/master/onelensdeployer-0.1.0.tgz)
* **Container Image**
  * ECR Public Image:

    ```
    public.ecr.aws/w7k6q5m9/onelens-deployer
    ```

{% endhint %}

{% hint style="info" %}

### 2. OneLens Agent

The OneLens Agent is a set of components deployed on your Kubernetes cluster to collect cost and usage metrics.

* **Source Code**
  * **OneLens Exporter**
    * Kind: CronJob
    * Hourly job that collects cost and usage metrics from Prometheus and uploads them to S3/GCS.
    * Repository: [GitHub Link](https://github.com/astuto-ai/onelens-installation-scripts/tree/master/charts/onelens-agent)
  * **Prometheus**
    * Kind: Deployment
    * Uses the **open-source Prometheus** for metrics collection.
    * Repository: [GitHub Link](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack)
  * **OpenCost**
    * Kind: Deployment
    * Uses the **open-source OpenCost** for Kubernetes cost visibility.
    * Repository: [GitHub Link](https://github.com/opencost/opencost)
* **Permissions:** Access is limited to workload metadata (Pods, Deployments, Nodes, HPAs) required for cost attribution and optimization recommendations. The agent has no access to sensitive data such as Secrets, ConfigMaps, or application payloads.
  * ```yaml
    rules:
    # Core API resources
    - apiGroups: [""]
      resources: ["nodes", "pods", "namespaces"]
      verbs: ["get", "list"]

    # Apps API resources
    - apiGroups: ["apps"]
      resources: ["deployments", "daemonsets", "statefulsets"]
      verbs: ["get", "list"]

    # Batch API resources
    - apiGroups: ["batch"]
      resources: ["jobs", "cronjobs"]
      verbs: ["get", "list"]

    # Autoscaling API resources
    - apiGroups: ["autoscaling"]
      resources: ["horizontalpodautoscalers"]
      verbs: ["get", "list"]

    # Allow API discovery for DynamicClient
    - nonResourceURLs: ["/api", "/api/*", "/apis", "/apis/*"]

    ```
* **Full Package**
  * Helm Chart: [Package Link](https://github.com/astuto-ai/onelens-installation-scripts/blob/master/onelens-agent-0.1.1-beta.3.tgz)
* **Container Image**
  * ECR Public Image:

    ```
    public.ecr.aws/w7k6q5m9/onelens-agent
    ```

{% endhint %}

{% hint style="info" %}

### 3. OneLens Updater

The OneLens Updater is responsible for daily maintenance and patching of the OneLens agent. It runs automatically **every day at 2:00 AM UTC**.

* **Deployment:** Deployed during initial onboarding as a **CronJob**.
* **Function:** Checks for patches, looks for the user's approval, and **applies** them to the OneLens agent.
* **Permissions:** Uses **RBAC permissions** to read resource states, verify configurations, and apply patches.

  ```yaml
  rules:
    # Full control ONLY within onelens-agent namespace
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["*"]
      # Scoped to onelens-agent namespace only via RoleBinding

    # Manage ONLY OneLens-owned cluster resources (restricted by resourceNames)
    - apiGroups: ["storage.k8s.io"]
      resources: ["storageclasses"]
      verbs: ["*"]
      resourceNames: ["onelens-sc"]

    - apiGroups: ["rbac.authorization.k8s.io"]
      resources: ["clusterroles", "clusterrolebindings"]
      verbs: ["*"]
      resourceNames:
        - onelens-agent-workload-reader
        - onelens-agent-workload-reader-binding
        - onelens-agent-prometheus-server
        - onelens-agent-kube-state-metrics

    # Cluster-wide READ-ONLY for monitoring
    - apiGroups: [""]
      resources: ["nodes", "pods", "services", "namespaces"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["apps"]
      resources: ["deployments", "daemonsets", "statefulsets"]
      verbs: ["get", "list", "watch"]
  ```
* **Lifecycle:** Remains active post-onboarding to support automated daily updates.
  {% endhint %}
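
The permission statements in sections 2 and 3 can be checked mechanically. The script below is an added example, not OneLens code: it reimplements the Kubernetes RBAC rule match (wildcards and `resourceNames`) for resource requests and evaluates it over the rules listed on this page. Splitting the Updater rules into a namespaced set and a cluster-wide set is an assumption taken from the comments in that YAML.

```python
# Rules copied from this page. The agent's nonResourceURLs rule is left out
# because this matcher only covers resource requests.
AGENT_RULES = [
    {"apiGroups": [""], "resources": ["nodes", "pods", "namespaces"], "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["get", "list"]},
    {"apiGroups": ["autoscaling"], "resources": ["horizontalpodautoscalers"],
     "verbs": ["get", "list"]},
]
# Assumption: bound by a RoleBinding in the onelens-agent namespace only.
UPDATER_NAMESPACED = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
# Assumption: the remaining Updater rules are bound cluster-wide.
UPDATER_CLUSTER = [
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["*"],
     "resourceNames": ["onelens-sc"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings"], "verbs": ["*"],
     "resourceNames": ["onelens-agent-workload-reader",
                       "onelens-agent-workload-reader-binding",
                       "onelens-agent-prometheus-server",
                       "onelens-agent-kube-state-metrics"]},
    {"apiGroups": [""], "resources": ["nodes", "pods", "services", "namespaces"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets"],
     "verbs": ["get", "list", "watch"]},
]

def _has(values, wanted):  # a "*" entry matches anything, otherwise exact match
    return "*" in values or wanted in values

def allows(rules, verb, group, resource, name=""):
    """True if any rule grants `verb` on `group`/`resource` for object `name`."""
    for rule in rules:
        if not (_has(rule["verbs"], verb) and _has(rule["apiGroups"], group)
                and _has(rule["resources"], resource)):
            continue
        names = rule.get("resourceNames", [])
        # No resourceNames: every object matches. With resourceNames, only a
        # request carrying a listed name matches, so `create` (no name at
        # authorization time) is not granted by such a rule.
        if not names or name in names:
            return True
    return False

if __name__ == "__main__":
    print("agent get secrets:", allows(AGENT_RULES, "get", "", "secrets"))
    print("updater get secrets (namespace):", allows(UPDATER_NAMESPACED, "get", "", "secrets"))
    print("updater create storageclass:", allows(UPDATER_CLUSTER, "create", "storage.k8s.io", "storageclasses"))
```

On a live cluster, `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name>` answers the same questions against the roles actually installed.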

