Artifacts

The complete Kubernetes agent setup uses Helm charts for deployment, ensuring consistent and reproducible installations across environments.

To set up the agent in your cluster, there are three key parts:

Deployer – A one-time job that installs all required components.
Agent – A continuously running service consisting of Exporter, Prometheus and OpenCost.
Updater - Maintain and patches the agent as and when new updates are available.

Everything listed here is accessible so you can review, audit, and verify what’s being installed in your environment.

To download container images hosted on Amazon ECR Public, run the following command to authenticate your Docker client:

aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/w7k6q5m9

1. OneLens Deployer (job)

The OneLens Deployer is a one-time Kubernetes job designed to onboard your EKS cluster seamlessly. Deployed using a Helm chart, it sets up all necessary OneLens agent components on your cluster.

Deployment: One-time Kubernetes job deployed via Helm.
Function: Installs the full OneLens agent stack on the EKS cluster.

Permissions: Temporarily adopts the following RBAC permissions to deploy required resources. These permissions grant cluster-wide, unrestricted access across all API groups, resources, and actions. This is necessary because the job handles setup tasks that may span multiple namespaces, involve multiple resource types (e.g., ConfigMaps, Secrets, CRDs), and require administrative-level control.

# Bootstrap permissions (TEMPORARY - auto-deleted after installation)
rules:
  # Namespace creation
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create"]
  # StorageClass creation
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["create"]
  # ClusterRole creation
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["create"]
  # ClusterRoleBinding creation
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings"]
    verbs: ["create"]

Lifecycle: No OneLens resource will have these RBAC permissions after onboarding the agent.
Cleanup Post-Onboarding: Once onboarding is complete, the onelensdeployer job automatically deletes itself. You can verify this behavior by referring to the final line of the installation script.
- Installation Script
Source Code
- Repository: GitHub Link
Full Package
- Helm Chart: Package Link

Container Image

ECR Public Image:

public.ecr.aws/w7k6q5m9/onelens-deployer

2. OneLens Agent

The OneLens Agent is a set of components deployed on your Kubernetes cluster to collect cost and usage metrics.

Source Code
- OneLens Exporter
  - Kind : Cronjob
  - Hourly job that collects cost and usage metrics from Prometheus and uploads them to S3.
  - Repository: GitHub Link
- Prometheus
  - Kind: Deployment
  - Uses the open-source Prometheus for metrics collection.
  - Repository: GitHub Link
- OpenCost
  - Kind: Deployment
  - Uses the open-source OpenCost for Kubernetes cost visibility.
  - Repository: Github Link

Permissions: Access is limited to workload metadata (Pods, Deployments, Nodes, HPAs) required for cost attribution and optimization recommendations. The agent has no access to sensitive data such as Secrets, ConfigMaps, or application payloads

rules:
# Core API resources
- apiGroups: [""]
  resources: ["nodes", "pods", "namespaces"]
  verbs: ["get", "list"]

# Apps API resources
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets"]
  verbs: ["get", "list"]

# Batch API resources
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list"]

# Autoscaling API resources
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list"]

# Allow API discovery for DynamicClient
- nonResourceURLs: ["/api", "/api/*", "/apis", "/apis/*"]

Full Package
- Helm Chart: Package Link
Container Image
- ECR Public Image:
  public.ecr.aws/w7k6q5m9/onelens-agent

3. OneLens Updater

The OneLens Updater is responsible for daily maintenance and patching of the OneLens agent. It runs automatically every day at 2:00 AM UTC.

Deployment: Deployed during initial onboarding as a Cronjob.
Function: Checks patches. looks for user's approval and applies them to the OneLens agent.

Permissions: Uses RBAC permissions to read resource states, verify configurations, and apply patches.

rules:
  # Full control ONLY within onelens-agent namespace
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
    # Scoped to onelens-agent namespace only via RoleBinding

  # Manage ONLY OneLens-owned cluster resources (restricted by resourceNames)
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["*"]
    resourceNames: ["onelens-sc"]

  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings"]
    verbs: ["*"]
    resourceNames:
      - onelens-agent-workload-reader
      - onelens-agent-workload-reader-binding
      - onelens-agent-prometheus-server
      - onelens-agent-kube-state-metrics

  # Cluster-wide READ-ONLY for monitoring
  - apiGroups: [""]
    resources: ["nodes", "pods", "services", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets"]
    verbs: ["get", "list", "watch"]

Lifecycle: Remains active post-onboarding to support automated daily updates.

PreviousOnboarding a K8s Cluster NextEnable Split Cost Allocation for EKS

Last updated 5 days ago

hashtag1. OneLens Deployer (job)

hashtag2. OneLens Agent

hashtag3. OneLens Updater

1. OneLens Deployer (job)

2. OneLens Agent

3. OneLens Updater