Artifacts

The complete Kubernetes agent setup uses Helm charts for deployment, ensuring consistent and reproducible installations across environments.

To set up the agent in your cluster, there are three key parts:

  1. Deployer – A one-time job that installs all required components.

  2. Agent – A continuously running service consisting of Exporter, Prometheus and OpenCost.

  3. Updater - Maintain and patches the agent as and when new updates are available.

Everything listed here is accessible so you can review, audit, and verify what’s being installed in your environment.

To download container images hosted on Amazon ECR Public, run the following command to authenticate your Docker client:

aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/w7k6q5m9

1. OneLens Deployer

The OneLens Deployer is a one-time Kubernetes job designed to onboard your EKS cluster seamlessly. Deployed using a Helm chart, it sets up all necessary OneLens agent components on your cluster.

  • Deployment: One-time Kubernetes job deployed via Helm.

  • Function: Installs the full OneLens agent stack on the EKS cluster.

  • Permissions: Temporarily adopts the following RBAC permissions to deploy required resources. These permissions grant cluster-wide, unrestricted access across all API groups, resources, and actions. This is necessary because the job handles setup tasks that may span multiple namespaces, involve multiple resource types (e.g., ConfigMaps, Secrets, CRDs), and require administrative-level control.

    • rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

  • Lifecycle: No OneLens resource will have these RBAC permissions after onboarding the agent.

  • Cleanup Post-Onboarding: Once onboarding is complete, the onelensdeployer job automatically deletes itself. You can verify this behavior by referring to the final line of the installation script.

  • Source Code

  • Full Package

  • Container Image

    • ECR Public Image: 

      public.ecr.aws/w7k6q5m9/onelens-deployer

2. OneLens Agent

The OneLens Agent is a set of components deployed on your Kubernetes cluster to collect cost and usage metrics.

  • Source Code

    • OneLens Exporter

      • Hourly job that collects cost and usage metrics from Prometheus and uploads them to S3.

      • Repository: GitHub Link

    • Prometheus

      • Uses the open-source Prometheus for metrics collection.

      • Repository: GitHub Link

    • OpenCost

      • Uses the open-source OpenCost for Kubernetes cost visibility.

      • Repository: Github Link

  • Full Package

  • Container Image

    • ECR Public Image: 

      public.ecr.aws/w7k6q5m9/onelens-agent

3. OneLens Updater

The OneLens Updater is responsible for daily maintenance and patching of the OneLens agent. It runs automatically every day at 2:00 AM UTC.

  • Deployment: Deployed during initial onboarding.

  • Function: Checks patches. looks for user's approval and applies them to the OneLens agent.

  • Permissions: Uses RBAC permissions to read resource states, verify configurations, and apply patches.

    rules:
  # Read access needed to inspect current deployments and resources
  - apiGroups: ["", "apps", "autoscaling", "batch", "extensions", "policy", "rbac.authorization.k8s.io", "networking.k8s.io"]
    resources: ["deployments", "replicasets", "pods", "services", "configmaps", "secrets", "persistentvolumeclaims", "statefulsets", "horizontalpodautoscalers", "ingresses", "networkpolicies", "roles", "rolebindings", "serviceaccounts", "daemonsets", "jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "patch", "update"]

  # Write access to perform patching and upgrades
  - apiGroups: ["", "apps", "autoscaling", "batch", "extensions", "policy", "rbac.authorization.k8s.io", "networking.k8s.io"]
    resources: ["deployments", "replicasets", "pods", "services", "configmaps", "secrets", "persistentvolumeclaims", "statefulsets", "horizontalpodautoscalers", "ingresses", "networkpolicies", "roles", "rolebindings", "serviceaccounts", "daemonsets", "jobs", "cronjobs"]
    verbs: ["create", "get", "list", "patch", "update", "watch"]

  # Namespace discovery
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "patch", "update"]

  # Read access to RBAC resources
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
    verbs: ["get", "list", "watch", "patch", "update"]

  # Read access to limitranges
  - apiGroups: [""]
    resources: ["limitranges"]
    verbs: ["list", "watch", "patch", "update"]

  # Read access to nodes
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list", "watch", "patch", "update"]

  # Read access to persistentvolumes
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["list", "watch", "patch", "update"]

  # Read access to resourcequotas
  - apiGroups: [""]
    resources: ["resourcequotas"]
    verbs: ["list", "watch", "patch", "update"]

  # Read access to StorageClasses
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch", "patch", "update"]

  • Lifecycle: Remains active post-onboarding to support automated daily updates.

PreviousOnboarding a K8s ClusterNextEnable Split Cost Allocation for EKS

Last updated