Artifacts


Last updated 1 month ago

The complete Kubernetes agent setup uses Helm charts for deployment, ensuring consistent and reproducible installations across environments.

To set up the agent in your cluster, there are three key parts:

  1. Deployer – A one-time job that installs all required components.

  2. Agent – A continuously running service consisting of Exporter, Prometheus and OpenCost.

  3. Updater – Maintains and patches the agent as new updates become available.

Everything listed here is accessible so you can review, audit, and verify what’s being installed in your environment.

To download container images hosted on Amazon ECR Public, run the following command to authenticate your Docker client:

aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/w7k6q5m9

1. OneLens Deployer

The OneLens Deployer is a one-time Kubernetes job designed to onboard your EKS cluster seamlessly. Deployed using a Helm chart, it sets up all necessary OneLens agent components on your cluster.

  • Deployment: One-time Kubernetes job deployed via Helm.

  • Function: Installs the full OneLens agent stack on the EKS cluster.

  • Permissions: Temporarily adopts the following RBAC permissions to deploy required resources. These permissions grant cluster-wide, unrestricted access across all API groups, resources, and actions. This is necessary because the job handles setup tasks that may span multiple namespaces, involve multiple resource types (e.g., ConfigMaps, Secrets, CRDs), and require administrative-level control.

    rules:
      - apiGroups: ["*"]
        resources: ["*"]
        verbs: ["*"]

  • Lifecycle: No OneLens resource will have these RBAC permissions after onboarding the agent.

  • Cleanup Post-Onboarding: Once onboarding is complete, the onelensdeployer job automatically deletes itself. You can verify this behavior by referring to the final line of the installation script.

  • Source Code

    • Repository:

  • Full Package

    • Helm Chart:

  • Container Image

    • ECR Public Image:

      public.ecr.aws/w7k6q5m9/onelens-deployer
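
One way to check the lifecycle statement above once onboarding has finished, as an added example that is not part of OneLens's own code: it walks a `kubectl get clusterroles,clusterrolebindings -o json` list and reports any ServiceAccount in the agent namespace that is still bound to a full-wildcard ClusterRole. The namespace `onelens-agent`, all object names and the sample data are assumptions constructed for illustration.

```python
def is_wildcard(rule):
    """True when a rule has '*' in apiGroups, resources and verbs (full access)."""
    return all("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))

def wildcard_bindings(kube_list, namespace):
    """List (binding, role, serviceaccount) where a ClusterRoleBinding gives a
    ServiceAccount in `namespace` a ClusterRole that holds a full-wildcard rule."""
    items = kube_list.get("items", [])
    wild = {i["metadata"]["name"] for i in items
            if i["kind"] == "ClusterRole"
            and any(is_wildcard(r) for r in i.get("rules") or [])}
    found = []
    for i in items:
        if i["kind"] != "ClusterRoleBinding" or i["roleRef"]["name"] not in wild:
            continue
        for s in i.get("subjects") or []:
            if s["kind"] == "ServiceAccount" and s.get("namespace") == namespace:
                found.append((i["metadata"]["name"], i["roleRef"]["name"], s["name"]))
    return found

def _role(name, rules):
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": rules}

def _binding(name, role, subjects):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": subjects}

ALL = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
# Constructed sample: every object name and the namespace are hypothetical.
DURING_ONBOARDING = {"kind": "List", "items": [
    _role("cluster-admin", ALL),
    _role("onelensdeployer-role", ALL),
    _role("onelensupdater-role", [{"apiGroups": [""], "resources": ["namespaces"],
                                   "verbs": ["get", "list", "watch", "patch", "update"]}]),
    _binding("cluster-admin", "cluster-admin", [{"kind": "Group", "name": "system:masters"}]),
    _binding("onelensdeployer-binding", "onelensdeployer-role",
             [{"kind": "ServiceAccount", "name": "onelensdeployer-sa", "namespace": "onelens-agent"}]),
    _binding("onelensupdater-binding", "onelensupdater-role",
             [{"kind": "ServiceAccount", "name": "onelensupdater-sa", "namespace": "onelens-agent"}]),
]}
AFTER_ONBOARDING = {"kind": "List", "items": [
    i for i in DURING_ONBOARDING["items"] if "deployer" not in i["metadata"]["name"]]}

if __name__ == "__main__":
    print(wildcard_bindings(DURING_ONBOARDING, "onelens-agent"))  # deployer binding reported
    print(wildcard_bindings(AFTER_ONBOARDING, "onelens-agent"))   # nothing left to report
```

Against a live cluster, pass the parsed JSON from `kubectl` instead of the sample; an empty result after onboarding is the expected state.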

2. OneLens Agent

The OneLens Agent is a set of components deployed on your Kubernetes cluster to collect cost and usage metrics.

  • Source Code

    • OneLens Exporter

      • Hourly job that collects cost and usage metrics from Prometheus and uploads them to S3.

    • Prometheus

      • Uses the open-source Prometheus for metrics collection.

    • OpenCost

      • Uses the open-source OpenCost for Kubernetes cost visibility.

  • Full Package

  • Container Image

    • ECR Public Image:

      public.ecr.aws/w7k6q5m9/onelens-agent

3. OneLens Updater

The OneLens Updater is responsible for daily maintenance and patching of the OneLens agent. It runs automatically every day at 2:00 AM UTC.

  • Deployment: Deployed during initial onboarding.

  • Function: Checks for patches, looks for the user's approval, and applies them to the OneLens agent.

  • Permissions: Uses RBAC permissions to read resource states, verify configurations, and apply patches.

    rules:
      # Read access needed to inspect current deployments and resources
      - apiGroups: ["", "apps", "autoscaling", "batch", "extensions", "policy", "rbac.authorization.k8s.io", "networking.k8s.io"]
        resources: ["deployments", "replicasets", "pods", "services", "configmaps", "secrets", "persistentvolumeclaims", "statefulsets", "horizontalpodautoscalers", "ingresses", "networkpolicies", "roles", "rolebindings", "serviceaccounts", "daemonsets", "jobs", "cronjobs"]
        verbs: ["get", "list", "watch", "patch", "update"]
    
      # Write access to perform patching and upgrades
      - apiGroups: ["", "apps", "autoscaling", "batch", "extensions", "policy", "rbac.authorization.k8s.io", "networking.k8s.io"]
        resources: ["deployments", "replicasets", "pods", "services", "configmaps", "secrets", "persistentvolumeclaims", "statefulsets", "horizontalpodautoscalers", "ingresses", "networkpolicies", "roles", "rolebindings", "serviceaccounts", "daemonsets", "jobs", "cronjobs"]
        verbs: ["create", "get", "list", "patch", "update", "watch"]
    
      # Namespace discovery
      - apiGroups: [""]
        resources: ["namespaces"]
        verbs: ["get", "list", "watch", "patch", "update"]
    
      # Read access to RBAC resources
      - apiGroups: ["rbac.authorization.k8s.io"]
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
        verbs: ["get", "list", "watch", "patch", "update"]
    
      # Read access to limitranges
      - apiGroups: [""]
        resources: ["limitranges"]
        verbs: ["list", "watch", "patch", "update"]
    
      # Read access to nodes
      - apiGroups: [""]
        resources: ["nodes"]
        verbs: ["list", "watch", "patch", "update"]
    
      # Read access to persistentvolumes
      - apiGroups: [""]
        resources: ["persistentvolumes"]
        verbs: ["list", "watch", "patch", "update"]
    
      # Read access to resourcequotas
      - apiGroups: [""]
        resources: ["resourcequotas"]
        verbs: ["list", "watch", "patch", "update"]
    
      # Read access to StorageClasses
      - apiGroups: ["storage.k8s.io"]
        resources: ["storageclasses"]
        verbs: ["get", "list", "watch", "patch", "update"]
     
  • Lifecycle: Remains active post-onboarding to support automated daily updates.
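
To review what the Updater role can change rather than what each rule's comment says (several rules commented as read access above also list `patch` and `update`), the following added example, which is not OneLens code, evaluates rules with RBAC's matching semantics and reports the mutating verbs granted on chosen resources. The rule list is a trimmed excerpt of the rules shown above, and the target list is an assumption; `resourceNames` restrictions are not modelled because the page's rules use none.

```python
MUTATING = ("create", "delete", "deletecollection", "patch", "update")

def allows(rule, group, resource, verb):
    """RBAC match for a single rule; '*' in a field matches any value."""
    def hit(field, value):
        values = rule.get(field, [])
        return "*" in values or value in values
    return hit("apiGroups", group) and hit("resources", resource) and hit("verbs", verb)

def write_access(rules, targets):
    """Map each (apiGroup, resource) target to the mutating verbs any rule grants.
    Targets with no mutating verb are left out of the report."""
    report = {}
    for group, resource in targets:
        verbs = [v for v in MUTATING
                 if any(allows(r, group, resource, v) for r in rules)]
        if verbs:
            report[(group, resource)] = verbs
    return report

# Trimmed excerpt of the Updater rules on this page (group/resource lists shortened).
UPDATER_EXCERPT = [
    {"apiGroups": ["", "apps"],
     "resources": ["deployments", "configmaps", "secrets"],
     "verbs": ["create", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings", "roles", "rolebindings"],
     "verbs": ["get", "list", "watch", "patch", "update"]},
    {"apiGroups": [""], "resources": ["nodes"],
     "verbs": ["list", "watch", "patch", "update"]},
]
# The Deployer's temporary rule, for comparison.
DEPLOYER = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# Resources a reviewer may care about (assumed list, adjust to your policy).
TARGETS = [("", "secrets"),
           ("rbac.authorization.k8s.io", "clusterrolebindings"),
           ("", "nodes"),
           ("", "pods/exec")]

if __name__ == "__main__":
    for target, verbs in write_access(UPDATER_EXCERPT, TARGETS).items():
        print(target, verbs)
```

Run it on the full rule list from `kubectl get clusterrole <name> -o json` to cover every resource the role names.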
