Today, while working on a personal kubernetes project, I came across Lens - The Kubernetes IDE and was impressed by a couple of its features:
- Built-In Prometheus monitoring setup with RBAC maintained for each user so users will see only the permitted resources visualizations
- Built-In terminal which will ensure that it matches the Kube APIServer version with the version of kubectl.
I felt daily administration and interaction with the EKS cluster can really be simplified with these 2 features. I decided to onboard one of my AWS EKS clusters on it but I was not able to find any documentation for Lens with AWS EKS. Although it only requires a kubeconfig - whether you paste it or upload it, the outcome is that it will connect to your cluster and authenticate with it to load all the objects into the Lens. Therefore, I decided to document the steps to make it easier for Lens users.
For AWS EKS, Lens can be treated as just another client which requires kubectl access. You will need to download the kubeconfig file and save it in ~/.kube folder so lens can read the file and then contact the Kube-ApiServer and aws-auth get the access to the EKS cluster. The process is well documented in AWS under Cluster Authentication section along with the steps and they work fine for both Windows and Linux. Even though I just tried Lens for Windows but I have authenticated kubectl client running on Linux servers numerous time to say confidently that it should work.
I will describe the steps performed below even though they are documented to ensure you do not have to move between different documentation pages:
1. Install aws-iam-authenticator on Windows using chocolatey
Install command:
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
If there are no errors on the above command, run the below command to show the chocolatey version which means its correctly installed:
choco
- Install aws-iam-authenticator using chocolatey
Open a PowerShell terminal window and install the aws-iam-authenticator package with the following command:
choco install -y aws-iam-authenticator
Test that the aws-iam-authenticator works:
aws-iam-authenticator help
2. Ensure AWS CLI is installed
If not, then browse through this documentation. Once it is installed, please add the installation directory to your PATH environment variable using this link as Lens will throw an error otherwise.
3. Configure the AWS CLI with the desired role or user
Use aws configure command as shown in this documentation. Please ensure that the user or role has the permissions to use the eks:DescribeCluster API action otherwise you will not be able to update the kubeconfig file using AWS CLI in the next step.
4. Create Kubeconfig file for AWS EKS
The steps are taken from official AWS Documentation which I have tested successfully
- Confirm that you are using the correct role or user:
aws sts get-caller-identity
- Generate the kubeconfig file automatically
aws eks --region region-code update-kubeconfig --name cluster_name
Note: replace the following with your desired values:
region-code = Region where EKS cluster is located such as ap-southeast-1
cluster_name = Name of the cluster in that region
The kubeconfig should be located under C:\Users<YOUR-WIN-USER>.kube\config. Please replace the path "C:\Users" with the that of the current logged in user to get to the .kube folder
5. Upload the kubeconfig file in Lens
Click on + button on the top left corner which will give you an option to upload kubeconfig or paste it manually. Once you have selected the kubeconfig file, it will ask you to select the context, select the required context and then click on button at the bottom "Add cluster(s)" which will then start the authentication and add the objects into lens for your consumption.
The above steps should get you to onboard your EKS cluster into lens but please note, the steps will be different if you are not using AWS EKS. I hope this will help everyone using AWS EKS.
Top comments (2)
Hi @himwad05 can you list the permissions needed to use Lens on an AWS account? I can use kubectl on a single cluster and in a single namespace, but I can not list all namespaces / clusters. So I guess I need more permissions. What does Lens need?
kubectl get ns
Error from server (Forbidden): namespaces is forbidden: User "-----" cannot list resource "namespaces" in API group "" at the cluster scope
Thanks brother, I have another problem, because I connect through an ssh tunnel and make a proxy with socks5, how do I connect in this way. try configuring direct proxy in kubeconfig:
proxy-url: socks5://localhost:8443And from the lens interface but in neither case was it satisfactory.