Enabling external access to the Kubecost UI requires exposing access to port 9090 on the kubecost-cost-analyzer service. There are multiple ways to do this, including Ingress or port-forwarding.
As of Kubecost 2.2, the frontend has an option for haMode which changes the service name that the ingress needs to target. When using the helm ingress template, the correct service is automatically set based on this flag.
Please exercise caution when exposing Kubecost via an ingress controller especially if there is no authentication in use. Consult your organization's internal security practices.
Common samples below and others can be found on our GitHub repository.
Helm ingress template
This is recommended unless you have specific needs that a typical ingress template do not address. The advantage to this method is that the service name is automatically configured.
An example of using the Helm ingress using cert-manager:
ingress:annotations:cert-manager.io/cluster-issuer:letsencrypt-httpclassName:nginxenabled:truehosts: - kubecost.your.comtls: - hosts: - kubecost.your.com# letsencrypt automatically creates the secret, just need to give it a name:secretName:kubecost-tls
# https://kubernetes.github.io/ingress-nginx/examples/auth/basic/apiVersion:v1data:auth:Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAKkind:Secretmetadata:name:basic-authnamespace:defaulttype:Opaque---apiVersion:networking.k8s.io/v1kind:Ingressmetadata:name:kubecost-ingress-tlsannotations:# type of authenticationnginx.ingress.kubernetes.io/auth-type:basic# name of the secret that contains the user/password definitionsnginx.ingress.kubernetes.io/auth-secret:basic-auth# message to display with an appropriate context why the authentication is requirednginx.ingress.kubernetes.io/auth-realm:'Authentication Required - kubecost'spec:ingressClassName:nginxrules: - host:kubecost.your.comhttp:paths: - path:/pathType:Prefixbackend:service:name:kubecost-cost-analyzerport:number:9090tls: - hosts: - kubecost.your.comsecretName:kubecost-tls # Use any cert tool/cert-manager or create manually: kubectl create secret tls kubecost-tls --cert /etc/letsencrypt/live/kubecost.your.com/fullchain.pem --key /etc/letsencrypt/live/kubecost.your.com/privkey.pem
To deploy Kubecost to a non-root path use the below configuration.
Note: When deploying Grafana on a non-root URL, you also need to update your grafana.ini to reflect this. More info can be found invalues.yaml.
apiVersion:networking.k8s.io/v1kind:Ingressmetadata:name:kubecost-ingressannotations:kubernetes.io/ingress.class:nginxnginx.ingress.kubernetes.io/enable-cors:"true"# remove path prefix from requests before sending to kubecost-frontendnginx.ingress.kubernetes.io/rewrite-target:/$2# add trailing slash to requests of indexnginx.ingress.kubernetes.io/configuration-snippet:| rewrite ^(/kubecost)$ $1/ permanent;spec:rules: - host:demo.kubecost.iohttp:paths:# serve kubecost from demo.kubecost.io/kubecost/ - path:/kubecost(/|$)(.*)pathType:ImplementationSpecificbackend:service:name:kubecost-cost-analyzer# should be configured if another helm name or service address is usedport:number:9090
ALB Example
Once an AWS Load Balancer (ALB) Controller is installed, you can use the following Ingress resource manifest pointed at the Kubecost cost-analyzer service:
