Installation / Deployment

    Headlamp can be deployed in a Kubernetes cluster , or run as a desktop application.

    Please check the guides in this section for installing the desktop application or deploying Headlamp in your cluster .

    Authentication / Log-in

    Currently you can log in Headlamp by using a client-certificate (as you may have configured with e.g. minikube), or a bearer token.

    Headlamp uses RBAC for checking whether and how users can access resources. This means that the recommended way to log in into Headlamp is to use a Service Account token.

    Create a Service Account token

    As an example, you can create a service account for using Headlamp and retrieve its token to authenticate:

    1. Create a Service Account:
    kubectl -n kube-system create serviceaccount headlamp-admin
    1. Give admin rights to the account (check the RBAC docs if you want to set more restrictive permissions):
    kubectl create clusterrolebinding headlamp-admin --serviceaccount=kube-system:headlamp-admin --clusterrole=cluster-admin
    1. If you are running Headlamp in a Kubernetes cluster with version greater than 1.24, create the token using the following command:
    kubectl create token headlamp-admin -n kube-system

    Otherwise, run the following command to get the token associated with the service account:

    export HEADLAMP_SECRET=$(kubectl get secrets --namespace kube-system -o custom-columns="" | grep "headlamp-admin-token")
    kubectl get secret $HEADLAMP_SECRET --namespace kube-system --template=\{\{.data.token\}\} | base64 --decode

    Once you have the Service Account token, paste it when prompted by Headlamp.

    Use OIDC

    For OpenIDConnect, please see the in-cluster installation docs.