Installation
Headlamp can be deployed in a Kubernetes cluster, or run as a desktop application.
Authentication / Log-in
Currently you can log in Headlamp by using a client-certificate (as you may have configured with e.g. minikube), or a bearer token.
Headlamp uses RBAC for checking whether and how users can access resources. This means that the recommended way to log in into Headlamp is to use a Service Account token.
Create a Service Account token
As an example, you can create a service account for using Headlamp and retrieve its token to authenticate:
- Create a Service Account:
kubectl -n kube-system create serviceaccount headlamp-admin
- Give admin rights to the account (check the :
Check RBAC docs if you want to set more restrictive permissions)
kubectl create clusterrolebinding headlamp-admin --serviceaccount=kube-system:headlamp-admin --clusterrole=cluster-admin
- Create the token using the following command:
- Kubernetes 1.24+
- Older versions
kubectl create token headlamp-admin -n kube-system
export HEADLAMP_SECRET=$(kubectl get secrets --namespace kube-system -o custom-columns=":metadata.name" | grep "headlamp-admin-token")
kubectl get secret $HEADLAMP_SECRET --namespace kube-system --template=\{\{.data.token\}\} | base64 --decode
Otherwise, run the following command to get the token associated with the service account:
Once you have the Service Account token, paste it when prompted by Headlamp.
Use OIDC
For OpenIDConnect, please see the in-cluster installation docs.