Installation / Deployment
Headlamp can be deployed in a Kubernetes cluster , or run as a desktop application.
Please check the guides in this section for installing the desktop application or deploying Headlamp in your cluster .
Authentication / Log-in
Currently you can log in Headlamp by using a client-certificate (as you may have configured with e.g. minikube), or a bearer token.
Headlamp uses RBAC for checking whether and how users can access resources. This means that the recommended way to log in into Headlamp is to use a Service Account token.
Create a Service Account token
As an example, you can create a service account for using Headlamp and retrieve its token to authenticate:
- Create a Service Account:
kubectl -n kube-system create serviceaccount headlamp-admin
- Give admin rights to the account (check the RBAC docs if you want to set more restrictive permissions):
kubectl create clusterrolebinding headlamp-admin --serviceaccount=kube-system:headlamp-admin --clusterrole=cluster-admin
- If you are running Headlamp in a Kubernetes cluster with version greater than 1.24, create the token using the following command:
kubectl create token headlamp-admin -n kube-system
Otherwise, run the following command to get the token associated with the service account:
export HEADLAMP_SECRET=$(kubectl get secrets --namespace kube-system -o custom-columns=":metadata.name" | grep "headlamp-admin-token")
kubectl get secret $HEADLAMP_SECRET --namespace kube-system --template=\{\{.data.token\}\} | base64 --decode
Once you have the Service Account token, paste it when prompted by Headlamp.
Use OIDC
For OpenIDConnect, please see the in-cluster installation docs.