Skip to main content


Headlamp can be deployed in a Kubernetes cluster, or run as a desktop application.

Authentication / Log-in

Currently you can log in Headlamp by using a client-certificate (as you may have configured with e.g. minikube), or a bearer token.

Headlamp uses RBAC for checking whether and how users can access resources. This means that the recommended way to log in into Headlamp is to use a Service Account token.

Create a Service Account token

As an example, you can create a service account for using Headlamp and retrieve its token to authenticate:

  1. Create a Service Account:
kubectl -n kube-system create serviceaccount headlamp-admin
  1. Give admin rights to the account (check the :

Check RBAC docs if you want to set more restrictive permissions)

kubectl create clusterrolebinding headlamp-admin --serviceaccount=kube-system:headlamp-admin --clusterrole=cluster-admin
  1. Create the token using the following command:
kubectl create token headlamp-admin -n kube-system

Otherwise, run the following command to get the token associated with the service account:

Once you have the Service Account token, paste it when prompted by Headlamp.


For OpenIDConnect, please see the in-cluster installation docs.