Use OpenUnison For Headlamp Authentication using OIDC or Impersonation
Starting with version 1.0.44, OpenUnison adds support for Headlamp in two scenarios: clusters that support OpenID Connect (OIDC), typically on-premises environments, and cloud-managed clusters that rely on impersonation when OIDC is not available. This opens secure support for Headlamp both on-premises and in cloud hosted environments.
By default, OpenUnison's charts now ship with Headlamp. This means that deploying OpenUnison into a cluster will automatically deploy Headlamp with some additional features:
- ServiceAccount with No Permissions - Headlamp's dedicated
ServiceAccounthas no RBAC bindings, so a lostServiceAccounttoken is not a danger to your cluster - End-to-End TLS - OpenUnison has its own built in certificate automation, making sure that your sessions are encrypted from your Ingress, through OpenUnison's reverse proxy, to Headlamp and makes sure that the certificate is rotated as needed
- Hardened Deployment - OpenUnison's Headlamp
Deploymentremoves all capabilities, marks the container as read-only, and createsemptyDirvolumes where writes are needed - Who Am I? - When you're logged into Headlamp, under the cluster there's now a link for a who-am-i feature that shows you who the cluster thinks you are, this is the same information provided by
kubectl auth whoami - Namespace Listing - OpenUnison can manage which namespaces are listed by Headlamp either by listing all namespaces, testing which namespaces you have access to, or letting you write your own service to map from your user's identity to available namespaces
Additionally, the Headlamp deployment from OpenUnison supports adding plugins just as the stock deployment charts for Headlamp does.
OpenUnison supports multiple identity providers, including EntraID, Okta, and Keycloak. To deploy OpenUnison, follow the instructions per your identity provider and Ingress/Gateway. Headlamp will deploy automatically.
Integration with an Existing Headlamp
If you have an existing Headlamp deployment, you can integrate it with OpenUnison instead of using the OpenUnison-managed Headlamp instance.
NOTE: It's important to use TLS when connecting to Headlamp, since there are tokens being transmitted. If your cluster has a service mesh, you can use that instead of explicitly configuring TLS for Headlamp. If you don't have a service mesh or haven't deployed cert-manager or something similar for your Headlamp instance, you can use OpenUnison's integrated certificate manager. If you want to use OpenUnison's certificate manager, create a RoleBinding that allowes the openunison-operator ServiceAccount to create and update Secrets and Pods so that OpenUnison's certificate manager can create TLS keypairs for Headlamp and restart Headlamp Pods when those keypairs need to be renewed:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: openunison-secret-admin
namespace: headlamp
rules:
- apiGroups: [""]
resources: ["secrets","pods"]
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: openunison-operator-secret-admin
namespace: headlamp
subjects:
- kind: ServiceAccount
name: openunison-operator
namespace: openunison
roleRef:
kind: Role
name: openunison-secret-admin
apiGroup: rbac.authorization.k8s.io
Assuming you have already deployed the OpenUnison authentication portal, update your OpenUnison values.yaml, with the following changes:
# if you don't plan on using OpenUnison for kubectl access to your
# cluster, even if you're using OpenID Connect to connect to your cluster
# from kubectl, you'll probably want to use impersonation for OpenUnison
# so not to interfere with kubectl access
enable_impersonation: true
# disable the built in headlamp and integration
headlamp:
enabled: false
# configure OpenUnison to provide a frontend to Headlamp
# the OpenUnison charts will generate all the needed objects,
# including Ingress/Gateway
openunison:
# if you're going to use OpenUnison's certificate management to create TLS for headlamp,
# uncomment below and update for your environment. We're assuming you're deploying
# headlamp into the headlamp namespace.
# See: https://openunison.github.io/knowledgebase/certificates/#how-do-i-include-additional-keys-and-certificates
# keys:
# - name: headlamp-tls
# import_into_ks: keypair
# tls_secret_name: headlamp-tls
# replace_if_exists: true
# create_data:
# ca_cert: true
# key_size: 2048
# server_name: headlamp.headlamp.svc
# target_namespace: headlamp
# delete_pods_label:
# - app.kubernetes.io/name=headlamp
apps:
- name: headlamp
label: Headlamp
#do not change
org: b1bf4c92-7220-4ad2-91af-ee0fe0af7312
# The URL you want to serve headlamp from
badgeUrl: https://headlamp.mydomain.com/
# Tells OpenUnison to inject the user's identity
injectToken: true
# the URL where Headlamp is running
proxyTo: https://headlamp.headlamp.svc:80${fullURI}
# authorized groups from your identity provider
az_groups: []
# Badge icon
icon: iVBORw0KGgoAAAANSUhEUgAAANIAAADwCAYAAAB1/Tp/AAAH8XpUWHRSYXcgcHJvZmlsZSB0eXBlIGV4aWYAAHja7ZdNdiM5DoT3PMUcgf8Aj0MSxHtzgzn+fEzJniqXe1HVy2nJVqaYKRJEABGR4fzn3x7+xSuLxlCbaB+9R1511JEnJxpfr/l8plifz+dl+X0t/Twe/D0eM0OFY3l91f6+/2M8fU7wOkzO2g8T6X5fWD9fGPU9v36Z6B1RuRHdc3tPNN4Tlfy6kN4TzNe2Yh8qP25hnfcWP3air/9wP6r+HPYv34XsWWOdkvMpqUQ+c9FXAOX+t1AmFzKfsVRuTGVwXkp7RvJ7MhLyXZ4+X+Mm+4Zav73pJ1RO/B6tj7PwFa2a37eUL0nun8dvx0NqXy6Uz3XyjytXfZ/ln8f13I3diL5k//67m/qzZ3YxayfV/b2pj608Z9y3WOIurYHQehT+G1PI8x68larelILFHRfvnUbKwOWpJkszeTrPcadNiDWfkIWTnHcuz6AWySPvcvGr9508C0haUbDdwF4YzZ+xpGfZEXd4VlNWtsStOTHZLYfffoff/YH7bYWU4jv558E355tswrjI3U9uA5Hk76S2J8Ef76+vi2sBwXazfFtkkNj1mmK19D8mKA/QhRsbx1cPJrH3BKSIpRvBpAICoJZKSz1FyVlSIpEKQJPQMz2zQCC1lo0gcy2lg43muzQ/kfTcmltmODAOmYFEK70I2NBrgFVro36kKjU0W2m1tdabNG2jzV567a33Lv2S4pQiNUiTLiIqQ6YWrdq0q6jq0DnyKJBmG33I0DHGnKw5mXny68kNc668yqqrhdWXLF1jzU357Lrb7lu27rGnZSsGf1g3MbVh86RDKZ162ulHjp5xplNqXoJXb95dXH34/EQtvdv26/s3UEtv1PKD1L1RPlFjVORjinTppF3MACyHmkBcLgQUdL6YRU215ovcxSyOfHkuE2S7mFm6iIFgPSk3Tx/YhfxC9CL3t3ALUn/CLf8pcuFC95vI/Yrbd6jZlaH9IPbqwpvUWOg+rh+dWecVu1+O4a8u/O7xn4n+zyda4jV6FAr05IT8UutdSjq0zJZ6m6D1VGfZVqTThGNZolHxjEuPmsdyckP7V8vDRYuNeqLOM3t0rQ0hVeihJXXra7e5dqWhtazczWGG20w2vMAHzauF6h517bIK9DeSiuU11LqcKAhrXH2s4gPq6r2MbakuxcNB073b9BZvtxMuAkkUKs2vlvW7v3RGpOWOjV3bOMg8Id3W7H0YLNLUUXJDmVe1rvuVqGDIU238Xfv4p0c07prRNHLX6bW6Njtxk7xosNg5JxU3+LCMU4Ux7Vf7uKNlaV1WhpqSZDDoYcouxgzT8LHKnq1harQ64jiSVVkmaxm8wwanNDir9BXnZu1HjGdHMfUEm6mxyRbnvYAtHnk5WZUDZJJGK2N2r0fVa07Vaur62pNE1Pa9u9bDOlaOCTBftodMe60dhzMSFSCeMNYJhoYrfRJW1EoZjK6jSvc+XYzhrg2jpWOiGYj+dUqxr7ViGdo6vsvHjEQzYW9DG9ocnth5qyNiBvXww7wsk9QRXPM+pGikdVanqmqnMuspM5tQxNCyaYPHr4UbYN/39nIaMkQlvTdZ0bU/xZw+sn4cCbqeMWnYa6stZrWGj+2G37FUALjjO8lrG4adiVtk+lgLa9oRC/PUbVxHiYgW9KUHSRkhI0fxWrqGCEliz8kOC3dbw3ie03O22A2meUYIY3sCiz8cw3OS9nE1qU0ROY+n7Z0y4NkgrwB6kCxK0GzR22Z7db5SfUYnTl8ocgprFhpyabm3Im6Hwt7XvKwrk2VvtuHjBi9x9xsp6x0i3QshPnuf/jRbYELQ/mNKO6gtuTQH/mrk1273s757ufSC5tLeXklwKTuKLO/QgLQBD25KBCZ6wmxQIQClFGzH6SqHvi2NYPdis4tt3JnsVSYQmP1lHUSZifXCAKIL541sYALoVhXHEXndF0FMElTcFyXoygPGjbw7wZF5GPlQHgTXJFzjC0akFqdig7bQIeeQy/aCG5ZI38D9PfxfL2C9Z9vrgRoKSP5ALSRhYndSmxsSZ0kM3MSM2d4zTHyL36rNt/2AoPEbSpDuyzQZOFPDGfrLcrsPgj4ntptSKTvBVslpjamQ/7geDs4nGFzkwMdfLmG2+wC9lSHK8YJ0vs33HrlW7QGqoYZ5zJ8lV1gDHnVKeaVE2yMEa7A/7xRFTtFhgz2GLKnOxyq0AFp2sKlhd6JbB528O1q4wmRlEnChgWnIdB8UF0lYxz0nmpaGjqgnnDaJlFvaoUBQ2hxvkZIhg2qfU/2DY8CLT/jucgpPkfnBjH6jcwkTuSRf2NHSmuRefM152MLOdovvoLjYXTtcDbUfrZSmrrmmerwFhwK2yWlRz4jtRoDhKjkSi7HFvkoGBLYEC99nWGcOfDYp8b1mVX80xhE1klbkmoG5kvEcvCosRN+jcFE8X4NQXCdgFGQD6hsxYDuMX2PW12inYM8Xe11+7XzFi0exeqgT7DWM/vw483ji9yvqNztW4XJMuEsreaFT45KOHmHCZ5VE4WAY8tq9oTyKp/FC6yK3+WD5waadRvFX8mW7honWFKoY61JJb/bdKJeaN7pIiQE5PmLQKOQowyROiXDCg2uHDdNusASaw+O6UXMIHdJNKckp8OYk4IIcrJm2NQrDq+pkoZLuIxAEUR98uYWp9lPg4W+5kB+O/0z0z0TvAaTGRvgvf4BHYNfZpMEAAAGDaUNDUElDQyBwcm9maWxlAAB4nH2RPUjDQBzFX1OLIhUHO4gIZqjiYEFUxFGrUIQKoVZo1cHk0i9o0pCkuDgKrgUHPxarDi7Oujq4CoLgB4i74KToIiX+Lym0iPHguB/v7j3u3gFCvcw0q2Mc0HTbTCXiYia7Kna+IowQgCGMyswy5iQpCd/xdY8AX+9iPMv/3J+jR81ZDAiIxLPMMG3iDeLpTdvgvE8cYUVZJT4nHjPpgsSPXFc8fuNccFngmREznZonjhCLhTZW2pgVTY14ijiqajrlCxmPVc5bnLVylTXvyV8Yzukry1ynOYgEFrEECSIUVFFCGTZitOqkWEjRftzHP+D6JXIp5CqBkWMBFWiQXT/4H/zu1spPTnhJ4TgQenGcj2Ggcxdo1Bzn+9hxGidA8Bm40lv+Sh2Y+SS91tKiR0DvNnBx3dKUPeByB+h/MmRTdqUgTSGfB97P6JuyQN8t0L3m9dbcx+kDkKaukjfAwSEwUqDsdZ93d7X39u+ZZn8/UnZymvbpaK8AAA0caVRYdFhNTDpjb20uYWRvYmUueG1wAAAAAAA8P3hwYWNrZXQgYmVnaW49Iu+7vyIgaWQ9Ilc1TTBNcENlaGlIenJlU3pOVGN6a2M5ZCI/Pgo8eDp4bXBtZXRhIHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJYTVAgQ29yZSA0LjQuMC1FeGl2MiI+CiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogIDxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSIiCiAgICB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIKICAgIHhtbG5zOnN0RXZ0PSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VFdmVudCMiCiAgICB4bWxuczpkYz0iaHR0cDovL3B1cmwub3JnL2RjL2VsZW1lbnRzLzEuMS8iCiAgICB4bWxuczpHSU1QPSJodHRwOi8vd3d3LmdpbXAub3JnL3htcC8iCiAgICB4bWxuczp0aWZmPSJodHRwOi8vbnMuYWRvYmUuY29tL3RpZmYvMS4wLyIKICAgIHhtbG5zOnhtcD0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLyIKICAgeG1wTU06RG9jdW1lbnRJRD0iZ2ltcDpkb2NpZDpnaW1wOjMyNDFlMDI2LWM3ZWQtNDRkNi05MDQ2LTUyMDgyYjc5MzAxNyIKICAgeG1wTU06SW5zdGFuY2VJRD0ieG1wLmlpZDpmMDY2NTg5OC1hNTJjLTQwNGYtYWEwYy1lMDNmMGI0ZTA2MzciCiAgIHhtcE1NOk9yaWdpbmFsRG9jdW1lbnRJRD0ieG1wLmRpZDoxNGM5NjliNi0xZDBmLTQ1YjEtOTIwZi03MTFjYTA4NDY3NGIiCiAgIGRjOkZvcm1hdD0iaW1hZ2UvcG5nIgogICBHSU1QOkFQST0iMi4wIgogICBHSU1QOlBsYXRmb3JtPSJNYWMgT1MiCiAgIEdJTVA6VGltZVN0YW1wPSIxNzY0ODk0OTAyNjYwMDkyIgogICBHSU1QOlZlcnNpb249IjIuMTAuMjgiCiAgIHRpZmY6T3JpZW50YXRpb249IjEiCiAgIHhtcDpDcmVhdG9yVG9vbD0iR0lNUCAyLjEwIj4KICAgPHhtcE1NOkhpc3Rvcnk+CiAgICA8cmRmOlNlcT4KICAgICA8cmRmOmxpCiAgICAgIHN0RXZ0OmFjdGlvbj0ic2F2ZWQiCiAgICAgIHN0RXZ0OmNoYW5nZWQ9Ii8iCiAgICAgIHN0RXZ0Omluc3RhbmNlSUQ9InhtcC5paWQ6YjliN2M5NTktNmQzZC00ZWQ0LWIyZDMtMDkyNmUxMzllNWE4IgogICAgICBzdEV2dDpzb2Z0d2FyZUFnZW50PSJHaW1wIDIuMTAgKE1hYyBPUykiCiAgICAgIHN0RXZ0OndoZW49IjIwMjUtMTItMDRUMTk6MzU6MDItMDU6MDAiLz4KICAgIDwvcmRmOlNlcT4KICAgPC94bXBNTTpIaXN0b3J5PgogIDwvcmRmOkRlc2NyaXB0aW9uPgogPC9yZGY6UkRGPgo8L3g6eG1wbWV0YT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgIAo8P3hwYWNrZXQgZW5kPSJ3Ij8+Ffb0sAAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB+kMBQAjAl8W65QAAByASURBVHja7Z1pcxxXlp6f3GoFCjuIlatIcWlKlCj1aBlJ3W73jHs80zNh+9/5k784wg6HPeHw2NPt9vSmpSV1S2RTpCiKFEGCILGvBdSWiz/ck6wURFIAKRUqq84TcSMLIEEiM8+b59z33rwXFEVRFEVRFEVRFEVRFEVRFEVRFEVRFEVRFEVRFEVRFEVRFEVRFEVRFEVRFEVRFEVRlP1i6SV4KuxE6yTCRFNUSN8rOeAIcBI4IV9HHRAHVeAW8CVwR75W9oirl2Df5IHTwM+BvwYGgCDl5+QAa8AvgP8JLKqQVEitKOsyQBHoBwodcl6RnFOmA0vWlgSFsv+Ai6Qf4XfQeflyTlEHlKoqJEVRISmKCklRFBWSoqiQFEWFpCgqJL0EiqJCUhQVkqKokBRFUSEpigpJUVRIiqJCUhRFhaQoKiRFUSF1EPFLfZGem6JCejpywAgwBvR12PWz5ZzG5Bxzerv3jqOX4LFYElwOZm2LHuAocBF4E/iBBFwnrXsRL8VVT7T4WuiKU98SLMqjyQPDwDgwBRzGLMN1DHgOmABKHfQwCoBN4D5wE5gB7gFz8r37wDywpaGhQnpSWeMCWSlpClLinADOAuflOCwCc+jsBSIDoIZZousmcE3a58AssI1ZrqsGNEj/cmQqpO+IAjAKHAeex6xbdxg4hFm3bgCz9Fa2y65LQzLQOrAKLIiQbmIWkrwlWWtDhdSdZKVjPQAMSfl2WDLQKWmjkn2UJnVgBfhKxBSXgHMitBU5Vugy58/qknO0E8ZBQUyC56Rke1EENCbCyUpzUVdzNxFm/bu6lHVVEc4scBW4BHwm/amylHxxqRipkNJNRvo205J1jspxQtqU/LnavU9vUqwDD0RQsyKkOclWccaqqJDSdT5ewjDoldLtWMI0eF7Ek6Np66q9++yZKh7IbYhJcRu4IlnqOrCEcQUrwI5ktFCF1J7nkhGD4ARwRtoJKeX6pPVq3+d7x8c4exuSrZbFlEg6gHdFVKEKqT3Ktj4Ryqj0c6alfIu3XZmSv6ccHKGI6S5wA+P43ca4gEvSVkR8KqQWmQautIwI6ATwgpgG52iO9WSkzPO0bGuL0i+QTFWjOUZ1W0yKy3KcFQMjHpsK0pKx0hRgnvR3joh4jku2GcPY1+OSlbIat6kxKdYwezHF5sQ9EdPthEmxrUJ6tt/LxezX04uZ5xY7b2fENPiB9IdykqnUMEhnpopLvzpfn0lxVcrA+5hB4S0RVaMds1S7Bp6HGSw9B7yEcdwOJ0yDXmkZFU9H0cA4emUxKpakX3UN4/5dle+13W6C7TpzuSiGwVvAj2k6bzrW09l4NN3VSclSp+T+9yf6WCqkPdKDGft5VVpOM0/XCmtUhFWT/tMd6VepkPZAvE9rQbKT0p1YNKd1FTBGkt2uAdvOHdGQDhr9Vp6aOA7adr6eTspUFBWSoqiQFEWFpCiKCklRVEiKokJSFBWSoigqJEVRISmKCklRVEiKoqiQFEWFpCgqJEVRISmKokJSFBWSoqiQFEWFpCiKCklRVEgJokRTFNo9Htp1XbsMUKKrVla1yOcsRkegULDIeOB5Fo486sIQGn5EowE7lYjlVdja6qpnTU5iwlMh7T1LDmBWWh3oKKlY4LqQz0Ehb5HLQS5nkc9a5As2pR6H/n6bQsEmmzFichyzwGwQGhHV6hE7OyEbmyGbWwE7OyGVakStGlGpGpFVquA3IIw66CljYuEoMIhZNDJQIT0eD7PDxHngImarlo5ZqjiKYGjQ4fxZhxPHXI5Mu4wdchjod8h4FrZt4bgWjmNhW2DbYFmW/GxEFJnMFAQRfhARBhENP2JjI2BhKeDOrM9XMwFXr/vcudvW6yk+DUOYTRUuYParvYtZxliF9JinzkXM4vkvysVLdQYaG7UYH7OYGLMZHnIYHPAYH/OYmnQ5MuUyPuYwOODgeom4t752+EZHIfn3fB/WNwIWFgLu3vM5fszn3GmflbUGKysBDxZCHsyHzD2ICNO7Zq0lZd0p4G3MThU7IqhQhfT1C1XEbB72N3KxSunPQBbPn/R4+UKGVy5kOTLtUSrZ5HKmdMvnLXI5i2zGwrZNxtqvUD0XHMehWLAZH3e58EJEtRpS3g6ZnfP59M81/vRpjQeLPmGY+tWfe4DXJRPdEzFttIOY2kVIHvAc8A7wmvSPUlvSvfSCw7kzHqdPZZgYcxk75HH8qMfoiEMhb+E4zVIv5mliPP75jGeR8Sz6Ss1/q1qLGB5y6e9zeP5khh+/1eDGzTpXrzf48I+pLftcYAJ4BbOrXwX4VI5dLyRHSrq3gL/HbG2ZqvEty4JsBoaHLI4fdTh/LsurF/NcvJBlZMghkzHB7rpPl3n2Kyzz+1iMH3IYGrRpNLKsrgV8+ucaA/1VioUqN78KWFk1xkQKE9Uk8HeYDcnmpMSrH3QQHzTjwI+kpHsVsxNf6gaKJycc/uHf5vj5z4q89mqeM6cyTI67lHptslkjIstqrbhd1yKTMbZ6Pm/TV3KYmnQ5ecJjoN9ieTVicSmVmcmTMs8SAS1KideVQrKlX/Qy8B+Av8BsKuWk5W66Lhw/avHaKx7vvJnjrTcKvPJSnhPHMgwPOXhea8XzxBvtWpR6jeExPOSQzzkUizA8GGHbERubEUF6MlO8x3AvZt+kOWAes6Nf1G1CKgAvAD+VNk2bDrY9jokxi1dfzvDjt4v87KdFzp3OMDDgkMs1+0HtFHm2bcalclmLkWGH6UmXYtEhiiJWV0PWN1KVnSwgjxmorWA2a146qBLvoG63B0wBPwP+CnheLkpqeP2HDj95x2Shly/kOHnCY7DfwXHaJws9ruRzHIti0aan6FDI2/SXHEZGLLKZkNt3UtVhsjG7+OUwGznfE0EF3SAkBzPo+grw76Wky5MSl66vBKdO2LzzZp633yjyyks5jh3xyOXsVPmMUWT6UP0lm8FBh76SQwSUywH1OlSqqTkVBxiWUm8RWBMTIuxkIcXjRW8A/w74oVyE1ITgxRcdfv6zIm++VuDcmSyHRl0KeePGpQ3bAtcz41jFgk2p12Zo0GZj02fmbmoykyUVTlzmrWE2ba53spB6pYz7W2mH0mIu5HNmfOit1005d/Z0lrFRh2w2/TOYHMcMDPf02BTyNmEUYVshq6sRtXpqTiMnD+WyGA9btHAKkdPiJ8dJjEP3E8wExGxa7tLxIzb/5qcF/lIy0ehwe7lyz3xzbEtmW9iUeh2yGZid89Nkj9uYtwaKEld3pdSzOklIGcxA61vAz4GzcsKpCMML523efC3LW68XOH82x+ioceY6CUsyk+dZFPI2tm1h2QAB9+ZSIyZHqp4csAysS4YKOkVIRRHR34jJMJQGEdm2ed3hx29l+cvXi1x4Icf0lEsm01ki2l3mZbMWnmfjeRaVSsDtmQDfT8UMCEse2hnMeNImMNOKEq9VQurF2Nw/wsyVSsV40WC/xXMnHH7yToG338gzNemRz6XTWNjfA8SIKZ+z2N6O2NgK2KmEbJXT8zyQUu8BcAkzufV7xW3hiQ1KJkrNzIXjx2z+9Y/yXDifZXrKpadoEUXf31y5dqKQtxgfczl/LsvGZki1GjL3wE+TkIZovgRIpwgpTrtWGko6y5JXIJ7z+Fdv5/nB2Qy5rEW3kctanD2dwbIivppp8PsPQhwnJAja/ldveay5KN+gpwhv/IXLi+dzTE169Pc7OHZ3ZKKYKDJ9xFKvzeS4x6sv59gqB/zy/9VY29AY+UY5rJfgmwwPWly8kOX82Sx9JfvhAiTdSm+vzQvnsrz8YpZDoxoyKqQ9VgXDwy5nn89y9nSGvpJeomLB5ugRl2NHMkyMu11Z5qqQ9skL52wuvphhatJjeMjuaKt7r3ge9JVspiY8fngxx8ULjgaKCunJnDnl8MrLOYaHnIcr+CjGEj806vDDi1lOn9KutQrpcQWdZcq6I4c9fnA2w6FR53t9LTxtxoNlmaXEThzzmBz3AAtXE5MKaTc9BYvDUzbjhzymJlz6SjaakL7+oCkWzQuBo6MuL7/o0t+nF0iFtIuhIbh4wWNoyEwBsvXKPFJMnmdxaMTlwvkMQ0MqJBXSLoaHLM6fM8tnuY6WdI8r8TzPYnrK5fw5j2EV0kO01ygM9tucPukxPeXiqVP3WDIeTE+5rKx6DA7oddKMtIveHpvxMZeRYQfPtTQjPSYjOY5FX6/N4IBDT9F5WPKpkLTuByx6em36SjbFgvaPvu16ZTIWuZxNqdclm1NTRoWEmU82PWXTV3JbvohjmvFci6FBl/NnHLXBVUjgODA1YdPf5zzci0jZQ+fahaFBm7FDNq72tFVIrgOjwzYD/RoQ+zMdLIYGHYaHbM1IKqTmk3VowCxmouxRSBmLoUGbwQF9AKmQJCP1lSz6+mw8V4W05z6SZ9HfZwwaR4WkQrJtKBRsikVLn6z7Mhugp2hcTkddThWSbZtXqnM5W82GfRAvKpnNWjpLXoXUnD9mNkNWgew5cBzTT/L0uqmQjJBMSee6OkK/r8CRB5DndtC28yqkZ0OnAykqpGcWUYTvQ6ORyr1UD4wwhEY9otGI9EGkQoIwgkYjot6IVEj7IAihXo/MA0iFpEKKQqjWIqrViEAjYu9CCiIq1YhqTTOSCgkIAihvh2yVQ/yGBsReaTRgcyukXI4IAlWSCimAjc2QjY2Ahq8BsVfqjYi1jZD1zRA/0OvR9ULyA1hdDVlbD/EbKqQ9Z6R6xOpqwOqa2fJFhdTtQvJhcSlidS2goQGxdyH5ESurIcvLoQpJhWTcpzuzIWvrAb7W+vvoI0WsrAXcn1chqZAw4yHziyFbWwF+IyRU526PfcuI1TWfy5+FBDpsoEIy1m3EVjlgYzN2oTQwnnS9qrWI7R1j0ECo428qpCabWyF37/nMLxr3TufdfRPLAt+PWFsLWFwK2N7WJ44KaReraxFffNng3n2fRkOF9DjqjYjZuYAvbzVYXdMyWIW0i+WViMuf1ZkTIelo/aMzUqMBd+81uHSlztKKXiQV0iMy0qU/N1hb96nVdd7d4/pHvh+xvBJw+UqDFRXSQ/TlamF7B7Z3Qh4sNLg355PL2vT12TgWaLgYEZW3I+YXAxYWGly9HmDbemU0Iz2Gm1/5/OlSjfvzPmEQ6VtrUtKFISws+nx2rc7MbAPQrK0Z6Ql88aXPYH+Nc6czhKGnF+RhRjIl3SeXqtz4UkdgNSN9C9dvhMZ0eNBgZTWgVtPypdGA9Y2QuQc+H39S4+NPNRWpkPbAwmLAJ5drfHK5xvqGBs3GZshnn9e5eq3G/fkA7TUefGmXih7H+nrER3+q0VdyOHbEo6/PJuN13wL7UWT6RusbAVeumgfLympqHiwtvVutykgR0ADqaXicVarw/oc+N76scm+uwepqiN+F7yqFoclGD+Z9PrtW5Z9+2WB7Ox3PAIm1RqvirVVCCoBlYEFOrr0DSC79Fzd9fvtehc+/qFGtdddsB9uGWj3i+o06v/+gwuc3TEymZIJqA1iUmGvJPKZW7SPgAAWgD5gEetNQ5q2tw63bAZMTNmOjLvm8RSbTHSXezk7E/Qc+v3u/wn/9Hzt8NRNQqaYmGy0CvwfeA76S7NQRQgqBFXk6HAMGgWy7i8kPYKsMpd6IKLIYGHAY7Lex7c5Wku9H3Lnn8/5HVT74qML7HzYol1MxbSoEtoBrwH8RIW3J9ztGSDuScl1gABgnJeNYlWqEH0T0l2wKBdOyntVx3pVlQa0WMb9gzIVf/26HTy7VuXc/NXMPG8Bl4H8DvwVmWyGiVgoppiaZqQ84ChQP4HfYNxubEY16gGVFOI7F0IBDvmBh251T5kWReX3czKOr8YePq/zm3SpXr6fGpWsA8yKifwTutKKkOygh+UBFSrocMAr0p+EubZahXg9l9wqbfM6it8fG7YA9leL3jObnA65dr/PehxU++KjCZ9fCNL3keB/4DfAL4BKwTQsd4oPIBj5QlSfIODACeLT54HAYmkVSAomsTNaikLfJZe3UGhCWZVqlYiajXrte58M/VvjtexXe+zBIi4hCoCzi+UfgY2CpVSXdQQopkhPfBkrSX4rNh7anVo3Y2Ayo1EJ836KvZFPqtbGs9IkpLufm7pupP+++v83v3qtw63bETiU1p1EBbgK/Bv4JuEuLLO+DFlIspqoYEBngiIiq7ftL1RrML0ZUKiG+Hz/0LPI5k5lsu/23h4l/v/J2yM1bPp/+ucb7H1b44I81Pv4kTJOIwkS/6J+BL6QfTrcIKb4Iy3KclMzUQ0qmEa2tRywvB8zc9QnDiIH+uMQzJkS7br4VBFCtRmyVQ2bnfH79boV//tUOf/ioxuc3wjS9GRxhjKtLwH8DPpDsFHWbkCLpL9UlMw1LZkrFuwtRZMaYHsxHQEC5HLBTMbMf8nljRrQj5e2Qu7M+f7pc47fvVvjDR1UuXfGZmU3d6/U+8CHw3+XY8n5RuwjpYbcD2JTSblSOmTT1M2buhrz/UUA+F2JhEUVm4ckosnAccF3rYce+1UaCWWchYqscMb/gc+t2gyvXavzm3Qr/8T9VuHrdZ3MrdSNiFeAW8Evg/wD3aKHV3a5CCkRMAWaAdkLMB0jR+6muG1EuB9yfb3D7js/mVvhwb1pXBm+jqDWCiiJTwgVBRL1u3iWauWum+/ziX7b54KMKV66aVYBSuIZfhBlo/ZW0K2JcHez9b6MnzDXMfLzYeBghRW/w+j7cmom4NeOTyYasrAVsbvocOZzh0KjLyLDD6IjDyJAjO4GbkIgSwf8sxkHyc60OKysBi8sBS8s+i0s+s3MNPrlU4/cf+Cwtp/YdqwDYkFj5FWYWQ1vMR2+3J/4E8A/A3wGvkZLB2t3YNmQ86CtZjI85PH/S46UXspw743HiqEdPj43jWLiu2czY88xnx9l7torfFWr4Ztc834/wfZNhtndCZu40uPZFg0tXaly/UWf2XsD6RkStnuotPssinv8F/GeM1d0eFUmbXagV4P8CeeCwHLNpu9thaGzy6lLEwlLAVjlkba3BjZsOh0Zd+vpc+ksuw8MOYyMOo6MOA/02xX1MOwpDM5C6tmFWPV1YDFhaDljf8FnfCFhc8pl7EPDVTMDN21EnbFkTSHz8C2b2wnJblfZtdrFqwAzG0ryMed1iilSv5RNx63bErdshsUl5ZNrh9CmHE8dcjky7TE44DA869BRtnIfGhGVO2mr2DCJJRcbMiNjeMXsU3Z8PuDPr89VMg+s3Ar681XGvg0fAKvA58AlwAzMOqUJ6UncDY2XeAE5jxpg65r0F245YWQ24cjVg5k6Dnh4oFizyOfOuUyZj5u+5roXrmAyFBWEYl27mWK+H1OuRLGgfUS7DVjlicwscpyM3AljFOHXz0qcOVUjf/vTJY6zwHjpsZbkwNAstlrd5TNawHh5zOchnjZBq9YidneTPdN2r7z0SE7l2E1G7CsnBDM6ekmOX0RRKrQq1Wrfq5htPlwHMS6EjmHHGRjtdlXabyGJjLPBRjA3eRxevdWrGnqTR9RSAQxhnd6jdkkC7CSkjfaLDIiJdd0/ZXd4dlpZVIT2ePHBSUnhG40Z5RFfkmMRIXoW0NyHpwtvKbjzMEgUnxXRQIT2GIvAcKZoFrrQ8I03Jg7akQvomllykfhHRGCl4yU9pOY4YDZMYQ6pIm5hR7SSkIUnbw9KRVKNBeVSc2Ji3A2Ir3FYhff1JMwk8j3HrFOVJ9GJmvUy1S+XSLkKy5aKcloukKE+iRHP6mGakXZ3IScxsBhWS8m30ACckZrIqpGbdW8SMWB/BjGArypPIi4gmpCvgqpCao9UTko3UrVP2QgGzwOixdqhi2kFIfVLvpmZRfaUtsDDDJKdpgzep20FIA8AZEZJa3sp+hDQusaNCEiGdlqeLpfGh7CN2RzEG1eBBx85BCsnCTEwdBo5jBmRVSMp+4mcQM4g/Kn0muxuF5Elqnpas5KmQlKcQU4mmWeV1o5Ay8jQ5jlreytOTxTh3xznAMSX7gC/Ac5iBtazGg/IMcXS824UUXwB9iU95lsrmuDyQc90opBJmJsMk+u6R8mx97XhWzIEtT3AQ/2m8IsxhzGIWPehsBuXZYjiPcX+PYpw8uxuEZIuATmEsbx2EVb4LBiSmDnEA7u9BZaS2GZFWOoZ+mlPNuiYjqZCU75o+DnCq2UEIKU9z1m6P3n/lO6JXYmoCMy5pdbKQ8nKi8ebL6tYp3xUOxgmO4yvfyULqwQzCTtJm65IpHUFGhPRcq6udVgup7d61VzoKW2LrNC1e9+4ghHRGhaR8z0I606lCsmgu7nccM+1dhaR8H/E8SvO1HKdVpkOrgnn3Cpktd1WUrsCSvvewxNowLZo10yoheZgpQSdoszWblY6kV7LSNC1yhlslpHjx88PoAidKa+LtsMSc20lCivtIAbAG7Oi9Vr4ndiTGglb2kVqVHXxgEbgqJzgtfaa81LRZaZnEUWeEK48ilHiqAXU51oAqsA0sA7PAdYk5v1WZolVmQwkzH6pHBNSD2U0gHokelzYp3y89QkxqUHQX0SNEtAOsAgvAPPAAmBPx3Ac2RFBl+bwpD++OENLjysp+Ec0oxmEZxkyDH8G8V1KSjmNvQoh96KyITscHtkQEm/I5/noFWJLjimSgBck+S5KlWs5BCine68aRlvycx8zFO0RzjefYrDhCcw8lN/EzyX9Hx6jaP9OE0oJE84EGsC7ZZRa4J5/vS/aZT2SZ3T8fcEAbwLdzqZSR8q/nERlpQNqIiO2QZLUh+X5eY7WtCSTDrEomWdiVVdYSZVmckcpy3BEBtRVp6XNYu0rCnJR+cZ9qSrJWLKhBEVM+YWjk5LPOOG+dWGIToCqfKyKEzUQ/575knTn5PC+CCXdllygtAZomLBFE7PLlEp8L0vcaE4FNi+Di8nCAr2+taSWOamY8nRkQJT6HiT7OQqIci02Bu5J1NkVgSectduKCNAZkJ5JLlH7DUvINyddx+deXKBf7pZXQAeP9UJMSbC1Rjm0kjIDVXW1ZRLSRRrF0o5CshOmQbK6IZTSRpeJlk6elTOyXv5dsXsLI6KasFSZMgN2tIqbAHHBHMs1colRbFeMgSJRpyc+RCindxMs3FROtJ5GdBmna8GMitDHJZt20dFgkpVdsCMwnyrRF+X7Smo4NgXgMp9FNQaV9gq/j0RwoHqNpvU/I1/3y57EACyLK+JhG270h2WVbjvHnLSnX4nGaONvENvS6lHaRho0K6XEloZcwMzKJzz2SreIxrelEeZjcutNOmBfWARsZSRMg2tVqIpa4HLtPc5bAPRFRbAA05Bh/9lVEKqRnuV49ifIvNi52f91Pc7xrUI7FA/qdA5p286oIZz3x9XrCGFiT44p8rugtVyF931kreXQwlvpAIkPFWSo2MoZETN5j2tPei2iXIdBIZI2q9FfmJcPMJkq0Wenr7MjPJTNWRxoCKqT0kEn0mQoJU6NXstQw33QMx+X7Tzt/0KdpOcfjNsnpNCs0ZwSU5bgj/aCqikWFlDbyNCfpjiVENCbi6hfBJZ3EHhGYJX2VMl93xralbItNgaS79gAzZrOuYlEhdRLxpNzd41NxFhuhOd0pbtOSrWwRS2wCJFtcnsUzAhqJEs+nwwY+VUjKt1GkOctiIHHskfu0kzAK4uO6lG2KCklJ3Ivd8/6S34t2GQCRGgKKoiiKoiiKoiiKoiiKoiiKoiiKoiiKoiiKoiiKoiiKoiiKoiiKoiiKoiiKoiiKoihKmvn/rsgGwMM9TS0AAAAASUVORK5CYII=
The integration does not deploy the OpenUnison plugin for Headlamp, so the who-am-i and namespace listing functions are not present. Otherwise, you'll have the same access as if using OpenUnison's native Headlamp.
Using OpenUnison for Headlamp, but not kubectl
If you want to securely access Headlamp, but don't want to change how users login to Kubernetes for your cluster, you can deploy OpenUnison to just support Headlamp. These configuration changes can be used if you want to deploy OpenUnison's hardened Headlamp configuration or if you want to use your existing Headlamp deployment:
# tells OpenUnison to use impersonation, this works
# even if your cluster is configured to use OpenID Connect
enable_impersonation: true
# disables OpenUnison's kubectl integration and
# doesn't deploy the kube-oidc-proxy
openunison:
kubeAuth:
enabled: false
Once OpenUnison is (re)deployed, the tokens badge will be gone, but the Headlamp badge will still be there.