Headlamp

Last updated March 27, 2026

Headlamp is a web-based interface for managing a cluster. It allows you to view cluster resources, manage them, and monitor application status without using kubectl.

Installation
Copy link

  1. Go to the Kubernetes section and click on the cluster.
  2. Navigate to the Addons tab and select Headlamp.
  3. Enable Advanced setup and adjust the configuration for your needs. For example, you can set up:
    • the domain where the interface will be available;
    • ingress settings;
    • OIDC configuration.
  4. Click Install.

To verify that the add-on is installed correctly, run:

kubectl get pod -n headlamp

If the installation was successful, you will see a pod with the Running status.

Authentication
Copy link

After installation, the Headlamp icon will appear in the cluster dashboard.

D2492951 3acf 406b 9ac5 04a276e82d10

Click it to open the interface. If you are not authenticated, you will need to provide a token.

You can obtain the token from the Dashboard tab by clicking Copy next to Dashboard token:

Dd656c47 9ad0 4ca1 A263 6f7a7f96a915

After authentication, the Headlamp interface will be displayed.

6454a333 1712 4216 Ad93 808ab30dced1.png

Headlamp interface

Main sections are:

  • Cluster: cluster information and status
  • Map: visualization of resources and their relationships
  • Workloads: management of workloads (Pods, Deployments, StatefulSets)
  • Storage: PVCs, PVs, and storage classes
  • Network: services, ingress, and network policies
  • Gateway: Gateway API resources
  • Security: roles, service accounts, and access policies
  • Configuration: ConfigMaps, Secrets, and other settings
  • Custom Resources: custom resources (CRDs)
  • Create: create resources via the interface

Configuring Authentication
Copy link

If the Headlamp interface is exposed externally, it is recommended to configure additional basic authentication.

Headlamp does not support username and password authentication directly. Instead, basic authentication is configured at the ingress level.

Create a file with a username and password:

htpasswd -c auth admin

Here, admin is the username. You will be prompted to enter the desired password twice.

This command creates a file named auth.

If the htpasswd utility is not available, install the apache2-utils package.

Next, create a secret in the headlamp namespace using the generated file:

kubectl create secret generic headlamp-basic-auth \
  --from-file=auth \
  -n headlamp

Go to the Addons section in the cluster dashboard and open the installed Headlamp add-on.

Enable advanced setup and locate the following block:

ingress:
 enabled: true
 annotations: {}

Remove {} next to annotations and add the required annotations:

ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: headlamp-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"

Click Save and wait for the add-on to be updated.

After that, when accessing Headlamp, you will first be prompted for a username and password, and then for a token.

To change the password, create a new auth file and update the secret in the cluster.