Setting up the Headlamp add-on

Headlamp is a Kubernetes dashboard that provides a graphical user interface for managing and monitoring your cluster resources. The Headlamp add-on for IBM Cloud® Kubernetes Service provides a seamless installation of Headlamp with automatic lifecycle management and integration with IBM Cloud Identity and Access Management (IAM) for authentication.

The Headlamp add-on is available in beta.

Understanding the Headlamp add-on

The Headlamp add-on is the recommended replacement for the archived kubernetes-dashboard project. Headlamp provides a modern, user-friendly interface for viewing and managing Kubernetes resources in your cluster.

Key features of the Headlamp add-on include:

  • IAM OIDC authentication: Seamlessly authenticate with your IBM Cloud account using IAM OIDC.
  • Independent lifecycle management: The add-on version is decoupled from cluster master BOM versions, allowing for independent updates.
  • Ready to Access: The add-on is automatically exposed through an Ingress resource on your cluster's default public ingress hostname with a headlamp subdomain.
  • Secure access: Each cluster receives a unique OIDC client ID to prevent authentication spoofing attacks.

Prerequisites

Before you install the Headlamp add-on, ensure that your cluster meets the following requirements:

Installing the Headlamp add-on

The Headlamp add-on is currently only available through the CLI. You cannot install or manage the add-on from the IBM Cloud console.

Installing the Headlamp add-on with the CLI

  1. Target your cluster.
    ibmcloud ks cluster config --cluster <cluster_name_or_ID>
  2. Enable the headlamp add-on.
    ibmcloud ks cluster addon enable headlamp --cluster <cluster_name_or_ID>
  3. Verify that the Headlamp add-on has a status of Addon Ready.
    ibmcloud ks cluster addon ls --cluster <cluster_name_or_ID>
    Example output:
    NAME       Version   Health State   Health Status
headlamp   0.1.0     normal         Addon Ready
  4. Verify that the Headlamp pods are running.
    kubectl get pods -n ibm-system -l app.kubernetes.io/name=addon-headlamp

Accessing the Headlamp dashboard

After you install the Headlamp add-on, you can access the dashboard through your cluster's default ingress hostname.

  1. Get your cluster's default ingress hostname.

    ibmcloud ks cluster get --cluster <cluster_name_or_ID> | grep "Ingress Subdomain"

  2. Open your browser and navigate to https://headlamp.<ingress_subdomain>, where <ingress_subdomain> is your cluster's default ingress hostname.

    Example: https://headlamp.mycluster-abc123-0000.us-south.containers.appdomain.cloud

  3. Click Sign In to authenticate with IBM Cloud IAM.

  4. If you're not already logged in to IBM Cloud, you'll be redirected to the IAM login page. After authentication, you'll be redirected back to the Headlamp dashboard.

  5. Once authenticated, you can view and manage your cluster resources through the Headlamp interface.

Migrating from kubernetes-dashboard

The Kubernetes community has archived the kubernetes-dashboard project. After you install the Headlamp add-on, you can scale down the kubernetes-dashboard deployment if it's running in your cluster.

To scale down the kubernetes-dashboard deployment after installing Headlamp:

kubectl scale deployment -n kube-system kubernetes-dashboard --replicas=0
kubectl scale deployment -n kube-system dashboard-metrics-scraper --replicas=0

Understanding Headlamp authentication

The Headlamp add-on uses IBM Cloud IAM OIDC authentication to secure access to your cluster resources.

When you enable the Headlamp add-on, the following authentication components are automatically configured:

  • Unique client ID: A unique OIDC client ID is created for your cluster and stored in a Kubernetes secret in the ibm-system namespace.
  • Hybrid private-public OIDC: Headlamp uses private IAM endpoints for backchannel requests, while frontchannel - login in the browser - happens over public IAM endpoints.
  • Token management: Authentication tokens are stored in browser cookies and automatically included in requests to the Kubernetes API server.

The authentication flow works as follows:

  1. When you access the Headlamp dashboard, you're presented with a login page.
  2. Clicking Sign In redirects you to the public IBM Cloud IAM authorization endpoint.
  3. After successful authentication, IAM redirects you back to Headlamp with an authorization code.
  4. Headlamp exchanges the authorization code for an access token over private network.
  5. The access token is used to authenticate requests to the Kubernetes API server.

Your access to cluster resources is determined by your IBM Cloud IAM roles and Kubernetes RBAC permissions enforced by the Kubernetes API server.

Updating the Headlamp add-on

The Headlamp add-on is automatically updated when new versions are released. You can check the current version and health status of the add-on at any time.

To check the add-on version:

ibmcloud ks cluster addon ls --cluster <cluster_name_or_ID>

Disabling the Headlamp add-on

If you no longer need the Headlamp dashboard, you can disable the add-on.

When you disable the Headlamp add-on, the following resources are removed:

  • Headlamp deployment and pods
  • Headlamp service and ingress resources
  • OIDC client ID and associated secrets

Disabling the Headlamp add-on with the CLI

  1. Disable the Headlamp add-on.
    ibmcloud ks cluster addon disable headlamp --cluster <cluster_name_or_ID>
  2. Verify that the add-on is removed.
    ibmcloud ks cluster addon ls --cluster <cluster_name_or_ID>

Accessing Headlamp over private ingress on VPC clusters

Configure your VPC cluster to access Headlamp through private ingress instead of public ingress for enhanced security.

When you choose to access Headlamp from private networks, like over a VPC VPN, you can reconfigure your cluster with the following steps:

  1. Disable your cluster's public ALB.

    ibmcloud ks ingress alb disable --cluster <cluster_name_or_ID> --alb <public_ALB_ID>

  2. Enable private ingress.

    ibmcloud ks ingress alb enable vpc-gen2 --cluster <cluster_name_or_ID> --alb <private_ALB_ID>

  3. Register a domain to the private ALB.

    ibmcloud ks ingress domain create --cluster <cluster_name_or_ID> --hostname $<private_ALB_ID_hostname>

  4. Set the new domain as the default.

    ibmcloud ks ingress domain default replace --cluster <cluster_name_or_ID> --domain <new_domain>

The IBM Cloud backend updates headlamp in approximately 5 minutes. When the update completes, the dashboard is available on the new default ingress hostname, with headlamp. subdomain.

Kubernetes resources created by the addon

The Headlamp addon creates several Kubernetes resources in your cluster that require proper network configuration.

If you have a custom firewall or network settings, you need to configure that to allow communication between the following resources:

  • 2 Ingress resources
    • private with private-iks-k8s-nginx ingressClass
    • public with public-iks-k8s-nginx ingressClass
  • 1 Service (ClusterIP on port 80 → 4466)
  • 1 Deployment
    • headlamp container (port 4466)
    • nginx sidecar container

Troubleshooting the Headlamp add-on

Use the following information to troubleshoot common issues with the Headlamp add-on.

Cannot access the Headlamp dashboard

If you can't access the Headlamp dashboard, verify the following:

  1. Check that the add-on is installed and healthy.
    ibmcloud ks cluster addon ls --cluster <cluster_name_or_ID>
  2. Verify that the Headlamp pods are running.
    kubectl get pods -n ibm-system -l app.kubernetes.io/name=addon-headlamp
  3. Check that the ingress resource is configured correctly.
    kubectl get ingress -n ibm-system
  4. For VPC clusters, verify that your security group allows outbound HTTPS connections to IAM endpoints.

Authentication fails

If authentication fails when accessing the Headlamp dashboard:

  1. Verify that you have the necessary IAM permissions to access the cluster.

  2. Check that your browser can access https://iam.cloud.ibm.com.

  3. Clear your browser cookies and try again.

  4. Verify that the OIDC client ID secret exists in your cluster.

    kubectl get secret clientid-secrets -n ibm-system

Pods are not running

If the Headlamp pods are not running:

  1. Check the pod status and events.
    kubectl describe pods -n ibm-system -l app.kubernetes.io/name=addon-headlamp
  2. Check the pod logs for errors.
    kubectl logs -n ibm-system -l app.kubernetes.io/name=addon-headlamp
  3. For VPC clusters, verify that your cluster has a public gateway attached and can reach external endpoints.

Limitations

The Headlamp add-on has the following limitations:

  • Beta release: The Headlamp add-on is currently in beta. Features and functionality may change.
  • Public access only by default: In the beta release, the Headlamp dashboard uses the default public ingress hostname unless you manually configure private ingress access.
  • VPC network requirements: VPC clusters require a public gateway and security group configuration to allow access to IAM endpoints.
  • Browser requirements: You must use a modern web browser with JavaScript enabled and cookie support.