Exposing the Dashboard
A sample ingress definition is:
This exposes the dashboard at dashboard.example.com and protects it with basic auth using admin/admin. Take a look at the ingress-nginx documentation for details on how to change the username and password.
A more secure alternative to basic auth is using an authentication proxy, such as oauth2-proxy.
For reference on how to deploy and configure oauth2-proxy in Kubernetes, see this blog post by Don Bowman.
Where the oauth2-proxy secret would contain the required configuration, such as client-id, client-secret and cookie-secret.
Once set up, a sample ingress would be:
A sample ingress definition is:
This exposes the dashboard at and protects it with basic auth using admin/admin. Take a look at the Traefik documentation for details on how to change the username and password.
Note that this protection also covers the .
The ingress-nginx config above uses the nginx.ingress.kubernetes.io/upstream-vhost annotation to properly set the upstream header. Traefik on the other hand doesn’t offer that option, so you’ll have to manually set the required Host as explained below.
If your HTTP client (Ingress or otherwise) doesn’t allow rewriting the Host header, you can change the validation regexp that the dashboard server uses, which is fed into the linkerd-web deployment via the enforced-host container argument.
If you’re managing Linkerd with Helm, then you can set the host using the enforcedHostRegexp value.
If you want to completely disable the header check, use an empty string for -enforced-host.
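The following is an added example, not Linkerd's own code, sketching how a regexp-driven Host header check behaves so you can sanity-test a candidate enforced-host value: an unanchored pattern also accepts hosts that merely contain the expected name, and an empty pattern accepts everything. The hostCheck type, the patterns and the Host values are constructed for illustration, and the matching semantics (Go regexp, unanchored unless the pattern anchors itself) are an assumption about the dashboard server.

```go
package main

import (
	"fmt"
	"regexp"
)

// hostCheck models an enforced-host style check (hypothetical type, not
// Linkerd's): a request passes only if its Host header matches the pattern.
type hostCheck struct {
	re *regexp.Regexp // nil means the check is disabled
}

// newHostCheck compiles the pattern. An empty pattern disables the check,
// mirroring what the page describes for an empty -enforced-host.
func newHostCheck(pattern string) (*hostCheck, error) {
	if pattern == "" {
		return &hostCheck{}, nil
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("invalid host pattern: %w", err)
	}
	return &hostCheck{re: re}, nil
}

// allowed reports whether the given Host header value passes the check.
func (c *hostCheck) allowed(host string) bool {
	if c.re == nil {
		return true
	}
	return c.re.MatchString(host)
}

func main() {
	// Constructed patterns and Host values, for illustration only.
	loose, _ := newHostCheck(`dashboard\.example\.com`)
	strict, _ := newHostCheck(`^dashboard\.example\.com(:\d+)?$`)
	off, _ := newHostCheck("")
	hosts := []string{
		"dashboard.example.com",
		"dashboard.example.com:8443",
		"dashboard.example.com.other.test",
		"other.test",
	}
	for _, h := range hosts {
		fmt.Printf("%-34s loose=%-5v strict=%-5v off=%v\n",
			h, loose.allowed(h), strict.allowed(h), off.allowed(h))
	}
}
```

Anchoring the pattern with ^ and $ is what keeps a look-alike host such as dashboard.example.com.other.test from passing.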