The module does not have any mandatory parameters.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Note that the configOverrides parameter of the InitConfiguration resource is used when installing Deckhouse, not ModuleConfig.

Set the dashboardEnabled: true or dashboardEnabled: false in the configOverrides parameter to explicitly enable or disable the module when installing Deckhouse.

Use the dashboard section of the configOverrides parameter to configure the module when installing Deckhouse.

Set the spec.enabled module parameter to true or false to explicitly enable or disable the module.

Example of enabling the dashboard module:

kind: ModuleConfig
  name: dashboard
  enabled: true

Example of disabling the dashboard module:

kind: ModuleConfig
  name: dashboard
  enabled: false

The module is configured using the ModuleConfig custom resource named dashboard (learn more about setting up Deckhouse…).

Example of the ModuleConfig/dashboard resource for configuring the module:

kind: ModuleConfig
  name: dashboard
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.


Schema version: 1

  • accessLevelstring

    The level of access to the dashboard if the user-authn module is disabled and no externalAuthentication is configured. See supported values in the user-authz documentation.

    By default, User level is used.

    Use user-authz module settings to configure access if the user-authn module is enabled or externalAuthentication is configured.

    Default: "User"

    Allowed values: User, PrivilegedUser, Editor, Admin, ClusterEditor, ClusterAdmin, SuperAdmin

  • authobject

    Options related to authentication or authorization in the application.

    • auth.allowScaleboolean

      Activate ability to scale Deployment and StatefulSet from the web interface.

      This parameter has no effect if the externalAuthentication is enabled.

    • auth.externalAuthenticationobject

      Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the Nginx auth_request module.

      Note! External authentication is enabled automatically if the user-authn module is enabled.

      • auth.externalAuthentication.authSignInURLstring

        The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

      • auth.externalAuthentication.authURLstring

        The URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

      • auth.externalAuthentication.useBearerTokensboolean

        The dashboard must use the user ID to work with the Kubernetes API (the authentication service must return the Authorization HTTP header that contains the bearer-token – the dashboard will use this token to make requests to the Kubernetes API server).

        Default value is false.

        Caution! For security reasons, this mode only works if https.mode (global or for a module) is not set to Disabled;

    • auth.whitelistSourceRangesarray of strings

      The CIDR range for which authentication to access the dashboard is allowed.

  • highAvailabilityboolean

    Manually enable the high availability mode.

    By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.


    highAvailability: true
  • httpsobject

    What certificate type to use with the dashboard.

    This parameter completely overrides the global.modules.https settings.


      mode: CustomCertificate
        secretName: foobar
      mode: CertManager
        clusterIssuerName: letsencrypt
    • https.certManagerobject
      • https.certManager.clusterIssuerNamestring

        What ClusterIssuer to use for the dashboard. Currently, letsencrypt, letsencrypt-staging, selfsigned are available; also, you can define your own.

        Default: "letsencrypt"

    • https.customCertificateobject
      • https.customCertificate.secretNamestring

        The name of the Secret in the d8-system namespace to use with the dashboard (this Secret must have the format).

        Default: "false"

    • https.modestring

      The HTTPS usage mode:

      • CertManager — the dashboard will use HTTPS and get a certificate from the ClusterIssuer defined in the certManager.clusterIssuerName parameter.
      • CustomCertificate — the dashboard will use the certificate from the d8-system namespace for HTTPS.
      • Disabled — in this mode, the dashboard works over HTTP only.
      • OnlyInURI — the dashboard will work over HTTP (thinking that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.

      Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

  • ingressClassstring

    The class of the Ingress controller used for the dashboard.

    By default, the modules.ingressClass global value is used.

    Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

  • nodeSelectorobject

    The same as in the Pods’ spec.nodeSelector parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

  • tolerationsarray of objects

    The same as in the Pods’ spec.tolerations parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

    • tolerations.effectstring
    • tolerations.keystring
    • tolerations.operatorstring
    • tolerations.tolerationSecondsinteger
    • tolerations.valuestring


user-authn module provides authentication by default. Also, externalAuthentication can be configured (see below). If these options are disabled, the module will use basic auth with the auto-generated password.

Use kubectl to see password:

kubectl -n d8-system exec deploy/deckhouse -- deckhouse-controller module values dashboard -o json | jq '.dashboard.internal.auth.password'

Delete the Secret to re-generate password:

kubectl -n d8-dashboard delete secret/basic-auth

Note! The auth.password parameter is deprecated.