# Sample Grafana In Kubernetes

1. [Home](https://www.agilicus.com/)
2. Sample Grafana In Kubernetes

![secure-login](https://www.agilicus.com/www/c927b6be-secure-login.svg)Sample Setup

---

## Grafana In Kubernetes

In this demonstration we will use the Agilicus Connector to securely, simply expose a Grafana service running inside a Kubernetes cluster.

[CONTACT ✉](/contact-us/)

## Overview

In this demonstration we will use the Agilicus Connector to securely, simply expose a Grafana service running inside a Kubernetes cluster.

This will work for clusters that have no Ingress, no LoadBalancer, no public IP. It will allow you to add any user, from any identity provider, with a simple single-sign-on. If you push alerts via a Chat channel, you can just click on the link to get to the graph, no VPN.

First, [install](/anyx-guide/agilicus-connector/) the Agilicus Connector in your Kubernetes cluster.

Second, create the Grafana Application in the Admin web interface.

[![](https://www.agilicus.com/www/2efb2e52-image.png)](https://www.agilicus.com/www/2efb2e52-image.png)The application name will become the hostname (e.g. here we will have https://grafana.\_\_MYDOMAIN\_\_)

[![](https://www.agilicus.com/www/c0fd0742-image.png)](https://www.agilicus.com/www/c0fd0742-image.png)You may use a pattern-based name (APPNAME.\_\_MYDOMAIN\_\_), or, a specific hostname (e.g. my-grafana).

[![](https://www.agilicus.com/www/7660800f-image.png)](https://www.agilicus.com/www/7660800f-image.png)Here we will use the Kubernetes Connector we created earlier.

[![](https://www.agilicus.com/www/6cc3dfbd-image.png)](https://www.agilicus.com/www/6cc3dfbd-image.png)For this demonstration we use TLS from user to the connector in your Kubernetes cluster. If there is a desire for fine-grained audit, use the other option.

[![](https://www.agilicus.com/www/852b3630-image.png)](https://www.agilicus.com/www/852b3630-image.png)The hostname will be with respect to CoreDNS in your cluster. In this case, we have installed grafana in the 'grafana' namespace, so it is http://grafana.grafana:3000

[![](https://www.agilicus.com/www/2efc8319-image-1024x720.png)](https://www.agilicus.com/www/2efc8319-image.png)We select 'authenticated by proxy'. In this case, no traffic will hit Grafana except for authenticated, authorised users.

[![](https://www.agilicus.com/www/27b38869-image.png)](https://www.agilicus.com/www/27b38869-image.png)You may choose to allow everyone access, or create specific groups.

[![](https://www.agilicus.com/www/97faa0a1-image.png)](https://www.agilicus.com/www/97faa0a1-image.png)We are now complete. Hit APPLY, and wait 2-3 minutes, then enter https://grafana.\_\_MYDOMAIN\_\_ in your browser.

[![](https://www.agilicus.com/www/6b689de1-image-1024x746.png)](https://www.agilicus.com/www/6b689de1-image.png)## Auto-Sign-In, Auto-User-Create (Optional)

The authenticating proxy sets various headers in a trusted fashion. These include:

```
Remote_org_id: <GUID>
Remote_user: <email>
Remote_user_id: <GUID>
X-Gateway-Org: <GUID>
X-Gateway-Primary-Role: <role name>
X-Gateway-Roles: <map appname: array role name>
X-Gateway-Tokenid: <GUID>
X-Gateway-User: <GUID>
X-Gateway-User-Email: <email>
```

In Grafana, in its config, this section can be configured. if so, the end-user will auto-login (create on first use) with no provisioning.

```
[auth.proxy]
enabled = true
header_name = Remote_user
header_property = username
auto_sign_up = true
```