
Accessing HashiCorp Vault UI in Kubernetes with LoadBalancer Service

After successfully deploying Vault in Kubernetes with High Availability (HA) and Raft storage, securely accessing the Vault UI is the next critical step for management and usage.

This guide explains how to expose the Vault UI externally using a LoadBalancer service in Kubernetes.

Why Use a LoadBalancer Service?

  • The Vault UI is served on port 8200 of the Vault service.
  • By default, the Vault Helm chart creates a ClusterIP service, which is reachable only from inside the Kubernetes cluster.
  • A LoadBalancer service provisions a cloud provider-managed external IP, enabling outside access to Vault UI.
  • This simplifies browser access and integration with your infrastructure.

Step 1: Create a LoadBalancer Service Manifest

Create a file vault-loadbalancer.yaml with the following content:

apiVersion: v1
kind: Service
metadata:
  name: vault-loadbalancer
  namespace: vault
spec:
  type: LoadBalancer
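  ports:
    # Vault API and UI listener
    - name: http
      port: 8200
      targetPort: 8200
    # Vault cluster port, used for server-to-server traffic;
    # browser access to the UI only needs 8200
    - name: cluster
      port: 8201
      targetPort: 8201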
  selector:
    app.kubernetes.io/name: vault

Step 2: Apply the LoadBalancer Service

Apply the manifest:

kubectl apply -f vault-loadbalancer.yaml -n vault

Step 3: Get the External IP

Check the service and wait for the external IP to be assigned:

kubectl get svc vault-loadbalancer -n vault

Output will look like:

NAME                 TYPE           CLUSTER-IP   EXTERNAL-IP     PORT(S)          AGE
vault-loadbalancer   LoadBalancer   10.x.x.x     <external-ip>   8200:xxxxx/TCP   1m

Once the EXTERNAL-IP column shows an address, you can proceed.

Step 4: Access Vault UI

Open your browser and navigate to:

http://<external-ip>:8200/ui

You’ll be greeted by the Vault UI login page.

Step 5: Login Using Vault Token

  • Use the root token generated during Vault initialization, or any other valid Vault token.
  • Enter the token in the login screen to access the UI.

Optional: Secure Your Vault UI

  • Enable TLS on your Vault server to encrypt UI traffic; over plain http://, the token entered at login is sent unencrypted.
  • Use Kubernetes Ingress with TLS termination for better control.
  • Restrict access using firewall rules or VPN.
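
One way to apply the "restrict access" point to the Service from Step 1, as an added example that is not part of the original guide: it publishes only port 8200 and uses the Service field loadBalancerSourceRanges to limit which client networks can connect. The CIDR is a constructed placeholder, and whether the field is enforced depends on the cloud provider's load balancer.

```yaml
# Added example: a narrower variant of vault-loadbalancer.yaml.
apiVersion: v1
kind: Service
metadata:
  name: vault-loadbalancer
  namespace: vault
spec:
  type: LoadBalancer
  # Only these client networks may reach the load balancer.
  # 203.0.113.0/24 is a documentation range used as a placeholder;
  # replace it with your office or VPN egress CIDR.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
  ports:
    # Only the API/UI listener is published; the cluster port 8201
    # from the Step 1 manifest is left out because browsers never use it.
    - name: http
      port: 8200
      targetPort: 8200
  selector:
    app.kubernetes.io/name: vault
```

Source ranges limit who can connect but do not encrypt anything, so the TLS point above still applies.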

Alternative for Development

For quick access without a LoadBalancer:

kubectl port-forward svc/vault -n vault 8200:8200

Then open:

http://127.0.0.1:8200/ui

Conclusion

Using a LoadBalancer service in Kubernetes to expose Vault UI provides convenient external access for users and admins. Combine it with proper security best practices for production deployments.
