Quick Start with Kubernetes

Manage your Kubernetes clusters with Meshery. Deploy Meshery in Kubernetes in-cluster or outside of Kubernetes out-of-cluster. Note: It is advisable to install Meshery in your Kubernetes clusters

Prerequisites

Install the Meshery command line client, mesheryctl.
Install kubectl on your local machine.
Access to an active Kubernetes cluster.

Available Deployment Methods

In-cluster Installation
Out-of-cluster Installation
- Set up Ingress on Minikube with the NGINX Ingress Controller
- Installing cert-manager with kubectl
  - See Also

In-cluster Installation

Follow the steps below to install Meshery in your Kubernetes cluster.

Preflight Checks

Read through the following considerations prior to deploying Meshery on Kubernetes.

Preflight: Cluster Connectivity

Verify your kubeconfig’s current context is set to the Kubernetes cluster you want to deploy Meshery to.

	
		kubectl config current-context

Installation: Using `mesheryctl`

Once configured, execute the following command to start Meshery.

Before executing the below command, go to ~/.meshery/config.yaml and ensure that the current platform is set to Kubernetes.

	
		mesheryctl system start

Installation: Using Helm

For detailed instructions on installing Meshery using Helm V3, please refer to the Helm Installation guide.

Post-Installation Steps

Optionally, you can verify the health of your Meshery deployment using mesheryctl system check.

You’re ready to use Meshery! Open your browser and navigate to the Meshery UI.

Accessing Meshery UI

After successfully deploying Meshery, you can access Meshery's web-based user interface. Your default browser will automatically open and navigate to Meshery UI (default location is http://localhost:9081).

You can use the following command to open Meshery UI in your default browser:


mesheryctl system dashboard

If you have installed Meshery on Kubernetes or a remote host, you can access Meshery UI by exposing it as a Kubernetes service or by port forwarding to Meshery UI.


mesheryctl system dashboard --port-forward

Depending on how you have networking configured in Kubernetes, you can use kubectl to port forward to the Meshery UI.


kubectl port-forward svc/meshery 9081:9081 --namespace meshery

Verify Kubernetes Connection

After installing Meshery, regardless of the installation type, it is important to verify that your kubeconfig file has been uploaded correctly via the UI.

In the Meshery UI, navigate to Lifecycle from the menu on the left.
Click on Connections.
Ensure that your cluster appears in the list of connections and is marked as Connected.
Click on the cluster name to perform a ping test and confirm that Meshery can communicate with your cluster.

Customizing Your Meshery Provider Callback URL

Meshery Server supports customizing your Meshery Provider authentication flow callback URL. This is helpful when deploying Meshery behind multiple layers of networking infrastructure.

For production deployments, it is recommended to access the Meshery UI by setting up a reverse proxy or using a LoadBalancer. By specifying a custom redirect endpoint, you can ensure that authentication flows complete successfully, even when multiple routing layers are involved.

Note: For production deployments, it is important to select the Remote Provider in order to control which identity providers are authorized. Learn more about this in the Extensibility: Providers guide.

Define a custom callback URL by setting up the MESHERY_SERVER_CALLBACK_URL environment variable before installing Meshery.

To customize the authentication flow callback URL, use the following command:


MESHERY_SERVER_CALLBACK_URL=https://custom-host mesheryctl system start

Meshery should now be running in your Kubernetes cluster and the Meshery UI should be accessible at the EXTERNAL IP of the meshery service.

Exposing Meshery Service (LoadBalancer)

When Meshery is installed in-cluster, Meshery UI is served by a Kubernetes Service named meshery in the meshery namespace. This Service is created as type LoadBalancer by default, forwarding port 9081 (Meshery UI) to the Meshery Server container on port 8080.

On a managed Kubernetes offering - such as GKE, EKS, AKS, or DigitalOcean Kubernetes - a LoadBalancer Service instructs the cloud provider to provision an external load balancer and assign it a routable EXTERNAL-IP. Retrieve the address with:

	
		kubectl get service meshery --namespace meshery

Once the EXTERNAL-IP column shows an address instead of <pending>, open Meshery UI in your browser at http://[EXTERNAL-IP]:9081.

If the Service was previously set to another type (for example, ClusterIP), switch it back to LoadBalancer:

	
		kubectl patch service meshery --namespace meshery --type merge -p '{"spec":{"type":"LoadBalancer"}}'

EXTERNAL-IP not assigned?

A LoadBalancer Service is only assigned an external address when the cluster runs a load balancer controller. Managed clouds provide one out of the box; bare-metal and local clusters (for example, Minikube or kind) do not. On those clusters, install a load balancer implementation such as MetalLB, expose Meshery through a NodePort Service instead, or reach the UI with port-forwarding by following the mesheryctl system dashboard guide.

Out-of-cluster Installation

Install Meshery on Docker (out-of-cluster) and connect it to your Kubernetes cluster.

Set up Ingress on Minikube with the NGINX Ingress Controller

Run the below command to enable the NGINX Ingress controller for your cluster:

	
		minikube addons enable ingress

To check if NGINX Ingress controller is running

	
		kubectl get pods -n ingress-nginx

Installing cert-manager with kubectl

Run the below command to install cert-manager for your cluster:

	
		kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml