The Grafana instance bundled with kube-prometheus-stack works the moment the pods come up, but two things almost always need attention before anyone else touches it: the default login has to change, and someone needs to decide how the rest of the team is actually going to reach it.

Quick Answer

To change the default Grafana password in kube-prometheus-stack, set grafana.adminPassword — or better, grafana.admin.existingSecret — in values.yaml before going to production. The chart's default admin / prom-operator login is meant only for first access.

None of this requires touching Grafana directly — every setting covered here lives in the chart's own values.yaml, under the grafana key, applied the same way as any other kube-prometheus-stack configuration change through helm upgrade.

Default Login & Changing the Password

Every kube-prometheus-stack install ships the same default Grafana credentials: admin / prom-operator. It's identical across every deployment of the chart, which makes it the first thing worth changing in any environment beyond a local test cluster.

Set a real password directly in values.yaml:

values.yaml
grafana:
  adminPassword: "your-strong-password-here"

For anything production-facing, reference a Kubernetes Secret instead of a plaintext value using grafana.admin.existingSecret, so the password never lives in a values file that ends up in Git.

Exposing Grafana: Ingress, NodePort, Port-Forward

By default, Grafana is only reachable from inside the cluster via its ClusterIP service. There are three common ways to reach it from outside, depending on what stage of setup you're at:

  1. Port-forward for quick, local access: kubectl port-forward -n monitoring svc/kube-prometheus-stack-grafana 3000:80 — no cluster changes needed, but not usable by a whole team.
  2. NodePort for simple external access without an ingress controller — set grafana.service.type: NodePort, useful for bare-metal or small clusters.
  3. Ingress for a real, TLS-terminated URL — configure grafana.ingress.enabled: true along with a host and TLS secret, the standard choice for anything shared with a team.

OAuth, OIDC & LDAP Authentication

Grafana's own authentication system supports generic OAuth, OIDC, LDAP, and SAML directly — none of that requires a separate proxy or plugin. Configuration goes through grafana.grafana.ini in your kube-prometheus-stack values.yaml, under an [auth.generic_oauth] or [auth.ldap] section, exactly as it would in a standalone Grafana install.

The one kube-prometheus-stack-specific detail: client secrets for OAuth/OIDC should go through grafana.envValueFrom pointing at a Secret, not directly in grafana.ini, since values.yaml is often stored in Git.

Running Without the Bundled Grafana

Some teams already run a centralized, standalone Grafana instance and don't want a second one per cluster. Disabling the bundled one is a single flag — grafana.enabled: false — after which Prometheus and Alertmanager still install normally; only the Grafana deployment, its dashboards ConfigMaps, and its service are skipped. Point the external Grafana instance at the cluster's Prometheus service directly as a data source afterward.

Restricting Network Access to Grafana

Exposing Grafana — through Ingress or NodePort — makes it reachable, but reachability and access control are two separate problems. A NetworkPolicy scoped to the monitoring namespace that only allows ingress from your cluster's actual ingress controller (rather than from every pod in the cluster) closes off the most common lateral-movement path into Grafana, independent of whatever authentication method is configured on top of it.

For teams that want read-only dashboards visible without requiring a login at all — a status-page style view — Grafana's auth.anonymous settings under grafana.grafana.ini can grant anonymous users a fixed Viewer role scoped to a specific organization, without exposing the admin interface alongside it.

Frequently Asked Questions

What is the default Grafana password?

admin / prom-operator — the same on every install until overridden.

How do I expose Grafana outside the cluster?

Port-forward for quick access, NodePort for simple external access, or Ingress with TLS for a proper shared URL.

Can I use OAuth to log in?

Yes — configure it under grafana.grafana.ini's [auth.generic_oauth] section in values.yaml.

Conclusion

Grafana access in kube-prometheus-stack is entirely a values.yaml concern — the password, the exposure method, and the authentication backend are all configuration, not code. Get the password changed and the exposure method decided before the first real dashboard gets built on top of it.

Ready to Deploy?

Get your full Kubernetes observability stack running in minutes with the official Helm chart.

Quick Install Guide View on GitHub