This guide walks you through the key features of the SecureGuard dashboard. It assumes you have a running deployment (see Getting Started) and are logged in.
SecureGuard is, by design, mostly a read-only “control room.” It is built to give you safe visibility into your secret-syncing setup, plus a few safe day-2 operations — without ever exposing secret values and without turning the browser into a general-purpose Kubernetes editor.
Most ESO resources (ExternalSecrets, SecretStores, PushSecrets, ReloaderConfigs)
are created and edited outside the dashboard — with kubectl or your GitOps
tool (Argo CD, Flux) — so they live in version control and code review. The
dashboard then lets you watch, troubleshoot, and run targeted actions on them.
| Resource | View | Create | Edit | Delete | Other actions |
|---|---|---|---|---|---|
| ExternalSecret | ✅ | — | — | ✅ | Sync Now (force a refresh) |
| SecretStore / ClusterSecretStore | ✅ | — | — | — | — |
| PushSecret | ✅ | — | — | ✅ | — |
| Kubernetes Secret | ✅ (masked) | — | — | — | — |
| ReloaderConfig | ✅ | — | — | ✅ | — |
| ESODeployment | ✅ | ✅ | ✅ | ✅ | Guided create/edit form |
| Cluster | ✅ | ✅ (upload kubeconfig) | — | ✅ | Health check |
| Federation (Server / Authorization) | ✅ | — | — | — | — |
Why so read-only? Each thing the browser can do must be explicitly allowed by the proxy’s route allowlist. Keeping the surface small is a deliberate security choice — see Architecture → Security Model. To create the resources marked “—” above, use kubectl apply or GitOps.
The Dashboard page provides an at-a-glance view of your secrets management posture:
Navigate to External Secrets in the sidebar. The table shows all ExternalSecrets across your selected namespace(s) with:
Synced (green), Pending (amber), or Error (red)Click any row to open the detail view, which includes:
••••••••)ExternalSecrets are not created from the dashboard. Create them with
kubectl or your GitOps tool so they stay in version control. A minimal example:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: db-creds
namespace: default
spec:
refreshInterval: 1h
secretStoreRef:
name: my-store # an existing SecretStore/ClusterSecretStore
kind: SecretStore
target:
name: db-creds # the Kubernetes Secret ESO will create
data:
- secretKey: password # key in the created Secret
remoteRef:
key: secret/db/postgres # path in the provider
property: password # field at that path
kubectl apply -f db-creds-externalsecret.yaml
Within a few seconds it appears in the dashboard’s External Secrets list, where you can watch it sync. (See ESO Basics for what each field means, and the Glossary for the terms.)
From an ExternalSecret’s detail view you can:
force-sync annotation; ESO reacts to it.) Use this after rotating a value in
the provider and wanting it reflected right away.kubectl
/ GitOps, then re-viewed here.SecretStores define how to connect to an external secret provider (OpenBao, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, etc.).
Both types are managed from the Secret Stores page. Use the tab selector to switch between the two.
SecretStores are view-only in the dashboard — create and edit them with
kubectl or GitOps. The list shows each store’s provider and its Ready
status; the detail view shows the full configuration as read-only YAML and the
store’s status conditions.
When you look at a store’s configuration, note that credential fields are references, not raw values: a store points to an existing Kubernetes Secret (by name and key) that holds the actual provider credentials — the dashboard never shows or accepts the credentials themselves.
PushSecrets are the reverse flow — they push Kubernetes Secrets upstream to an external provider.
On the Push Secrets page you can view all PushSecrets and their sync
status, open a detail view, and delete a PushSecret. Creating a PushSecret is
done with kubectl or GitOps (the dashboard has no create form). A PushSecret
specifies the source Kubernetes Secret, the target SecretStore, the destination
path in the provider, and which keys to push.
The Secrets page lists all Kubernetes Secrets in the selected namespace(s). For each secret:
••••••••This page is view-only — Kubernetes Secrets are created and updated by ESO (from your ExternalSecrets), not edited by hand in the dashboard.
ReloaderConfigs trigger automatic workload restarts when synced secrets change.
On the Reloaders page you can view all ReloaderConfigs and their status,
and delete one. They are created with kubectl / GitOps and specify:
ESODeployments manage the ESO operator lifecycle across clusters:
Deploying, Running, Upgrading, ErrorThe Federation page provides read-only visibility into cross-cluster secret distribution — letting a central SecureGuard instance serve secret data to many clusters without exposing the backend stores. It has two tabs:
FederationServer resources, which declare what the broker
exposes (backend stores) and which token issuers it trusts, with Ready status.FederationAuthorization policies, which grant a specific
remote identity read access to specific stores and key globs (deny-by-default).These resources carry references and policy only — never secret values.
Secret serving happens in the separate federation broker, not in the dashboard
proxy. Federation is opt-in and disabled by default. For setup, the broker, the
fedclient consumer, and resolution modes, see the Federation guide.
The Event Stream page shows real-time Kubernetes events related to ESO resources. Use it for:
kubectlThe Visualization page renders an interactive graph showing relationships between:
Click any node to navigate to its detail page. Use the controls to zoom, pan, and re-layout the graph.
The cluster selector in the top bar lets you scope the view to a specific cluster or view resources across all clusters.
The Cluster Management page shows the health status of all connected clusters. Unhealthy clusters are flagged with the reason (unreachable, auth expired, etc.).
The namespace selector in the top bar filters all views by namespace. Select “All Namespaces” to see resources across the entire cluster.
The selected namespace is persisted in the URL (?namespace=...), making it shareable and bookmarkable.
As you use the dashboard, keep these security principles in mind: