diff --git a/README.md b/README.md
index ba1b8e4..e222898 100644
--- a/README.md
+++ b/README.md
@@ -86,12 +86,13 @@ kubectl apply -f apps/
## Access Points
-| Service | URL | Credentials / Notes |
-|------------------|------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|
-| **Severed Blog** | [http://blog.localhost:8080](https://www.google.com/search?q=http://blog.localhost:8080) | Public Access |
-| **Grafana** | [http://grafana.localhost:8080](https://www.google.com/search?q=http://grafana.localhost:8080) | **User:** `admin` / **Pass:** `severed_secure_password`
*(Anonymous View Access Enabled)* |
-| **Prometheus** | *Internal Only* | Accessed via Alloy/Grafana |
-| **Loki** | *Internal Only* | Accessed via Alloy/Grafana |
+| Service | URL | Credentials / Notes |
+|-------------------|------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
+| **Severed Blog** | [http://blog.localhost:8080](https://www.google.com/search?q=http://blog.localhost:8080) | Public Access |
+| **Grafana** | [http://grafana.localhost:8080](https://www.google.com/search?q=http://grafana.localhost:8080) | **User:** `admin` / **Pass:** `severed_secure_password`
*(Anonymous View Access Enabled)* |
+| **Prometheus** | *Internal Only* | Accessed via Alloy/Grafana |
+| **Loki** | *Internal Only* | Accessed via Alloy/Grafana |
+| **K8s Dashboard** | `https://localhost:8443` | **Auth:** Token-based. Access via `kubectl port-forward svc/kubernetes-dashboard-kong-proxy 8443:443 -n kubernetes-dashboard`. |
## Observability Features
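Review bot: the re-added Grafana row still prints the admin password `severed_secure_password` in the README, next to a note that anonymous view access is enabled. Since this hunk rewrites the whole table anyway, replace the literal with a pointer to the `grafana-secrets` Secret. The Blog and Grafana link targets are also still `https://www.google.com/search?q=...` wrappers rather than the service URLs. The new K8s Dashboard row should state that the token belongs to `admin-user`, which this commit binds to `cluster-admin`, so readers know what sits behind the port-forward on 8443.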
@@ -120,3 +121,14 @@ This stack uses **Grafana Alloy** to automatically scrape metrics and tail logs
* [ ] Add Cert-Manager for TLS (HTTPS).
* [ ] Implement ArgoCD for automated GitOps syncing.
* [ ] Move to a physical Home Server.
+
+---
+
+### todos/bugfixes
+
+* **[ ] Automate Dashboard Auth:** Rotate/retrieve the `admin-user` token to avoid manually `create token` every session.
+* **[ ] External Secret Management:** Replace generic secrets with HashiCorp Vault to encrypt `grafana-secrets` and dashboard tokens.
+* **[ ] Ingress Hardening:** Resolve the `localhost` 401 loop using **Cert-Manager** with self-signed certificates, which allows Kong to see valid HTTPS traffic and accept session cookies natively.
+* **[ ] Persistence Layer:** Deploy a **Local Path Provisioner** or **HostPath** storage class for Loki and Prometheus
+ so that metrics and dashboard configurations survive a `k3d cluster stop`.
+* **[ ] Resource Quotas:** Define `resources: requests/limits` for the LGTM stack.
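Review bot: the "Automate Dashboard Auth" item describes running `create token` every session, but `infra/dashboard/permanent-token.yaml` in this same commit adds a `kubernetes.io/service-account-token` Secret for `admin-user`, so the two do not agree on how the token is obtained; pick one and word the item to match. The list also has no item for the two risk-bearing changes introduced here: the `cluster-admin` binding in `dashboard-admin.yaml` and `--serversTransport.insecureSkipVerify=true` in `traefik-config.yaml`. Add todos to scope down the former and remove the latter once Cert-Manager is in place.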
diff --git a/infra/dashboard/dashboard-admin.yaml b/infra/dashboard/dashboard-admin.yaml
new file mode 100644
index 0000000..14311f1
--- /dev/null
+++ b/infra/dashboard/dashboard-admin.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: admin-user
+ namespace: kubernetes-dashboard
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: admin-user
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: admin-user
+ namespace: kubernetes-dashboard
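Review bot: `roleRef.name: cluster-admin` gives the dashboard's `admin-user` ServiceAccount full control of the cluster, so anyone holding its token (or a dashboard session using it) can read every Secret and modify any workload. If the dashboard is mainly for viewing, bind the built-in `view` ClusterRole instead, or use a namespaced `RoleBinding` for the namespaces that need write access. If `cluster-admin` is intentional for this local k3d setup, say so in a comment at the top of the file so it is not copied as-is to the planned home server.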
diff --git a/infra/dashboard/permanent-token.yaml b/infra/dashboard/permanent-token.yaml
new file mode 100644
index 0000000..9246026
--- /dev/null
+++ b/infra/dashboard/permanent-token.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: admin-user-token
+ namespace: kubernetes-dashboard
+ annotations:
+ kubernetes.io/service-account.name: "admin-user"
+type: kubernetes.io/service-account-token
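Review bot: a Secret of `type: kubernetes.io/service-account-token` yields a token with no expiry, and here it is for `admin-user`, which `dashboard-admin.yaml` binds to `cluster-admin`. That token stays valid until the Secret or ServiceAccount is deleted, and it is readable by anything that can get Secrets in `kubernetes-dashboard`. Prefer short-lived tokens from `kubectl create token admin-user -n kubernetes-dashboard --duration=<period>`; if the long-lived Secret stays, document how to revoke it (delete `admin-user-token`) and keep it out of any backup or export of the namespace.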
diff --git a/infra/dashboard/traefik-config.yaml b/infra/dashboard/traefik-config.yaml
new file mode 100644
index 0000000..7139931
--- /dev/null
+++ b/infra/dashboard/traefik-config.yaml
@@ -0,0 +1,9 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: traefik
+ namespace: kube-system
+spec:
+ valuesContent: |-
+ additionalArguments:
+ - "--serversTransport.insecureSkipVerify=true"
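Review bot: `--serversTransport.insecureSkipVerify=true` under `additionalArguments` is a global Traefik setting, so backend certificate verification is turned off for every HTTPS upstream Traefik proxies, not only the dashboard's Kong proxy. Scope it to the one service with a Traefik `ServersTransport` resource referenced from the dashboard route, and have that transport trust the backend's CA rather than skip verification. At minimum add a comment here linking this to the Cert-Manager todo so the flag is removed when valid certificates exist.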