Skip to main content
Version: 1.28

Private endpoints

Okteto allows you to restrict access to your application by marking its endpoints as private. Private endpoints can only be accessed by Okteto users who have access to your Okteto namespace, and they'll need to provide their credentials before being granted access.

Private endpoints can be identified by the lock icon in the Okteto dashboard:

private endpoints UI

Enable Private Endpoints for your Application

Add the annotation below to your service's manifest to make your application's endpoints private:

metadata:
annotations:
dev.okteto.com/auto-ingress: "private"

Using this annotation will tell Okteto to create a private http ingress rule for your application.

Full example:

apiVersion: v1
kind: Service
metadata:
name: hello-world
labels:
app: hello-world
annotations:
dev.okteto.com/auto-ingress: "private"
spec:
type: ClusterIP
ports:
- port: 8080
protocol: TCP
targetPort: 8080
selector:
app: hello-world
note

Private Endpoints generated this way follow the same rules and restrictions than Automatic SSL Endpoints.

Advanced Scenarios

You can also use this feature with your own ingresses. This is useful when you have more complex configurations, or when you only want to protect a subset of your application's endpoints.

Add the annotation below to your ingress' manifest to make your application's endpoints private:

metadata:
annotations:
dev.okteto.com/private: "true"

Full example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-world
annotations:
dev.okteto.com/private: "true"
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hello-world
port: 8080

If you only want to protect certain endpoints of you application (e.g the admin portal, or your metrics endpoint), we recommend that you create two ingresses:

  • A first ingress with the routes for all the public endpoints
  • A second ingress, with the dev.okteto.com/private annotation, for all your private routes.

Restrictions

Private Endpoints use your Okteto account for authentication, so they're best suited to protect endpoints that you and your team will access via the browser. They're not recommended for automation, or to protect endpoints that will be accessed by your end users.

Private Endpoints only restrict external access to your applications. Applications running in your namespace will be able to access your private endpoints without authentication by using the service name.