Skip to main content

Multi-Tenancy

Okteto Cloud gives you access to a vanilla Kubernetes namespace in a multi-tenant environment. Okteto uses a combination of RBAC, pod security policies, resource quotas, network policies, admission controllers, and custom code to ensure that Okteto Cloud namespaces are isolated, secure, and easy to use for everyone.

This document explains the limitations and restrictions most likely to affect your applications in Okteto Cloud.

Exposing services

NodePort or LoadBalancer services are not supported in Okteto Cloud. Okteto Cloud automatically translates NodePort or LoadBalancer services into ingress rules. More information is available here.

Pod Security Policies

Okteto Cloud configures pod security policies to limit the privileges of your applications. The following options are not allowed: privileged, hostNetwork, allowPrivilegeEscalation, hostPID, hostIPC. Mounting volume host paths is also not allowed.

Resource quotas

The following resource quotas are associated to every namespace created in Okteto Cloud:

Developer Plan

ResourceQuota
Namespaces5
Pods10
CPUs1CPU/pod with a maximum of 4CPUs/namespace
Memory3Gi/pod with a maximum of 8Gi/namespace
Storage5Gi
Services10
Secrets50
Config Maps50
Persistent Volume Claims5
Ingress bandwidth10Mi/pod
Egress bandwidth10Mi/pod
Concurrent connections from the same IP20/ingress
Requests accepted each second from the same IP20/ingress
Requests accepted each minute from the same IP200/ingress

Developer Pro Plan

ResourceQuota
Namespaces10
Pods20
CPUs2CPUs/pod with a maximum of 8CPUs/namespace
Memory6Gi/pod with a maximum of 16Gi/namespace
Storage20Gi
Replication Controllers30
Services20
Secrets100
Config Maps100
Persistent Volume Claims10
Ingress bandwidth25Mi/pod
Egress bandwidth25Mi/pod
Concurrent connections from the same IP40/ingress
Requests accepted each second from the same IP40/ingress
Requests accepted each minute from the same IP400/ingress

Network policies

Okteto Cloud configures network policies for each namespace. Only traffic between the pods running in your namespaces is allowed, as well as external traffic to the internet.

RBAC

Okteto Cloud uses RBAC rules to limit the access to the Kubernetes API. The supported endpoints are:

- apiGroups:
- ""
resources:
- pods
- pods/log
- pods/exec
- pods/attach
- pods/portforward
- configmaps
- secrets
- services
- endpoints
- serviceaccounts
- events
- persistentvolumeclaims
- replicationcontrollers
verbs:
- '*'
- apiGroups:
- ""
resources:
- events
- limitranges
- namespaces
- namespaces/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- apiGroups:
- metrics.k8s.io
resources:
- pods
verbs:
- get
- list
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- '*'
- apiGroups:
- extensions
resources:
- deployments
- ingresses
- replicasets
verbs:
- '*'
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- '*'
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- helm.fluxcd.io
resources:
- helmreleases
- helmreleases/status
verbs:
- '*'
- apiGroups:
- helm.integrations.flux.weave.works
resources:
- fluxhelmreleases
verbs:
- '*'
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
- kongconsumers
- kongcredentials
- kongingresses
- tcpingresses
verbs:
- '*'
- apiGroups:
- openfaas.com
resources:
- functions
verbs:
- '*'
- apiGroups:
- litmuschaos.io
resources:
- chaosengines
- chaosexperiments
- chaosresults
verbs:
- '*'
- apiGroups:
- cert-manager.io
resources:
- certificates
verbs:
- list
- watch
- get

You can only create Roles restricted to the endpoints above. RoleBindings can only refer to Roles existing on your namespaces.