Okteto Cloud gives you access to a vanilla Kubernetes namespace in a multi-tenant environment. Okteto uses a combination of RBAC, pod security policies, resource quotas, network policies, admission controllers, and custom code to ensure that Okteto Cloud namespaces are isolated, secure, and easy to use for everyone.
This document explains the limitations and restrictions most likely to affect your applications in Okteto Cloud.
LoadBalancer services are not supported in Okteto Cloud. Okteto Cloud automatically translates LoadBalancer services into ingress rules. More information is available here.
Okteto Cloud configures pod security policies to limit the privileges of your applications. The following options are not allowed:
hostIPC. Mounting volume host paths is also not allowed.
The following resource quotas are associated with every namespace created in Okteto Cloud:
| Resource | Limit |
|---|---|
| CPUs | 1 CPU/pod with a maximum of 4 CPUs/namespace |
| Memory | 3Gi/pod with a maximum of 8Gi/namespace |
| Persistent Volume Claims | 5 |
| Concurrent connections from the same IP | 20/ingress |
| Requests accepted each second from the same IP | 20/ingress |
| Requests accepted each minute from the same IP | 200/ingress |

| Resource | Limit |
|---|---|
| CPUs | 2 CPUs/pod with a maximum of 8 CPUs/namespace |
| Memory | 6Gi/pod with a maximum of 16Gi/namespace |
| Persistent Volume Claims | 10 |
| Concurrent connections from the same IP | 40/ingress |
| Requests accepted each second from the same IP | 40/ingress |
| Requests accepted each minute from the same IP | 400/ingress |
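
The restrictions above can be checked before deploying. The following pre-flight check is an added example, not code from Okteto: it flags LoadBalancer services, hostIPC, host path volumes and over-quota pods in manifests already parsed from JSON. It assumes the first quota table applies and that the per-pod figures are compared against the sum of container limits; the function names and sample manifests are constructed for illustration.

```python
import re

# Limits from the first quota table on this page; swap in the second table's values if they apply.
MAX_CPU_PER_POD, MAX_MEM_PER_POD, MAX_PVCS = 1.0, 3 * 2**30, 5
_UNITS = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

# Constructed sample manifests (not from the page), shaped like json.load() output.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "web"}, "spec": {"type": "LoadBalancer"}},
    {"kind": "Deployment", "metadata": {"name": "api"}, "spec": {"template": {"spec": {
        "hostIPC": True, "volumes": [{"name": "d", "hostPath": {"path": "/var/run"}}],
        "containers": [{"name": "a", "resources": {"limits": {"cpu": "1500m", "memory": "2Gi"}}}]}}}},
]

def quantity(q):
    """Convert a Kubernetes quantity such as '500m' or '3Gi' to a float."""
    m = re.fullmatch(r"([0-9.]+)(m|k|M|G|Ki|Mi|Gi)?", str(q))
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    return float(m.group(1)) * _UNITS[m.group(2) or ""]

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload carrying a pod template."""
    spec = obj.get("spec", {})
    return spec if obj.get("kind") == "Pod" else spec.get("template", {}).get("spec")

def check(manifests):
    """Return human-readable findings for a list of parsed manifest dicts."""
    findings, pvcs = [], 0
    for obj in manifests:
        name = f'{obj.get("kind")}/{obj.get("metadata", {}).get("name")}'
        if obj.get("kind") == "Service" and obj.get("spec", {}).get("type") == "LoadBalancer":
            findings.append(f"{name}: LoadBalancer is not supported, expect an ingress rule")
        pvcs += obj.get("kind") == "PersistentVolumeClaim"
        spec = pod_spec(obj)
        if not spec:
            continue
        if spec.get("hostIPC"):
            findings.append(f"{name}: hostIPC is not allowed")
        if any("hostPath" in v for v in spec.get("volumes", [])):
            findings.append(f"{name}: hostPath volumes are not allowed")
        # Containers without explicit limits count as 0 here (an assumption).
        limits = [c.get("resources", {}).get("limits", {}) for c in spec.get("containers", [])]
        if sum(quantity(l.get("cpu", 0)) for l in limits) > MAX_CPU_PER_POD:
            findings.append(f"{name}: CPU limits exceed per-pod quota")
        if sum(quantity(l.get("memory", 0)) for l in limits) > MAX_MEM_PER_POD:
            findings.append(f"{name}: memory limits exceed per-pod quota")
    if pvcs > MAX_PVCS:
        findings.append(f"{pvcs} PersistentVolumeClaims exceed the quota of {MAX_PVCS}")
    return findings
```

Calling `check(SAMPLE)` returns four findings: one for the LoadBalancer service and three for the Deployment (hostIPC, hostPath, CPU).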
Okteto Cloud configures network policies for each namespace. The only traffic allowed is traffic between the pods running in your namespaces and external traffic to the internet.
Okteto Cloud uses RBAC rules to limit the access to the Kubernetes API. The supported endpoints are:
You can only create Roles restricted to the endpoints above. RoleBindings can only refer to Roles that exist in your namespaces.