Multi-Tenancy

Okteto Cloud gives you access to a vanilla Kubernetes namespace in a multi-tenant environment. Okteto uses a combination of RBAC, pod security policies, resource quotas, network policies, admission controllers and custom code to ensure that Okteto Cloud namespaces are isolated, secure and easy to use for everyone.

This document explains the limitations and restrictions most likely to affect your applications in Okteto Cloud.

Exposing services

NodePort or LoadBalancer services are not supported in Okteto Cloud. Okteto Cloud automatically translates NodePort or LoadBalancer services into ingress rules. More information is available here.

Pod Security Policies

Okteto Cloud configures pod security policies to limit the privileges of your applications. The following pod spec options are not allowed: privileged, hostNetwork, allowPrivilegeEscalation, hostPID and hostIPC. Mounting hostPath volumes is also not allowed.
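The two restrictions above (no NodePort/LoadBalancer services, no privileged pod options or hostPath mounts) can be checked locally before a manifest is applied. The following pre-flight checker is an added example, not Okteto's own code: it assumes manifests have already been parsed into Python dicts (for instance with PyYAML) and the sample manifests at the bottom are constructed for illustration.

```python
"""Pre-flight check of parsed Kubernetes manifests against the Okteto Cloud restrictions."""

DISALLOWED_POD_FLAGS = ("hostNetwork", "hostPID", "hostIPC")
DISALLOWED_CONTAINER_FLAGS = ("privileged", "allowPrivilegeEscalation")
UNSUPPORTED_SERVICE_TYPES = ("NodePort", "LoadBalancer")


def pod_spec_of(manifest):
    """Return the pod spec of a Pod, or of the pod template inside a workload."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec") or {}
    return ((manifest.get("spec") or {}).get("template") or {}).get("spec") or {}


def check_manifest(manifest):
    """Return a list of findings; an empty list means nothing in the manifest would be rejected."""
    kind = manifest.get("kind", "?")
    name = (manifest.get("metadata") or {}).get("name", "?")
    findings = []
    if kind == "Service":
        svc_type = (manifest.get("spec") or {}).get("type", "ClusterIP")
        if svc_type in UNSUPPORTED_SERVICE_TYPES:
            findings.append(f"{kind}/{name}: type {svc_type} is not supported; use ClusterIP plus an Ingress")
        return findings
    spec = pod_spec_of(manifest)
    for flag in DISALLOWED_POD_FLAGS:  # pod-level host namespace sharing
        if spec.get(flag):
            findings.append(f"{kind}/{name}: {flag}=true is not allowed")
    for volume in spec.get("volumes") or []:  # hostPath mounts
        if "hostPath" in volume:
            findings.append(f"{kind}/{name}: volume {volume.get('name')} mounts a hostPath")
    for container in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = container.get("securityContext") or {}
        for flag in DISALLOWED_CONTAINER_FLAGS:
            if sc.get(flag):
                findings.append(f"{kind}/{name}: container {container.get('name')} sets {flag}=true")
    return findings


# Constructed samples: a Deployment and a Service that would both be rejected.
BAD_DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "api", "securityContext": {"privileged": True}}],
    }}},
}
BAD_SERVICE = {"kind": "Service", "metadata": {"name": "api"}, "spec": {"type": "LoadBalancer"}}

if __name__ == "__main__":
    for manifest in (BAD_DEPLOYMENT, BAD_SERVICE):
        for finding in check_manifest(manifest):
            print(finding)
```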

Resource quotas

The following resource quotas are associated with every namespace created in Okteto Cloud:

Developer Plan

| Resource | Quota |
|---|---|
| CPUs | 2 |
| Memory | 4Gi |
| Storage | 10Gi |
| Private Images | 3 |
| Remote Docker Builds | 15/day |
| Pods | 10 |
| Replication Controllers | 20 |
| Services | 10 |
| Secrets | 10 |
| Config Maps | 10 |
| Persistent Volume Claims | 5 |
| Ingress bandwidth | 5Mi/pod |
| Egress bandwidth | 5Mi/pod |
| Concurrent connections from the same IP | 20/ingress |
| Requests accepted each second from the same IP | 20/ingress |
| Requests accepted each minute from the same IP | 200/ingress |

Developer Pro Plan

| Resource | Quota |
|---|---|
| CPUs | 4 |
| Memory | 8Gi |
| Storage | 20Gi |
| Private Images | 10 |
| Remote Docker Builds | 100/day |
| Pods | 20 |
| Replication Controllers | 30 |
| Services | 20 |
| Secrets | 20 |
| Config Maps | 20 |
| Persistent Volume Claims | 10 |
| Ingress bandwidth | 5Mi/pod |
| Egress bandwidth | 5Mi/pod |
| Concurrent connections from the same IP | 20/ingress |
| Requests accepted each second from the same IP | 20/ingress |
| Requests accepted each minute from the same IP | 200/ingress |

Network policies

Okteto Cloud configures network policies for each namespace. Only traffic between pods running in the same namespace is allowed, plus egress traffic to the internet.

RBAC

Okteto Cloud uses RBAC rules to limit access to the Kubernetes API. The supported endpoints are:

```yaml
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  - pods/exec
  - pods/attach
  - pods/portforward
  - configmaps
  - secrets
  - services
  - endpoints
  - serviceaccounts
  - events
  - persistentvolumeclaims
  - replicationcontrollers
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - events
  - limitranges
  - namespaces
  - namespaces/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - deployments
  - ingresses
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - '*'
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - '*'
```

You can only create Roles restricted to the endpoints above. RoleBindings can only refer to Roles that exist in your namespace.