Okteto Cloud allows you to restrict access to your application by marking its endpoints as private. Private endpoints can only be accessed by Okteto users who have access to your Okteto namespace, and they'll need to provide their credentials before being granted access.
Private endpoints can be identified by the lock icon in the Okteto Cloud UI:
Enable Private Endpoints for your Application
Add the annotation below to your service's manifest to make your application's endpoints private:
This annotation tells Okteto to create a private HTTP ingress rule for your application.
apiVersion: v1
kind: Service
metadata:
  name: hello-world
  labels:
    app: hello-world
  annotations:
    dev.okteto.com/auto-ingress: "private"
spec:
  type: ClusterIP
  ports:
    - port: 8080
      protocol: TCP
      targetPort: 8080
  selector:
    app: hello-world
Private Endpoints generated this way follow the same rules and restrictions as Automatic SSL Endpoints.
You can also use this feature with your own ingresses. This is useful when you have more complex configurations, or when you only want to protect a subset of your application's endpoints.
Add the annotation below to your ingress' manifest to make your application's endpoints private:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    dev.okteto.com/generate-host: "true"
    # Marks every route in this ingress as private
    dev.okteto.com/private: "true"
  name: hello-world
spec:
  rules:
    - http:
        paths:
          - backend:
              service:
                name: hello-world
                port:
                  number: 8080
            path: /
            pathType: Prefix
If you only want to protect certain endpoints of your application (e.g., the admin portal or your metrics endpoint), we recommend that you create two ingresses:
- A first ingress with the routes for all the public endpoints
- A second ingress, with the dev.okteto.com/private annotation, for all your private routes.
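The two-ingress split described above, as an added example that is not part of the original Okteto documentation. The ingress names, the paths, and the use of a single `hello-world` backend for both ingresses are assumptions; the annotations are the ones shown on this page.

```yaml
# Added example. Ingress names and paths are hypothetical.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-public          # hypothetical name
  annotations:
    dev.okteto.com/generate-host: "true"
spec:
  rules:
    - http:
        paths:
          # Enumerate the public routes explicitly. A Prefix rule for "/"
          # would also match /admin and /metrics on this public ingress.
          - path: /
            pathType: Exact
            backend: {service: {name: hello-world, port: {number: 8080}}}
          - path: /api
            pathType: Prefix
            backend: {service: {name: hello-world, port: {number: 8080}}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-private         # hypothetical name
  annotations:
    dev.okteto.com/generate-host: "true"
    dev.okteto.com/private: "true"  # only these routes require Okteto login
spec:
  rules:
    - http:
        paths:
          - path: /admin
            pathType: Prefix
            backend: {service: {name: hello-world, port: {number: 8080}}}
          - path: /metrics
            pathType: Prefix
            backend: {service: {name: hello-world, port: {number: 8080}}}
```

After applying both manifests, request each private path through the public ingress's host and confirm it is not served there.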
Private Endpoints use your Okteto Cloud account for authentication, so they are best suited to protect endpoints that you and your team will access via the browser. They are not recommended for automation, or to protect endpoints that will be accessed by your end users.
Private Endpoints restrict external access to your applications. Applications running in your namespace will be able to access your private endpoints without authentication by using the