Private Endpoints

Okteto Cloud allows you to restrict access to your application by marking its endpoints as private. Private endpoints can only be accessed by Okteto users who have access to your Okteto namespace, and they'll need to provide their credentials before being granted access.

Private endpoints can be identified by the lock icon in the Okteto Cloud UI:

Enable Private Endpoints for your Application

Add the annotation below to your service's manifest to make your application's endpoints private:

dev.okteto.com/auto-ingress: "private"

Using this annotation will tell Okteto to create a private http ingress rule for your application.

Full example:

apiVersion: v1
kind: Service
metadata:
name: hello-world
labels:
app: hello-world
annotations:
dev.okteto.com/auto-ingress: "private"
spec:
type: ClusterIP
ports:
- port: 8080
protocol: TCP
targetPort: 8080
selector:
app: hello-world

Private Endpoints generated this way follow the same rules and restrictions than Automatic SSL Endpoints.

Advanced Scenarios

You can also use this feature with your own ingresses. This is useful when you have more complex configurations, or when you only want to protect a subset of your application's endpoints.

Add the annotation below to your ingress' manifest to make your application's endpoints private:

dev.okteto.com/private: "true"

Full example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
dev.okteto.com/generate-host: "true"
dev.okteto.com/private: "true"
name: hello-world
spec:
rules:
- http:
paths:
- backend:
serviceName: hello-world
servicePort: 8080
path: /

If you only want to protect certain endpoints of you application (e.g the admin portal, or your metrics endopint), we recommend that you create two ingresses:

  • A first ingress with the routes for all the public endpoints
  • A second ingress, with the dev.okteto.com/private annotation, for all your private routes.

Restrictions

Private Endpoints use your Okteto Cloud account for authentication, so they are best suited to protect endpoints that you and your team will access via the browser. They are not recommended for automation, or to protect endpoints that will be accessed by your end users.

Private Endpoints restrict external access to your applications. Applications running in your namespace will be able to access your private endpoints without authentication by using the service name.