Skip to main content
Version: 1.11

Private Endpoints

Okteto allows you to restrict access to your application by marking its endpoints as private. Private endpoints can only be accessed by Okteto users who have access to your Okteto namespace, and they'll need to provide their credentials before being granted access.

Private endpoints can be identified by the lock icon in the Okteto dashboard:

private endpoints UI

Enable Private Endpoints for your Application

Add the annotation below to your service's manifest to make your application's endpoints private: "private"

Using this annotation will tell Okteto to create a private http ingress rule for your application.

Full example:

apiVersion: v1
kind: Service
name: hello-world
app: hello-world
annotations: "private"
type: ClusterIP
- port: 8080
protocol: TCP
targetPort: 8080
app: hello-world

Private Endpoints generated this way follow the same rules and restrictions than Automatic SSL Endpoints.

Advanced Scenarios

You can also use this feature with your own ingresses. This is useful when you have more complex configurations, or when you only want to protect a subset of your application's endpoints.

Add the annotation below to your ingress' manifest to make your application's endpoints private: "true"

Full example:

kind: Ingress
annotations: "true"
name: hello-world
- http:
- backend:
serviceName: hello-world
servicePort: 8080
path: /

If you only want to protect certain endpoints of you application (e.g the admin portal, or your metrics endopint), we recommend that you create two ingresses:

  • A first ingress with the routes for all the public endpoints
  • A second ingress, with the annotation, for all your private routes.


Private Endpoints use your Okteto account for authentication, so they're best suited to protect endpoints that you and your team will access via the browser. They're not recommended for automation, or to protect endpoints that will be accessed by your end users.

Private Endpoints only restrict external access to your applications. Applications running in your namespace will be able to access your private endpoints without authentication by using the service name.