Skip to main content
Version: 1.15

Default Settings for Okteto Cloud

Okteto Cloud gives you access to a vanilla Kubernetes namespace in a multi-tenant environment. Okteto uses a combination of RBAC, pod security policies, resource quotas, network policies, admission controllers, and custom code to ensure that Okteto Cloud namespaces are isolated, secure, and easy to use for everyone.

This document explains the limitations and restrictions most likely to affect your applications in Okteto Cloud.

Exposing services

NodePort or LoadBalancer services are not supported in Okteto Cloud. Okteto Cloud automatically translates NodePort or LoadBalancer services into ingress rules. More information is available here.

Pod Security Policies

Okteto Cloud configures pod security policies to limit the privileges of your applications. The following options are not allowed: privileged, hostNetwork, allowPrivilegeEscalation, hostPID, hostIPC. Mounting volume host paths is also not allowed.

Resource quotas

The following resource quotas are associated to every namespace created in Okteto Cloud:

ResourceQuota
Namespaces5
Pods10
CPUs1CPU/pod with a maximum of 4CPUs/namespace
Memory3Gi/pod with a maximum of 8Gi/namespace
Storage5Gi
Services10
Secrets50
Config Maps50
Persistent Volume Claims5

Network policies

Okteto Cloud configures network policies for each namespace. Only traffic between the pods running in your namespaces is allowed, as well as external traffic to the internet.

RBAC

Okteto Cloud uses RBAC rules to limit the access to the Kubernetes API. The supported endpoints are:

- apiGroups:
- ""
resources:
- pods
- pods/log
- pods/exec
- pods/attach
- pods/portforward
- configmaps
- secrets
- services
- endpoints
- serviceaccounts
- events
- persistentvolumeclaims
- replicationcontrollers
verbs:
- '*'
- apiGroups:
- ""
resources:
- events
- limitranges
- namespaces
- namespaces/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- apiGroups:
- metrics.k8s.io
resources:
- pods
verbs:
- get
- list
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- '*'
- apiGroups:
- extensions
resources:
- deployments
- ingresses
- replicasets
verbs:
- '*'
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- '*'
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- helm.fluxcd.io
resources:
- helmreleases
- helmreleases/status
verbs:
- '*'
- apiGroups:
- helm.integrations.flux.weave.works
resources:
- fluxhelmreleases
verbs:
- '*'
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
- kongconsumers
- kongcredentials
- kongingresses
- tcpingresses
verbs:
- '*'
- apiGroups:
- openfaas.com
resources:
- functions
verbs:
- '*'
- apiGroups:
- litmuschaos.io
resources:
- chaosengines
- chaosexperiments
- chaosresults
verbs:
- '*'
- apiGroups:
- cert-manager.io
resources:
- certificates
verbs:
- list
- watch
- get

You can only create Roles restricted to the endpoints above. RoleBindings can only refer to Roles existing on your namespaces.