Default Settings for Okteto Cloud
Okteto Cloud gives you access to a vanilla Kubernetes namespace in a multi-tenant environment. Okteto uses a combination of RBAC, pod security policies, resource quotas, network policies, admission controllers, and custom code to ensure that Okteto Cloud namespaces are isolated, secure, and easy to use for everyone.
This document explains the limitations and restrictions most likely to affect your applications in Okteto Cloud.
Exposing services
NodePort
or LoadBalancer
services are not supported in Okteto Cloud. Okteto Cloud automatically translates NodePort
or LoadBalancer
services into ingress rules. More information is available here.
Pod Security Policies
Okteto Cloud configures pod security policies to limit the privileges of your applications. The following options are not allowed: privileged
, hostNetwork
, allowPrivilegeEscalation
, hostPID
, hostIPC
. Mounting volume host paths is also not allowed.
Resource quotas
The following resource quotas are associated to every namespace created in Okteto Cloud:
Resource | Quota |
---|---|
Namespaces | 5 |
Pods | 10 |
CPUs | 1CPU/pod with a maximum of 4CPUs/namespace |
Memory | 3Gi/pod with a maximum of 8Gi/namespace |
Storage | 5Gi |
Services | 10 |
Secrets | 50 |
Config Maps | 50 |
Persistent Volume Claims | 5 |
Network policies
Okteto Cloud configures network policies for each namespace. Only traffic between the pods running in your namespaces is allowed, as well as external traffic to the internet.
RBAC
Okteto Cloud uses RBAC rules to limit the access to the Kubernetes API. The supported endpoints are:
- apiGroups:
- ""
resources:
- pods
- pods/log
- pods/exec
- pods/attach
- pods/portforward
- configmaps
- secrets
- services
- endpoints
- serviceaccounts
- events
- persistentvolumeclaims
- replicationcontrollers
verbs:
- '*'
- apiGroups:
- ""
resources:
- events
- limitranges
- namespaces
- namespaces/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- apiGroups:
- metrics.k8s.io
resources:
- pods
verbs:
- get
- list
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- '*'
- apiGroups:
- extensions
resources:
- deployments
- ingresses
- replicasets
verbs:
- '*'
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- '*'
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- helm.fluxcd.io
resources:
- helmreleases
- helmreleases/status
verbs:
- '*'
- apiGroups:
- helm.integrations.flux.weave.works
resources:
- fluxhelmreleases
verbs:
- '*'
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
- kongconsumers
- kongcredentials
- kongingresses
- tcpingresses
verbs:
- '*'
- apiGroups:
- openfaas.com
resources:
- functions
verbs:
- '*'
- apiGroups:
- litmuschaos.io
resources:
- chaosengines
- chaosexperiments
- chaosresults
verbs:
- '*'
- apiGroups:
- cert-manager.io
resources:
- certificates
verbs:
- list
- watch
- get
You can only create Roles
restricted to the endpoints above. RoleBindings
can only refer to Roles
existing on your namespaces.