Okteto allows you to restrict access to your application by marking its endpoints as private. Private endpoints can only be accessed by Okteto users who have access to your Okteto namespace, and they'll need to provide their credentials before being granted access.
Private endpoints can be identified by the lock icon in the Okteto dashboard:
Enable Private Endpoints for your Application
- Docker Compose
Add the annotation below to your service's manifest to make your application's endpoints private:
Using this annotation will tell Okteto to create a private http ingress rule for your application.
- port: 8080
Private Endpoints generated this way follow the same rules and restrictions than Automatic SSL Endpoints.
You can also use this feature with your own ingresses. This is useful when you have more complex configurations, or when you only want to protect a subset of your application's endpoints.
Add the annotation below to your ingress' manifest to make your application's endpoints private:
If you only want to protect certain endpoints of you application (e.g the admin portal, or your metrics endopint), we recommend that you create two ingresses:
- A first ingress with the routes for all the public endpoints
- A second ingress, with the
dev.okteto.com/privateannotation, for all your private routes.
Private Endpoints is one of the extensions that Okteto added to Docker Compose to make it easier to develop cloud-native applications.
You can enable private endpoints by adding the
dev.okteto.com/private: "true" label to your service:
You can also define this at the
endpoint level if needed.
- path: /
Private Endpoints use your Okteto account for authentication, so they're best suited to protect endpoints that you and your team will access via the browser. They're not recommended for automation, or to protect endpoints that will be accessed by your end users.
Private Endpoints only restrict external access to your applications. Applications running in your namespace will be able to access your private endpoints without authentication by using the