At the moment we do not have a productized access limitation story for Preview Environments, however there are multiple methods which this can be achieved.

Basic Auth

Ingress within a Preview cluster are controlled using the Kuberentes Nginx Ingress Controller. This means that any annotations supported by the ingress are supported within Preview, including basic authentication.

Documentation for nginx basic-auth can be found here.

VPN

You can utilize a VPN, and then use the whitelist-source-range Ingress annotation to provide access to only that VPN CIDR block.

Identity Aware Proxies

If you are running a self-hosted cluster, you can use an Identity Aware Proxy to manage access to all, or a subset, of your namespaces.

OAuth Proxy

If you are running a self-hosted cluster, you can use an oauth2_proxy installation to manage authentication. An example of this set up is described in this blog post. When this is configured, specific ingresses can be secured through the use of ingress annotations.

There are other Identity Aware Proxy solutions, one of which you may already be using. We have a list below of known options. If you require assistance integrating one of these with your Preview Environments, please let us know and we'd be happy to help.

• Pomerium

• Google Identity Aware Proxy (if using GKE)