Preview Environment Access


Last updated 4 years ago


At the moment we do not have a productized way to limit access to Preview Environments. However, there are multiple methods by which this can be achieved.

By default Preview Environments are publicly accessible. While they are not easily discoverable, there are methods by which valid URLs can be determined. If you are required to enable strict access control, we highly recommend utilizing one of the solutions below.

Basic Auth

Ingresses within a Preview cluster are controlled using the Kubernetes Nginx Ingress Controller. This means that any annotation supported by the ingress controller is supported within Preview, including basic authentication.

Documentation for nginx basic-auth can be found here.

VPN

You can utilize a VPN, and then use the whitelist-source-range Ingress annotation to provide access to only that VPN's CIDR block.

Identity Aware Proxies

If you are running a self-hosted cluster, you can use an Identity Aware Proxy to manage access to all, or a subset, of your namespaces.

OAuth Proxy

If you are running a self-hosted cluster, you can use an oauth2_proxy installation to manage authentication. An example of this setup is described in this blog post. When this is configured, specific ingresses can be secured through the use of ingress annotations.

There are other Identity Aware Proxy solutions, one of which you may already be using. We have a list below of known options. If you require assistance integrating one of these with your Preview Environments, please let us know and we'd be happy to help.

  • Pomerium
  • Google Identity Aware Proxy (if using GKE)
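
As an added example (not PreviewHQ's own code), the following Python script reports which Ingresses carry one of the access-control annotations discussed on this page and which are still public. It assumes the ingress-nginx annotation names `auth-type`, `auth-secret`, `auth-url` and `whitelist-source-range` under `nginx.ingress.kubernetes.io/`, input in the shape of `kubectl get ingress -A -o json`, and a constructed sample with hypothetical namespaces and hostnames.

```python
import ipaddress
import json

PREFIX = "nginx.ingress.kubernetes.io/"  # ingress-nginx annotation namespace

def classify(annotations):
    """Return (status, detail) based only on access-control annotations."""
    a = annotations or {}
    if PREFIX + "auth-type" in a:  # basic auth needs a secret to check against
        if a.get(PREFIX + "auth-secret"):
            return "restricted", "basic auth"
        return "misconfigured", "auth-type set without auth-secret"
    if a.get(PREFIX + "auth-url"):  # external auth, e.g. oauth2_proxy
        return "restricted", "external auth"
    raw = a.get(PREFIX + "whitelist-source-range", "")
    cidrs = [c.strip() for c in raw.split(",") if c.strip()]
    if not cidrs:
        return "public", "no access-control annotation"
    for c in cidrs:
        try:
            net = ipaddress.ip_network(c, strict=False)
        except ValueError:
            return "misconfigured", "invalid CIDR " + c
        if net.prefixlen == 0:  # e.g. 0.0.0.0/0 admits every client
            return "public", "allowlist contains " + c
    return "restricted", "source allowlist"

def audit(ingress_list_json):
    """Classify every Ingress in `kubectl get ingress -A -o json` output."""
    results = {}
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        key = meta.get("namespace", "default") + "/" + meta.get("name", "?")
        results[key] = classify(meta.get("annotations"))
    return results

# Constructed sample input (not from a real cluster).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "pr-101", "name": "web", "annotations": {
        PREFIX + "auth-type": "basic", PREFIX + "auth-secret": "basic-auth"}}},
    {"metadata": {"namespace": "pr-102", "name": "web", "annotations": {
        PREFIX + "whitelist-source-range": "10.8.0.0/24, 0.0.0.0/0"}}},
    {"metadata": {"namespace": "pr-103", "name": "web", "annotations": {
        PREFIX + "auth-url": "https://auth.example.test/oauth2/auth"}}},
    {"metadata": {"namespace": "pr-104", "name": "web"}},
]})

if __name__ == "__main__":
    for name, (status, detail) in sorted(audit(SAMPLE).items()):
        print(f"{name:12} {status:13} {detail}")
```

The check only inspects annotations, so a "restricted" result means the annotation is present, not that the referenced secret or auth endpoint is working.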