Import and export policies
Review how to import and export policies when using Gloo workspaces.
Overview
You can import and export resources across Gloo workspaces. To federate Gloo resources across namespaces within a workspace, Gloo creates copies of the translated resources in each namespace. You can create the Gloo resource directly within the “source” workspace, or export the resource to another “target” workspace.
In general, Gloo workspaces are set up to give you control of your microservices. When it comes to sharing policies across workspaces, policies generally still apply the rules of the source workspace to routes, destinations, or workspaces, even when those resources are shared across workspaces.
Learn more about policy behavior on imported resources by determining:
- Whether the policy is client or server-side.
- What exported resource that the policy applies to.
- For more in-depth information about policies for delegated routes, see Route policy attachment.
Client and server-side policies
Policies are server or client-side, depending on which proxy enforces the policy.
Client-side: Client-side policies are enforced by the sending, outbound proxy (the workload’s sidecar) before traffic is sent to the target workload. Client-side policies include the following:
- CORS
- External auth, such as for API keys, LDAP, or OPA policies
- Failover
- Fault injection
- Header manipulation
- JWT policies when applied to destinations and routed through the east-west gateway
- Load balancer and consistent hash
- Mirroring
- Outlier detection
- Rate limit
- Retry and timeout
- TCP connection
- Transformation
- Trim proxy config
Ingress client-side: If you use Gloo Mesh Enterprise with Gloo Mesh Gateway, you can also apply the following ingress client-side policies:
- Active healthcheck
- Client TLS
- CSRF
- DLP
- GraphQL allowed queries
- GraphQL query caching
- HTTP buffer filter
- JWT policies when applied to routes that are routed through the ingress gateway
- Listener connection
- Proxy protocol
- Web application firewall (WAF)
Server-side: Server-side policies are enforced by the receiving, inbound proxy. In Gloo Mesh Enterprise this proxy is the sidecar proxy of the target workload. The policies are created in the namespace of the backing Kubernetes service. Server-side policies include the following:
Exported resources that policies can apply to
You cannot import or export policies across workspaces. However, policies might still apply to Gloo resources that you import and export to other workspaces. Review the following sections for more information about how policy behavior changes based on the kind of resource that you import and export. To check the policies that are applied in your environment, you can review the translated Istio resources such as VirtualServices and DestinationRules that Gloo creates, such as in the Gloo UI.
Route tables
Routes that are exported via a route table keep their policies from the source workspace. Policies in the new, target workspace do not apply to imported routes. This way, the original resource owner can control how the host is accessed.
If you as the target workspace owner want to change the behavior of a route, you have two choices:
- Ask the original owner to add a policy in the source workspace.
- Create another route table in your current workspace.
Imported route table summary:
- ✅ The source workspace’s policies still apply.
- ❌ The target workspace’s policies do not apply.
For an overview of how delegated routes impact policy import and export, see Route table management.
Kubernetes services
Kubernetes services that are exported keep their server-side destination policies from the source workspace. In the target workspace, you can only apply client-side route policies to imported services. This way, the original resource owner can control access to the source service with server-side policies. But you as the target workspace owner can control the client-side behavior, such as to inject faults for resilience testing or manipulate headers.
Imported Kubernetes service summary:
- ✅ The source workspace’s server-side policies still apply.
- ❌ The source workspace’s client-side policies no longer apply.
- ❌ The target workspace’s server-side policies do not apply.
- ✅ The target workspace’s client-side policies do apply.
Virtual destinations
Virtual destinations that are exported keep client-side policies from the source workspace. Any client-side policies in the target workspace do not apply.
Imported virtual destination summary:
- ✅ The source workspace’s client-side policies still apply.
- ❌ The target workspace’s client-side policies do not apply.
- ✅ The target workspace’s policies that apply to routes backed by the destinations do apply.
The following policies are supported:
- ActiveHealthCheckPolicy
- AdaptiveRequestConcurrencyPolicy
- ClientTLSPolicy
- ConnectionPolicy for TCP
- FailoverPolicy
- LoadBalancerPolicy
- OutlierDetectionPolicy
External services
Similar to virtual destinations, external services that are exported do not keep any policies from the source workspace. Instead, you as the target workspace owner can apply your own client-side policies to the external service or routes that are backed by the external service. You can also apply your own server-side policies to the external service.
This way, each team can set its own client and server-side policies for the external service within their own workspace, but share the external service configuration across teams.
Imported external service summary:
- ❌ The source workspace’s policies no longer apply.
- ✅ The target workspace’s policies do apply.
