Workspaces as configuration boundaries
Workspaces provide boundaries for how Gloo Mesh, Istio, and Kubernetes resources access each other across workspaces.
Gloo Mesh uses workspaces to help you manage services across service meshes. A workspace represents a group of Kubernetes namespaces and clusters. The Gloo Mesh, Istio, and Kubernetes resources that you create in a workspace can be used by all the namespaces in the workspace, across clusters. Additionally, you can set up the workspace to prevent access to its services even from other services in the same Istio mesh. This way, you grant users access only to the namespaces that they need for their services. The rest of the team can use their services, without needing access across namespaces. The following figure shows workspace boundaries.
Consider the following example that builds on the Import and Export diagram from the previous workspace overview.
Multitenant workspace setup
The example sets up a workspace for each of the following teams: Team A, Team B, and Team C. Each workspace allows the respective team to access one or more Kubernetes namespaces, potentially in different clusters. By default, resources that are deployed in these namespaces are isolated across teams. Later, you can set up importing and exporting rules to share resources across teams.
Each team's workspace is defined in its own Workspace resource. You create workspace resources in the management cluster. For more information, see the API docs.
Service isolation, federation, and reuse within workspaces
With workspaces, you can easily set up which services in your workload clusters can talk to each other and how you want to share Gloo Mesh resources.
- Service isolation within the workspace. You can quickly set up traffic encryption for all of your services within the workspace. Then, connections across the services are secured via mutual TLS (mTLS).
- Federation across clusters. After you enable federation, your services can communicate with other services in the workspace, even in different clusters. For example, Team B and C's workspaces federate across multiple clusters.
- Gloo Mesh resources apply throughout the workspace. For example, you might have a failover policy that you want all of the apps in Team B's workspace to use. Each app in the Team B workspace can use the same failover policy, even if the app runs in a different namespace and cluster than where the failover policy is created.
Each team's workspace settings are defined in a WorkspaceSettings resource. You apply workspace settings resources in the workload cluster of your choice, as long as that cluster is part of the workspace. For more information, see the API docs.
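The two resources for Team B's workspace, as an added example that is not taken from the original page or from the Gloo Mesh project. It assumes the Gloo Mesh 2.x `admin.gloo.solo.io/v2` API; the cluster names, the namespace names, and the `gloo-mesh` management namespace are constructed for illustration.

```yaml
# Workspace: created in the management cluster.
# Groups Team B's namespaces across two workload clusters into one boundary.
apiVersion: admin.gloo.solo.io/v2
kind: Workspace
metadata:
  name: team-b
  namespace: gloo-mesh            # assumed management namespace
spec:
  workloadClusters:
  - name: cluster-1               # constructed cluster name
    namespaces:
    - name: team-b-apps           # constructed namespace names
    - name: team-b-config
  - name: cluster-2               # constructed cluster name
    namespaces:
    - name: team-b-apps
---
# WorkspaceSettings: applied in a workload cluster that is part of the workspace.
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: team-b
  namespace: team-b-config        # must be a namespace listed in the Workspace
spec:
  options:
    serviceIsolation:
      enabled: true               # mTLS between the workspace's services
    federation:
      enabled: true               # services reachable across cluster-1 and cluster-2
      serviceSelector:
      - {}                        # empty selector: all services in the workspace
  # No importFrom or exportTo entries here, so Team B's resources stay
  # isolated from Team A and Team C until sharing rules are added.
```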