Import and export resources across workspaces

What if you want to share services across workspaces? For example, maybe you want your gateway in Team A's workspace to route traffic to a frontend service in Team B's workspace, but not to Team C's backend services.

You can share resources across workspaces by configuring the workspace settings and the selectors on your services. You have to configure the settings for both workspaces, which help to make sure that you don't export resources by mistake.

Export to and import from settings

Make sure that your importing and exporting settings match across your workspaces.

You can select your workspaces by using labels and names.

Labels: Use Kubernetes labels to select workspaces for importing or exporting. Each workspace must have the matching label. For example, you might use labels such as team: frontend, app: bookinfo, or env: prod. By using labels, any workspaces that are subsequently added are also selected.

Names: If you want more fine-grained control, you can select workspaces by name. The following types of matching are supported.

Labels and names together: For more fine-grained control, you can combine labels and names together.

Select resources to share across workspaces

After setting up the workspaces to import from and export to, you can narrow sharing to a particular resource. Four kinds of resources are supported:

You can select resources by label, name, namespace, or cluster. For more information, see the API docs.

After importing a resource, Gloo generates subsequent resources like Istio translations in each namespace of the workspace. This way, you can use the imported resources just as other resources in your workspace.

If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.

Example scenarios for importing and exporting

For more information about how importing and exporting work, review the following figure, tabbed description, and example configuration file.

Figure of importing and exporting resources across workspaces.
The Ops team's workspace selects the ingress gateway and Gloo Platform add-on resources like rate limiting and external auth. Their workspace settings resource is configured as follows:

  • Exports the Gloo Platform add-on services and virtual destinations for rate limiting and external auth to any workspace. This way, any future workspaces can also use these Gloo Platform features.
  • Imports the Web team's frontend app resources so that the ingress gateway can route to the frontend.
  • Does not import the Backend API team because the ingress gateway does not need to route to those backend apps.
  • Disables federation, because Gloo virtual destinations are the preferred way to enable multicluster routing, if needed.
  • Enables service isolation so that resources are secured without additional policy configuration.
The Web team's workspace has the frontend apps that run the website. Their workspace settings resource is configured as follows:

  • Imports the Backend API team's backend apps. This way, the frontend website can use the backend services.
  • Imports the Ops team's add-on apps, as well as the gateway.
  • Exports to the Ops team so that the gateway can route to the frontend app.
  • Disables federation, because Gloo virtual destinations are the preferred way to enable multicluster routing, if needed.
  • Enables service isolation so that resources are secured without additional policy configuration.
The Backend API team's workspace has the backend apps that the frontend website needs. Their workspace settings resource is configured as follows:

  • Imports the Ops team's add-on apps so that the backend services can use Gloo features such as rate limiting.
  • Does not import the Ops team's gateway app because the backend services do no need to be exposed via ingress.
  • Exports to the Web team so that the frontend app can use the backend APIs.
  • Disables federation, because Gloo virtual destinations are the preferred way to enable multicluster routing, if needed.
  • Disables service isolation. Instead, the Backend API team uses Gloo access policies for more fine-grained access control.

Example YAML configuration

The following GitHub Gist example configures the settings for three workspaces. You create workspace settings resources in the workload cluster of your choice, as long as that cluster is part of the workspace. For more information, see the API docs.