WorkspaceSettings define a set of workspace-wide parameters, such as importFrom and exportTo, for the workspace. These settings are commonly defined by the workspace admin. There are three key configurations related to WorkspaceSettings:

- importFrom: To import resources from another workspace into your workspace, configure the importFrom field in the WorkspaceSettings resource for your workspace.
- exportTo: To export resources in your workspace to other workspaces, configure the exportTo field in the WorkspaceSettings resource for your workspace.
- options: Configure service isolation, federation and other options for the workspace.

You can specify your workspace's importFrom, exportTo or other workspace configuration options in the WorkspaceSettings resource for your workspace. Only one WorkspaceSettings resource can be defined for each workspace. The resource can be deployed to any of your workspace's namespaces in your workload cluster(s).

Export: Only the resources below can be exported to other workspaces:

- Kubernetes Service
- VirtualDestination
- ExternalService
- RouteTable

You can use the exportTo field in the WorkspaceSettings resource for the workspace to configure which resources are exported to which other workspaces. For example, the web application developer can export the RouteTable resource from the web workspace to an admin-owned gateway workspace.

The following workspace example defines the backend workspace. The workspace settings example exports the backend workspace to any workspace that matches the label team: web. In addition, all exported resources from the backend workspace are made available for import by any workspace that has the label team: web.

```yaml
apiVersion: admin.gloo.solo.io/v2
kind: Workspace
metadata:
  name: backend
  namespace: gloo-mesh
  labels:
    team: backend
spec:
  workloadClusters:
    - namespaces:
        - name: backend*
---
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: backend-namespace
spec:
  exportTo:
    - workspaces:
        - selector:
            team: web
```

Import: To import exported resources from other workspaces, configure the importFrom field in the WorkspaceSettings resource for your workspace. For example, by importing the web workspace, the admin-owned gateway workspace can delegate routing for a subset of the gateway traffic to a RouteTable resource in the web workspace.

The following workspace defines the web workspace. The workspace settings example imports the exported resources from the backend workspace into the web workspace. The exported resources from the backend workspace are available to the web workspace for import because the web workspace has the team: web label.

```yaml
apiVersion: admin.gloo.solo.io/v2
kind: Workspace
metadata:
  name: web
  namespace: gloo-mesh
  labels:
    team: web
spec:
  workloadClusters:
    - namespaces:
        - name: web*
---
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: web-namespace
spec:
  importFrom:
    - workspaces:
        - name: backend
```

The following example imports, into the web workspace, any workspace that is available for the web workspace to import and has the team: backend label. After this is deployed in the web-namespace namespace of a workload cluster that is part of the workspace, all exported resources from backend workspaces that have the label team: backend are imported into the web workspace and available for use by anything in the web workspace.

```yaml
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: web-namespace
spec:
  importFrom:
    - workspaces:
        - selector:
            team: backend
```

WorkspaceSettings defined in the admin namespace for Gloo Mesh will override settings defined in individual workspaces. Such settings must have the name "global" to be picked up by Gloo Mesh.
Select the workspaces whose objects will be imported into this workspace. Objects must both be exported by the workspace that is being imported and imported into this workspace in order to be shared across workspaces. Imported objects allow the creation of routes and outbound communication from one workspace to another. Currently the following types of objects can be imported across workspaces:

- kubernetes services
- virtual destinations
- external destinations
- route tables

You can select workspaces using labels, for example:

```yaml
importFrom:
  - workspaces:
      - selector:
          team: backend
    services:
      - {} # select all services
```

Or select a workspace using an exact name match, for example:

```yaml
importFrom:
  # import all importable objects from the workspace named "backend"
  - workspaces:
      - name: backend
```

Or select workspaces using labels and a name with a simple regex (both must match), for example:

```yaml
importFrom:
  - workspaces:
      - selector:
          team: backend
        name: backend*
```

Or select workspaces using labels or by name with a simple regex (separate entries, either may match), for example:

```yaml
importFrom:
  - workspaces:
      - selector:
          team: backend
      - name: backend
```

A workspace can specify resources to export for use by other workspaces. Currently the following types of objects can be exported across workspaces:

- kubernetes services
- virtual destinations
- external destinations
- route tables

You can select workspaces using labels, for example:

```yaml
exportTo:
  - workspaces:
      - selector:
          team: backend
```

Or select a workspace using an exact name match, for example:

```yaml
exportTo:
  - workspaces:
      - name: backend
```

Or export to all other workspaces, for example:

```yaml
exportTo:
  - workspaces:
      - name: "*"
```

Or select workspaces using labels and a name with a simple regex (both must match), for example:

```yaml
exportTo:
  - workspaces:
      - selector:
          team: backend
        name: backend*
```

Or select workspaces using labels or by name with a simple regex (separate entries, either may match), for example:

```yaml
exportTo:
  - workspaces:
      - selector:
          team: backend
      - name: backend
```
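The matching rules above (label selector and name within one entry must all hold; separate entries are alternatives; a resource only flows when the source exports to the target and the target imports from the source) are easy to get wrong when many workspaces are involved. The following is an added example, not Gloo Mesh code, that audits a constructed set of workspaces for which export/import pairs actually share resources and flags any workspace that exports to `"*"`. It assumes a trailing `*` in `name` behaves as a glob, as in the `backend*` examples.

```python
"""Added example (not Gloo Mesh code): audit which workspaces share resources.

Within one workspaces[] entry, `selector` labels and `name` (exact or trailing-*
glob, an assumption) must all match; entries in the list are OR'd. A resource
flows from A to B only when A exports to B AND B imports from A.
"""
import fnmatch

# Constructed workspaces for the example: name -> labels, exportTo, importFrom.
WORKSPACES = {
    "backend": {"labels": {"team": "backend"},
                "exportTo": [{"selector": {"team": "web"}}], "importFrom": []},
    "web": {"labels": {"team": "web"},
            "exportTo": [{"name": "gateway"}], "importFrom": [{"name": "backend"}]},
    "gateway": {"labels": {"team": "platform"},
                "exportTo": [], "importFrom": [{"selector": {"team": "web"}}]},
    "billing": {"labels": {"team": "backend"},
                "exportTo": [{"name": "*"}], "importFrom": []},
}

def entry_matches(entry: dict, ws_name: str, ws_labels: dict) -> bool:
    """One workspaces[] entry: every listed condition must hold (AND)."""
    if "selector" in entry and any(ws_labels.get(k) != v for k, v in entry["selector"].items()):
        return False
    if "name" in entry and not fnmatch.fnmatchcase(ws_name, entry["name"]):
        return False
    return bool(entry)  # an empty entry selects nothing

def selects(entries: list, ws_name: str, ws_labels: dict) -> bool:
    """A list of entries selects a workspace if any single entry matches (OR)."""
    return any(entry_matches(e, ws_name, ws_labels) for e in entries)

def shared_pairs(workspaces: dict) -> set:
    """Return (source, target) pairs whose exported resources actually flow."""
    pairs = set()
    for src, s in workspaces.items():
        for dst, d in workspaces.items():
            if src == dst:
                continue
            # Both directions must agree: src exports to dst AND dst imports src.
            if selects(s["exportTo"], dst, d["labels"]) and selects(d["importFrom"], src, s["labels"]):
                pairs.add((src, dst))
    return pairs

def exports_to_all(workspaces: dict) -> list:
    """Workspaces exporting to every other workspace (name: "*"); worth a review."""
    return sorted(n for n, w in workspaces.items() if any(e.get("name") == "*" for e in w["exportTo"]))

if __name__ == "__main__":
    for src, dst in sorted(shared_pairs(WORKSPACES)):
        print(f"{src} -> {dst}")
    print("exports to all workspaces:", exports_to_all(WORKSPACES))
```

Note that `billing` exports to everyone but nothing imports it, so no resources flow; the `"*"` export is still flagged because any workspace that later adds a matching importFrom gains access without the billing admin changing anything.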
If enabled, serviceIsolation will automatically block communication from non-importing workspaces into this one, enforced using mTLS. Setting this to true is equivalent to manually creating an AccessPolicy with the following spec:

```yaml
spec:
  applyToDestinations: nil
  config:
    authn:
      tlsMode: STRICT
    authz:
      allowedClients:
        - serviceAccountSelector:
            workspace: this-workspace
        - serviceAccountSelector:
            workspace: importing-workspace-1 # for each workspace importing this one
```

Applying AccessPolicies to destinations in this workspace will override the default service isolation behavior.
Federation is a feature which allows Kubernetes Services to directly communicate with each other across clusters using generated hostnames. When enabled, federation will generate a hostname for each Service selected, which is reachable by all network clients in the workspace. Federation allows routes to be created in RouteTables which forward traffic across clusters. These routes will otherwise be treated by Gloo Mesh as errors.
Selects the ingress gateways in a workspace. If no gateways are selected, defaults to attempting to use istio-eastwestgateway.istio-system as the Istio ingress gateway for “east-west” traffic, which is traffic routed across clusters for federation and virtual destinations.
Host information for an east-west gateway. Can be used to specify a set of routable destinations that proxy traffic back to the east-west gateway selected by the selector. Useful when a load balancer external to the mesh is being used. When using this feature, make sure the selectors are granular enough that the correct HostInfo is mapped to the proper gateway.
Specify Host Info to override discovered routing information for an east-west gateway.
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| addr | string | | Address to be used to direct traffic to instead of the default gateway discovered address. Can be an IP address or hostname. |
| port | uint32 | | Port to be used to direct traffic to instead of the default gateway discovered port. |
WorkspaceSettingsSpec.Options.Federation
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| enabled | bool | | Enables the federation feature for selected Kubernetes services in the workspace. |
| hostSuffix | string | | Optional: The suffix used for generated hostnames. Hostnames will be generated for each selected service in the format `{{ service name }}.{{ service namespace }}.{{ service cluster }}.{{ host suffix }}`. |
Selector for the K8s services that will be exposed to cross-cluster traffic within the Workspace. Federated hostnames will be generated for selected imported services.
If provided, expose only the selected ports to cross-cluster traffic.
WorkspaceSettingsSpec.Options.ServiceIsolation
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| enabled | bool | | Automatically enables strict mTLS and blocks any access from non-importing workspaces into any destination in the current workspace. Default value is disabled. |
The type of the resource to import or export. The type must be a valid importable/exportable Kubernetes or Gloo Mesh resource type. Supported types:

- RouteTable
- Service
- VirtualDestination
- ExternalService
- All (all types)
Only select objects exactly matching the name. If the field is omitted, Gloo Mesh will select matching objects with any name available in the workspace.
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| namespace | string | | Only select objects exactly matching the namespace. If the field is omitted, Gloo Mesh will select matching objects across all namespaces available in the workspace. |
| cluster | string | | Only select objects in the exactly matching cluster. If the field is omitted, Gloo Mesh will select matching objects across all clusters available in the workspace. |