You can import and export resources across Gloo workspaces. To federate Gloo resources across namespaces within a workspace, Gloo creates copies of the translated resources in each namespace. You can create the Gloo resource directly within the “source” workspace, or export the resource to another “target” workspace.

In general, Gloo workspaces are set up to give you control of your microservices. When it comes to sharing policies across workspaces, the following general rules apply:

  • Policies that select destinations (applyToDestinations) or workloads (applyToWorkloads) do not apply across workspaces, even if their underlying destinations are imported. This way, each workspace owner can control the client-side policies that are applied to their own destinations.
  • Policies that select routes (applyToRoutes) or the destinations of routes (applyToRouteDestination) do still apply across workspaces. This way, you control how your services are accessed via the routes, even if those routes are exported to other workspaces.

Learn more about policy behavior on imported resources by determining:

Client and server-side policies

Policies are server or client-side, depending on which proxy enforces the policy.

Client-side: Client-side policies are enforced by the sending, outbound proxy (the workload’s sidecar) before traffic is sent to the target workload. Client-side policies include the following:

Ingress client-side: If you use Gloo Mesh Enterprise with Gloo Mesh Gateway, you can also apply the following ingress client-side policies:

Server-side: Server-side policies are enforced by the receiving, inbound proxy. In Gloo Mesh Enterprise this proxy is the sidecar proxy of the target workload. The policies are created in the namespace of the backing Kubernetes service. Server-side policies include the following:

Exported resources that policies can apply to

You cannot import or export policies across workspaces. However, policies might still apply to Gloo resources that you import and export to other workspaces. Flip through the following tabs for more information about how policy behavior changes based on the kind of resource that you import and export. To check the policies that are applied in your environment, you can review the translated Istio resources such as VirtualServices and DestinationRules that Gloo creates, such as in the Gloo UI.