Import and export policies

You can import and export resources across Gloo workspaces. To federate Gloo resources across namespaces within a workspace, Gloo creates copies of the translated resources in each namespace. You can create the Gloo resource directly within the “source” workspace, or export the resource to another “target” workspace.

In general, Gloo workspaces are set up to give you control of your microservices. When it comes to sharing policies across workspaces, the following general rules apply:

Learn more about policy behavior on imported resources by determining:

Client and server-side policies

Policies are server or client-side, depending on which proxy enforces the policy.

Client-side: Client-side policies are enforced by the sending, outbound proxy (the workload's sidecar) before traffic is sent to the target workload. Client-side policies include the following:

Ingress client-side: If you use Gloo Mesh with Gloo Gateway, you can also apply the following ingress client-side policies:

Server-side: Server-side policies are enforced by the receiving, inbound proxy. In Gloo Mesh, this proxy is the sidecar proxy of the target workload. The policies are created in the namespace of the backing Kubernetes service. Server-side policies include the following:

Exported resources that policies can apply to

You cannot import or export policies across workspaces. However, policies might still apply to Gloo resources that you import and export to other workspaces. Flip through the following tabs for more information about how policy behavior changes based on the kind of resource that you import and export. To check the policies that are applied in your environment, you can review the translated Istio resources such as VirtualServices and DestinationRules that Gloo creates, such as in the Gloo UI.

Routes that are exported via a route table keep their policies from the source workspace. Policies in the new, target workspace do not apply to imported routes. This way, the original resource owner can control how the host is accessed.

If you as the target workspace owner want to change the behavior of a route, you have two choices:

  • Ask the original owner to add a policy in the source workspace.
  • Create another route table in your current workspace.

Imported route table summary:

  • ✅ The source workspace's policies still apply.
  • ❌ The target workspace's policies do not apply.

For an overview of how delegated routes impact policy import and export, see Route table management.

Diagram for how policies applied to imported route tables

Kubernetes services that are exported keep their server-side destination policies from the source workspace. In the target workspace, you can only apply client-side route policies to imported services. This way, the original resource owner can control access to the source service with server-side policies. But you as the target workspace owner can control the client-side behavior, such as to inject faults for resilience testing or manipulate headers.

Imported Kubernetes service summary:

  • ✅ The source workspace's server-side policies still apply.
  • ❌ The source workspace's client-side policies no longer apply.
  • ❌ The target workspace's server-side policies do not apply.
  • ✅ The target workspace's client-side policies do apply.

Diagram for how policies applied to imported Kubernetes services

Virtual destinations that are exported do not keep any policies from the source workspace. Instead, you as the target workspace owner can apply your own client-side policies to the virtual destination or routes that are backed by the virtual destination. You can also apply your own server-side policies to the Kubernetes services that back the virtual destination.

This way, each team can set its own client and server-side policies for the virtual destination within their own workspace, but share the virtual destination configuration across teams.

Imported virtual destination summary:

  • ❌ Neither the source workspace's server-side nor client-side policies apply.
  • ✅ The target workspace's server-side policies do apply to the backing Kubernetes service of the imported virtual destination in the target workspace.
  • ✅ The target workspace's client-side policies do apply.

Diagram for how policies applied to imported virtual destinations

Similar to virtual destinations, external services that are exported do not keep any policies from the source workspace. Instead, you as the target workspace owner can apply your own client-side policies to the external service or routes that are backed by the external service. You can also apply your own server-side policies to the external service.

This way, each team can set its own client and server-side policies for the external service within their own workspace, but share the external service configuration across teams.

Imported external service summary:

  • ❌ The source workspace's policies no longer apply.
  • ✅ The target workspace's policies do apply.

Diagram for how policies applied to imported external services