Import and export policies
Review how to import and export policies when using Gloo workspaces.
Overview
You can import and export resources across Gloo workspaces. To federate Gloo resources across namespaces within a workspace, Gloo creates copies of the translated resources in each namespace. You can create the Gloo resource directly within the “source” workspace, or export the resource to another “target” workspace.
In general, Gloo workspaces are set up to give you control of your microservices. When it comes to sharing policies across workspaces, policies generally still apply the rules of the source workspace to routes, destinations, or workspaces, even when those resources are shared across workspaces.
Learn more about policy behavior on imported resources by determining:
- Whether the policy is client or server-side.
- What exported resource that the policy applies to.
- For more in-depth information about policies for delegated routes, see Route policy attachment.
Client and server-side policies
Policies are server or client-side, depending on which proxy enforces the policy.
Client-side: Client-side policies are enforced by the sending, outbound proxy (the ingress gateway) before traffic is sent to the workload in the cluster. Client-side policies include the following:
- Active healthcheck
- Client TLS
- CORS
- CSRF
- DLP
- External auth, such as for API keys, LDAP, or OPA policies
- Failover
- Fault injection
- Header manipulation
- HTTP buffer filter
- JWT
- Listener connection
- Load balancer and consistent hash
- Mirroring
- Outlier detection
- Proxy protocol
- Rate limit
- Retry and timeout
- TCP connection
- Transformation
- Gloo Mesh Enterprise (requires a service mesh): Trim proxy config
- Web application firewall (WAF)
Server-side (requires a service mesh): Server-side policies are enforced by the receiving, inbound proxy.
- If you use Gloo Mesh Gateway with Gloo Mesh Enterprise, this proxy is the sidecar proxy for your workloads.
- In a standalone Gloo Mesh Gateway deployment, your workloads do not have sidecar proxies and server-side policies are not supported.
Gloo Mesh Enterprise server-side policies include the following:
Exported resources that policies can apply to
You cannot import or export policies across workspaces. However, policies might still apply to Gloo resources that you import and export to other workspaces. Review the following sections for more information about how policy behavior changes based on the kind of resource that you import and export. To check the policies that are applied in your environment, you can review the translated Istio resources such as VirtualServices and DestinationRules that Gloo creates, such as in the Gloo UI.
Route tables
Routes that are exported via a route table keep their policies from the source workspace. Policies in the new, target workspace do not apply to imported routes. This way, the original resource owner can control how the host is accessed.
If you as the target workspace owner want to change the behavior of a route, you have two choices:
- Ask the original owner to add a policy in the source workspace.
- Create another route table in your current workspace.
Imported route table summary:
- ✅ The source workspace’s policies still apply.
- ❌ The target workspace’s policies do not apply.
For an overview of how delegated routes impact policy import and export, see Route table management.
Kubernetes services
Kubernetes services that are exported keep their server-side destination policies from the source workspace. In the target workspace, you can only apply client-side route policies to imported services. This way, the original resource owner can control access to the source service with server-side policies. But you as the target workspace owner can control the client-side behavior, such as to inject faults for resilience testing or manipulate headers.
Imported Kubernetes service summary:
- ✅ The source workspace’s server-side policies still apply.
- ❌ The source workspace’s client-side policies no longer apply.
- ❌ The target workspace’s server-side policies do not apply.
- ✅ The target workspace’s client-side policies do apply.
Virtual destinations
Virtual destinations that are exported keep client-side policies from the source workspace. Any client-side policies in the target workspace do not apply.
Imported virtual destination summary:
- ✅ The source workspace’s client-side policies still apply.
- ❌ The target workspace’s client-side policies do not apply.
- ✅ The target workspace’s policies that apply to routes backed by the destinations do apply.
The following policies are supported:
- ActiveHealthCheckPolicy
- AdaptiveRequestConcurrencyPolicy
- ClientTLSPolicy
- ConnectionPolicy for TCP
- FailoverPolicy
- LoadBalancerPolicy
- OutlierDetectionPolicy
External services
Similar to virtual destinations, external services that are exported do not keep any policies from the source workspace. Instead, you as the target workspace owner can apply your own client-side policies to the external service or routes that are backed by the external service. You can also apply your own server-side policies to the external service.
This way, each team can set its own client and server-side policies for the external service within their own workspace, but share the external service configuration across teams.
Imported external service summary:
- ❌ The source workspace’s policies no longer apply.
- ✅ The target workspace’s policies do apply.