Skip to main content
logoTetrate Service BridgeVersion: 1.6.x

Workspace

A Workspace carves a chunk of the cluster resources owned by a tenant into an isolated configuration domain.

The following example claims ns1 and ns2 namespaces across all clusters owned by the tenant mycompany.

apiVersion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
  name: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"

The following example claims ns1 namespace only from the c1 cluster and claims all namespaces from the c2 cluster.

apiVersion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
  name: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "c1/ns1"
    - "c2/*"

Workspace

A Workspace is a collection of related namespaces in one or more clusters.

FieldDescriptionValidation Rule

namespaceSelector

tetrateio.api.tsb.types.v2.NamespaceSelector
REQUIRED
Set of namespaces owned exclusively by this workspace. A workspace can own all namespaces of a cluster or a set of namespaces across any cluster or a set of namespaces in a specific cluster. Use */* to claim all cluster resources under the tenant.

message = {
  required: true
}

privileged

google.protobuf.BoolValue
If set to true, allows Gateways in the workspace to route to services in other workspaces. Set this to true for workspaces owning cluster-wide gateways shared by multiple teams.

isolationBoundary

string
OPTIONAL
Istio Isolation Boundary name to which this workspace belongs. If not provided explicitly, the workspace looks for an isolation boundary with name set as "global". Therefore, in order to move existing workspaces to isolation boundaries, and be a part of revisioned control plane, it is recommended to configure an isolation boundary with the name "global".

securityDomain

string
Security domains can be used to group different resources under the same security domain. Although security domain is not resource itself currently, it follows a fqn format organizations/myorg/securitydomains/mysecuritydomain, and a child cannot override any ancestor's security domain. Once a security domain is assigned to a Workspace, all the children resources will belong to that security domain in the same way a Security group belongs to a Workspace, a Security group will also belong to the security domain assigned to the Workspace. Security domains can also be used to define Security settings Authorization rules in which you can allow or deny request from or to a security domain.