Workspaces

Uses: Kong Gateway Admin API

What is a Workspace?

Workspaces are a way of namespacing Kong Gateway entities so they can be managed independently. Workspaces work in combination with RBAC to create isolated environments for teams to operate independently of each other. Workspaces can’t share entities, like Services, between them, and only Workspace Admins with the correct permissions, in the Workspace, can manage them.

Workspaces support multi-tenancy by isolating Kong Gateway configuration objects. When paired with RBAC, Kong Gateway administrators can effectively create tenants within the control plane. The Workspace administrators have segregated and secure access to only their portion of the Kong Gateway configuration in Kong Manager, the Admin API, and the declarative configuration tool decK.

 
flowchart LR
    subgraph Workspace1 [Workspace-1]
        A(Team A's - Service)
        B(Route)
    end 

    subgraph Workspace2 [Workspace-2]
        C(Team B's - Service)
        D(Route)

    end

    subgraph Workspace3 [Workspace-3]
        E(Team C's - Service)
        F(Route)
    end
    subgraph Gatewayorg [Gateway Organization]
    Workspace1
    Workspace2
    Workspace3
    end

How does Kong Gateway resolve entity conflicts between Workspaces?

Routing rules are configured at the Data Plane level. The Data Plane routes client traffic based on the configuration applied across all Workspaces. Configuring entities related to routing, such as Gateway Services and Routes, alter the client traffic routing behavior of the Data Plane, but Kong Gateway will always attempt to ensure that routing rules don’t contain conflicts.

To route traffic to the appropriate Workspace, Kong Gateway uses a conflict detection algorithm.

When a Service or Route is created or modified, the Kong Gateway Router checks for the existence of that object before allowing the operation to proceed in this order:

If the Service or Route created is unique across all Workspaces, the new entity is created.
If an existing Service or Route object in the current Workspace has the same routing rules as the one being created or modified, the operation proceeds.
If an equivalent Service or Route is found in a different Workspace, and the host is provided:
1. If the host field matches in both Workspaces, a 409 Conflict error is returned.
2. If the host field doesn’t match, the operation proceeds.
3. If the host is an absolute value, a 409 Conflict error is returned.

Roles, groups, and permissions

Because Workspaces allow users to control Kong Gateway entities in isolation, users must have the correct permissions to configure a particular Workspace. Users will require either a Super Admin or Admin role to configure Workspaces.

The following table details which Workspace permissions each Admin role has:

	Super Admin	Admin
Manage entities within the specified Workspace
Create new Workspaces
Assign and revoke roles to admins
Manage all Workspaces across the organization

For more information, see Roles and permissions.

Manage Workspaces with decK

The following decK flags must be used when interfacing with Workspaces using decK.

Manage multiple Workspaces

To manage all Workspaces at once, use the --all-workspaces flag with decK:

deck gateway dump --all-workspaces

This will dump your configuration into individual yaml files with the specific Workspace name including default.

You can set a Workspace specifically within a decK file like this:

_format_version: "3.0"
_workspace: default
services:
- name: example_service

Deploy Workspace-specific config

decK configurations must be deployed on a per-Workspace basis, individually. This is achieved using the --workspace flag:

deck gateway sync default.yaml --workspace default

Delete a Workspace configuration

decK can’t delete Workspaces. However, using deck gateway reset in combination with the --workspace or --all-workspaces flags forces decK to delete the entire configuration inside the Workspace, but not the Workspace itself.

Schema

Set up a Workspace

To create a Workspace, call the Admin API’s /workspaces endpoint.

curl -i -X POST http://localhost:8001/workspaces/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "my-workspace"
    }
    '

FAQs

Do I have to enable Workspaces?

No, Kong Gateway Enterprise ships with the default Workspace. You can create additional Workspaces, but the default Workspace will always remain, and can’t be deleted.

Are there entities that can’t exist in a Workspace?

There are certain entities that can’t exist within a Workspace:

CA Certificates apply to all Workspaces. They’re used to verify the client certificates in mTLS handshakes. The SSL handshake takes place before receiving an HTTP request when the Workspace is unknown.
RBAC entities - Users, Roles, Admins, Groups - exist outside of a Workspace. However, you must assign Workspace-specific Roles for any User, Admin, or Group to access entities in a specific Workspace.
Other Workspaces can’t exist within a Workspace.

Can I use Workspaces in Konnect?

No. Instead, Konnect offers the more powerful Control Planes and Control Plane Groups to manage entities within an API ecosystem.

Two Workspaces can’t share the same name. However, Workspace names are case sensitive - for example, “Payments” and “payments” are not equal and would be accepted as two different Workspaces. We recommend giving Workspaces unique names regardless of letter case to prevent confusion.

What happens if I create an entity without specifying a Workspace?

If you don’t specify a target Workspace, the entity will be created in the default workspace.