
Workspace Domain

The workspace domain controls the full workspace lifecycle (who can provision, create, list, read, delete, and connect to workspaces) as well as fine-grained access to file transfer and in-workspace app operations. Each contract below lists the resource and context fields the caller supplies and the obligations, if any, that the policy may return.

Contracts

All contracts include the Subject; see Subject claims.

workspace:provision

Evaluated before a workspace is provisioned. The full blueprint is carried in context as a YAML-encoded struct. The policy may return patch obligations that the enforcer applies to the blueprint before provisioning proceeds.

Resource

Field                 Description
id                    Workspace name. Required.
type                  Resource type. The value is workspace.
attributes.owner      Username of the user provisioning the workspace. Required.
attributes.blueprint  Blueprint name. Optional.

Context

Field                 Description
blueprint             Full blueprint struct encoded as YAML. Required.
mode                  standalone or inject. Required.
workload_name         Target workload name. Required when mode is inject.
workload_namespace    Target workload namespace. Required when mode is inject.
workload_kind         Target workload kind. Required when mode is inject.

Obligations

Key                   Description
patch:<json-pointer>  String value to write at the given JSON Pointer (RFC 6901) path in the blueprint. The enforcer applies every patch obligation to the blueprint before provisioning proceeds. Example: the obligation patch:/resources/cpu with the value 2000m sets resources.cpu in the blueprint to 2000m.
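The enforcer side of this contract, as an added example in Python (not the project's own enforcer code): it takes the policy decision, walks each patch:<json-pointer> key per RFC 6901 (including the ~1 and ~0 escapes and array indices), writes the string value into the blueprint, and fails closed, so an obligation whose target path does not exist, whose value is not a string, or whose key is not a patch: key aborts provisioning rather than being skipped. Three things here are assumptions of the example rather than statements from this page: the blueprint is taken as already decoded from YAML into a dict (the YAML step is omitted), a pointer must name an existing location, and values are written exactly as the policy returned them. The sample blueprint and decision are constructed; the decision mirrors the 1000m / 2Gi patches of the example policy at the end of this page.

```python
"""Apply patch:<json-pointer> obligations to a provisioning blueprint.

Added example, not the project's own enforcer. Assumptions not stated on the
page: the blueprint has already been decoded from YAML into a dict, a pointer
must name an existing location (missing paths abort provisioning), and values
are written as the strings the policy returned, without conversion.
"""
import copy

PATCH_PREFIX = "patch:"


class ObligationError(Exception):
    """An obligation could not be applied; the caller must not provision."""


def parse_pointer(pointer: str) -> list:
    """Split an RFC 6901 JSON Pointer into unescaped reference tokens."""
    if pointer == "":
        return []  # the whole document
    if not pointer.startswith("/"):
        raise ObligationError(f"invalid JSON Pointer {pointer!r}: must start with '/'")
    # RFC 6901 section 4: decode ~1 before ~0, so "~01" yields "~1", not "/".
    return [tok.replace("~1", "/").replace("~0", "~") for tok in pointer.split("/")[1:]]


def _resolve(container, token, pointer):
    """Return (container, key) for one reference token, or fail closed."""
    if isinstance(container, dict):
        if token not in container:
            raise ObligationError(f"{pointer}: key {token!r} does not exist")
        return container, token
    if isinstance(container, list):
        # RFC 6901: an array index is a decimal number without leading zeros
        is_index = token.isascii() and token.isdigit() and not (len(token) > 1 and token[0] == "0")
        if not is_index or int(token) >= len(container):
            raise ObligationError(f"{pointer}: invalid array index {token!r}")
        return container, int(token)
    raise ObligationError(f"{pointer}: cannot descend into {type(container).__name__}")


def set_pointer(doc: dict, pointer: str, value: str) -> None:
    """Write value at pointer inside doc, in place."""
    tokens = parse_pointer(pointer)
    if not tokens:
        raise ObligationError("refusing to replace the whole blueprint")
    node = doc
    for tok in tokens[:-1]:
        node, key = _resolve(node, tok, pointer)
        node = node[key]
    node, key = _resolve(node, tokens[-1], pointer)
    node[key] = value


def apply_obligations(blueprint: dict, obligations: dict) -> dict:
    """Return a patched copy of blueprint; any unknown or malformed obligation fails closed."""
    patched = copy.deepcopy(blueprint)
    for key in sorted(obligations):  # deterministic regardless of engine map order
        if not key.startswith(PATCH_PREFIX):
            raise ObligationError(f"unsupported obligation {key!r}")
        value = obligations[key]
        if not isinstance(value, str):
            raise ObligationError(f"{key}: value must be a string, got {type(value).__name__}")
        set_pointer(patched, key[len(PATCH_PREFIX):], value)
    return patched


def enforce_provision(decision: dict, blueprint: dict) -> dict:
    """Gate provisioning on the decision: deny raises, allow returns the patched blueprint."""
    if decision.get("allow") is not True:
        raise ObligationError("workspace:provision denied by policy")
    return apply_obligations(blueprint, decision.get("obligations") or {})


# Constructed sample input: a decoded blueprint and a decision shaped like the
# example policy on this page (non-admin user, CPU and memory pinned).
SAMPLE_BLUEPRINT = {
    "name": "bob-ws",
    "resources": {"cpu": "4000m", "memory": "8Gi"},
    "ports": [{"name": "web", "port": "8080"}],
}
SAMPLE_DECISION = {
    "allow": True,
    "obligations": {"patch:/resources/cpu": "1000m", "patch:/resources/memory": "2Gi"},
}

if __name__ == "__main__":
    print(enforce_provision(SAMPLE_DECISION, SAMPLE_BLUEPRINT)["resources"])
```

Applying obligations in sorted key order makes the result independent of whatever map order the policy engine happens to return, and rejecting unknown obligation keys means a policy author who misspells the patch: prefix gets a hard failure instead of a workspace provisioned without its limits.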

workspace:list

Evaluated when a user requests a list of workspaces. There is no specific workspace, so id is always empty. When owner is omitted, all workspaces are listed (admin use).

Resource

Field                 Description
id                    Empty: no specific workspace.
type                  Resource type. The value is workspace.
attributes.owner      Owner username to filter by. Optional: omit to list all workspaces.

No contract-specific context fields. Obligations — none; allow/deny only.

workspace:create

Evaluated when a user requests to create a new workspace. There is no workspace name yet, so id is empty.

Resource

Field                 Description
id                    Empty: no specific workspace yet.
type                  Resource type. The value is workspace.
attributes.owner      Owner username for whom the workspace is being created. Required.

No contract-specific context fields. Obligations — none; allow/deny only.

workspace:read

Evaluated when a user requests the details of a specific workspace.

Resource

Field                 Description
id                    Workspace name. Required.
type                  Resource type. The value is workspace.
attributes.owner      Username of the workspace owner. Required.

No contract-specific context fields. Obligations — none; allow/deny only.

workspace:delete

Evaluated when a user requests to delete a specific workspace.

Resource

Field                 Description
id                    Workspace name. Required.
type                  Resource type. The value is workspace.
attributes.owner      Username of the workspace owner. Required.

No contract-specific context fields. Obligations — none; allow/deny only.

workspace:connect

Evaluated when a user opens an interactive browser session on a workspace — web shell, file browser, or port forward.

Resource

Field                 Description
id                    Workspace name. Required.
type                  Resource type. The value is workspace.
attributes.owner      Username of the workspace owner. Required.

Context

Field                 Description
type                  webshell, webfiles, or portforward. Required.
port                  Port number as a string. Required when type is portforward.

Obligations — none; allow/deny only.

workspace:files

Evaluated when a user transfers files to or from a workspace via the API server.

Resource

Field                 Description
id                    Workspace name. Required.
type                  Resource type. The value is workspace.
attributes.owner      Username of the workspace owner. Required.

Context

Field                 Description
op                    download or upload. Required.

Obligations — none; allow/deny only.

workspace:app

Evaluated when a user installs, starts, or stops an in-workspace app.

Resource

Field                 Description
id                    Workspace name. Required.
type                  Resource type. The value is workspace.
attributes.owner      Username of the workspace owner. Required.
attributes.app        App name. Required.

Context

Field                 Description
op                    install, start, or stop. Required.

Obligations — none; allow/deny only.

Example policy

package workspace

import rego.v1
import data.common

default allow := false

# admins may perform any workspace action
allow if input.subject.username in common.admin_users

# users may perform any workspace action on workspaces they own.
# resource.attributes.owner is absent on a workspace:list request that
# targets all workspaces, so the comparison below is undefined and this
# rule does not fire; such requests are allowed only by the admin rule.
allow if {
    input.action in {
        "workspace:provision", "workspace:list", "workspace:create",
        "workspace:read", "workspace:delete", "workspace:connect",
        "workspace:files", "workspace:app"
    }
    "user" in input.subject.roles
    input.resource.attributes.owner == input.subject.username
}

# --- workspace:provision obligations ---

# pin CPU for non-admin users: the enforcer overwrites resources.cpu in the
# blueprint with this value regardless of what was requested
obligations["patch:/resources/cpu"] := "1000m" if {
    input.action == "workspace:provision"
    not input.subject.username in common.admin_users
}

# pin memory for non-admin users
obligations["patch:/resources/memory"] := "2Gi" if {
    input.action == "workspace:provision"
    not input.subject.username in common.admin_users
}

This example demonstrates the following patterns:

  • Admins (usernames in common.admin_users) may perform any workspace action.
  • Every contract in this domain carries resource.attributes.owner, so a single allow rule on input.resource.attributes.owner == input.subject.username covers the full set. For workspace:list and workspace:create, resource.id is empty. For workspace:list, resource.attributes.owner is optional: when it is absent the request targets all workspaces, the owner comparison is undefined, the owner rule does not fire, and only the admin rule can allow the request.
  • workspace:provision is called by the Provisioner service, but the subject is still the user from the JWT, so the same owner check applies: only the workspace owner (or an admin) can provision a workspace.
  • Patch obligations use JSON Pointer keys (e.g. patch:/resources/cpu) to overwrite specific fields in the blueprint before provisioning proceeds. Admins are exempt and receive the blueprint unmodified. Because these rules never read context.blueprint, the values are written unconditionally; a policy that wants a true cap (overwrite only when the requested value exceeds the limit) must decode the YAML blueprint from context.blueprint (for example with yaml.unmarshal) and compare before emitting the obligation.