When provisioning CML, we recommend that the ML workspace be given a
static subdomain name. This subdomain is used in the URL for the ML Workspace. A
workspace domain is structured as
https://<workspace-subdomain>.<cluster>.<company>.com.
Workloads created in an ML workspace are containers provisioned in kubernetes
and must be addressable to the user. To do this, CML creates a unique subdomain.
The URL for the workload is structured as
https://<workload-subdomain>.<workspace-subdomain>.<cluster>.<company>.com.
Because the workload subdomain is randomly generated, for TLS to work, an ML
workspace needs to have a wildcard SAN entry in the TLS certificate and its
formed like
SAN:*.<workspace-subdomain>.<cluster>.<company>.com.
By using unique subdomains, the ML Workspace is able to securely serve each
interactive workload with proper isolation and protect it from code injection
attacks such as Cross Site Scripting.