Saad Bin Shahid

Reputation: 344

GKE: Identity-aware proxy > L7 load balancer > Custom host and path rules > Error code 11

I am using GKE Identity-aware proxy > L7 load balancer > Custom host and path rules. It works fine for the root-path. But it does not work for custom paths.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-static-ip"
spec:
  rules:
  - host: my.custom.org
    http:
      paths:
      - path: /v1/*
        backend:
          serviceName: webv1
          servicePort: 8080
      - path: /v3/*
        backend:
          serviceName: webv3
          servicePort: 8080
      - path: /nginx/*
        backend:
          serviceName: nginx
          servicePort: 80
      - path: /*
        backend:
          serviceName: nginx
          servicePort: 80

Paths / and /nginx/ work fine. /v2/ and /v3/ throw "There was a problem with your request. Error code 11."

If I disable the IAP, everything works fine.

Environment:

Setting up HTTP Load Balancing with Ingress @ https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer

Enabling Cloud IAP for GKE @ https://cloud.google.com/iap/docs/enabling-kubernetes-howto

Upvotes: 0

Views: 574

Answers (1)

Lozano

Reputation: 180

This error code 11 is related to a misconfiguration of the OAuth client ID.

I see that the failing ones are using a different servicePort. If you are serving the following 2 URLs from two different backends, both may have IAP enabled but be configured with different clientIds.

As of now, GCP does not support different clientIds for different paths, and the effort for IAP to use a single clientId across b/e services is underway. For now, if you can verify the clientId, and change it to a single one if they are different, that would work.

The recommended approach would be setting up an NGINX proxy. The ingress + IAP only have one service to deal with instead of two, and it will work like a charm.


Upvotes: 0
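One way to do the clientId verification the answer suggests, as an added example that is not part of the original answer: it groups IAP-enabled backend services by OAuth client ID and flags any mismatch. It assumes the input is the JSON printed by `gcloud compute backend-services list --format=json`; the service names and client IDs in the sample are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of
# `gcloud compute backend-services list --format=json` (names and IDs are made up).
SAMPLE = json.dumps([
    {"name": "k8s-be-30001--example",
     "iap": {"enabled": True, "oauth2ClientId": "111-aaa.apps.googleusercontent.com"}},
    {"name": "k8s-be-30002--example",
     "iap": {"enabled": True, "oauth2ClientId": "222-bbb.apps.googleusercontent.com"}},
    {"name": "k8s-be-30003--example",
     "iap": {"enabled": True, "oauth2ClientId": "111-aaa.apps.googleusercontent.com"}},
    {"name": "k8s-be-30004--example", "iap": {"enabled": False}},
    {"name": "k8s-be-30005--example"},
])


def audit_iap_clients(backend_services_json):
    """Group IAP-enabled backend services by OAuth client ID and report drift."""
    by_client = defaultdict(list)
    no_iap = []
    for svc in json.loads(backend_services_json):
        iap = svc.get("iap") or {}
        if not iap.get("enabled"):
            # Backend is served without IAP in front of it: list it for review.
            no_iap.append(svc["name"])
            continue
        # An IAP-enabled backend with no client ID is itself a misconfiguration.
        by_client[iap.get("oauth2ClientId") or "<missing>"].append(svc["name"])
    consistent = len(by_client) <= 1 and "<missing>" not in by_client
    return {"consistent": consistent, "by_client": dict(by_client), "no_iap": no_iap}


if __name__ == "__main__":
    report = audit_iap_clients(SAMPLE)
    print("single client ID across IAP backends:", report["consistent"])
    for client_id, names in report["by_client"].items():
        print(f"  {client_id}: {', '.join(names)}")
    print("backends without IAP:", ", ".join(report["no_iap"]) or "none")
```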
