Reputation: 1698
I got this issue in Google Cloud when I tried to create an Ingress resource.
Usually when an Ingress is created, other GCP resources are automatically created too (resources such as target-https-proxies-list, urlmap, forwarding-rules, etc.). Nothing was created this time, and the Ingress error is here:
k describe ingress my-service-internal
Name: my-service-internal
Namespace: my-namespace
Address:
Default backend: default-http-backend:80 (10.0.0.5:8080)
Rules:
Host Path Backends
---- ---- --------
my-service.example.com
/* my-service-internal:80 (10.251.1.108:8080,10.251.1.134:8080)
Annotations: ingress.gcp.kubernetes.io/pre-shared-cert: my-certificate-202107140101
             kubernetes.io/ingress.allow-http: false
             kubernetes.io/ingress.class: gce-internal
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 97s (x2 over 97s) loadbalancer-controller Scheduled for sync
Warning Sync 16s (x14 over 73s) loadbalancer-controller Error syncing to GCP: error running backend syncing routine: cloud armor security policies not supported for regional backend service k8s1-263259a6-my-namespace-my-service-in-8-151d5ee9
Any advice on what to check first, or any guesses as to what the issue could be?
Upvotes: 1
Views: 5371
Reputation: 1698
The issue was resolved by removing the reference to a security policy in the BackendConfig.
Changing from
Spec:
  Connection Draining:
    Draining Timeout Sec: 60
  Security Policy:
    Name:
  Session Affinity:
    Affinity Type: NONE
  Timeout Sec: 40
To
Spec:
  Connection Draining:
    Draining Timeout Sec: 60
  Session Affinity:
    Affinity Type: NONE
  Timeout Sec: 40
Upvotes: 0
Reputation: 66
To elaborate a bit more on Dawid's answer:
The reason for this is that Cloud Armor policies are only usable by external HTTP load balancers, as explained in Google's documentation.
So if you are configuring an internal Ingress on GKE, this creates an internal HTTP load balancer, which is not compatible with Cloud Armor security policies.
Upvotes: 3
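A pre-flight check that catches this combination before the loadbalancer-controller does, as an added example that is not part of either answer: it walks an Ingress to its Services, follows the cloud.google.com/backend-config annotation to the BackendConfigs, and flags any securityPolicy block behind a gce-internal Ingress. The objects are constructed samples shaped like `kubectl get ... -o json` output; the BackendConfig name "my-backendconfig" is assumed, and the check flags a securityPolicy block even with an empty name, since that is what the question's BackendConfig had.

```python
import json

def ingress_is_internal(ingress):
    """True for the gce-internal class (annotation or spec.ingressClassName): a regional internal LB."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    cls = ann.get("kubernetes.io/ingress.class") or ingress.get("spec", {}).get("ingressClassName")
    return cls == "gce-internal"

def backend_services(ingress):
    """Names of every Service the Ingress routes to: default backend plus every rule path."""
    spec = ingress.get("spec", {})
    names = [spec.get("defaultBackend", {}).get("service", {}).get("name")]
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            names.append(path.get("backend", {}).get("service", {}).get("name"))
    return [n for n in names if n]

def backendconfigs_for_service(service):
    """BackendConfig names from the cloud.google.com/backend-config annotation ("ports" map and "default")."""
    raw = (service.get("metadata", {}).get("annotations") or {}).get("cloud.google.com/backend-config")
    parsed = json.loads(raw) if raw else {}
    names = set(parsed.get("ports", {}).values())
    if parsed.get("default"):
        names.add(parsed["default"])
    return names

def find_conflicts(ingress, services, backendconfigs):
    """(service, backendconfig, policy name) per securityPolicy block behind an internal Ingress; an empty name still counts."""
    if not ingress_is_internal(ingress):
        return []
    svc_by_name = {s["metadata"]["name"]: s for s in services}
    cfg_by_name = {c["metadata"]["name"]: c for c in backendconfigs}
    conflicts = []
    for svc_name in backend_services(ingress):
        for cfg_name in backendconfigs_for_service(svc_by_name.get(svc_name, {})):
            spec = cfg_by_name.get(cfg_name, {}).get("spec", {})
            if "securityPolicy" in spec:
                conflicts.append((svc_name, cfg_name, spec["securityPolicy"].get("name", "")))
    return conflicts

# Constructed sample objects shaped like `kubectl get ... -o json`; "my-backendconfig" is a made-up name.
SAMPLE_INGRESS = {"metadata": {"name": "my-service-internal", "annotations": {"kubernetes.io/ingress.class": "gce-internal"}},
                  "spec": {"rules": [{"host": "my-service.example.com", "http": {"paths": [
                      {"path": "/*", "backend": {"service": {"name": "my-service-internal"}}}]}}]}}
SAMPLE_SERVICES = [{"metadata": {"name": "my-service-internal", "annotations": {
    "cloud.google.com/backend-config": '{"default": "my-backendconfig"}'}}}]
BROKEN_CONFIG = {"metadata": {"name": "my-backendconfig"}, "spec": {"connectionDraining": {"drainingTimeoutSec": 60},
                 "securityPolicy": {"name": ""}, "sessionAffinity": {"affinityType": "NONE"}}}
FIXED_CONFIG = {"metadata": {"name": "my-backendconfig"},  # the accepted fix: same spec minus securityPolicy
                "spec": {k: v for k, v in BROKEN_CONFIG["spec"].items() if k != "securityPolicy"}}
```

Run `find_conflicts(SAMPLE_INGRESS, SAMPLE_SERVICES, [BROKEN_CONFIG])` to see the offending triple; the same call with `FIXED_CONFIG` returns an empty list.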