raghu_manne

Reputation: 71

Cloud Armor with GKE to restrict access to Ingress

We are implementing Cloud Armor policies with GKE to restrict access to Ingress and allow only IP ranges whitelisted in armor policies. Steps followed:

  1. Created a Cloud Armor policy to whitelist certain ranges and deny all the others.
  2. Created a BackendConfig with security policy referencing armor policy.
  3. Added backendconfig as annotation to k8s service.

Added the Security Admin role to the Node Service Account and the Kubernetes Engine Service Agent.

Any help is appreciated, TIA!

Error syncing to GCP: error running backend syncing routine: failed to set security policy from "" to "armor-policy-name" for backend service backend-service-name (namespace/serverice-name:&ServiceBackendPort{Name:,Number:80,}): googleapi: Error 400: Invalid value for field 'resource': '{ "securityPolicy": "https://www.googleapis.com/compute/v1/projects/gcp_project_name/global/s...'. deny action is only supported for TCP and SSL load balancers., invalid

Upvotes: 0

Views: 414

Answers (1)

Gari Singh

Reputation: 12053

The issue is that you can only use the deny action with TCP or SSL load balancers. Since you are attaching the policy to Ingress, you need to use deny-403, deny-404 or deny-502 as the action in your rule.

https://cloud.google.com/sdk/gcloud/reference/compute/security-policies/rules/create#--action

Upvotes: 1
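The fix from the answer applied to the question's three steps, as an added example that is not part of the question or answer: the policy name, allowed range and BackendConfig name are assumptions. The guard refuses the bare `deny` action that produced the 400 error above and only emits the gcloud rules and BackendConfig when the default action is one Ingress accepts.

```shell
#!/usr/bin/env sh
# Added example, not from the post. Assumed names: policy "armor-policy-name",
# BackendConfig "armor-backendconfig", allowed range 203.0.113.0/24 (constructed).
# Policies attached to an HTTP(S) backend service (what a GKE Ingress creates) accept
# allow, deny-403, deny-404 and deny-502; a bare "deny" is only valid for TCP/SSL proxy LBs.

# Return 0 if ACTION is valid for a security policy used behind Ingress, else 1.
ingress_action_ok() {
  case "$1" in
    allow|deny-403|deny-404|deny-502) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the gcloud commands that build the policy: allow the whitelisted range at
# priority 1000 and change the default rule (priority 2147483647) to DEFAULT_ACTION.
# Usage: armor_policy_cmds POLICY CIDR DEFAULT_ACTION
armor_policy_cmds() {
  policy=$1; cidr=$2; action=$3
  ingress_action_ok "$action" || {
    echo "refusing default action '$action': use deny-403, deny-404 or deny-502 for Ingress" >&2
    return 1
  }
  cat <<EOF
gcloud compute security-policies create "$policy"
gcloud compute security-policies rules create 1000 --security-policy "$policy" --src-ip-ranges "$cidr" --action allow
gcloud compute security-policies rules update 2147483647 --security-policy "$policy" --action "$action"
EOF
}

# Print the BackendConfig (step 2) and the Service annotation (step 3) that bind the policy.
# Usage: backendconfig_yaml BACKENDCONFIG POLICY
backendconfig_yaml() {
  cat <<EOF
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: $1
spec:
  securityPolicy:
    name: $2
---
# add to the Service's metadata.annotations:
#   cloud.google.com/backend-config: '{"default": "$1"}'
EOF
}
```

Pipe `armor_policy_cmds armor-policy-name 203.0.113.0/24 deny-403` into `sh` to apply it against a project, and `backendconfig_yaml armor-backendconfig armor-policy-name | kubectl apply -f -` for the cluster side.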
