Reputation: 71
We are implementing Cloud Armor policies with GKE to restrict access to Ingress and allow only IP ranges whitelisted in armor policies. Steps followed:
Added Security Admin to the Node Service Account and the Kubernetes Engine Service Agent.
Error syncing to GCP: error running backend syncing routine: failed to set security policy from "" to "armor-policy-name" for backend service backend-service-name (namespace/serverice-name:&ServiceBackendPort{Name:,Number:80,}): googleapi: Error 400: Invalid value for field 'resource': '{ "securityPolicy": "https://www.googleapis.com/compute/v1/projects/gcp_project_name/global/s...'. deny action is only supported for TCP and SSL load balancers., invalid
Any help is appreciated, TIA!
Upvotes: 0
Views: 414
Reputation: 12053
The issue is that you can only use the deny action with TCP or SSL load balancers. Since you are attaching the policy to Ingress, you need to use deny-403, deny-404 or deny-502 as the action in your rule.
https://cloud.google.com/sdk/gcloud/reference/compute/security-policies/rules/create#--action
Upvotes: 1
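As an added example, not part of the question or the answer above: a POSIX shell script that renders the gcloud commands for an allowlist policy whose default rule uses deny-403 (plain deny is what triggers the 400 in the question, because a GKE Ingress is an HTTP(S) load balancer), plus the BackendConfig that attaches the policy to the Service behind the Ingress. The policy name, CIDR ranges and BackendConfig name are placeholders; nothing touches GCP until you pipe the printed commands to sh.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Assumes gcloud and kubectl
# are already authenticated against the project hosting the GKE cluster.
# POLICY, ALLOWED_CIDRS and the BackendConfig name are illustrative placeholders.

POLICY="${POLICY:-allow-office-only}"
ALLOWED_CIDRS="${ALLOWED_CIDRS:-203.0.113.0/24,198.51.100.0/24}"

# Rule actions Cloud Armor accepts on a policy attached to an HTTP(S) backend
# service, which is what a GKE Ingress creates. Plain "deny" is only valid on
# TCP/SSL proxy load balancers, hence the 400 in the question.
http_lb_action_ok() {
  case "$1" in
    allow|deny-403|deny-404|deny-502) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the gcloud commands that build the policy: one allow rule for the
# whitelisted ranges at priority 1000, and the default rule (priority
# 2147483647, present on every policy) switched to the chosen deny-NNN action.
# Printing instead of executing lets you review before applying: pipe to sh.
render_policy_commands() {
  policy="$1"; cidrs="$2"; default_action="$3"
  if ! http_lb_action_ok "$default_action"; then
    echo "refusing: '$default_action' is not valid for an Ingress-backed policy" >&2
    return 1
  fi
  cat <<EOF
gcloud compute security-policies create "$policy" --description "allowlist for GKE ingress"
gcloud compute security-policies rules create 1000 --security-policy "$policy" --src-ip-ranges "$cidrs" --action allow
gcloud compute security-policies rules update 2147483647 --security-policy "$policy" --action "$default_action"
EOF
}

# The policy is bound per Service through a BackendConfig; the Service then
# references it with the annotation
#   cloud.google.com/backend-config: '{"default": "web-backendconfig"}'
render_backendconfig() {
  policy="$1"
  cat <<EOF
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: web-backendconfig
spec:
  securityPolicy:
    name: $policy
EOF
}

main() {
  render_policy_commands "$POLICY" "$ALLOWED_CIDRS" deny-403
  echo "---"
  render_backendconfig "$POLICY"
}

main
```

After the policy exists, apply the rendered BackendConfig with kubectl and add the backend-config annotation to the Service; the Ingress controller then sets securityPolicy on the backend service, which is the step that failed in the question. Because the default rule is now deny-403 rather than deny, the same sync succeeds.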