We are implementing Cloud Armor policies with GKE to restrict access to Ingress and allow only IP ranges whitelisted in armor policies. Steps followed:
- Created a cloud armor policy to whitelist certain ranges and deny all the other.
- Created a BackendConfig with security policy referencing armor policy.
- Added backendconfig as annotation to k8s service.
- Added Security admin to Node Service Account and Kubernetes Engine Service Agent.
Any help is appreciated, TIA!
Error syncing to GCP: error running backend syncing routine: failed to set security policy from "" to "armor-policy-name" for backend service backend-service-name (namespace/serverice-name:&ServiceBackendPort{Name:,Number:80,}): googleapi: Error 400: Invalid value for field 'resource': '{ "securityPolicy": "https://www.googleapis.com/compute/v1/projects/gcp_project_name/global/s...'. deny action is only supported for TCP and SSL load balancers., invalid
The issue is that you can only use the `deny` action with TCP or SSL load balancers. Since you are attaching the policy to Ingress, you need to use `deny-403`, `deny-404` or `deny-502` as the action in your rule. See https://cloud.google.com/sdk/gcloud/reference/compute/security-policies/rules/create#--action
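An added example (not from the question or the answer) of the wiring described above: a BackendConfig referencing the Cloud Armor policy, and the Service annotated with it, with the policy's rule actions set to `deny-403` instead of `deny`. All names, the namespace and the IP range are placeholders.

```yaml
# Cloud Armor policy for a GKE Ingress backend, attached through a BackendConfig.
# The policy and its rules live outside Kubernetes; with placeholder names they
# would be created roughly like this (constructed example, 203.0.113.0/24 is a
# documentation range standing in for the allowed source ranges):
#   gcloud compute security-policies create armor-policy-name
#   gcloud compute security-policies rules create 1000 \
#       --security-policy=armor-policy-name \
#       --src-ip-ranges=203.0.113.0/24 \
#       --action=allow
#   # Default rule (priority 2147483647) denies everything else. For an Ingress
#   # (HTTP(S) load balancer) the action must be deny-403/deny-404/deny-502;
#   # plain "deny" is only accepted by TCP and SSL proxy load balancers.
#   gcloud compute security-policies rules update 2147483647 \
#       --security-policy=armor-policy-name \
#       --action=deny-403
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: armor-backendconfig
  namespace: default
spec:
  securityPolicy:
    # Policy name only, not the full compute API URL
    name: armor-policy-name
---
apiVersion: v1
kind: Service
metadata:
  name: service-name
  namespace: default
  annotations:
    # Bind the BackendConfig to the port the Ingress forwards to
    cloud.google.com/backend-config: '{"ports": {"80": "armor-backendconfig"}}'
spec:
  type: NodePort   # Ingress backend; NodePort is the default-compatible type
  selector:
    app: web       # placeholder pod label
  ports:
  - name: http
    port: 80
    targetPort: 8080
```

After the controller syncs, the backend service's securityPolicy field should show the policy and the sync error from the question should stop recurring; requests from outside the allowed ranges then receive an HTTP 403 rather than a connection reset.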