We use a Google Cloud CDN.
How can we assign both a backend and an edge security policy to that CDN via Helm?
It can be done via the GCP web console: assign the same backend service as target to both Cloud Armor policies. But in Helm you can have only one BackendConfig with one securityPolicy.
Our setup with only the backend security policy configured looks like this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-cdn
  annotations:
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
  - host: www.mycdn
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: service-cdn
            port:
              number: 80
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: service-cdn
  name: service-cdn
  annotations:
    # GKE annotation keys use the cloud.google.com prefix
    cloud.google.com/neg: '{"ingress": true}'
    cloud.google.com/backend-config: '{"default": "backendconfig-cdn"}'
spec:
  ports:
  - name: web
    port: 80
    targetPort: 8080
  clusterIP: None
  selector:
    app: lb-stateful
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: backendconfig-cdn
spec:
  # only one Cloud Armor policy can be referenced here, and it is the backend policy
  securityPolicy:
    name: backend-security-policy
  timeoutSec: 1800
  cdn:
    enabled: true
  healthCheck:
    checkIntervalSec: 5
    type: HTTP
    requestPath: /
How can this be done?
asked Mar 27 at 12:50 by zeebuck; edited Mar 27 at 12:52 by jonrsharpe.
Comment (Community Bot, Mar 27 at 16:11): Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer.
1 Answer
It is not possible to configure a Cloud Armor Edge Security policy via Helm today. You can only do this via the console/API/gcloud CLI. If you manually decorate your backend service on the load balancer instance with an Edge Policy, it will add it; however, you are not able to directly control it via the CI/CD config itself. If you change the backend service name or add additional services, you will have to once again manually add the Edge Security policy. Most of the future development is happening on Gateway API, but alas, you still cannot decorate an Edge Policy via the Gateway controller.
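Since the edge policy has to be attached outside Helm and silently disappears whenever the Ingress controller recreates a backend service, a post-deploy drift check is the practical mitigation. The script below is an added example, not code from the question or the answer: it reads the backend-service names the GCE Ingress controller records on the Ingress, compares each one's attached edge policy with the expected one, and re-attaches it where missing. It assumes authenticated gcloud and kubectl, and an existing edge policy whose name (edge-security-policy) is an assumption.

```shell
#!/bin/sh
# Added example: keep a Cloud Armor edge security policy attached to every
# backend service behind the GKE Ingress "ingress-cdn". Assumptions: gcloud
# and kubectl are authenticated for the right project/cluster, and the edge
# policy named in EDGE_POLICY already exists (name is a placeholder).
set -eu

INGRESS="${INGRESS:-ingress-cdn}"
EDGE_POLICY="${EDGE_POLICY:-edge-security-policy}"   # assumed policy name

# Pull backend-service names out of the annotation JSON the ingress
# controller writes, e.g. {"k8s1-abc-default-service-cdn-80-xyz":"HEALTHY"}.
# Pure text processing, so it can be tested without cluster access.
backend_names() {
  printf '%s' "$1" | tr ',' '\n' \
    | sed -n 's/.*"\(k8s1-[^"]*\)"[[:space:]]*:.*/\1/p'
}

# The annotation lives on the Ingress object once the load balancer exists.
ingress_backends() {
  kubectl get ingress "$INGRESS" \
    -o jsonpath='{.metadata.annotations.ingress\.kubernetes\.io/backends}'
}

# Name of the edge policy currently attached to a backend service (empty if none).
current_edge_policy() {
  gcloud compute backend-services describe "$1" --global \
    --format='value(edgeSecurityPolicy.basename())'
}

reconcile() {
  for bs in $(backend_names "$(ingress_backends)"); do
    have="$(current_edge_policy "$bs")"
    if [ "$have" = "$EDGE_POLICY" ]; then
      echo "ok   $bs already has edge policy $EDGE_POLICY"
    else
      echo "fix  $bs has '${have:-none}', attaching $EDGE_POLICY"
      gcloud compute backend-services update "$bs" --global \
        --edge-security-policy="$EDGE_POLICY"
    fi
  done
}

# Only touch the cluster and project when asked explicitly, so the helper
# functions above can be sourced and unit-tested on their own.
if [ "${1:-}" = "reconcile" ]; then
  reconcile
fi
```

Run it as `sh reconcile-edge-policy.sh reconcile` after each Helm release (or as a CI step); a `fix` line in its output is the signal that a backend service was recreated without the edge policy.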