We use a Google Cloud CDN.
How can we assign both backend- and edge-security-policy to that CDN via helm?
It can be done via gcp-web-console: Assign the same Backend-Service as target to both Cloud Armor policies. But in helm you can have only one BackendConfig with one securityPolicy.
Our setup with only the backend-security-policy configured looks like this:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-cdn
  annotations:
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
  - host: www.mycdn
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: service-cdn
            port:
              number: 80
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: service-cdn
  name: service-cdn
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
    cloud.google.com/backend-config: '{"default": "backendconfig-cdn"}'
spec:
  ports:
  - name: web
    port: 80
    targetPort: 8080
  clusterIP: None
  selector:
    app: lb-stateful
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: backendconfig-cdn
spec:
  # Backend security policy only; BackendConfig takes a single securityPolicy.
  securityPolicy:
    name: backend-security-policy
  timeoutSec: 1800
  cdn:
    enabled: true
  healthCheck:
    checkIntervalSec: 5
    type: HTTP
    requestPath: /
```
How can this be done?
asked Mar 27 at 12:50 by zeebuck; edited Mar 27 at 12:52 by jonrsharpe

Comment: Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Bot, Mar 27 at 16:11
1 Answer
It is not possible to configure a Cloud Armor Edge Security policy via Helm today. You can only do this via the console/API/gcloud CLI. If you manually decorate your backend service on the load balancer instance with an Edge Policy, it will add it; however, you are not able to directly control it via the CI/CD config itself. If you change the backend service name or add additional services, you will have to once again manually add the Edge Security policy. Most of the future development is happening on Gateway API, but alas, you still cannot decorate an Edge Policy via the Gateway controller.
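A drift check for the situation the answer describes, where the edge policy is attached by hand and is missing again once a backend service is renamed or added. This is an added example, not code from the question or the answer; it reads the JSON printed by `gcloud compute backend-services list --global --format=json`, and the edge policy name `edge-security-policy`, the backend service names and the project are constructed.

```python
import json
import shlex

# Constructed sample: trimmed output of
#   gcloud compute backend-services list --global --format=json
# Backend service names and the project "example-project" are made up.
P = ("https://www.googleapis.com/compute/v1/projects/example-project"
     "/global/securityPolicies/")
SAMPLE = json.dumps([
    {"name": "k8s1-aaaa1111-default-service-cdn-80-bbbb2222", "enableCDN": True,
     "securityPolicy": P + "backend-security-policy",
     "edgeSecurityPolicy": P + "edge-security-policy"},
    # New backend service: BackendConfig set the backend policy,
    # nobody has attached the edge policy yet.
    {"name": "k8s1-aaaa1111-default-service-cdn2-80-cccc3333", "enableCDN": True,
     "securityPolicy": P + "backend-security-policy"},
    {"name": "k8s1-aaaa1111-default-service-api-80-dddd4444", "enableCDN": False},
])


def policy_name(url):
    """Last path segment of a policy URL, or None when the field is unset."""
    return url.rsplit("/", 1)[-1] if url else None


def find_drift(services, edge_policy):
    """Names of CDN-enabled backend services not protected by edge_policy."""
    return [
        svc["name"]
        for svc in services
        if svc.get("enableCDN")
        and policy_name(svc.get("edgeSecurityPolicy")) != edge_policy
    ]


def remediation_commands(names, edge_policy):
    """gcloud commands that re-attach the edge policy to each named service."""
    return [
        "gcloud compute backend-services update {} --global "
        "--edge-security-policy={}".format(shlex.quote(n), shlex.quote(edge_policy))
        for n in names
    ]


def check(raw_json, edge_policy):
    """Parse gcloud's JSON output and return (drifted names, fix commands)."""
    names = find_drift(json.loads(raw_json), edge_policy)
    return names, remediation_commands(names, edge_policy)


if __name__ == "__main__":
    for cmd in check(SAMPLE, "edge-security-policy")[1]:
        print(cmd)
```

Run on a schedule or as a post-deploy step, it reports the backend services that went out without the edge policy, which the Helm chart itself cannot express.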