Hey folks, I’m scratching my head over this Google Cloud CDN setup. I want to use both backend and edge security policies for our CDN, but I’m not sure how to do it with Helm.
Here’s what I’ve got so far:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cdn-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
  - host: cdn.example.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: cdn-service
            port:
              number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: cdn-service
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
    cloud.google.com/backend-config: '{"default": "cdn-backendconfig"}'
spec:
  ports:
  - port: 80
    targetPort: 8080
  clusterIP: None
  selector:
    app: cdn-app
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: cdn-backendconfig
spec:
  securityPolicy:
    name: backend-security-policy
  cdn:
    enabled: true
This works for the backend security policy, but I can’t figure out how to add the edge policy too. In the GCP console, you can just target both policies to the same backend service. But in Helm, it looks like you can only have one BackendConfig with one security policy.
Any ideas on how to make this work? Thanks in advance!
Hey there! Have you tried using the NetworkPolicy resource? It might help you apply multiple security policies. Something like:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cdn-policy
spec:
  podSelector:
    matchLabels:
      app: cdn-app
  policyTypes:
  - Ingress
  - Egress
This could give you more control over traffic. Just a thought!
Hey lu_57read! That’s a tricky one. Have you tried using the cloud.google.com/security-policy annotation on the Ingress resource? It might let you apply the edge policy separately. Something like:
metadata:
  annotations:
    cloud.google.com/security-policy: edge-security-policy
Just curious: what kind of security measures are you trying to implement? Maybe there’s another approach we could explore?
I’ve encountered a similar challenge with GCP CDN security policies. One approach that worked for me was utilizing the ‘FrontendConfig’ resource in addition to the BackendConfig. This allows you to specify both edge and backend security policies separately.
Try adding a FrontendConfig resource to your Helm chart:
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: cdn-frontendconfig
spec:
  sslPolicy: edge-ssl-policy
  redirectToHttps:
    enabled: true
Then, reference this FrontendConfig in your Ingress annotations:
annotations:
  networking.gke.io/v1beta1.FrontendConfig: cdn-frontendconfig
This setup should allow you to maintain your existing backend security policy while adding edge security measures. Remember to adjust the policy names and settings to match your specific requirements.
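Whichever route you take, it helps to be able to verify, from the rendered output rather than from the console, that every Service behind the GCE Ingress actually resolves to a BackendConfig naming a Cloud Armor security policy and that the Ingress references a FrontendConfig. The script below is an added example written for this thread, not code from any poster or from the GKE project. It reads the JSON List that `kubectl get ingress,service,backendconfig,frontendconfig -o json` produces (or a Helm render converted to JSON), and the embedded sample is constructed from the question's manifests, reusing the poster's object names. The edge policy the question is about is attached to the backend service itself outside these manifests, so this lint can only confirm the Kubernetes-side attachments; anything it reports as missing has to be compared against what is set on the backend service.

```python
# Added example (not from the thread): lint rendered GKE Ingress manifests for
# the two attachment points discussed above, the Cloud Armor policy named in a
# BackendConfig and the FrontendConfig referenced by the Ingress. Input is the
# JSON "List" shape that `kubectl get ... -o json` produces; the sample below is
# constructed from the question's manifests, object names are the poster's.
import json

BACKEND_CONFIG_ANN = "cloud.google.com/backend-config"
FRONTEND_CONFIG_ANN = "networking.gke.io/v1beta1.FrontendConfig"


def index_by_kind(items):
    """Map kind -> name -> object so references can be resolved by name."""
    out = {}
    for obj in items:
        out.setdefault(obj["kind"], {})[obj["metadata"]["name"]] = obj
    return out


def backend_config_names(service):
    """BackendConfig names a Service references; the annotation value is JSON."""
    raw = service["metadata"].get("annotations", {}).get(BACKEND_CONFIG_ANN)
    if not raw:
        return set()
    ref = json.loads(raw)
    names = set(ref.get("ports", {}).values())  # per-port mappings, if any
    if "default" in ref:
        names.add(ref["default"])
    return names


def lint(manifest):
    """Return a list of findings (empty when every check passes)."""
    by_kind = index_by_kind(manifest["items"])
    findings = []
    for ing in by_kind.get("Ingress", {}).values():
        ing_name = ing["metadata"]["name"]
        fc = ing["metadata"].get("annotations", {}).get(FRONTEND_CONFIG_ANN)
        if fc is None:
            findings.append(f"{ing_name}: no FrontendConfig annotation")
        elif fc not in by_kind.get("FrontendConfig", {}):
            findings.append(f"{ing_name}: FrontendConfig {fc!r} not rendered")
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                svc_name = path["backend"]["service"]["name"]
                svc = by_kind.get("Service", {}).get(svc_name)
                if svc is None:
                    findings.append(f"{ing_name}: Service {svc_name!r} not rendered")
                    continue
                names = backend_config_names(svc)
                if not names:
                    findings.append(f"{svc_name}: no BackendConfig annotation")
                for bc_name in sorted(names):
                    bc = by_kind.get("BackendConfig", {}).get(bc_name)
                    if bc is None:
                        findings.append(f"{svc_name}: BackendConfig {bc_name!r} not rendered")
                    elif not bc.get("spec", {}).get("securityPolicy", {}).get("name"):
                        findings.append(f"{bc_name}: securityPolicy.name not set")
    return findings


def sample_manifest(with_frontend_config=True, with_backend_policy=True):
    """Constructed List mirroring the question's manifests (no cluster needed)."""
    ingress_anns = {"kubernetes.io/ingress.class": "gce"}
    if with_frontend_config:
        ingress_anns[FRONTEND_CONFIG_ANN] = "cdn-frontendconfig"
    backend_spec = {"cdn": {"enabled": True}}
    if with_backend_policy:
        backend_spec["securityPolicy"] = {"name": "backend-security-policy"}
    items = [
        {"kind": "Ingress", "metadata": {"name": "cdn-ingress", "annotations": ingress_anns},
         "spec": {"rules": [{"host": "cdn.example.com", "http": {"paths": [
             {"path": "/*", "backend": {"service": {"name": "cdn-service", "port": {"number": 80}}}}]}}]}},
        {"kind": "Service", "metadata": {"name": "cdn-service", "annotations": {
            "cloud.google.com/neg": '{"ingress": true}',
            BACKEND_CONFIG_ANN: '{"default": "cdn-backendconfig"}'}},
         "spec": {"ports": [{"port": 80, "targetPort": 8080}], "selector": {"app": "cdn-app"}}},
        {"kind": "BackendConfig", "metadata": {"name": "cdn-backendconfig"}, "spec": backend_spec},
    ]
    if with_frontend_config:
        items.append({"kind": "FrontendConfig", "metadata": {"name": "cdn-frontendconfig"},
                      "spec": {"sslPolicy": "edge-ssl-policy", "redirectToHttps": {"enabled": True}}})
    return {"kind": "List", "items": items}


if __name__ == "__main__":
    import sys
    # Pipe `kubectl get ingress,service,backendconfig,frontendconfig -o json` in,
    # or run with no input to lint the constructed sample.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else sample_manifest()
    for line in lint(doc) or ["ok: backend policy and FrontendConfig both attached"]:
        print(line)
```

Run against the question's manifests as posted, the only finding is the missing FrontendConfig annotation; once the FrontendConfig from the answer above is added, the lint is clean. Dropping `securityPolicy` from the BackendConfig produces a finding for that object, which is the case worth catching in CI, since a Helm values override can silently remove it.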