Applying multiple security policies to a CDN ingress in GCP

Hey folks, I’m scratching my head over this Google Cloud CDN setup. I want to use both backend and edge security policies for our CDN, but I’m not sure how to do it with Helm.

Here’s what I’ve got so far:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cdn-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
  - host: cdn.example.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: cdn-service
            port:
              number: 80

---
apiVersion: v1
kind: Service
metadata:
  name: cdn-service
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
    cloud.google.com/backend-config: '{"default": "cdn-backendconfig"}'
spec:
  ports:
    - port: 80
      targetPort: 8080
  clusterIP: None
  selector:
    app: cdn-app

---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: cdn-backendconfig
spec:
  securityPolicy:
    name: backend-security-policy
  cdn:
    enabled: true

This works for the backend security policy, but I can’t figure out how to add the edge policy too. In the GCP console, you can just target both policies to the same backend service. But in Helm, it looks like you can only have one BackendConfig with one security policy.

Any ideas on how to make this work? Thanks in advance!
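As an added example (not from the question or any of the replies), here is a small Python drift check that reads the question's BackendConfig alongside the backend service the GKE Ingress controller provisions and reports whether the backend Cloud Armor policy and an edge security policy are both attached. It assumes the policy names used in the thread, an operator-supplied `expected_edge_policy` (BackendConfig has no field for it), and constructed stand-ins for the `kubectl get backendconfig -o json` and `gcloud compute backend-services describe --format=json` output; the project and backend-service names are placeholders.

```python
from typing import Any, Dict, List, Optional

def policy_name(self_link: Optional[str]) -> Optional[str]:
    """The Compute API returns Cloud Armor policies as self-link URLs; keep the last segment."""
    return self_link.rsplit("/", 1)[-1] if self_link else None

def check_backend_service(backend_config: Dict[str, Any], backend_service: Dict[str, Any],
                          expected_edge_policy: str) -> List[str]:
    """Compare the BackendConfig's intent with the live backend service.

    BackendConfig can express the backend security policy and CDN, but has no
    field for the edge security policy, so that one is checked against
    `expected_edge_policy` (assumed: the policy the operator intends to attach).
    Returns a list of findings; an empty list means nothing is missing.
    """
    spec = backend_config.get("spec", {})
    want_backend = spec.get("securityPolicy", {}).get("name")
    want_cdn = bool(spec.get("cdn", {}).get("enabled", False))
    have_backend = policy_name(backend_service.get("securityPolicy"))
    have_edge = policy_name(backend_service.get("edgeSecurityPolicy"))
    findings: List[str] = []
    if want_backend and have_backend != want_backend:
        findings.append(f"backend policy is {have_backend!r}, BackendConfig declares {want_backend!r}")
    if want_cdn and not backend_service.get("enableCDN", False):
        findings.append("BackendConfig enables CDN but enableCDN is false on the backend service")
    if want_cdn and have_edge != expected_edge_policy:
        name = backend_service.get("name", "<backend-service>")
        findings.append(f"edge policy is {have_edge!r}, expected {expected_edge_policy!r}; fix: "
                        f"gcloud compute backend-services update {name} --global "
                        f"--edge-security-policy={expected_edge_policy}")
    return findings

# Constructed sample: the question's BackendConfig as `kubectl get backendconfig -o json` would return it.
BACKEND_CONFIG = {"kind": "BackendConfig", "metadata": {"name": "cdn-backendconfig"},
                  "spec": {"securityPolicy": {"name": "backend-security-policy"}, "cdn": {"enabled": True}}}

# Constructed sample: the backend service the Ingress controller created for cdn-service, as
# `gcloud compute backend-services describe ... --global --format=json` would show it. The
# backend policy is attached but no edge policy is; project and service names are placeholders.
_POLICIES = "https://www.googleapis.com/compute/v1/projects/example-project/global/securityPolicies/"
BACKEND_SERVICE_DRIFTED = {"name": "k8s1-example-cdn-service-80", "enableCDN": True,
                           "securityPolicy": _POLICIES + "backend-security-policy"}
BACKEND_SERVICE_OK = dict(BACKEND_SERVICE_DRIFTED, edgeSecurityPolicy=_POLICIES + "edge-security-policy")

if __name__ == "__main__":
    for finding in check_backend_service(BACKEND_CONFIG, BACKEND_SERVICE_DRIFTED, "edge-security-policy"):
        print("FINDING:", finding)
```

Run against real output by replacing the two constructed dicts with `json.load` of the `kubectl` and `gcloud` results; the `--edge-security-policy` flag in the suggested fix is the one `gcloud compute backend-services update` documents.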

hey there! have you tried using the NetworkPolicy resource? it might help you apply multiple security policies. something like:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cdn-policy
spec:
  podSelector:
    matchLabels:
      app: cdn-app
  policyTypes:
  - Ingress
  - Egress

this could give you more control over traffic. just a thought!

hey lu_57read! that’s a tricky one. have you tried using the cloud.google.com/security-policy annotation on the Ingress resource? it might let you apply the edge policy separately. something like:

metadata:
  annotations:
    cloud.google.com/security-policy: edge-security-policy

just curious - what kind of security measures are you trying to implement? maybe there’s another approach we could explore?

I’ve encountered a similar challenge with GCP CDN security policies. One approach that worked for me was utilizing the ‘FrontendConfig’ resource in addition to the BackendConfig. This allows you to specify both edge and backend security policies separately.

Try adding a FrontendConfig resource to your Helm chart:

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: cdn-frontendconfig
spec:
  sslPolicy: edge-ssl-policy
  redirectToHttps:
    enabled: true

Then, reference this FrontendConfig in your Ingress annotations:

annotations:
  networking.gke.io/v1beta1.FrontendConfig: cdn-frontendconfig

This setup should allow you to maintain your existing backend security policy while adding edge security measures. Remember to adjust the policy names and settings to match your specific requirements.