BackendConfig with multiple securityPolicys not working

7/12/2019

https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-armor-backendconfig

I have only seen examples assigning one securityPolicy, but I want to assign multiple ones.

I created the following backend config with 2 policies and applied it to my service with beta.cloud.google.com/backend-config: my-backend-config

apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  namespace: cloud-armor-how-to
  name: my-backend-config
spec:
  securityPolicy:
    name: "policy-one"
    name: "policy-two"

When I deploy, only "policy-two" is applied. Can I assign two policies somehow? I see no docs for this.

-- red888
google-cloud-armor
google-cloud-platform
google-kubernetes-engine
kubernetes

2 Answers

7/15/2019

This same behavior happens to the regular HTTP(S) Load Balancers. It looks like it's only possible to add a single Security Policy per target, and the same behavior affects the HTTP(S) Load Balancers created by the GKE ingress.

[Image: ReplacePolicy message]

It's possible to add more rules to that single security policy. The new rules can be added in the same way as the first rule was added; however, the priorities of these rules must be different, as in the example below:

~$ gcloud beta compute security-policies rules create 1000 \
--security-policy ca-how-to-security-policy \
--src-ip-ranges "192.0.2.0/24" \
--action "deny-404"

~$ gcloud beta compute security-policies rules create 1001 \
--security-policy ca-how-to-security-policy \
--src-ip-ranges "11.16.0.0/24" \
--action "deny-404"
-- Alfredo GH
Source: StackOverflow

7/12/2019

There's nothing in the docs that says that you can specify more than one policy. Even the spec says securityPolicy, in the singular, and the YAML structure is not an array.

Furthermore, if you look at your spec:

spec:
  securityPolicy:
    name: "policy-one"
    name: "policy-two"

The YAML standard completely ignores the first name: "policy-one", which explains why only name: "policy-two" is used. You can check this on YAMLlint. To have one more value in your YAML you would have to convert securityPolicy to an array, something like this:

apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  namespace: cloud-armor-how-to
  name: my-backend-config
spec:
  securityPolicy:
  - name: "policy-one"
  - name: "policy-two"

The issue with this is that it's probably not supported by GCP.

-- Rico
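The failure mode in this thread is a silently dropped key: a duplicate mapping key in a manifest makes one of the two values disappear before the API server ever sees it, so the cluster ends up protected by a different policy than the author intended. The following is an added example, not code from the Stack Overflow thread or from GKE: a small dependency-free pre-apply lint that walks block-style YAML (the subset Kubernetes manifests use: block mappings and block sequences, no flow style or multi-line scalars) and reports every key that repeats within the same mapping. The two sample manifests are constructed from the question and from Rico's answer; the function names and the line-by-line parsing approach are this example's own, not part of any YAML library.

```python
"""Pre-apply lint: find duplicate keys in block-style YAML.

Added example (hypothetical helper, not from the thread). Handles the YAML
subset used by Kubernetes manifests: block mappings, block sequences of
mappings, quoted or bare keys. Flow style ({a: 1}) and multi-line scalars are
not parsed; the point is to catch the "last key wins" surprise shown in the
question before `kubectl apply` runs.
"""
import re
import sys

# A mapping key: quoted or bare text, then a colon followed by whitespace/EOL.
# "https://x" does not match because the colon is not followed by whitespace.
KEY_RE = re.compile(r'^(?P<key>"[^"]*"|\'[^\']*\'|[^\s"\'#][^:#]*?)\s*:(?:\s|$)')


def find_duplicate_keys(text):
    """Return [(line_number, key), ...] for each key repeated in its mapping."""
    duplicates = []
    stack = []  # open mappings as (indent, set_of_keys_seen_so_far)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith('#'):
            continue
        indent = len(raw) - len(raw.lstrip(' '))
        body = stripped
        if body == '-' or body.startswith('- '):
            # New sequence item: its content starts a fresh mapping at the
            # column where the text after "- " begins ("- name: x" -> col+2).
            body = body[1:].lstrip()
            indent += len(stripped) - len(body)
            while stack and stack[-1][0] >= indent:
                stack.pop()
            if not body:
                continue
            stack.append((indent, set()))
        match = KEY_RE.match(body)
        if not match:
            continue  # a plain scalar line, not a key
        key = match.group('key').strip()
        # Leave any deeper mappings that have ended.
        while stack and stack[-1][0] > indent:
            stack.pop()
        if not stack or stack[-1][0] != indent:
            stack.append((indent, set()))
        seen = stack[-1][1]
        if key in seen:
            duplicates.append((lineno, key))
        seen.add(key)
    return duplicates


# Constructed sample: the question's manifest (duplicate "name" under securityPolicy).
BROKEN_MANIFEST = "\n".join([
    'apiVersion: cloud.google.com/v1beta1',
    'kind: BackendConfig',
    'metadata:',
    '  namespace: cloud-armor-how-to',
    '  name: my-backend-config',
    'spec:',
    '  securityPolicy:',
    '    name: "policy-one"',
    '    name: "policy-two"',
])

# Constructed sample: the array form from Rico's answer (no duplicate keys;
# whether GKE accepts it is a separate question).
ARRAY_MANIFEST = "\n".join([
    'apiVersion: cloud.google.com/v1beta1',
    'kind: BackendConfig',
    'metadata:',
    '  namespace: cloud-armor-how-to',
    '  name: my-backend-config',
    'spec:',
    '  securityPolicy:',
    '  - name: "policy-one"',
    '  - name: "policy-two"',
])


def lint_file(path):
    """Return True if the file at `path` has no duplicate keys; print findings."""
    with open(path, encoding='utf-8') as fh:
        findings = find_duplicate_keys(fh.read())
    for lineno, key in findings:
        print(f"{path}:{lineno}: duplicate key '{key}' (earlier value is dropped)")
    return not findings


if __name__ == "__main__":
    # Usage: python yaml_dupkeys.py manifest.yaml [more.yaml ...]
    ok = all(lint_file(p) for p in sys.argv[1:])
    sys.exit(0 if ok else 1)
```

On the question's manifest the lint reports line 9, `name`, which is exactly the key that survived; on the array form it reports nothing, because each `- ` item is its own mapping. Wiring this into a pre-commit hook or CI step turns a silent override into a failed build.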