
Cannot create internal ingress with error about ssl policy being global, but it's regional policy

I'm trying to create an internal ingress for 2 services in GKE (called app/api).
But I'm getting an error that seems incorrect, maybe to the non-expert eye.

The internal ingress error I'm getting is:

Error syncing to GCP: error running load balancer syncing routine: loadbalancer LBNAME does not exist: googleapi: Error 400: Invalid value for field 'resource.sslPolicy': 'global/sslPolicies/regional-ssl-policy'. Unexpected scope 'global'., invalid

This error message seems to suggest the SSL policy is global, but it's a regional policy in the correct region.

Here is some config:

The frontend config is:

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: frontendforingress
spec:
  sslPolicy: regional-ssl-policy  # NOTE: This is a regional SSL policy, in the correct region

The ingress config is:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingressname
  annotations:
    cloud.google.com/backend-config: '{"ports": {"80":"app-backend","8000":"api-backend"}}'
    kubernetes.io/ingress.class: "gce-internal"   # Add this annotation for internal load balancer
    kubernetes.io/ingress.allow-http: "false"  # Internal ingress does not support https+http at same time
    ingress.gcp.kubernetes.io/pre-shared-cert: ourcertificates
    networking.gke.io/v1beta1.FrontendConfig: frontendforingress
spec:
  defaultBackend:
    service:
      name: app
      port:
        number: 80
  rules:
    - host: api.company.com
      http:
        paths:
          - pathType: "ImplementationSpecific"
            backend:
              service:
                name: api
                port: 
                  number: 8000
    - host: app.company.com
      http:
        paths:
          - pathType: "ImplementationSpecific"
            backend:
              service:
                name: app
                port: 
                  number: 80

Any suggestions how to proceed?


TMI: More k8s configs:
-----------------------
Service for app:
apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/backend-config: '{"default": "app-backend"}'
    cloud.google.com/neg: '{"ingress": true}'
  labels:
    app: app
  name: app
spec:
  type: NodePort
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: app
  sessionAffinity: None
Service api:
apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/backend-config: '{"default": "api-backend"}'
    cloud.google.com/neg: '{"ingress": true}'
  labels:
    app: api
  name: api
spec:
  type: NodePort
  sessionAffinity: None
  ports:
  - name: tcp-8000
    port: 8000
    protocol: TCP
    targetPort: 8000
  selector:
    app: api

Backendconfig for app:
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: app-backend
spec:
  logging:
    enable: false

Backendconfig for api:
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: api-backend
spec:
  logging:
    enable: false






Can you run 

gcloud compute ssl-policies list --uri 

 

https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/regional-ssl-policy

@garisingh This is the output of  

gcloud compute ssl-policies list --uri 

Hmm ... very odd ... the error seems to think the policy is in the global space.  But thanks for running the command.  Will see what else I can find.

Any further insights? I'm encountering the same issue (and have confirmed it's a regional policy being applied as well).

Hello,

I'm running into the exact same issue, any update @garisingh?

During my search, I noticed that the doc points out that "FrontendConfig can only be used with External Ingresses." Why wouldn't this be possible with internal ones? The FrontendConfig seems to be taken into account anyway, but could this be linked?
I also noticed that regionTargetHttpsProxies do have an sslPolicy field but no setSslPolicy method like in targetHttpsProxies. Same here, why such differences? And could this be linked to our issue?

@Bigphatk / @enifsieus did you find any workaround in the meantime?

 

Thanks!

Maxime

Sorry for the delay here.   I actually did not notice that the original poster was using internal ingress.  That was likely the root of that issue.

That being said, if you do want to use SSL Policy with an internal L7 ALB, I'd suggest using the GKE Gateway Controller / API rather than ingress.  It does support SSL Policy with all L7 ALB types.

 

Hello @garisingh, no problem, thanks for the answer!

So to be sure, in the end the issue is just that a custom SSL policy is not compatible with internal Ingress, right?
It seems to be confirmed in this table too, with GA with Gateway for SSL policy.
I'll consider Gateway API then, thanks again.

Maxime
