Cannot create internal ingress with error about ssl policy being global, but it's regional policy

Google Cloud Serverless Applications
1

I’m trying to create an internal ingress for 2 services in GKE (called app/api).
But I’m getting an error that seems incocrrect maybe to the non-expert eye.

The internal ingress error I’m getting is:

Error syncing to GCP: error running load balancer syncing routine: loadbalancer LBNAME does not exist: googleapi: Error 400: Invalid value for field ‘resource.sslPolicy’: ‘global/sslPolicies/regional-ssl-policy’. Unexpected scope ‘global’., invalid

This error message seems to suggest the ssl policy is global, but it’s regional in correct region.

Here is some config:

The frontend config is:

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: frontendforingress
spec:
  sslPolicy: regional-ssl-policy <===== NOTE: This is a regional ssl policy, in correct region

The ingress config is:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingressname
  annotations:
    cloud.google.com/backend-config: '{"ports": {"80":"app-backend","8000":"api-backend"}}'
    kubernetes.io/ingress.class: "gce-internal"   # Add this annotation for internal load balancer
    kubernetes.io/ingress.allow-http: "false"  # Internal ingress does not support https+http at same time
    ingress.gcp.kubernetes.io/pre-shared-cert: ourcertificates
    networking.gke.io/v1beta1.FrontendConfig: frontendforingress
spec:
  defaultBackend:
    service:
      name: app
      port:
        number: 80
  rules:
    - host: api.company.com
      http:
        paths:
          - pathType: "ImplementationSpecific"
            backend:
              service:
                name: api
                port: 
                  number: 8000
    - host: app.company.com
      http:
        paths:
          - pathType: "ImplementationSpecific"
            backend:
              service:
                name: app
                port: 
                  number: 80

Any suggestions how to proceed?

TMI: More k8s configs:

Service for app:

apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/backend-config: '{"default": "app-backend"}'
    cloud.google.com/neg: '{"ingress": true}'
  labels:
    app: app
  name: app
spec:
  type: NodePort
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: app
  sessionAffinity: None

Service api:

apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/backend-config: '{"default": "api-backend"}'
    cloud.google.com/neg: '{"ingress": true}'
  labels:
    app: api
  name: api
spec:
  type: NodePort
  sessionAffinity: None
  ports:
  - name: tcp-8000
    port: 8000
    protocol: TCP
    targetPort: 8000
  selector:
    app: api

Backendconfig for app:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: app-backend
spec:
  logging:
    enable: false

Backendconfig for api:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: api-backend
spec:
  logging:
    enable: false
1 Like
2

Can you run

gcloud compute ssl-policies list --uri
3 
https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/regional-ssl-policy

@garisingh This is the output of

gcloud compute ssl-policies list --uri
4

Hmm … very odd … the error seems to think the policy is in the global space. But thanks for running the command. Will see what else I an find.

5

Any further insights? I’m encountering the same issue (and have confirmed it’s a regional policy being applied as well).

6

Hello,

I’m running into the exact same issue, any update @garisingh ?

During my search, I noticed that it’s pointed in the doc that “FrontendConfig can only be used with External Ingresses.”, why wouldn’t this be possible with internal ones, the FrontendConfig seems taken into account anyway, but could this be linked?
I also noticed that regionTargetHttpsProxies do have sslPolicy field but no setSslPolicy method like in targetHttpsProxies. Same here, why such differences? And could this be linked to our issue?

@Bigphatk / @enifsieus did you find any workaround in the mean time?

Thanks!

Maxime

7

Sorry for the delay here. I actually did not notice that the original poster was using internal ingress. That was likely the root of that issue.

That being said, if you do want to use SSL Policy with an internal L7 ALB, I’d suggest using the GKE Gateway Controller / API rather than ingress. It does support SSL Policy with all L7 ALB types.

8

Hello @garisingh , no problem, thanks for the answer!

So to be sure, at the end the issue is just that custom SSL policy is not compatible with internal Ingress, right?
It seems to be confirmed in this table too, with GA with Gateway for SSL policy.
I’ll consider Gateway API then, thanks again.

Maxime