GKE Security and Cloud Armor

What about GKE Backends? Google Cloud Armor with Google Kubernetes Engine (GKE) Ingress

Use Case - Your application is running on a GKE cluster and is exposed via a Service of type LoadBalancer. This translates into a native Load Balancer being created in GCP.

Step 1 - Create a Cloud Armor Policy (Policy Type - Backend Security Policy)

This will ask you for allow/deny rules. Once the policy is created, you will need to associate it with a target.

Step 2 - Associate the policy with a target

The target needs to be an HTTP(S) load balancer backend service. CDN backends are not allowed.

Step 2b - Adaptive Protection option

Adaptive Protection enables backend machine-learning models that look for anomalies in the traffic reaching the protected backend.

BackendConfig and Service in Kubernetes

Next, we need to create a Kubernetes object called BackendConfig, a custom resource whose Custom Resource Definition is provided by GKE.

After you configure a Google Cloud Armor security policy, you can use Kubernetes Ingress to enable it with GKE.

You can reference your security policy with a BackendConfig resource by adding the name of your security policy to the BackendConfig. The following BackendConfig manifest specifies a security policy named my-policy-1:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  namespace: cloud-armor-how-to
  name: my-backendconfig
spec:
  securityPolicy:
    name: "my-policy-1"
  healthCheck:
    checkIntervalSec: 30
    timeoutSec: 30
    healthyThreshold: 1
    unhealthyThreshold: 5
    port: 80
    type: HTTP
    requestPath: /health

Finally, we associate this BackendConfig with our GKE Service. The Service must live in the same namespace as the BackendConfig it references:

apiVersion: v1
kind: Service
metadata:
  namespace: cloud-armor-how-to
  name: my-service   # example Service name; the backend-config annotation is the important part
  annotations:
    cloud.google.com/backend-config: '{"default": "my-backendconfig"}'
spec:
  type: NodePort
  selector: {app: my-app}
  ports: [{port: 80, targetPort: 8080}]
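As an added example (not part of the original post), the following Python audit walks the Service and BackendConfig objects of a cluster and reports every Service whose backend-config annotation does not resolve to a BackendConfig in the same namespace that actually carries a securityPolicy, which is exactly the chain the steps above build. The sample objects are constructed, and the names `no-armor`, `admin`, `cross-ns` and `legacy` are hypothetical.

```python
# Added example (not from the original post): audit which GKE Services are
# wired to a Cloud Armor policy through their BackendConfig, and which are not.
import json

ANNOTATION = "cloud.google.com/backend-config"
# Constructed samples shaped like `kubectl get -o json`; "no-armor" lacks a policy.
BACKENDCONFIGS = [
    {"metadata": {"namespace": "cloud-armor-how-to", "name": "my-backendconfig"},
     "spec": {"securityPolicy": {"name": "my-policy-1"}}},
    {"metadata": {"namespace": "cloud-armor-how-to", "name": "no-armor"},
     "spec": {"healthCheck": {"port": 80}}},
]
SERVICES = [
    {"metadata": {"namespace": "cloud-armor-how-to", "name": "my-service",
                  "annotations": {ANNOTATION: '{"default": "my-backendconfig"}'}}},
    {"metadata": {"namespace": "cloud-armor-how-to", "name": "admin",
                  "annotations": {ANNOTATION: '{"ports": {"80": "no-armor"}}'}}},
    {"metadata": {"namespace": "other", "name": "cross-ns",
                  "annotations": {ANNOTATION: '{"default": "my-backendconfig"}'}}},
    {"metadata": {"namespace": "cloud-armor-how-to", "name": "legacy"}},
]

def referenced_configs(service):
    """BackendConfig names the annotation points at ('default' and per-port)."""
    raw = service["metadata"].get("annotations", {}).get(ANNOTATION)
    try:
        ref = json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        return set()  # malformed JSON: the Ingress controller rejects it anyway
    names = set(ref.get("ports", {}).values())
    if "default" in ref:
        names.add(ref["default"])
    return names

def audit(services, backendconfigs):
    """Return {'ns/service': [findings]}; an empty list means Cloud Armor applies."""
    policy_of = {(b["metadata"]["namespace"], b["metadata"]["name"]):
                 b.get("spec", {}).get("securityPolicy", {}).get("name") for b in backendconfigs}
    report = {}
    for svc in services:
        ns, name = svc["metadata"]["namespace"], svc["metadata"]["name"]
        refs = referenced_configs(svc)
        findings = [] if refs else ["no usable backend-config annotation"]
        for bc in sorted(refs):  # a BackendConfig must be in the Service's namespace
            if (ns, bc) not in policy_of:
                findings.append(f"BackendConfig {bc} not found in namespace {ns}")
            elif not policy_of[(ns, bc)]:
                findings.append(f"BackendConfig {bc} has no securityPolicy")
        report[f"{ns}/{name}"] = findings
    return report
```

Feed it the output of `kubectl get services,backendconfigs -A -o json` and only `my-service` comes back clean; the other three are backends that an Ingress would expose without Cloud Armor in front of them.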