v1beta1/Backendconfig securityPolicy.name will be removed after apply #1508
Comments
or using Server-side Apply also fine even with
|
We've got same issue with v1.19.10-gke.1600
|
Reproduced with GKE 1.18.20-gke.900. 1.17.17-gke.9100 seems fine. I think this may be a security risk. |
I found that 1.21.2-gke.600 has already solved this problem. I didn't know what change fixed the issue, but I hope it will be backported to 1.18-1.20. |
The issue resulted from missing validation for The fix (#1512) was backported to GKE v1.20.9-gke.900+ and will be backported to 1.18 and 1.19 as well. |
/assign |
@skmatti Thanks!! |
This happened to us. We use Cloud Armor to restrict admin services to VPN-only. Could y'all post a notice on the GKE release notes with this bug and the workaround? Thanks, Jon |
The release should be updated soon @skmatti |
Our docs are updated with the issue details: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#armor_fields_removed A release note will be sent early next week about the fix in GKE v1.20.9-gke.900 |
Release notes for GKE v1.20: https://cloud.google.com/kubernetes-engine/docs/release-notes#August_17_2021 Will keep this thread posted on the release notes for 1.19 and 1.18 in next couple of weeks. |
I just found this, this is huge for us. |
I've faced the same problem at |
GKE 1.19.x is now patched as of GKE 1.19.14-gke.301 and later. These versions are no longer impacted by this issue and can use v1beta1 BackendConfig versions without any Cloud Armor issues. GKE 1.18.x is targeted to be patched within the next 2 weeks. GKE 1.18.x clusters should continue using the v1 BackendConfig resources as a workaround until GKE 1.18.x is patched. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
Issue
If I create BackendConfig with apiVersion: cloud.google.com/v1beta1, spec.securityPolicy.name field will be gone. And actually the related LoadBalancer won't be registered to the CloudArmor's target.
Reproduce
apply
then get
$ kubectl get backendconfig test -o yaml
here securityPolicy is {}
Expected
applied resource should have
Environment
GKE v1.19.10-gke.1000 (not autopilot)
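
An audit for the symptom reported in this issue, added here as an example and not code from the ingress-gce project or any commenter: it compares the securityPolicy.name in each BackendConfig's last-applied manifest with the live spec and reports the ones where the name was dropped. It assumes the resources were created with client-side `kubectl apply` (which records the `kubectl.kubernetes.io/last-applied-configuration` annotation); the sample objects and the policy name `example-policy` are constructed.

```python
import json
import sys

# Annotation written by client-side `kubectl apply` with the manifest as submitted.
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

def policy_name(obj):
    """Return spec.securityPolicy.name, or None when missing or empty."""
    policy = (obj.get("spec") or {}).get("securityPolicy") or {}
    return policy.get("name") or None

def find_dropped_policies(bc_list):
    """Compare each BackendConfig's applied manifest with its live spec."""
    findings = []
    for item in bc_list.get("items", []):
        meta = item.get("metadata") or {}
        raw = (meta.get("annotations") or {}).get(LAST_APPLIED)
        if not raw:
            continue  # created without client-side apply: no baseline to compare
        try:
            intended = policy_name(json.loads(raw))
        except json.JSONDecodeError:
            continue
        live = policy_name(item)
        if intended and live != intended:
            findings.append((meta.get("namespace"), meta.get("name"),
                             item.get("apiVersion"), intended, live))
    return findings

def _sample(name, api, applied_spec, live_spec):
    """Build one constructed BackendConfig object for the demo input."""
    applied = {"apiVersion": api, "kind": "BackendConfig", "spec": applied_spec}
    return {"apiVersion": api, "kind": "BackendConfig",
            "metadata": {"name": name, "namespace": "default",
                         "annotations": {LAST_APPLIED: json.dumps(applied)}},
            "spec": live_spec}

# Constructed input; "example-policy" is a placeholder Cloud Armor policy name.
SAMPLE = {"items": [
    _sample("test", "cloud.google.com/v1beta1",
            {"securityPolicy": {"name": "example-policy"}}, {"securityPolicy": {}}),
    _sample("ok", "cloud.google.com/v1",
            {"securityPolicy": {"name": "example-policy"}},
            {"securityPolicy": {"name": "example-policy"}}),
    _sample("no-armor", "cloud.google.com/v1", {"timeoutSec": 30}, {"timeoutSec": 30}),
]}

if __name__ == "__main__":
    # Pipe `kubectl get backendconfig -A -o json` in, or run bare for the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, api, intended, live in find_dropped_policies(data):
        print(f"{ns}/{name} ({api}): applied {intended!r}, live {live!r}")
```

Objects created with server-side apply or `kubectl create` carry no last-applied annotation and are skipped, so those need to be checked against the manifests in source control instead.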