GKE ingress with https load balancer and IAP/security policy enabled #469
Comments
@rllin-fathom What is your GKE master version? Does creating ingress with the same setup but without BackendConfig work?
@MrHohn
@rllin-fathom Given the situation, I think the best move would be looking at ingress controller's logs at the moment. Would you mind emailing me your cluster information {cluster_location, project_name, cluster_name} and I can take a look?
@MrHohn done, thanks!
Posting an update here: after inspecting the logs, it turned out the ingress controller is getting permission denied (due to an internal bug on GCP) while updating the IAP configuration on the backend service, which leads to the hang of ingress creation. For those who hit this same issue, a temporary workaround is to set [1] the default GKE service account (Kubernetes Engine Service Agent) as an Owner. This should eventually be revoked once that internal bug is fixed.
[1] https://cloud.google.com/iam/docs/granting-changing-revoking-access
We are seeing the same behavior (status remains "Creating ingress" in GKE version 1.10.6-gke.2), yet we tried the suggested workaround and it did not work for us. Our Ingress object contains a list of rules (with a backend for each) - something like
@aviresonai Did you enable IAP on Ingress via BackendConfig as well? Did creating ingress without IAP work?
I think the issue we are having is discussed at #471
@rllin-fathom Closing this bug since the original issue looks to be resolved. /close
@rramkumar1: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I have an application that uses GKE Ingress for a load balancer. Recently GKE started supporting declaring IAP support via BackendConfig. I followed the documentation at [1] and [2]. However, now, GKE seems to hang while creating my Ingress. Below is the YAML for my service, ingress and backendconfig.
kubectl -n randall-test-1 get svc,ing,backendconfig -o yaml
The hang gives me no insight.
However, in GKE console, I just get "Creating ingress" as a status for > 20 mins with no resolution. I also checked my Load Balancers in console and see nothing. Any ideas what is happening or what else I can check?
I also tried to do this with just securityPolicy, which is supposed to link the Load Balancer with a Cloud Armor policy. This also doesn't work, with a similar hang.
[1] https://cloud.google.com/iap/docs/enabling-kubernetes-howto
[2] https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig