Google Identity Aware Proxy with Internal load balancer


Is it possible to add IAP on top of the internal load balancer? In my setup I have:

  1. Published and configured oauth screen as per https://cloud.google.com/iap/docs/enabling-kubernetes-howto#enabling_iap
  2. Certificates for my internal domain
  3. Kubernetes service setup with the backendConfig (as per https://cloud.google.com/iap/docs/enabling-kubernetes-howto#add-iap-to-backendconfig)
  4. Application running in kubernetes
  5. Kubernetes Ingress that creates internal load balancer with the proper ssl certificates

On my local machine I have /etc/hosts pointing to the load balancer. I am able to authenticate when accessing the app but then I get a "You don't have access" page instead of my application.

In my GCP console I can't see the internal load balancer listed on the IAP page. I can only see external load balancers.

As per this documentation https://cloud.google.com/iap/docs/concepts-overview#your_responsibilities it looks like IAP is supported with HTTPS ILB.

Is ILB with IAP supported on GCP?

My k8s config:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: config-default
  namespace: default
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: my-secret
---
apiVersion: v1
kind: Service
metadata:
  name: ilb-service
  annotations:
    cloud.google.com/backend-config: '{"default": "config-default"}'
    cloud.google.com/neg: '{"ingress": true}'
  labels:
    app: hello
spec:
  type: NodePort
  selector:
    app: hello
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: host1
  - port: 443
    targetPort: 8080
    protocol: TCP
    name: host2
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ilb-demo-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
    kubernetes.io/ingress.allow-http: "false"
    ingress.gcp.kubernetes.io/pre-shared-cert: "titan-testing-ilb"
    kubernetes.io/ingress.regional-static-ip-name: "my-internal-address"
spec:
  defaultBackend:
    service:
      name: ilb-service
      port:
        number: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-app
spec:
  selector:
    matchLabels:
      app: hello
  replicas: 3
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
      - name: hello
        image: "us-docker.pkg.dev/google-samples/containers/gke/hello-app:2.0"
        ports:
          - containerPort: 8080
            protocol: TCP
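A "You don't have access" page after a successful sign-in means IAP authenticated the user but then denied the request, which is decided on the Google side (the OAuth brand's user type the answer below mentions, and the caller's IAP-secured Web App User role), not in the cluster. What a manifest can tell you is whether the in-cluster chain that turns IAP on is intact: Ingress backend → Service port → `cloud.google.com/backend-config` annotation → BackendConfig with `iap.enabled` → Secret with `client_id`/`client_secret`. The following checker is an added example, not code from the question or from Google; the manifests are a constructed copy of the question's YAML loaded as dicts (in practice you would feed it `yaml.safe_load_all()` over the file you apply), plus an assumed Secret named `my-secret`.

```python
import json

# Constructed sample input (assumption): the question's manifests as dicts,
# plus the Secret its BackendConfig points at. Real values come from
# list(yaml.safe_load_all(open("ilb.yaml"))).
MANIFESTS = [
    {"apiVersion": "cloud.google.com/v1", "kind": "BackendConfig",
     "metadata": {"name": "config-default", "namespace": "default"},
     "spec": {"iap": {"enabled": True,
                      "oauthclientCredentials": {"secretName": "my-secret"}}}},
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "ilb-service", "annotations": {
         "cloud.google.com/backend-config": '{"default": "config-default"}',
         "cloud.google.com/neg": '{"ingress": true}'}},
     "spec": {"type": "NodePort",
              "ports": [{"port": 80, "targetPort": 8080, "name": "host1"},
                        {"port": 443, "targetPort": 8080, "name": "host2"}]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "ilb-demo-ingress", "namespace": "default",
                  "annotations": {"kubernetes.io/ingress.class": "gce-internal",
                                  "kubernetes.io/ingress.allow-http": "false"}},
     "spec": {"defaultBackend": {"service": {"name": "ilb-service",
                                             "port": {"number": 443}}}}},
    # Assumed Secret (not shown in the question); the two keys are the ones
    # the BackendConfig IAP block expects.
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "my-secret", "namespace": "default"},
     "data": {"client_id": "<base64 client id>", "client_secret": "<base64 secret>"}},
]


def _by_kind(manifests, kind):
    return {m["metadata"]["name"]: m for m in manifests if m.get("kind") == kind}


def _ingress_backends(ingress):
    """Yield every service reference ({"name":..., "port":...}) the Ingress routes to."""
    spec = ingress.get("spec", {})
    if "defaultBackend" in spec:
        yield spec["defaultBackend"]["service"]
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            yield path["backend"]["service"]


def _backend_config_for(service, port):
    """Resolve the BackendConfig for one Service port: a "ports" entry (keyed by
    port name or port number) wins over "default"."""
    raw = service["metadata"].get("annotations", {}).get("cloud.google.com/backend-config")
    if raw is None:
        return None
    mapping = json.loads(raw)
    for p in service["spec"].get("ports", []):
        if port in (p.get("name"), p.get("port")):
            for key in (p.get("name"), str(p.get("port"))):
                if key in mapping.get("ports", {}):
                    return mapping["ports"][key]
    return mapping.get("default")


def iap_findings(manifests):
    """Return human-readable problems in the IAP wiring; an empty list means the
    Ingress -> Service -> BackendConfig -> Secret chain is complete."""
    findings = []
    services = _by_kind(manifests, "Service")
    configs = _by_kind(manifests, "BackendConfig")
    secrets = _by_kind(manifests, "Secret")
    for ing in _by_kind(manifests, "Ingress").values():
        iname = ing["metadata"]["name"]
        ann = ing["metadata"].get("annotations", {})
        if ann.get("kubernetes.io/ingress.allow-http", "true") != "false":
            findings.append(f"ingress {iname}: allow-http is not \"false\"; IAP only fronts HTTPS backends")
        for be in _ingress_backends(ing):
            svc = services.get(be["name"])
            if svc is None:
                findings.append(f"ingress {iname}: backend service {be['name']!r} not found")
                continue
            port = be["port"].get("number", be["port"].get("name"))
            neg = json.loads(svc["metadata"].get("annotations", {}).get("cloud.google.com/neg", "{}"))
            if neg.get("ingress") is not True:
                findings.append(f"service {be['name']}: missing cloud.google.com/neg '{{\"ingress\": true}}'")
            cfg_name = _backend_config_for(svc, port)
            if cfg_name is None:
                findings.append(f"service {be['name']}: no BackendConfig mapped for port {port}")
                continue
            cfg = configs.get(cfg_name)
            if cfg is None:
                findings.append(f"service {be['name']}: BackendConfig {cfg_name!r} not found")
                continue
            iap = cfg.get("spec", {}).get("iap", {})
            if iap.get("enabled") is not True:
                findings.append(f"backendconfig {cfg_name}: iap.enabled is not true")
            secret_name = iap.get("oauthclientCredentials", {}).get("secretName")
            secret = secrets.get(secret_name)
            if secret is None:
                findings.append(f"backendconfig {cfg_name}: secret {secret_name!r} not found")
            elif not {"client_id", "client_secret"} <= set(secret.get("data", {})):
                findings.append(f"secret {secret_name}: must carry client_id and client_secret")
    return findings


if __name__ == "__main__":
    for line in iap_findings(MANIFESTS) or ["IAP chain OK"]:
        print(line)
```

On the question's manifests the checker reports nothing, which is consistent with the answer: the cluster side is wired correctly and the denial comes from the IAP configuration on the Google side. Dropping the Secret, or pointing `defaultBackend` at port 80 with no `ports` mapping, makes the corresponding finding appear.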

1 answer

Bazinga

[Screenshot: User Type]

I have experienced the same issue at some point and it turned out that I had forgotten to set the user type to "external".

This is if you have managed to get past the login screen of OAuth.