Enable Global access for internal HTTP(S) load balancer with FrontendConfig [272577313]

Assigned

Feature Request

Status Update

No update yet.

Description

mi...@doit.com

created issue #1

Mar 11, 2023 03:38AM

Current documentation about enabling Global access on a GKE cluster implies it only works for Service [type=LoadBalancer] by adding an annotation to the Service manifest.

TCP/UDP load balancer config

This appears supported with TCP/UDP load balancer by adding an annotation to the Service

apiVersion: v1
kind: Service
metadata:
  name: my-app-ilb-svc
  annotations:
    networking.gke.io/load-balancer-type: "Internal"
    networking.gke.io/internal-load-balancer-allow-global-access: "true"
  labels:
    app: my-app
spec:
  ...
  type: LoadBalancer

Problem (HTTP(S) internal load balancer)

Adding the annotation to a Service with a NEG and Ingress doesn't appear to work. If there is a way to declaratively enable Global access for internal HTTP(S) load balancing, it is not clear in documentation and various experiments have proven unsuccessful.

If you create an internal HTTP(S) load balancer using and Ingress manifest, and then inspect the load balancer, you can manually add another IP/port to the frontend and optionally enable Global access (via Cloud Console).

There appears to be no way to do this programmatically, however, because the annotation that works for Service [type=LoadBalancer] does not change the status of the Global access for the frontend.

Checking the CRD specification for FrontendConfig, it only offers sslPolicy and redirectToHttps.

Given users can manually enable Global access in the console when adding frontends to an internal HTTP(S) load balancer, it makes sense to also include this option in FrontendConfig.

Proposed enhancement:

Since it appears the Global access toggle in Console is grouped with frontend configuration of the load balancer, it makes sense to extend the FrontendConfig CRD to toggle that feature and match what users can manually configure.

spec.properties.globalAccess

properties:
  enabled:
    default: false
    type: boolean

Attachments

snapshot of console illustrating default Global access disabled for internal HTTP(S) load balancer
snapshot of adding new IP/Port to the frontend and can enable Global access

Screenshot 2023-03-10 at 8.06.14 PM.png

113 KB

View

Download

Screenshot 2023-03-10 at 8.28.55 PM.png

96 KB

View

Download

Comments

ba...@google.com <ba...@google.com> Mar 11, 2023 03:45AM

Assigned to ba...@google.com.

mi...@doit.com <mi...@doit.com> #2Mar 11, 2023 04:27AM

Gist experiment to recreate issue with comments/writeup below code:

https://gist.github.com/mikesparr/0a44f19916576e5b0aef6839c5d687fe

ba...@google.com <ba...@google.com> #3Mar 11, 2023 09:36AM

Reassigned to gc...@google.com.

Hello,

Thanks for reaching out to us!

The Product Engineering Team has been made aware of your feature request, and will address it in due course. Though we can't provide an ETA on feature requests nor guarantee their implementation, rest assured that your feedback is always taken very seriously, as it allows us to improve our products. Thank you for your trust and continued support to improve Google Cloud Platform products.

In case you want to report a new issue, please do not hesitate to create a new Issue Tracker thread describing your issue. Once again, thank you for the suggestions.

mi...@doit.com <mi...@doit.com> #4Mar 13, 2023 02:26PM

A colleague discovered this issue from December and someone implied this functionality will be added to GKE Gateway at some point [1]. It does make sense however to include in FrontendConfig given the features align with frontend config in console. If any insights as to plans or progress please share.

[1] https://github.com/kubernetes/ingress-gce/issues/1887

ba...@google.com <ba...@google.com> Sep 1, 2023 01:16PM

Reassigned to ba...@google.com.

ba...@google.com <ba...@google.com> Sep 8, 2023 06:11AM

Reassigned to gc...@google.com.

po...@gmail.com <po...@gmail.com> #5Sep 11, 2023 09:09PM

Hi Team

has this been implenented? or could we use the same annotation in Ingress object as well for enabling global access?

networking.gke.io/internal-load-balancer-allow-global-access: "true"

we...@gcp.telefonica.de <we...@gcp.telefonica.de> #6Nov 14, 2023 07:15AM

It is possible to add the [

networking.gke.io/internal-load-balancer-allow-global-access: "true"] annotation when executing a "gcloud compute forwarding-rules delete" followed by an "gcloud compute forwarding-rules create" adding: "--allow-global-access".

Then it is working as expected. For me this is more a bug than a feature. We dont have plans using GKE gateway by the way.

Can you tell us when we can expect a solution for this?