I have GKE applications in following setup:
example.com
api.example.com
I expose those loads via Ingress and all looks cool. I want to protect the application with Cloud Armor. I added the annotation to the api service. I can confirm that if the policy has just one rule "deny all IPs" I cannot reach backend endpoints, and if I change the rule to "allow all IPs" I can. So GCA itself works ok.
I tried to connect reCaptcha Enterprise and interpret its score with Google Cloud Armor, but I cannot make it work. I created the following rules, but whatever values I add, token.recaptcha.score doesn't seem to be interpreted at all.
So in the presented example I will always be blocked, even if I make the rule ridiculously small like "> 0.1". The frontend sends X-Recaptcha-Token to the backend, so it looks like I did everything correctly.
Only thing I'm not sure about is if this allow rule is correctly defined. GCP Logging shows that policy was applied but I don't know exactly which rule:
{
  "insertId": "uxxxv",
  "jsonPayload": {
    "enforcedSecurityPolicy": {
      "outcome": "DENY",
      "configuredAction": "DENY",
      "priority": 2147483647,
      "name": "login-security-policy"
    },
    "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
    "statusDetails": "denied_by_security_policy"
  },
  "httpRequest": {
    "requestMethod": "OPTIONS",
    "requestUrl": "https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AXXXXXXE",
    "requestSize": "330",
    "status": 403,
    "responseSize": "228",
    "userAgent": "XXX",
    "remoteIp": "XX.XX.XX.XX",
    "referer": "https://example.com/",
    "latency": "0.220009s"
  },
  "resource": {
    "type": "http_load_balancer",
    "labels": {
      "zone": "global",
      "target_proxy_name": "k8s2-ts-dxxxd-default-main-ixxxq",
      "backend_service_name": "k8s-be-3xxx9--9xxx9",
      "forwarding_rule_name": "k8s2-fs-dxxxd-default-main-ixxxq",
      "project_id": "xxx",
      "url_map_name": "k8s2-um-dxxxd-default-main-ixxxq"
    }
  },
  "timestamp": "2021-12-21T12:22:28.505728Z",
  "severity": "WARNING",
  "logName": "projects/xxx/logs/requests",
  "trace": "projects/xxx/traces/bxxx4",
  "receiveTimestamp": "2021-12-21T12:22:28.925285233Z",
  "spanId": "cxxx4"
}
I just assume that the field jsonPayload.enforcedSecurityPolicy.priority is pointing to the default rule, which means that the Allow rule doesn't work.
Also, the reCaptcha key has been enabled by emailing Google according to the documentation.
The HTTP method that is falling through to the default rule is OPTIONS. The OPTIONS method is often used by CORS, so you normally want those requests to get through.
Add a rule that allows HTTP method OPTIONS based upon request.method == 'OPTIONS'.
Or modify your existing rule to only check if the method is GET, PUT, POST (specify the methods you need to validate reCaptcha).
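To make the answer's point concrete, here is an added Python model (not Google's code and not from the thread) of how a Cloud Armor policy is evaluated: rules are tried in ascending priority order, the first match wins, and anything unmatched hits the default rule at priority 2147483647, which is exactly the priority the question's log entry shows. It assumes, as a simplification, that a rule referencing token.recaptcha.score cannot match a request that carries no X-Recaptcha-Token, which is the case for a browser's CORS preflight since preflights never carry custom headers. The rule priorities (500, 1000) and the sample requests are constructed.

```python
# Constructed model of Cloud Armor first-match evaluation; not GCP's implementation.
DEFAULT_PRIORITY = 2147483647  # priority of the implicit default rule in every policy


class Request:
    def __init__(self, method, headers=None, recaptcha_score=None):
        self.method = method
        self.headers = headers or {}
        # Score derived from a valid X-Recaptcha-Token; None when no token is sent
        self.recaptcha_score = recaptcha_score


def evaluate(rules, request, default_action="DENY"):
    """Return (priority, action) of the first rule whose matcher accepts the request."""
    for priority, matcher, action in sorted(rules, key=lambda r: r[0]):
        if matcher(request):
            return priority, action
    return DEFAULT_PRIORITY, default_action  # fell through to the default rule


def recaptcha_allow(threshold):
    # Equivalent of the expression "token.recaptcha.score > <threshold>";
    # assumption: no token present means the expression cannot match.
    return lambda req: req.recaptcha_score is not None and req.recaptcha_score > threshold


def method_is(method):
    # Equivalent of the expression "request.method == '<method>'"
    return lambda req: req.method == method


# Policy as described in the question: one score-based allow rule, default deny.
policy_broken = [(1000, recaptcha_allow(0.1), "ALLOW")]
# Fix from the answer: allow the CORS preflight before the score check.
policy_fixed = [(500, method_is("OPTIONS"), "ALLOW"),
                (1000, recaptcha_allow(0.1), "ALLOW")]

# Constructed sample traffic.
preflight = Request("OPTIONS")  # browser preflight, no X-Recaptcha-Token
login = Request("POST", {"X-Recaptcha-Token": "<token>"}, recaptcha_score=0.9)
low_score = Request("POST", {"X-Recaptcha-Token": "<token>"}, recaptcha_score=0.05)

if __name__ == "__main__":
    for name, policy in (("broken", policy_broken), ("fixed", policy_fixed)):
        for label, req in (("preflight", preflight), ("login", login), ("low_score", low_score)):
            print(name, label, evaluate(policy, req))
```

With the broken policy the preflight lands on (2147483647, "DENY"), matching the log entry in the question; with the fixed policy it is allowed at priority 500 while the low-score POST still reaches the default deny.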