Attach cloudarmor policies to load balancers #5710
Conversation
Summary of ChangesHello @beets, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the security posture of our load-balanced services by attaching a specific Cloud Armor policy. The "botcrawl-throttle" policy is now configured to protect the backend services, aiming to mitigate unwanted bot traffic and improve overall system resilience against automated attacks. This change is implemented across both templated and direct Kubernetes configurations. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds a Cloud Armor security policy, botcrawl-throttle, to the backend configuration for the main website service. My review highlights two main points. First, the policy name is hardcoded in the Kubernetes manifests; I've suggested making this configurable, especially in the Helm chart, to improve maintainability. Second, the policy is only applied to one of several backends exposed by the load balancer. I've raised a question about whether other backends (Node.js, mixer) should also be protected by this policy to ensure complete coverage.
| securityPolicy: | ||
| name: botcrawl-throttle |
There was a problem hiding this comment.
I have a couple of points regarding this change:
- Hardcoded value: The security policy name
botcrawl-throttleis hardcoded. In Helm charts, it's best practice to make such values configurable viavalues.yaml. This improves reusability and simplifies management across different environments. You could add a value likewebsite.securityPolicyNametovalues.yamland reference it here. - Incomplete coverage?: This change adds the security policy only to the main
website-service'sBackendConfig. However,backendconfig-nodejsandwebsite-mixer-backendconfigare also defined in this chart and exposed via the same Ingress. Should they also be protected by this Cloud Armor policy? If so, thesecurityPolicyblock should be added to them as well.
securityPolicy:
name: {{ .Values.website.securityPolicyName }}
| securityPolicy: | ||
| name: botcrawl-throttle |
There was a problem hiding this comment.
I have a couple of points regarding this change:
- Hardcoded value: The security policy name
botcrawl-throttleis hardcoded. If you are using a tool like Kustomize, it would be better to manage this value as a variable to improve maintainability. If not, a comment indicating this might need manual changes could be helpful. - Incomplete coverage?: The security policy is applied to the main service's
backendconfig, but not tobackendconfig-nodejsin the same file. Should the Node.js backend also be protected? If so, thesecurityPolicyshould be added there too.
3 participants
No description provided.