On GCP, we should use the healthcheck port 8080 instead of enabling anonymous access

Currently, the example configurations for GCP instruct users to enable anonymous monitoring access ([ link to code](https://github.com/elastic/cloud-on-k8s/blob/7b26130391ed9b6c6cf179a909227debf19016be/config/recipes/gclb/01-elastic-stack.yaml#L26)) for the Elastic cluster in order to get the GCP health check to work. On GCP, HTTP/HTTPS health checks **must** return a `200 OK`  ([source](https://cloud.google.com/load-balancing/docs/health-check-concepts#criteria-protocol-http) ). This is undesirable because it exposes monitoring information to anonymous users.

It is possible to instead, set GCP to use a TCP health check against the health check port that Elastic uses for Kubernetes health checks.

```
---
apiVersion: networking.gke.io/v1
kind: HealthCheckPolicy
metadata:
  name: es-lb-healthcheck
spec:
  default:
    config:
      tcpHealthCheck:
        port: 8080
      type: TCP
  targetRef:
    group: ''
    kind: Service
    name: elasticsearch-es-http
```
The examples in GKE for HealthCheckPolicies don't indicate that this option exists, but if you look at the other GCP documentation for Health Checks, you can find many references to using TCP health checks. 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

On GCP, we should use the healthcheck port 8080 instead of enabling anonymous access #8778

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

On GCP, we should use the healthcheck port 8080 instead of enabling anonymous access #8778

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions