Thanks @aayore. In my case, I had to specify an ingress class explicitly, so that Google Cloud wouldn't interfere. The Nginx ingress seems to be happy with ClusterIp services.

metadata:
  name: foo
  annotations:
    kubernetes.io/ingress.class: "nginx"

I don't know why that error happens, because it seems (to me) to be a valid configuration. But to clear the error, you can switch your service to a named NodePort. Then switch your ingress to use the port name instead of the number. For example:

Service:

apiVersion: v1
kind: Service
metadata:
  name: testapp
spec:
  ports:
  - name: testapp-http # ADD THIS
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: testapp
  type: NodePort

Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: testapp
spec:
  rules:
  - host: hostname.goes.here
    http:
      paths:
      - backend:
          serviceName: testapp
          # USE THE PORT NAME FROM THE SERVICE INSTEAD OF THE PORT NUMBER
          servicePort: testapp-http
        path: /

Update:

This is the explanation I received from Google.

Since services by default are ClusterIP [1] and this type of service is meant to be accessible from inside the cluster. It can be accessed from outside when kube-proxy is used, not meant to be directly accessed with an ingress.

As a suggestion, I personally find this article [2] good for understanding the difference between these types of services.

[1] https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types

[2] https://medium.com/google-cloud/kubernetes-nodeport-vs-loadbalancer-vs-ingress-when-should-i-use-what-922f010849e0