Adding Access Control Origin to Kubernetes

Question

I am trying to allow Access Control Origin due to the following error in an Android Cordova app:

http://localhost:8080/#/: Line 0 : Access to XMLHttpRequest at 'https://api.v2.domain.com/api/v1/users/me/favorites?lat=42.5467&lng=-83.2113&radius=10.0&limit=5&search=' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I am trying to figure out where in Kubernetes to add it - I assume it's somewhere in the Service or the Deployment.

Here's both:

apiVersion: v1
kind: Service
metadata:
  name: domain-server
  annotations:
    dns.alpha.kubernetes.io/external: "api.v2.domain.com"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:152660121739:certificate/8efe41c4-9a53-4cf6-b056-5279df82bc5e
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  type: LoadBalancer
  selector:
    app: domain-server
  ports:
    - port: 443
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: domain-server
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 3
  revisionHistoryLimit: 10
  template:
    metadata:
      labels:
        app: domain-server
    spec:
      containers:
        - name: domain-server
          image: "152660121739.dkr.ecr.us-east-2.amazonaws.com/domain-server"
          imagePullPolicy: Always
          resources:
            limits:
              memory: "1200Mi"
            requests:
              memory: "900Mi"
              cpu: "200m"
          ports:
            - name: http
              containerPort: 8080
     ...

Is this the correct place to put the header? If so, how would one add CORS to Kubernetes here? I am noticing some suggestions like Nginx ingresses, but the application I am using does not use Nginx.

Answer 1

This problem is not about Kubernetes. Browsers enforce CORS, check reference here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS . You can also use curl or postman and see content without CORS error.

Normally nginx servers can fix that and kubernetes-nginx is not really different. It basically uses reverse proxy to control services. Check this reference to get started to fix CORS error by ingress: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#enable-cors

Answer 2

It would be much more easier if you use Nginx, that you will have to add just these annotations in service configuration file:

nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
   more_set_headers "Access-Control-Allow-Origin: $http_origin";

But in your case it seems that problem is connected more with CORS that straight with Kubernetes cors-article. You have to enable CORS.

You can edit kubernetes API server yaml file, to get CORS working.

Add line --cors-allowed-origins=["http://*"] argument to /etc/default/kube-apiserver or /etc/kubernetes/manifests/kube-apiserver.yaml file, it depends where your kube-apiserver configuration file is located.

spec:
containers:
- command:
  - kube-apiserver
  - --cors-allowed-origins=["http://*"]

Then restart to kube-apiserver.

Then change annotation dns.alpha.kubernetes.io/external: "api.v2.domain.com" to dns.alpha.kubernetes.io/external: "http://api.v2.domain.com" in your service configuration file and apply changes.