Kubernetes ingress not enforcing inserting hsts into headers

4/10/2018

I am using kubectl to run Kubernetes on a Kops-controlled cluster on AWS. I want to insert the Strict-Transport-Security header into the pages that are served from our site. My ingress currently forces all traffic to HTTPS, but ignores the annotations I have in my ingress.yaml:

nginx.ingress.kubernetes.io/hsts: "true"

When I run kubectl get ingress <ingressname> -o yaml, I can see {"annotations":{"nginx.ingress.kubernetes.io/hsts":"true", but as far as I can tell, there is no sign of HSTS in the headers.

I have tried to make this happen from the configmap, but it also doesn't work. I am using the quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.12.0 for the ingress controller, and my kubectl server version is v1.8.6.

The ingress deployment, service, and ingress itself all respond to changes, though putting gibberish into the annotations in the ingress.yaml doesn't seem to break anything.

What am I doing wrong?

-- NewBDAQ
hsts
kubernetes-ingress

2 Answers

8/17/2018

It may depend on whether you have actually enabled HTTPS on the ingress itself. In my case I'm offloading SSL on the AWS ELB, so I seem to have to force the HSTS header. You may want to first try a shorter max-age and drop includeSubDomains. Use if you know what you are doing ;-) Check out this issue

You can force it by using a config map similar to the one below:

---
apiVersion: v1
data:
  Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
kind: ConfigMap
metadata:
  name: custom-headers-external-sts
  namespace: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app: ingress-nginx
data:
  add-headers: "ingress-nginx/custom-headers-external-sts"
-- marcin-je
Source: StackOverflow
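
To confirm whether the header actually reaches clients after a ConfigMap like the one above is applied, the response headers can be checked from the shell. This is an added example, not part of the original answer; the `hsts_policy` function, the `example.test` host and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the HSTS policy found in raw HTTP response headers.
# Real use (host is a placeholder): curl -sI https://example.test/ | hsts_policy
# Check over HTTPS: browsers ignore the header on plain-HTTP responses (RFC 6797).

# Prints "max-age=N includeSubDomains=yes|no preload=yes|no" and returns 0,
# or prints "missing" / "invalid" and returns 1.
hsts_policy() {
  awk '
    { sub(/\r$/, "") }                          # curl prints CRLF line endings
    !seen && tolower($0) ~ /^strict-transport-security[ \t]*:/ {
      seen = 1                                  # only the first HSTS field counts
      n = split(substr($0, index($0, ":") + 1), part, ";")
      maxage = ""; incl = "no"; preload = "no"
      for (i = 1; i <= n; i++) {
        d = part[i]
        gsub(/^[ \t]+|[ \t]+$/, "", d)          # tolerate "max-age=1 ; includeSubDomains"
        low = tolower(d)
        if (low ~ /^max-age[ \t]*=/) {
          v = substr(d, index(d, "=") + 1)
          gsub(/^[ \t"]+|[ \t"]+$/, "", v)      # value may be quoted
          if (v ~ /^[0-9]+$/) maxage = v
        } else if (low == "includesubdomains") incl = "yes"
        else if (low == "preload") preload = "yes"
      }
    }
    END {
      if (!seen)        { print "missing"; exit 1 }
      if (maxage == "") { print "invalid"; exit 1 }
      printf "max-age=%s includeSubDomains=%s preload=%s\n", maxage, incl, preload
    }'
}

# Constructed sample: a response with no HSTS header, as the question describes.
sample_without_hsts() {
  printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'
}

# Constructed sample: a response carrying the value from the ConfigMap above.
sample_forced_hsts() {
  printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n'
  printf 'Strict-Transport-Security: max-age=15768000 ; includeSubDomains\r\n\r\n'
}

sample_without_hsts | hsts_policy || true   # prints: missing
sample_forced_hsts  | hsts_policy           # prints: max-age=15768000 includeSubDomains=yes preload=no
```

The non-zero return on a missing or unparsable header lets the check gate a deployment script or a monitoring probe.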

8/7/2018

I seem to be experiencing the same problem, although I'm applying the changes via configmap.

Kubernetes: 1.8.6

Image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.15

Here's the config I've set:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-ingress
  namespace: kube-ingress
  labels:
    k8s-addon: nginx-ingress.addons.k8s.io
data:
  allow-backend-server-header: "true"
  hsts: "true"
  hsts-include-subdomains: "true"
  hsts-max-age: "31536000"
  hsts-preload: "true"
  use-proxy-protocol: "true"
-- Adrian Ng
Source: StackOverflow