K
Q

Istio 1.5 cors not working - Response to preflight request doesn't pass access control check

4/11/2020

Cors preflight requests do not work when a Jwt Policy is configured on the istio-ingressgateway target.

Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "api.example.com"
      tls:
        httpsRedirect: true # sends 301 redirects for http requests
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
      hosts:
        - "api.example.com"

Virtual Service

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: backend-vs
  namespace: foo
spec:
  hosts:
    - "api.example.com"
  gateways:
    - api-gateway
  http:
    - match:
        - uri:
            prefix: /api/v1/info
      route:
        - destination:
            host: backend.foo.svc.cluster.local
      corsPolicy:
        allowOrigin:
          - "https://app.example.com"
        allowMethods:
          - POST
          - GET
          - PUT
          - DELETE
          - PATCH
          - OPTIONS
        allowHeaders:
          - authorization
          - content-type
          - accept
          - origin
          - user-agent
        allowCredentials: true
        maxAge: 300s

Security

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: foo
spec:
  selector:
    matchLabels:
      app: backend
  jwtRules:
    - issuer: "http://keycloak.foo/auth/realms/example"
      jwksUri: "http://keycloak.foo/auth/realms/example/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-example
  namespace: foo
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["http://keycloak.foo/auth/realms/example/http://keycloak.foo/auth/realms/example"]
      when:
        - key: request.auth.claims[groups]
          values: ["group1"]

when I test the web application in firefox it works fine, but in other browsers like opera, chrome, safari, it fails with the following error:

Access to XMLHttpRequest at 'https://api.example.com/api/v1/info' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

What makes me more thoughtful is because in firefox it works well but in other browsers it fails

NOTE: To validate that the cors policy was correct in istio, what I did was disable this policy in istio and test in firefox to see what was happening, the result was that a problem with cors did indeed come out, but when I re-enabled the cors in istio when rerunning in firefox the request works fine.

-- Juanes30
cors
google-cloud-platform
istio
keycloak
kubernetes

Similar Questions

Unable to connect the web page when deploy Kubernetes service on AWS EC2
how to access management UI for rabbitmq from minikube?
Setup Cloud NAT for only 1 node pool in GKE cluster
jaeger configuration in spring boot application when both of them are deployed on kubernetes

1 Answer

4/14/2020

Good after doing segmented tests and see what was causing the error, I found that the problem appeared when I created the keycloak gateway (keycloak.example.com) that was running on the same service port (backend.example.com) , which by default for https is 443 and for http is 80.

What I did was expose keycloak to another port on the gateway (ingressgateway). with the above and the angular application I stop putting problem of the cors.

-- Juanes30
Source: StackOverflow