Kubernetes Istio 1.5 cors不工作-对飞行前请求的响应不';无法通过访问控制检查
当在istio入口网关目标上配置Jwt策略时,Cors飞行前请求不起作用 网关Kubernetes Istio 1.5 cors不工作-对飞行前请求的响应不';无法通过访问控制检查,kubernetes,google-cloud-platform,cors,keycloak,istio,Kubernetes,Google Cloud Platform,Cors,Keycloak,Istio,当在istio入口网关目标上配置Jwt策略时,Cors飞行前请求不起作用 网关 apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: api-gateway namespace: foo spec: selector: istio: ingressgateway # use istio default controller servers: - port: nu
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: api-gateway
namespace: foo
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "api.example.com"
tls:
httpsRedirect: true # sends 301 redirects for http requests
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
hosts:
- "api.example.com"
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "jwt-example"
namespace: foo
spec:
selector:
matchLabels:
app: backend
jwtRules:
- issuer: "http://keycloak.foo/auth/realms/example"
jwksUri: "http://keycloak.foo/auth/realms/example/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-jwt-example
namespace: foo
spec:
selector:
matchLabels:
app: backend
action: ALLOW
rules:
- from:
- source:
requestPrincipals: ["http://keycloak.foo/auth/realms/example/http://keycloak.foo/auth/realms/example"]
when:
- key: request.auth.claims[groups]
values: ["group1"]
虚拟服务
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: backend-vs
namespace: foo
spec:
hosts:
- "api.example.com"
gateways:
- api-gateway
http:
- match:
- uri:
prefix: /api/v1/info
route:
- destination:
host: backend.foo.svc.cluster.local
corsPolicy:
allowOrigin:
- "https://app.example.com"
allowMethods:
- POST
- GET
- PUT
- DELETE
- PATCH
- OPTIONS
allowHeaders:
- authorization
- content-type
- accept
- origin
- user-agent
allowCredentials: true
maxAge: 300s
安全性
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: api-gateway
namespace: foo
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "api.example.com"
tls:
httpsRedirect: true # sends 301 redirects for http requests
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
hosts:
- "api.example.com"
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "jwt-example"
namespace: foo
spec:
selector:
matchLabels:
app: backend
jwtRules:
- issuer: "http://keycloak.foo/auth/realms/example"
jwksUri: "http://keycloak.foo/auth/realms/example/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-jwt-example
namespace: foo
spec:
selector:
matchLabels:
app: backend
action: ALLOW
rules:
- from:
- source:
requestPrincipals: ["http://keycloak.foo/auth/realms/example/http://keycloak.foo/auth/realms/example"]
when:
- key: request.auth.claims[groups]
values: ["group1"]
当我在firefox中测试web应用程序时,它工作正常,但在其他浏览器(如opera、chrome、safari)中,它失败,出现以下错误:
访问位于的XMLHttpRequest'https://api.example.com/api/v1/info“起源”https://app.example.com'已被CORS策略阻止:对飞行前请求的响应未通过访问控制检查:请求的资源上不存在'access control Allow Origin'标头。
让我更加深思熟虑的是,在firefox中它工作得很好,但在其他浏览器中却失败了
注意:为了验证istio中的cors策略是否正确,我所做的是在istio中禁用此策略,并在firefox中进行测试以查看发生了什么,结果是cors确实出现了问题,但是,当我在firefox中重新运行时,在istio中重新启用cors时,请求工作正常。在执行分段测试并查看错误原因后,我发现问题出现在我创建在同一服务端口(backend.example.com)上运行的KeyClope网关(KeyClope.example.com)时,https的默认值为443,http的默认值为80
我所做的是将keybeave暴露到网关上的另一个端口(ingresgateway)。有了上述内容和angular应用程序,我不再考虑cors的问题。如果cors在某些浏览器中工作,但在其他浏览器中失败,最有可能的原因是浏览器扩展。因此,请确保在禁用所有浏览器扩展的情况下进行测试。Adblock是一个特别的扩展,它通常是脚本请求失败的原因。禁用所有chrome扩展,它将不起作用,问题仍然存在,奇怪的是,我在safari中没有扩展,它在那里也不起作用。问题解决后,我建议添加更新作为答案,并接受它以提高可见性。然后为cors/浏览器问题本身打开新帖子。关于cors/浏览器问题,请查看评论和答案。