Kubernetes Istio 1.5 CORS not working - Response to preflight request doesn't pass access control check

Tags: kubernetes, google-cloud-platform, cors, keycloak, istio

CORS preflight requests do not work when a JWT policy is configured on the Istio ingress gateway target.

Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "api.example.com"
      tls:
        httpsRedirect: true # sends 301 redirects for http requests
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
      hosts:
        - "api.example.com"

Virtual Service

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: backend-vs
  namespace: foo
spec:
  hosts:
    - "api.example.com"
  gateways:
    - api-gateway
  http:
    - match:
        - uri:
            prefix: /api/v1/info
      route:
        - destination:
            host: backend.foo.svc.cluster.local
      corsPolicy:
        allowOrigin:
          - "https://app.example.com"
        allowMethods:
          - POST
          - GET
          - PUT
          - DELETE
          - PATCH
          - OPTIONS
        allowHeaders:
          - authorization
          - content-type
          - accept
          - origin
          - user-agent
        allowCredentials: true
        maxAge: 300s

Security

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: foo
spec:
  selector:
    matchLabels:
      app: backend
  jwtRules:
    - issuer: "http://keycloak.foo/auth/realms/example"
      jwksUri: "http://keycloak.foo/auth/realms/example/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-example
  namespace: foo
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["http://keycloak.foo/auth/realms/example/http://keycloak.foo/auth/realms/example"]
      when:
        - key: request.auth.claims[groups]
          values: ["group1"]
When I test the web application in Firefox it works fine, but in other browsers (Opera, Chrome, Safari) it fails with the following error:

Access to XMLHttpRequest at 'https://api.example.com/api/v1/info' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

What puzzles me even more is that it works fine in Firefox but fails in the other browsers.

Note: to verify that the CORS policy in Istio is correct, I disabled the policy in Istio and tested in Firefox to see what happened; CORS then did fail, but when I re-enabled CORS in Istio and ran it again in Firefox, the request worked fine.
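As an added illustration (not part of the question or its answers), the script below replays the browser's preflight with curl and applies the same checks the browser makes against the corsPolicy above; the URL and origin are the question's, while the file name preflight.sh and the sample responses are constructed.

```shell
#!/bin/sh
# Added example (not from the question): replay the browser's CORS preflight against
# the gateway and apply the browser's checks. URL/origin are the question's; responses are constructed.

# Send the preflight as a browser does: OPTIONS with Origin and the
# Access-Control-Request-* headers and NO Authorization header (browsers never
# attach credentials to a preflight). A non-2xx status or missing allow headers
# means the CORS policy did not answer it (origin/host mismatch, or something
# else rejecting the credential-less OPTIONS first).
preflight_probe() {
  curl -sS -o /dev/null -D - -X OPTIONS "$1" -H "Origin: $2" \
    -H "Access-Control-Request-Method: $3" -H "Access-Control-Request-Headers: $4"
}
# hdr RAW NAME: value of a response header, name matched case-insensitively.
hdr() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v n="$2:" '
    tolower(substr($0, 1, length(n))) == tolower(n) {
      v = substr($0, length(n) + 1); sub(/^ +/, "", v); print v; exit }'
}
# in_list NEEDLE "a, b, c": case-insensitive membership in a comma-separated list.
in_list() { printf '%s\n' "$2" | tr ',' '\n' | tr -d ' ' | grep -qixF -- "$1"; }
# preflight_check RAW ORIGIN METHOD "h1,h2": 0 if the browser would accept this
# preflight for a credentialed (allowCredentials: true) request, else 1.
preflight_check() {
  raw=$1; origin=$2; method=$3; want=$4
  status=$(printf '%s\n' "$raw" | head -n 1 | awk '{print $2}')
  case "$status" in 2*) ;; *) echo "FAIL: status $status on OPTIONS"; return 1;; esac
  acao=$(hdr "$raw" Access-Control-Allow-Origin)
  [ -n "$acao" ] || { echo "FAIL: no Access-Control-Allow-Origin header"; return 1; }
  # Credentialed requests: a wildcard is refused, the exact origin must be echoed.
  [ "$acao" = "$origin" ] || { echo "FAIL: allow-origin '$acao' != '$origin'"; return 1; }
  [ "$(hdr "$raw" Access-Control-Allow-Credentials)" = "true" ] ||
    { echo "FAIL: Access-Control-Allow-Credentials is not 'true'"; return 1; }
  in_list "$method" "$(hdr "$raw" Access-Control-Allow-Methods)" ||
    { echo "FAIL: method $method not in Access-Control-Allow-Methods"; return 1; }
  for h in $(printf '%s' "$want" | tr ',' ' '); do
    in_list "$h" "$(hdr "$raw" Access-Control-Allow-Headers)" ||
      { echo "FAIL: header $h not in Access-Control-Allow-Headers"; return 1; }
  done
  echo "PASS: preflight would be accepted"
}
# Constructed: what the gateway should return for the question's corsPolicy, and
# the kind of reply behind the browser error quoted in the question.
GOOD_HEADERS='HTTP/1.1 200 OK
access-control-allow-origin: https://app.example.com
access-control-allow-methods: POST,GET,PUT,DELETE,PATCH,OPTIONS
access-control-allow-headers: authorization,content-type,accept,origin,user-agent
access-control-allow-credentials: true'
BAD_HEADERS='HTTP/1.1 403 Forbidden
content-type: text/plain'
```

For a live check, feed the output of preflight_probe for https://api.example.com/api/v1/info with origin https://app.example.com, method GET and requested headers authorization,content-type into preflight_check with the same origin, method and headers.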

After testing step by step and looking for the cause of the error, I found that the problem arose when I created the Keycloak gateway (keycloak.example.com) running on the same service port as backend.example.com, the default 443 for HTTPS and 80 for HTTP.

What I did was expose Keycloak on another port of the gateway (ingressgateway). With the above and the Angular application, I no longer have to worry about CORS.

If CORS works in some browsers but fails in others, the most likely cause is a browser extension. So make sure you test with all browser extensions disabled. Adblock in particular is an extension that is often the cause of failing script requests.

I disabled all Chrome extensions and it doesn't work; the problem persists. Strangely, I have no extensions in Safari and it doesn't work there either.

Once the problem is solved, I'd suggest adding the update as an answer and accepting it for better visibility. Then open a new post for the CORS/browser issue itself.

Regarding the CORS/browser issue, please check the comments and answers.