Tags: kubernetes, cross-origin-resource-policy

Explain CORS in Kubernetes context


The following configuration has been taken from here:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cors-example
spec:
  virtualhost:
    fqdn: www.example.com
    corsPolicy:
        allowCredentials: true
        allowOrigin:
          - "*" # allows any origin
        allowMethods:
          - GET
          - POST
          - OPTIONS
        allowHeaders:
          - authorization
          - cache-control
        exposeHeaders:
          - Content-Length
          - Content-Range
        maxAge: "10m" # preflight requests can be cached for 10 minutes.
  routes:
    - conditions:
      - prefix: /
      services:
        - name: cors-example
          port: 80

My understanding is that entrance to the cluster is allowed only through www.example.com. Any other external url won't even hit the HTTPProxy.

  • Hence, I really do not get the role of corsPolicy. What exactly does it do? What does "allows any origin" mean? The only origin HTTPProxy allows is www.example.com. Correct?
  • In general, are there any CORS restrictions inside K8s cluster (pod to pod)? My understanding again is no.

P.S. Please do not explain what CORS is. I know very well. This is not my question.


Solution

  • I guess your overconfidence in knowing what CORS means is clouding your reasoning. Let's imagine the following scenario:

    • You are hosting a REST API at www.example.com
    • I am a developer of www.somewebsite.com and I want to use your API.
    • My website tries to fetch data from www.example.com.
      • The above policy will tell the browser to allow me to fetch your data, since I will get a response from your server with a header stating that allowed origins are *.
    • If you don't include this configuration, the browser will not let me consume your API, since the domain of my website [www.somewebsite.com] is not allowed to call this API and is not the same as the one where you host the API.

    You see, I am still trying to fetch data from your domain, www.example.com, and the HTTPProxy will hit your pods, but the browser is the one that will prevent me from getting the data, unless you have the above configuration.
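The scenario in the answer, as an added example that is not part of the original question, answer, or Contour's code: a small model of the decisions a browser makes (preflight, then the CORS check on the actual response) when a script on www.somewebsite.com calls the API behind the corsPolicy above, next to the non-browser path a pod or curl takes. The page origins and the header layout are constructed for illustration; how the proxy fills in Access-Control-Allow-Origin for a "*" rule (a literal "*" versus the caller's Origin reflected back) is not stated on the page, so both variants are modelled, because the browser treats them differently once credentials are involved.

```javascript
// Added example (not from the original question, answer, or Contour): a model of the
// browser-side CORS decisions for the HTTPProxy corsPolicy above. Origins and header
// handling are constructed for illustration.

// The corsPolicy from the HTTPProxy above, restated as plain data.
const corsPolicy = {
  allowOrigin: ["*"],
  allowCredentials: true,
  allowMethods: ["GET", "POST", "OPTIONS"],
  allowHeaders: ["authorization", "cache-control"],
  exposeHeaders: ["Content-Length", "Content-Range"],
};

// Request headers that never trigger a preflight on their own (CORS-safelisted).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Step 1: preflight. The browser sends OPTIONS first when the method is not
// GET/HEAD/POST or a non-safelisted header (e.g. Authorization) is present, and only
// proceeds if the proxy's answer lists that method and those headers.
function preflightDecision(method, requestHeaderNames, policy) {
  const extra = requestHeaderNames.map((h) => h.toLowerCase()).filter((h) => !SAFELISTED.has(h));
  const needsPreflight = !["GET", "HEAD", "POST"].includes(method) || extra.length > 0;
  if (!needsPreflight) return { needsPreflight, allowed: true };
  const methodOk = policy.allowMethods.includes(method);
  const allowedHeaders = new Set(policy.allowHeaders.map((h) => h.toLowerCase()));
  const headersOk = extra.every((h) => allowedHeaders.has(h));
  return { needsPreflight, allowed: methodOk && headersOk };
}

// Step 2: the CORS check on the actual response, as the browser performs it.
// `credentials` is the fetch() credentials mode: "omit", "same-origin" or "include".
function corsCheck({ pageOrigin, credentials }, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined || acao === "null") {
    return { allowed: false, reason: "no Access-Control-Allow-Origin in response" };
  }
  if (acao === "*") {
    // A literal wildcard is refused whenever cookies or Authorization were sent along.
    if (credentials === "include") {
      return { allowed: false, reason: "wildcard origin is rejected for credentialed requests" };
    }
  } else if (acao !== pageOrigin) {
    return { allowed: false, reason: `response allows ${acao}, page origin is ${pageOrigin}` };
  }
  if (credentials === "include" && responseHeaders["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  // Only CORS-safelisted response headers plus those in Expose-Headers are readable.
  const exposed = (responseHeaders["access-control-expose-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  return { allowed: true, exposedHeaders: exposed };
}

// Response headers the policy yields for a given caller. ASSUMPTION (not on the page):
// with `literalWildcard` the "*" rule is sent as-is, otherwise the caller's Origin is
// reflected back. An origin the policy does not match gets no CORS headers at all.
function responseHeadersFor(policy, requestOrigin, literalWildcard) {
  const matched = policy.allowOrigin.includes("*") || policy.allowOrigin.includes(requestOrigin);
  if (!matched) return {};
  const reflect = !(literalWildcard && policy.allowOrigin.includes("*"));
  return {
    "access-control-allow-origin": reflect ? requestOrigin : "*",
    "access-control-allow-credentials": policy.allowCredentials ? "true" : undefined,
    "access-control-expose-headers": policy.exposeHeaders.join(", "),
  };
}

// A pod, curl or any other non-browser client sends no Origin, does no preflight and
// runs no CORS check: it just reads the body. This is why CORS does not restrict
// pod-to-pod calls inside the cluster.
function nonBrowserClientReads(responseHeaders, body) {
  void responseHeaders; // advisory to browsers only; ignored here
  return body;
}

// Worked scenario from the answer: a page on www.somewebsite.com fetches
// www.example.com with an Authorization header (hence a preflight).
function scenario(credentials, literalWildcard) {
  const page = { pageOrigin: "https://www.somewebsite.com", credentials };
  const pre = preflightDecision("GET", ["Authorization"], corsPolicy);
  if (!pre.allowed) return { allowed: false, reason: "preflight rejected" };
  const headers = responseHeadersFor(corsPolicy, page.pageOrigin, literalWildcard);
  return corsCheck(page, headers);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(scenario("omit", true));     // allowed: wildcard, no credentials
  console.log(scenario("include", true));  // blocked: literal "*" plus credentials
  console.log(scenario("include", false)); // allowed: reflected origin plus allow-credentials
}
```

The third case is the one to keep in mind when reviewing a policy like the one above: `allowOrigin: "*"` together with `allowCredentials: true` only works for credentialed requests if the proxy reflects the caller's Origin, and in that form it means any website can make a logged-in user's browser call the API and read the answer, so restrict `allowOrigin` to the sites that actually need it.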