Istio 1.7 CORS Policy not fully working

When I apply the CORS policy, not all of the CORS headers are serialized back. I only get back the following headers. I’m wondering if I’m doing anything wrong? I do have a JWT policy using the RequestAuthentication definition also applied to the same gateway the virtual service below is applied to.

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials

I’m expecting the following, as described in this CorsPolicy document:

  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
  • Access-Control-Max-Age

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  namespace: ingestion
  name: http-bobber-2-public
spec:
  hosts:
    - '*'
  gateways:
    - alb-system/default-istio-gateway
  http:
    - name: http-bobber-2-default-public-route
      match:
        - uri:
            prefix: /ingestion/http-bobber-2/
      rewrite:
        uri: /
      route:
        - destination:
            host: http-bobber-2.ingestion.svc.cluster.local
      corsPolicy:
        allowOrigins:
          - exact: "*"
        allowMethods:
          - GET
          - POST
          - PATCH
          - PUT
          - DELETE
          - OPTIONS
        allowCredentials: false
        allowHeaders:
          - authorization
        maxAge: "24h"

I was able to get CORS preflight to work by adding an explicit AuthPolicy in the same namespace as the ingress gateway.

kind: AuthorizationPolicy
apiVersion: security.istio.io/v1beta1
metadata:
  name: http-bobber-policy
  namespace: alb-system
spec:
  rules:
    - from:
        - source:
            requestPrincipals:
              - '*'
    - to:
        - operation:
            paths:
              - /ingestion/http-bobber-2/*
            methods:
              - OPTIONS
  selector:
    matchLabels:
      app: istio-ingressgateway
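Why the second rule in the policy above lets preflight through, as an added example that is not part of the original posts and is not Istio's code: a browser preflight carries no Authorization header, so it has no request principal and cannot match the first rule. The sketch is a simplified model of ALLOW-policy matching (rules ORed, fields within a rule ANDed); the flattened rule layout, the function names and the sample requests are constructed for illustration.

```python
# Simplified model of Istio ALLOW AuthorizationPolicy matching (assumption:
# flattened rules, no namespaces/IPs/conditions). Not Istio's implementation.

# The two rules from the AuthorizationPolicy above, flattened.
RULES = [
    {"requestPrincipals": ["*"]},                                   # any valid JWT
    {"paths": ["/ingestion/http-bobber-2/*"], "methods": ["OPTIONS"]},
]

def match_value(pattern, value):
    """'*' = any non-empty value, 'abc*' = prefix, '*abc' = suffix, else exact."""
    if not value:
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def rule_matches(rule, req):
    """Every field present in the rule must match; absent fields match anything."""
    actual = {
        "requestPrincipals": req.get("principal"),  # None when no JWT was sent
        "paths": req["path"],
        "methods": req["method"],
    }
    return all(
        any(match_value(p, actual[field]) for p in patterns)
        for field, patterns in rule.items()
    )

def allowed(req, rules=RULES):
    """ALLOW semantics: the request passes if at least one rule matches."""
    return any(rule_matches(r, req) for r in rules)

# Constructed sample requests as seen at the ingress gateway (pre-rewrite path).
PREFLIGHT = {"method": "OPTIONS", "path": "/ingestion/http-bobber-2/items"}
ANON_GET = {"method": "GET", "path": "/ingestion/http-bobber-2/items"}
AUTHED_GET = dict(ANON_GET, principal="https://issuer.example/user-1")
OTHER_PREFLIGHT = {"method": "OPTIONS", "path": "/other/items"}

if __name__ == "__main__":
    for name in ("PREFLIGHT", "ANON_GET", "AUTHED_GET", "OTHER_PREFLIGHT"):
        print(name, "allowed" if allowed(globals()[name]) else "denied")
```

Only unauthenticated OPTIONS under the listed path prefix is opened up; every other method on that path still requires a request principal.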