Configuring Cross-Origin Access for LoadBalancer Ingresses

The same-origin policy of browsers prevents a web page loaded by one origin from directly requesting resources from another origin in web development. Cross-origin resource sharing (CORS) is a secure solution that allows cross-origin requests.

CORS can be used in the following scenarios:

Separated frontend and backend: In web development, frontend applications are often deployed under a domain name (for example, app.example.com), while the backend API service uses a different domain name (for example, api.example.com). This can cause cross-origin resource sharing to be blocked, but CORS can help resolve this issue by allowing the frontend to obtain data from the API service.
Third-party service integration: If your website needs to call third-party APIs (for example, the APIs of a map service or social media login platform), configure CORS to enable cross-origin resource sharing.
CDN: If your website is using a CDN to provide static resources from a domain name that differs from the primary domain, you can use CORS to load these resources.

If you enable cross-origin access for a LoadBalancer ingress, you will not be able to enable URL redirection, URL rewriting, or HTTP to HTTPS redirection.

Prerequisites

A CCE standard cluster is available, and the cluster version meets the following requirements:
- v1.23: v1.23.18-r10 or later
- v1.25: v1.25.16-r0 or later
- v1.27: v1.27.16-r0 or later
- v1.28: v1.28.13-r0 or later
- v1.29: v1.29.8-r0 or later
- v1.30: v1.30.4-r0 or later
- Other clusters of later versions
The cluster can be accessed using kubectl. For details, see Accessing a Cluster Using kubectl.

Notes and Constraints

This feature is only available when dedicated load balancers are used.

Using kubectl

Use kubectl to access the cluster. For details, see Accessing a Cluster Using kubectl.

Create a YAML file named ingress-test.yaml. The file name can be customized.

vi ingress-test.yaml

An example YAML file of an ingress created using an existing load balancer is as follows:

apiVersion: networking.k8s.io/v1
kind: Ingress 
metadata:
  name: ingress-test 
  namespace: default 
  annotations:
    kubernetes.io/elb.class: performance # Only dedicated load balancers are supported.
    kubernetes.io/elb.cors-allow-origin: 'http://example.com'  # The origin that can be accessed
    kubernetes.io/elb.cors-allow-headers: 'fake-header-1' # The allowed request header
    kubernetes.io/elb.cors-expose-headers: 'fake-header-2' # The response header to be exposed
    kubernetes.io/elb.cors-allow-methods: 'GET,POST' # The allowed HTTP request methods
    kubernetes.io/elb.cors-allow-credentials: 'true' # Credentials can be sent.
    kubernetes.io/elb.cors-max-age: '3600' # The cache duration of a pre-check request
    kubernetes.io/elb.port: '80'
    kubernetes.io/elb.id: 3f5906fb-2b07-4e33-b3fe-b095f03d86a6
spec:
  rules:
    - host: example.com 
      http:
        paths:
          - path: / 
            backend:
              service:
                name: nginx-03657 
                port:
                  number: 80
            property:
              ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH 
            pathType: ImplementationSpecific 
  ingressClassName: cce

**Table 1** Annotations for cross-origin access
Parameter	Type	Description	Example Value
kubernetes.io/elb.cors-allow-origin	Array[string]	Specify Access-Control-Allow-Origin for the origin that can be accessed. Options: Wildcard (): indicates that all domain names can be accessed. Domain names: start with http://* or https://. Level-1 wildcard domain names are supported. The format is http(s)://example.com or http(s)://example.com:port, where the port number ranges from 1 to 65535. A maximum of 32 values can be set. Use commas (,) to separate them.	kubernetes.io/elb.cors-allow-origin: 'http://example.com'
kubernetes.io/elb.cors-allow-headers	Array[string]	Specify Access-Control-Allow-Headers for allowed request headers. A value can contain a maximum of 32 characters and cannot start or end with an underscore (_) or hyphen (-). Only uppercase letters, lowercase letters, digits, underscores (_), and hyphens (-) are allowed. A maximum of 32 values can be set. Use commas (,) to separate them.	kubernetes.io/elb.cors-allow-headers: 'fake-header-1'
kubernetes.io/elb.cors-expose-headers	Array[string]	Specify Access-Control-Expose-Headers for custom response headers that can be accessed by a cross-origin request. This allows you to retrieve non-standard response headers using client-side JavaScript code. A value can contain a maximum of 32 characters and cannot start or end with an underscore (_) or hyphen (-). Only uppercase letters, lowercase letters, digits, underscores (_), and hyphens (-) are allowed. A maximum of 32 values can be set. Use commas (,) to separate them.	kubernetes.io/elb.cors-expose-headers: 'fake-header-2'
kubernetes.io/elb.cors-allow-methods	Array[string]	Specify Access-Control-Allow-Methods for allowed HTTP request methods. You can enter multiple values by separating them with commas (,). The supported methods include GET, POST, PUT, DELETE, HEAD, OPTIONS and PATCH.	kubernetes.io/elb.cors-allow-methods: 'GET,POST'
kubernetes.io/elb.cors-allow-credentials	String	Specify Access-Control-Allow-Credentials to control the sending of credentials (such as cookies). Options: true: Credentials can be sent. false: Credentials cannot be sent. Once configured, the settings cannot be deleted. To remove the configuration, use kubernetes.io/elb.cors-disabled to delete all cross-origin settings.	kubernetes.io/elb.cors-allow-credentials: 'true'
kubernetes.io/elb.cors-max-age	String	Specify Access-Control-Max-Age for the cache duration of a CORS pre-check request. Unit: second. Value range: -1 to 172800 Properly configure this parameter based on service requirements. If the value is too low, pre-check requests may happen frequently. If the value is too high, the CORS policy may not take effect immediately.	kubernetes.io/elb.cors-max-age: '3600'
kubernetes.io/elb.cors-disabled	String	Disable all cross-origin settings. Options: true: disables all cross-origin settings. The parameter values in the YAML file will not be deleted, but all cross-origin settings will not take effect. false: default value, indicating that the cross-origin settings take effect based on your settings.	kubernetes.io/elb.cors-disabled: 'true'

Create an ingress.
```
kubectl create -f ingress-test.yaml
```
If information similar to the following is displayed, the ingress has been created:
```
ingress/ingress-test created
```

Check the created ingress.

kubectl get ingress

If information similar to the following is displayed, the ingress has been created:

NAME          CLASS    HOSTS          ADDRESS          PORTS   AGE
ingress-test  cce      example.com    **.**.**.**      80      10s

Verifying Cross-Origin Access

Log in to the ELB console, locate the load balancer used by the ingress, and check whether the forwarding policy of the listener contains cross-origin configurations.

Use curl to send a cross-origin request and check the response header.

curl -X OPTIONS -H 'Origin: {Origin}' {Accessed ingress URL} -I

For example, if the origin is example.com and the accessed ingress URL is 121.**.**.**:80, run the following command:

curl -X OPTIONS -H 'Origin: example.com' 121.**.**.**:80 -I

The Access-Control-** request header will be added to the original backend response.

HTTP/1.1 200 OK 
Access-Control-Allow-Headers: fake-header-1 
Access-Control-Expose-Headers: fake-header-2 
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Credentials: true 
Access-Control-Max-Age: 3600

Parent Topic: Advanced Setting Examples of LoadBalancer Ingresses

Previous topic: Configuring a Custom EIP for a LoadBalancer Ingress

Next topic: Nginx Ingresses