kubernetes / apiserver

Library for writing a Kubernetes-style API server.
Apache License 2.0

An apparent bug with mixing authorization and CORS #71

Closed benlesh closed 3 years ago

benlesh commented 3 years ago

When running kube-apiserver with both authorization and CORS, it seems that OPTIONS pre-flight requests are checking for the Authorization header and rejecting the requests. According to the CORS specification, Authorization headers are always excluded from OPTIONS pre-flight requests:

For a CORS-preflight request, request’s credentials mode is always "same-origin", i.e., it excludes credentials, but for any subsequent CORS requests it might not be. Support therefore needs to be indicated as part of the HTTP response to the CORS-preflight request as well.

This is a huge blocker for writing any authenticated browser-based UI that can make calls against kube-apiserver, from what I can tell.

Hopefully this is just something misconfigured on our end, and I'm just misunderstanding.
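The failure mode described in this issue comes down to filter ordering: if an authorization filter runs before the CORS filter, the browser's credential-less preflight is rejected before CORS ever sees it. The following is an added example written for this page, not code from the kubernetes/apiserver library; the `authz` and `cors` handlers, the `https://ui.example` origin and the `/api/v1/pods` path are all hypothetical stand-ins. It builds both chain orders with plain `net/http` and shows that only the chain in which CORS wraps authorization answers the preflight, while a real GET without a bearer token is still rejected by both.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// authz is a hypothetical authorization filter: it rejects any request that
// does not carry a bearer token. It is not the apiserver's real filter.
func authz(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// cors is a hypothetical CORS filter. A preflight (OPTIONS carrying Origin and
// Access-Control-Request-Method) from an allowed origin is answered here and
// never reaches `next`, because the browser sends it without credentials.
func cors(allowedOrigin string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && origin == allowedOrigin {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
			if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
				w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE")
				w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
				w.Header().Set("Access-Control-Max-Age", "600")
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// api stands in for the protected resource handler.
var api = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.Write([]byte(`{"items":[]}`))
})

// brokenChain: authorization wraps CORS, so the preflight hits authz first
// and is rejected for lacking a token it is not allowed to carry.
func brokenChain() http.Handler { return authz(cors("https://ui.example", api)) }

// fixedChain: CORS wraps authorization, so the preflight is answered before
// authz runs; the actual request still has to pass authz.
func fixedChain() http.Handler { return cors("https://ui.example", authz(api)) }

// preflight is a constructed copy of what a browser sends before
// fetch("/api/v1/pods", {headers: {Authorization: "Bearer ..."}}) from
// https://ui.example. Note the absence of an Authorization header.
func preflight() *http.Request {
	req := httptest.NewRequest(http.MethodOptions, "/api/v1/pods", nil)
	req.Header.Set("Origin", "https://ui.example")
	req.Header.Set("Access-Control-Request-Method", "GET")
	req.Header.Set("Access-Control-Request-Headers", "authorization")
	return req
}

// actual is the constructed follow-up GET; token may be empty.
func actual(token string) *http.Request {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/pods", nil)
	req.Header.Set("Origin", "https://ui.example")
	if token != "" {
		req.Header.Set("Authorization", token)
	}
	return req
}

// status runs req through h and returns the HTTP status code.
func status(h http.Handler, req *http.Request) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("broken chain, preflight:", status(brokenChain(), preflight())) // 401
	fmt.Println("fixed chain, preflight: ", status(fixedChain(), preflight()))  // 204
	fmt.Println("fixed chain, GET + token:", status(fixedChain(), actual("Bearer t0k3n")))
	fmt.Println("fixed chain, GET no token:", status(fixedChain(), actual("")))
}
```

The point of the last two lines is that moving CORS in front of authorization does not weaken authorization: the preflight carries no credentials and grants nothing by itself, and the real request is still checked. The one thing to watch in the CORS filter is the origin allow-list; a filter that echoes any `Origin` with `Access-Control-Allow-Credentials: true` would let any site drive the API with the user's token.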

benlesh commented 3 years ago

Hmm. This repository doesn't seem to be the right place for this.