When running kube-apiserver with both authorization and CORS, it seems that OPTIONS pre-flight requests are checking for the Authorization header and rejecting the requests. According to the CORS specification, Authorization headers are always excluded from OPTIONS pre-flight requests:
> For a CORS-preflight request, request’s credentials mode is always "same-origin", i.e., it excludes credentials, but for any subsequent CORS requests it might not be. Support therefore needs to be indicated as part of the HTTP response to the CORS-preflight request as well.
This is a huge blocker for writing any authenticated browser-based UI that can make calls against kube-apiserver, from what I can tell.
Hopefully this is just something misconfigured on our end, and I'm just misunderstanding.
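
The behaviour described in the post, reproduced in a minimal Go `net/http` handler chain (an added example, not kube-apiserver code and not part of the original post; `withAuth`, `withCORS`, `status`, `api` and the UI origin are hypothetical names and constructed values). With the authentication wrapper outermost, a credential-less preflight gets 401; with the CORS wrapper outermost, the preflight is answered and the actual request still requires the Authorization header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// withAuth stands in for authentication/authorization: no Authorization header, no access.
func withAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// withCORS answers preflights itself; the UI origin below is a constructed value.
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "https://ui.example.test")
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.Header().Set("Access-Control-Allow-Headers", "Authorization")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one request through h and returns the response code.
func status(h http.Handler, method, token string) int {
	req := httptest.NewRequest(method, "/api/v1/pods", nil)
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", "GET") // preflight: never carries credentials
	} else if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

var api = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
func main() {
	authFirst, corsFirst := withAuth(withCORS(api)), withCORS(withAuth(api))
	fmt.Println(status(authFirst, "OPTIONS", ""), status(corsFirst, "OPTIONS", ""), status(corsFirst, "GET", ""))
}
```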