Kusk: Configuring your Ingress Controller for CORS with OpenAPI

Egor Dobrovolsky
September 14, 2021

Theory

CORS — Cross-Origin Resource Sharing — is a mechanism that allows browser and server to communicate and establish a set of security settings that tell a browser which origins scripts may be loaded from and what it can talk to.

Not only having a properly configured CORS is crucial to have a functioning web application talking to an APIs, it’s also very important to thoroughly review allowed CORS origins from a security perspective to disallow third parties talking to your APIs on user’s behalf.

You’d need to have CORS configured on your server to allow your websites talk to your APIs on the backend. In Kubernetes, accessing your API services is usually done with help of an Ingress Controller.

Configuring a CORS on a backend route usually involves setting a few parameters: origins (list of all origins browser is allowed to talk to), methods (HTTP methods that browser can use), headers (a list of headers browser may use in it’s request to the server) and etc.

Unfortunately, all ingress controllers support CORS slightly differently, and getting to grips with those differences can be important when choosing your ingress controller. Let’s have a look at how CORS is configured with two of the more popular ingress controllers: Ambassador Edge Stack and Nginx-Ingress.

Practice

For Ambassador Ingress Controller, you would need to configure a CORS for each Mapping, i.e.:

Nginx-ingress does not have it’s own set of CRDs to configure ingress routes, so a set of annotations is used instead:

Manually managing different CORS settings for a lot of deployed APIs can become cumbersome and error-prone, rendering websites and SPAs dysfunctional or, in the worst case, insecure.

Enter Kusk — OpenAPI for Kubernetes

Kusk is a tool that allows you to automatically generate Kubernetes manifests based on your OpenAPI schema — freeing you from burden of manually editing Ingress manifests and making the whole process more enjoyable and less error-prone!

For example, Kusk makes it easy to configure CORS on your APIs within x-kusk extension — i.e. having an OpenAPI schema like this:

Kusk would turn it into a ready-to-be-applied Kubernetes manifest for Ambassador:

Sounds easy, right? But there’s more — what if you want a specific set of endpoints exposed to a browser? Kusk can handle that, too! Just specify cors option inside an x-kusk extension on the path level (or even more precisely — at the operation level) — and Kusk will generate a separate set of Mappings for each route with corresponding CORS settings!

Kusk currently supports automatic CORS configuration for Ambassador and nginx-ingress, and Traefik support is coming! For a full options reference, take a look at the documentation.

Make your OpenAPI schema a real source of truth

Kusk aims to simplify workflows for Developers that adopt Kubernetes, giving the ability to use OpenAPI schemas as a source of truth for configuring cluster resources.

Adopting an OpenAPI to define your APIs bring many advantages to both the developers and consumers of those APIs. Why not make Ops life a little bit easier too?

Kusk can use your OpenAPI schema stored in Git and automatically apply it in a GitOps fashion if you have ArgoCD — working as an ArgoCD plugin!

To start using Kusk, refer to our Getting Started guide here. And please, don’t hesitate to give your feedback through Github or hop on our Discord to discuss anything!

Kusk is brought to you by kubeshop.io

Happy days!

/Kusk-team

Thanks to Ole Lensmar and Dmitry Fonarev.

Get the updates and insights direct to your inbox.