Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cors preflight does not work when Jwt Policy targets the Istio Ingress Gateway #16171

Open
yangminzhu opened this issue Aug 9, 2019 · 4 comments

Comments

@yangminzhu
Copy link
Contributor

commented Aug 9, 2019

(NOTE: This is used to report product bugs:
To report a security vulnerability, please visit https://istio.io/about/security-vulnerabilities/
To ask questions about how to use Istio, please visit https://discuss.istio.io
)

Bug description
See https://discuss.istio.io/t/cors-preflight-does-not-work-when-jwt-policy-targets-the-istio-ingress-gateway/3410

@lei-tang Would you mind to take a look? The customer is reporting it's failing in 1.2, not sure if it also fails in master where we have switched to use JWT filter in Envoy (we also need to verify this but that is a separate issue). We may also need an e2e test to prevent such regression, thank you!

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Expected behavior
Cors preflight requests should work when a Jwt Policy is configured on the istio-ingressgateway target.

Steps to reproduce the bug
See the original report

Version (include the output of istioctl version --remote and kubectl version)
Istio 1.2

How was Istio installed?

Environment where bug was observed (cloud vendor, OS, etc)

Additionally, please consider attaching a cluster state archive by attaching
the dump file to this issue.

@svilenvul

This comment has been minimized.

Copy link

commented Aug 12, 2019

+1 Same issue here.

@svilenvul

This comment has been minimized.

Copy link

commented Aug 14, 2019

@lei-tang @yangminzhu, this bug is preventing us to migrate to Istio End User Authentication.

It looks rather simple to fix. Could you give an Estimated Time of Availability for it?

@yangminzhu

This comment has been minimized.

Copy link
Contributor Author

commented Aug 14, 2019

@lei-tang added the support of Cors preflight in Istio proxy. I just talked with him but he is working on other tasks and won't be able to work on this.

@myidpt @rlenglet let me know if you can find someone to help on this. I can try to take a look if nobody is going to work on this but I'm not familiar with this part of code.

@svilenvul sorry for the delay, I was handling a urgent security CVE issue until yesterday so didn't have time to follow up on this. My guess is we can fix this sometime next week but please be noted it will take more time to ship the fix to a new 1.2 release (if any).

@myidpt

This comment has been minimized.

Copy link
Contributor

commented Aug 14, 2019

@svilenvul Our team are all occupied on high-priority things now. We will get to this as soon as we have bandwidth.
Adding the help wanted label in case anyone from the community is interested in fixing this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
5 participants
You can’t perform that action at this time.