ingress-gce icon indicating copy to clipboard operation
ingress-gce copied to clipboard

Published 20 hours ago verified publisher icon kubernetes

Custom response headers support?

Open aleks-m opened this issue 4 years ago • 19 comments

Hi.

Is there a way to configure custom response headers on path or load balancer level?

Thanks.

aleks-m avatar May 20 '20 10:05 aleks-m

@aleks-m Do you mean headers sent back to the client? Can't you do that in your application?

rramkumar1 avatar May 21 '20 13:05 rramkumar1

@rramkumar1 yes.

Well, in theory I can. But in my case I have multiple apps behind one load balancer and it will be pretty hard to modify all of them (especially given the fact what they are written in different programming languages). And such approach will be impossible if I run a third-party app with no source code provided and with no header configuration support. Would be much better to just set response headers on a load balancer instead of modifying each app source code.

aleks-m avatar May 21 '20 14:05 aleks-m

@mark-church any thoughts? I don't think there is a GCLB feature for this nor can I find a feature request.

rramkumar1 avatar May 21 '20 14:05 rramkumar1

This is not available right now, we'll update when it is possible on the underlying product.

bowei avatar May 21 '20 15:05 bowei

The feature has been released in beta in GCLB 3 days ago. https://issuetracker.google.com/issues/62051227

lorenzozimolo avatar Sep 28 '20 06:09 lorenzozimolo

I need this feature for HSTS. Can we unfreeze this?

jeremyd avatar Feb 10 '21 21:02 jeremyd

I might be not understanding frozen status -- I use it to pin issues so they do not rot

bowei avatar Feb 10 '21 21:02 bowei

Apologies @bowei I assumed frozen meant something bad. I see now that it prevents auto-close. Thanks for clarifying.

jeremyd avatar Feb 10 '21 22:02 jeremyd

This is not available right now, we'll update when it is possible on the underlying product.

Hello @bowei! This is definitely supported by GCE load balancers (https://cloud.google.com/load-balancing/docs/custom-headers#working-with-response). Tested succesfully by manually adding custom responce headers (including CORS like Access-Control-Allow-Origin) to NEGs configured with Ingress BackendConfigs. Please, implement this feature. Response headers (mostly CORS ones) is a core feature that will let many people to get rid of ingress-nginx installed between ingress-gce and k8s services. Thanks!

ivan046 avatar May 29 '21 15:05 ivan046

I made a request for allowing Custom Response Headers from GKE, via a BackendConfig resource. This is essential for enforcing HSTS from a site served by a GKE cluster. The only workaround is to modify the load balaner settings generated by GKE, and that is not a clean approach. Vote for the feature at : https://issuetracker.google.com/issues/191700241

cgotfried avatar Jun 23 '21 14:06 cgotfried

@cgotfried I can't vote on that issue - I got "access denied" then I tried to open that issue tracker URL.

aleks-m avatar Sep 07 '21 11:09 aleks-m

same, I'd like to vote for this, but cannot

nealharris avatar Sep 14 '21 16:09 nealharris

@aleks-m , @nealharris I don't know why this is happening. The issue is not reachable in the Google issuetracker anymore. I get Access Denied when i try to go there. I don't have any way to troubleshoot this.

cgotfried avatar Sep 14 '21 17:09 cgotfried

@cgotfried I get the same Access Denied error. Could you re-create the issue?

otherguy avatar Nov 03 '21 10:11 otherguy

Also unable to upvote https://issuetracker.google.com/issues/191700241 - it will be great to have this feature available so we can use HSTS on GKE NEGs

albertoal avatar Nov 18 '21 23:11 albertoal

Any updates on this one? This would be essential not only for HSTS, but for other "classic" security headers like X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy and Referrer-Policy.

dinvlad avatar Feb 11 '22 22:02 dinvlad

+1

m62534 avatar Mar 16 '22 16:03 m62534

+1

allenvino1 avatar Jun 14 '22 02:06 allenvino1

+1

anhnt094 avatar Jul 30 '22 11:07 anhnt094

+1

bernardopericacho avatar Sep 29 '22 03:09 bernardopericacho

I found out, there are 3 PR related to this, https://github.com/kubernetes/ingress-gce/pull/1771, https://github.com/kubernetes/ingress-gce/pull/1772, and https://github.com/kubernetes/ingress-gce/pull/1776. But not sure, when it will be release

ridhoadya avatar Oct 12 '22 09:10 ridhoadya

Any timeline on when this will land to GKE?

dinvlad avatar Oct 20 '22 01:10 dinvlad

We are currently testing out the changes. I will update when the changes are available in GKE and what version it is available in.

swetharepakula avatar Oct 31 '22 15:10 swetharepakula

@swetharepakula finally! thanks for the update!

ivan046 avatar Oct 31 '22 16:10 ivan046

@swetharepakula any updates? Want to configure this in my manifest instead of having to ask developers to generate custom response headers in code.

red8888 avatar Dec 16 '22 18:12 red8888

We have released custom response header support. This is be available in new GKE 1.25+ clusters.

swetharepakula avatar Dec 27 '22 19:12 swetharepakula

@swetharepakula Is this feature available for existing GKE 1.25 clusters? At least, my cluster with v1.25.4-gke.2100 does not have BackendConfig CRD updated.

shield-9 avatar Jan 05 '23 08:01 shield-9

@shield-9 , we have started the rollout, but the change has not completely been rolled out to existing clusters. Once rolled out, existing clusters will be upgraded according to maintenance windows with the new version of the ingress controller.

swetharepakula avatar Jan 26 '23 20:01 swetharepakula

May be worth update the docuementation to also say customResponseHeaders is supported here https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#request_headers

megalucio avatar Mar 28 '23 11:03 megalucio

Is it rolled out already? Apart from the docs ☝️ not being updated, there is also no mention of it in the GKE release notes and I would expect it to be there.

gdubicki avatar Jun 26 '23 15:06 gdubicki