stackoom
  简体   繁体   中英

How do I set custom headers using Google Kubernetes Engine?

 原文  2021-07-26 17:02:27       kubernetes/ http-headers/ google-kubernetes-engine/ kubernetes-ingress/ nginx-ingress

Question

I understand that an NGINX Ingress controller allows custom header creation using a ConfigMap . Is there either:

  1. a way to use NGINX for GKE or
  2. to directly specify custom headers in the networking.gke.io namespace?

I am specifically interested in setting HTTPS Strict Transport Security , Upgrade Insecure Requests and Content Security Policy headers. I find it a little award that the redirectToHttp feature does not enabled these by default so I am desperate for any ideas.

1 answers

solution1
 2  2021-07-27 19:15:30

Taken from one of my Nginx ingress config values:

HSTS - under controller.config: 

  hsts: "True" # default is "False". Enables HTTP Strict Transport Security (HSTS): the HSTS header is added to the responses from backends. See https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  hsts-max-age: "31536000" # default is 2592000 (1 month).
  hsts-include-subdomains: "True" # default is "False".

Redirect to HTTPS - under anotations:

nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

CORS - Under anotations: 

nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "http://localhost:8888/"
nginx.ingress.kubernetes.io/cors-max-age: "3600"
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,apikey,x-apikey,Accept-Language,impersonated,source"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, PATCH, OPTIONS"

So, an example would look like this:

❯ kubectl get configmaps -n ingress nginx-ingress-0-24-controller -o yaml 

apiVersion: v1
data:
  Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
    style-src 'self' 'unsafe-inline'; frame-src 'self'
  Referrer-Policy: 'Referrer-Policy: strict-origin-when-cross-origin'
  X-API-Token: x
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-Using-Nginx-Controller: "true"
  X-XSS-Protection: 1; mode=block
  client_body_buffer_size: 128k
  client_max_body_size: 24M
  enable-vts-status: "true"
  hsts: "True"
  hsts-include-subdomains: "True"
  hsts-max-age: "31536000"
  http-snippet: |
    more_clear_headers 'Server';
  log-format-upstream: '{"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr",
    "x-forward-for": "$proxy_add_x_forwarded_for", "request_id": "$request_id", "remote_user":
    "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status":
    $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri",
    "request_query": "$args", "request_length": $request_length, "duration": $request_time,
    "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent":
    "$http_user_agent"}'
  proxy-hide-headers: Server, server, Access-Control-Allow-Origin, X-Using-Nginx-Controller
  proxy-set-headers: ingress/nginx-ingress-0-24-custom-headers
  server-tokens: "False"
  ssl-ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-protocols: TLSv1.2
  use-http2: "true"
kind: ConfigMap
metadata:
  creationTimestamp: "2020-08-20T08:46:22Z"
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.8.2
    component: controller
    heritage: Tiller
    release: nginx-ingress-0-24
  name: nginx-ingress-0-24-controller
  namespace: ingress
  resourceVersion: "205918413"
  selfLink: /api/v1/namespaces/ingress/configmaps/nginx-ingress-0-24-controller
  uid: 9fc20850-e2c1-11ea-87b8-42010af00186

While the annotations go in the ingress yaml:

❯ kubectl get ingresses -n system nginx-ingress-ingress-config protect-private -o yaml 

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-0-24
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  creationTimestamp: "2021-03-05T13:03:49Z"
(...)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How do I run traefik behind Kubernetes on Google Container Engine? How do I set up a Tensorflow cluster using Google Compute Engine Instances to train a model? How to set up an environment variables on google kubernetes engine? How do I avoid unschedulable pods when running an autoscale-enabled Google Container/Kubernetes Engine cluster? How do I scale up my cluster on Google Container Engine / Kubernetes? How to set the external IP of a specific node in Google Kubernetes Engine? How do I connect Kubernetes Engine on GCP to an external Google Cloud Storage Bucket? How do you access compute engine instance using internal ip from Google Kubernetes Engine pod in same zone? How do I create a Kubernetes Custom Resource using javascript client How can I increase the size of master node on google kubernetes engine?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM