Configuring CORS settings on kubernetes NGINX ingress

Preface on CORS Link to heading

Cross-Origin Resource Sharing (CORS) is an “issue” that often pops up during development of web applications that call backend services for data and functionality. In simplest terms it is a security feature that allows the backend service to maintain a whitelist of which host websites are able to call it.

By default, this is often quite restrictive - only the same domain can call a service (e.g. caller from domain can query/fetch

Often the frontend and backend are on different domains, and for example, and this triggers a CORS error in the browser as the request is blocked due to the call being “cross-origin” - unless the backend server explicitly allows this to occur.

Configuring the NGINX Ingress controller Link to heading

The CORS configuration can be implemented within the ingress resource, using annotations. For example, the below ingress configuration of the backend service would be appropriate for a scenario where:

  • There is a backend API hosted on
  • There is a frontend web application hosted on that needs to use data from
  • This backend API should only be available for the frontend from
kind: Ingress
  name: ingress-route-backend
    # enable CORS to allow it "true"

    # specify which origins to allow
    # format is quoted comma-separated list, e.g. "a, b, c" ""

    # specifically define which methods to alow
    # format is quoted comma-separated list, e.g. "a, b, c" "PUT, GET, POST, OPTIONS, DELETE"
  ingressClassName: nginx
  - hosts: