Enable CORS for GKE Kubernetes API

cors, google-cloud-platform, google-kubernetes-engine, kubernetes

I have a Kubernetes Engine cluster set up in Google Cloud Platform and it's working wonderfully. I can query the Kubernetes API itself to get info on Kubernetes objects, using the IP-based URL of the Kubernetes Master seen when running kubectl cluster-info.

I'd like to create a simple dashboard for less technical users that pulls its info from the Kubernetes API, and this is done client-side (using React). However, I only have the IP-based endpoint and so my requests are blocked by the CORS policy. How can I resolve this simply?

I understand that if I owned the cluster I'd be able to update kube-apiserver.yaml to provide a more permissive value for --cors-allowed-origins, but as far as I can tell I don't have access to this in GKE.
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

I've also tried putting a Kong proxy in front of the kubernetes.default internal service, but kubernetes.default is secured with a self-signed certificate that Kong doesn't trust. Should I be pointing Kong at the Kubernetes Master IP instead, even though this isn't inside the cluster? I'm using the Kong Ingress Controller so I don't know if I can point it at "external" endpoints like the Kubernetes Master IP. I could try to spin up a service for this but don't want to go down a rabbit hole without some advice.
https://github.com/Kong/kubernetes-ingress-controller

I've also considered that I could write my own little adapter that routes through to kubernetes.default and uses the certificate authority file that Kubernetes will inject. I think this would work, but getting this to work with the server-sent events of the watch endpoints will be a pain and I think it's more effort than I should be going into.

I'm surprised this isn't a more common question, and that makes me think I'm doing something unusual. I'd be keen to see examples of dashboards written over the Kubernetes API.

Best Answer

As far as I know there is no way to enable CORS for GKE. You could try with the proxy approach. In this case you can inject the CA of the GKE master into the root CAs in the container where the proxy is running. In general it would be better to write a small wrapper that will expose only the required Kubernetes APIs.

So, as CORS is out of the picture, you could also try to use the dashboard through the Kubernetes apiserver proxy. What I mean by that is you could expose the service as ClusterIP and access it through the proxy, as in the example below:

https://masterIP/api/v1/namespaces/default/services/testapp-foo-lb:80/proxy/

So you will not have a CORS issue as the master and the service will be on the same domain.
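The "small wrapper" approach from the answer above, sketched as an added example (not code from the original question or answer): a Node.js service running in the cluster that trusts the injected cluster CA, forwards only GET requests for an allowlisted set of API paths, and returns CORS headers for exactly one dashboard origin. The ALLOWED_ORIGIN variable, port 8080 and the path and query allowlists are assumptions to adapt.

```javascript
// Added example: read-only, allowlisting wrapper in front of the Kubernetes API.
// Assumed names: ALLOWED_ORIGIN env var, port 8080, ALLOWED_PATHS, ALLOWED_QUERY.
const SA_DIR = '/var/run/secrets/kubernetes.io/serviceaccount'; // injected into pods
const ALLOWED_PATHS = [
  /^\/api\/v1\/namespaces\/[a-z0-9-]+\/pods$/,
  /^\/apis\/apps\/v1\/namespaces\/[a-z0-9-]+\/deployments$/,
];
const ALLOWED_QUERY = new Set(['watch', 'labelSelector', 'resourceVersion', 'limit']);

// Decide whether a browser request may be forwarded. Returns {status, headers, path?}.
function decide(method, rawUrl, origin, allowedOrigin) {
  const cors = { 'Access-Control-Allow-Origin': allowedOrigin, Vary: 'Origin' };
  if (origin !== allowedOrigin) return { status: 403, headers: {} }; // never echo Origin
  if (method === 'OPTIONS') {
    return { status: 204, headers: { ...cors, 'Access-Control-Allow-Methods': 'GET' } };
  }
  if (method !== 'GET') return { status: 405, headers: cors };
  const url = new URL(rawUrl, 'http://placeholder.invalid'); // normalizes ../ segments
  if (!ALLOWED_PATHS.some((re) => re.test(url.pathname))) return { status: 404, headers: cors };
  const kept = [...url.searchParams].filter(([key]) => ALLOWED_QUERY.has(key));
  const qs = new URLSearchParams(kept).toString();
  return { status: 200, headers: cors, path: url.pathname + (qs ? `?${qs}` : '') };
}

function startServer(allowedOrigin) {
  const fs = require('node:fs'), http = require('node:http'), https = require('node:https');
  const ca = fs.readFileSync(`${SA_DIR}/ca.crt`); // cluster CA, so the API cert verifies
  http.createServer((req, res) => {
    const d = decide(req.method, req.url, req.headers.origin, allowedOrigin);
    if (!d.path) { res.writeHead(d.status, d.headers); return res.end(); }
    const token = fs.readFileSync(`${SA_DIR}/token`, 'utf8').trim(); // re-read: tokens rotate
    const upstream = https.get({ host: 'kubernetes.default', path: d.path, ca,
      headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' } }, (up) => {
      res.writeHead(up.statusCode, { ...d.headers, 'Content-Type': 'application/json' });
      up.pipe(res); // watch responses are streamed through chunk by chunk
    });
    upstream.on('error', () => { if (!res.headersSent) res.writeHead(502, d.headers); res.end(); });
    res.on('close', () => upstream.destroy()); // end the watch when the browser leaves
  }).listen(8080);
}

// Only start listening when an origin has been configured.
if (process.env.ALLOWED_ORIGIN) startServer(process.env.ALLOWED_ORIGIN);
```

The pod's service account should be bound to a read-only RBAC role covering just these resources, so the allowlist is not the only control. The CORS check restricts browsers only, so the wrapper still needs its own authentication if it is reachable by users who should not see this data.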
