BackendConfig support for user-defined response headers

[andriymarchuk]

We have support for user-defined request headers for https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#request_headers

Would be great if BackendConfig also had support for user-defined response headers as per
https://cloud.google.com/load-balancing/docs/custom-headers#working-with-response

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[stevenaldinger]

/remove-lifecycle stale

[stevenaldinger]

Edit: I ended up deploying an nginx sidecar in the pod, used proxy_hide_header Content-Security-Policy; to get rid of what google puts on there, and then added my own.

I'm trying to serve an app (Rocket chat) with ingress-gce/managed certs and need to be able to set content security policy response headers so it can be iframed at another domain.
is that possible without this feature or is ingress-gce unusable for that case?

[grzegorz655]

Hi,
any chance to add support for user-defined response headers?

[bluemalkin]

Would love to see this implemented please.

[ivan046]

Any progress in that?

[ivan046]

Everyone interested, please, add your stars to the correspondining issue here: https://issuetracker.google.com/issues/191700241
Thanks! It's a really easy-to-imolement feature. Hope will get it soon.

[lmakarov]

Everyone interested, please, add your stars to the correspondining issue here: https://issuetracker.google.com/issues/191700241

That issue is private (or deleted?).

Added a thumb-up on this one. Hoping someone will notice it.

---

Apparently, this is a dupe of an earlier request: #1106

[arnisoph]

👍 need :D

[jotacamou]

Any progress or news on this by any chance?

[thebeardedpapi]

Any word on this?

[griseau]

Hello guys, do you have a workaround to be able to headers like Content-Security-Policy ? It's really annoying

[skymeyer]

This definitely would be great to have +1

[oryades]

Need this to add custom headers in response.

[red8888]

Any updates on this? The level of engagement and support here is very frustrating. As previously stated the link is private so how can we even start it!? https://issuetracker.google.com/issues/191700241

This is a basic feature. I want to use GKE native ingresses to take advantage of the global GCE load balancing features but it still does not support custom response headers.

[allenvino1]

An progress? This is the only feature that is lacking for us to migrate to ingress-gce.

[dorfire]

+1

[bschaeffer]

+1

[anhnt094]

+1. Any progress on that?

[erikhubers]

+1

[itpromorus]

we all need it)

[baptiste-dauphin]

+1 we also need this feature ;)

[allenvino1]

Any updates?

[bernardopericacho]

+1

[Agh42]

It took me about one hour of trying to get this done until I finally reached this issue...

It's such a common requirement to be able to set headers such as Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy, Content-Security-Policy and others in one central location.

When using NGINX as Ingress we can simple set nginx.ingress.kubernetes.io/configuration-snippet.more_set_headers.

So there is really no way to do this with the gce ingress class? We have to fall back to using the Web-UI or gcloud CLI to set response headers on all of our backends (that were created by helm from a BackendConfig)?

A big +1 on this issue from me as well...

[swetharepakula]

Custom response headers can now be configured using the BackendConfig CRD. This feature is available in new GKE 1.25+ clusters.

dup #1106

[acondrat]

Custom response headers can now be configured using the BackendConfig CRD. This feature is available in new GKE 1.25+ clusters.

dup #1106

Great news! Could you please share a link to documentation or source code explaining how to use it? I checked https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration but it does not seem to mention this.

[MishaVeldhoen]

I've just updated my cluster to 1.25.4-gke.2100, and as far as I can tell this feature is not yet available (kubectl describe crd backendconfigs.cloud.google.com)

[swetharepakula]

I gave an update in #1106 (comment). The initial rollout only was for newly created clusters that were at least 1.25. We have since rolled out the upgrade for existing 1.25 clusters. The upgrade will occur during your set maintenance windows.

[skyl]

I gave an update in #1106 (comment). The initial rollout only was for newly created clusters that were at least 1.25. We have since rolled out the upgrade for existing 1.25 clusters. The upgrade will occur during your set maintenance windows.

This doesn't seem to work if CDN is enabled? eg

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backend-config
spec:
  cdn:
    enabled: true
    cacheMode: "USE_ORIGIN_HEADERS"
    cachePolicy:
      includeHost: true
      includeProtocol: true
      includeQueryString: true
  # Don't seem to work with CDN
  customResponseHeaders:
    headers:
      - "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload"
      - "X-Frame-Options: SAMEORIGIN"
      - "X-Content-Type-Options: nosniff"
      - "Content-Security-Policy: ..."
      - "Referrer-Policy: no-referrer-when-downgrade"
      - "X-XSS-Protection: 1; mode=block"
      - "Via: Unicorn Fartz"

EDIT: actually it looks like it just takes some time? Will report back in a little while.

EDIT2: it seemed to take a few more minutes than I expected but the above works.