Blog

Istio VirtualService: centralizing CORS policies across revisions and namespaces

Mesh gateways can enforce CORS before traffic reaches language-specific services, reducing duplicated EnvoyFilter YAML.

Published: 2026-02-08Updated: 2026-02-101 min read

istiokubernetesservice-meshcors

Gateway versus sidecar

Ingress gateways are the natural place for browser-facing CORS; sidecars can stay minimal for east-west.

If both apply, document precedence—double Access-Control-* headers confuse browsers unpredictably.

Lint VirtualService for invalid regex in allowed origins before merge.

Alert on drift between staging and production header sets.