Blog
Istio VirtualService and Gateway: CORS policy attachment, ServiceEntry for external APIs, and sidecar egress
Apply CORS at the ingress gateway YAML—sidecar proxies to third-party APIs need separate ServiceEntry origins documented.
1 min read
istiokubernetescors
mTLS strict mode
Strict peer authentication can block health checks—ensure OPTIONS probes use the same identities as browsers expect.
Revision tags for canary gateways help roll out CORS header changes safely.
Wasm and EnvoyFilter
Custom EnvoyFilters can mutate CORS headers—pin Istio versions when using community snippets.
Ordering with WASM out-of-tree builds requires extra validation in staging clusters.