auth-allowing-javascript-access-api-server.adoc

Allowing JavaScript-based access to the API server from additional hosts

The default {product-title} configuration only allows the web console to send requests to the API server.

If you need to access the API server or OAuth server from a JavaScript application using a different hostname, you can configure additional hostnames to allow.

Prerequisites

• Access to the cluster as a user with the cluster-admin role.

Procedure

1. Edit the APIServer resource:

   $ oc edit apiserver.config.openshift.io cluster

2. Add the additionalCORSAllowedOrigins field under the spec section and specify one or more additional hostnames:

   apiVersion: config.openshift.io/v1
   kind: APIServer
   metadata:
     annotations:
       release.openshift.io/create-only: "true"
     creationTimestamp: "2019-07-11T17:35:37Z"
     generation: 1
     name: cluster
     resourceVersion: "907"
     selfLink: /apis/config.openshift.io/v1/apiservers/cluster
     uid: 4b45a8dd-a402-11e9-91ec-0219944e0696
   spec:
     additionalCORSAllowedOrigins:
     - (?i)//my\.subdomain\.domain\.com(:|\z) (1)

   1. The hostname is specified as a Golang regular expression that matches against CORS headers from HTTP requests against the API server and OAuth server.

      Note	This example uses the following syntax: The (?i) makes it case-insensitive. The // pins to the beginning of the domain and matches the double slash following http: or https:. The \. escapes dots in the domain name. The (:|\z) matches the end of the domain name (\z) or a port separator (:).

3. Save the file to apply the changes.