-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: add a flag to disable htttp2 #1364
Conversation
This is to mitigate CVE-2023-44487 until the Go standard library and golang.org/x/net are fully fixed. Signed-off-by: Jayapriya Pai <janantha@redhat.com>
Welcome @slashpai! |
Hi @slashpai. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/ok-to-test |
/assign |
/retest |
1 similar comment
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/retest |
@@ -135,6 +139,10 @@ func (o Options) ApiserverConfig() (*genericapiserver.Config, error) { | |||
return nil, err | |||
} | |||
|
|||
// disable HTTP/2 to mitigate CVE-2023-44487 until the Go standard library | |||
// and golang.org/x/net are fully fixed. | |||
serverConfig.SecureServing.DisableHTTP2 = o.DisableHTTP2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason for why kubernetes apiserver doesn't expose a flag for users to configure while Metrics Server should?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reason I added the flag is to let users configure and disable it by default till CVE is fixed.
Do we want to just disable it without providing the flag?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know if it was ever discussed upstream, but we had a discussion about it downstream and kube-apiserver most likely needs the efficiency of HTTP/2 because of the number of requests it is handling. Though I would admit we didn't have time to run any benchmarks.
In the case of metrics-server, it should be fine to switch to HTTP/1.1 since it only exposes two endpoints, the API endpoint and the metrics endpoint and both don't really require handling heavy load of requests compare to what the kube-apiserver has to handle.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, what I'm saying is that I would like to better understand why this was not first proposed in k/k repository. And if it was proposed, what was the response.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I see, I misunderstood your initial comment.
I think it is fair and we could try to expose the options in k/k. @slashpai could you try adding it in https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/serving.go#L148 and wire the option in k/k?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
any update on this PR? this should be done first in k/k and later here? or what is the proposal?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah the idea is to add the option to the apiserver library and revendor it here once merged in k/k
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I will be creating pr to upstream Kubernetes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/retest
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dgrisonnet, slashpai, yangjunmyfm192085 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What this PR does / why we need it:
This is to mitigate CVE-2023-44487
until the Go standard library and golang.org/x/net are fully fixed.
cc: @dgrisonnet @simonpasquier
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #