Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ : (go/v3,go/v4) Disable HTTP2 for webhook server and metrics in order to address CVE-2023-39325 HTTP/2 rapid reset can cause excessive work in net/http #3734

Merged
merged 2 commits into from Jan 19, 2024
Merged

✨ : (go/v3,go/v4) Disable HTTP2 for webhook server and metrics in order to address CVE-2023-39325 HTTP/2 rapid reset can cause excessive work in net/http #3734

merged 2 commits into from Jan 19, 2024

Conversation

everettraven
Copy link
Contributor

Description
This PR updates the go/v4 and go/v3 default scaffolding to include some new flags for disabling HTTP/2 on metric (go/v4) and webhook servers. This helps to ensure that new projects don't have to go through manual steps to disable http/2 support to address:

Motivation
Ensure that new projects don't have to go through manual steps to disable http/2 support to address:

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 18, 2024
@everettraven
rapid reset cve scaffold remediations
4526fcf 
Signed-off-by: everettraven <everettraven@gmail.com>
@camilamacedo86 camilamacedo86 changed the title 🌱 rapid reset CVE scaffolding remediations ✨ : (go/v3,go/v4) Disable HTTP2 for webhook server and metrics in order to address CVE-2023-39325 HTTP/2 rapid reset can cause excessive work in net/http Jan 18, 2024
@camilamacedo86
Copy link
Member

camilamacedo86 commented Jan 18, 2024
edited

Hi @everettraven

Go/v3 is deprecated but in this case shows fine add the change on it.
I tried to update the PR title accordingly.
See the emoji 🌱 we only use for changes that does not impact the end users which is not this case since we are changing the scaffolds, feel free to shape it as you see fit.

I added some nits / questions.

Otherwise, /approved

camilamacedo86
camilamacedo86 reviewed Jan 18, 2024
View reviewed changes
docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go Outdated
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.BoolVar(&enableLeaderElection, "leader-elect", false,
"Enable leader election for controller manager. "+
"Enabling this will ensure there is only one active controller manager.")
flag.BoolVar(&secureMetrics, "metrics-secure", false,
"Whether or not the metrics endpoint should be served securely")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we try to following the standard of the other commets
Something more like

If set enable the ... or Enable ...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in 2375fa3

camilamacedo86
camilamacedo86 reviewed Jan 18, 2024
View reviewed changes
docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go
@@ -85,9 +93,28 @@ func main() {

ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))

disableHTTP2 := func(c *tls.Config) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a comment explained why it has been made?
Have we any other option?
Would that mean that we cannot use HTTP2 at all?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in 2375fa3

@everettraven
address review comments
2375fa3 
Signed-off-by: everettraven <everettraven@gmail.com>
Kavinjsir
Kavinjsir approved these changes Jan 19, 2024
View reviewed changes
Copy link
Contributor

@Kavinjsir Kavinjsir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

varshaprasad96
varshaprasad96 approved these changes Jan 19, 2024
View reviewed changes
Copy link
Member

@varshaprasad96 varshaprasad96 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 19, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven, Kavinjsir, varshaprasad96

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 19, 2024
@k8s-ci-robot k8s-ci-robot merged commit 7fba82c into kubernetes-sigs:master Jan 19, 2024
19 checks passed
rashmigottipati
rashmigottipati reviewed Jan 19, 2024
View reviewed changes
Copy link
Contributor

@rashmigottipati rashmigottipati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

(not tagging since already merged)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rashmigottipati rashmigottipati rashmigottipati left review comments

@camilamacedo86 camilamacedo86 camilamacedo86 left review comments

@Kavinjsir Kavinjsir Kavinjsir approved these changes

@varshaprasad96 varshaprasad96 varshaprasad96 approved these changes

Assignees

@varshaprasad96 varshaprasad96

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@everettraven @camilamacedo86 @k8s-ci-robot @rashmigottipati @Kavinjsir @varshaprasad96