-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 2002759: UPSTREAM: <carry>: verify required http2 cipher suites #1022
Conversation
@dgrisonnet: This pull request references Bugzilla bug 2002759, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@dgrisonnet: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
|
/bugzilla refresh |
@dgrisonnet: This pull request references Bugzilla bug 2002759, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver.go
Outdated
Show resolved
Hide resolved
openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver.go
Outdated
Show resolved
Hide resolved
openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver.go
Outdated
Show resolved
Hide resolved
openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver.go
Show resolved
Hide resolved
In the Apiserver admission, we need to return an error if the required http2 cipher suites are missing from a custom tlsSecurityProfile. Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in invalid http2 Server configuration causing the apiservers to crash. See: go/x/net/http2.ConfigureServer for futher information. Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
864726e
to
b2a9cd9
Compare
@dgrisonnet: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
|
...shift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver_test.go
Show resolved
Hide resolved
/lgtm for approval and review |
/retest |
/retest |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dgrisonnet, p0lyn0mial, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
4 similar comments
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
7 similar comments
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
@dgrisonnet: All pull requests linked via external trackers have merged: Bugzilla bug 2002759 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
In the Apiserver admission, we need to return an error if the required
http2 cipher suites are missing from a custom tlsSecurityProfile.
Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in invalid http2 Server
configuration causing the apiservers to crash.
See: go/x/net/http2.ConfigureServer for futher information.
This change is meant to add a check in the Apiserver admission to validate custom ciphers similarly to the following check in the http2 go library in https://cs.opensource.google/go/x/net/+/d418f374:http2/server.go;l=240-257.
/cc @p0lyn0mial