
OCPBUGS-21672: http2: trim connetions and buffers #80

Merged
merged 24 commits into from
Oct 23, 2023

Conversation

ibihim

@ibihim ibihim commented Oct 19, 2023

What

  • Replace/bump go.opentelemetry.io/contrib/instrumentation.
  • Add capability to disable HTTP/2.
  • Add capability to fine-tune resources for HTTP/2.

Why

  • CVE on opentelemetry, which didn't affect KRP, but caused security bots to go haywire.
  • CVE-2023-44487: Rapid Reset on Streams enables DDOS attacks.

@openshift-ci openshift-ci bot requested review from deads2k and s-urbaniak October 19, 2023 15:27
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 19, 2023
@ibihim ibihim force-pushed the CVE-2023-44487-trimming-http2 branch from ab150f0 to 569f97f Compare October 19, 2023 19:38
// limit this connection to just this request,
// and then send a GOAWAY and tear down the TCP connection
// https://github.com/golang/net/commit/97aa3a539ec716117a9d15a4659a911f50d13c3c
w.Header().Set("Connection", "close")


aren't we supposed to return here? you are continuing the handler chain.
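As an added example (not code from this PR or from kube-rbac-proxy), the two defensive mechanisms discussed on this page in standard-library Go: switching HTTP/2 off on an http.Server, and the "Connection: close" technique from the reviewed snippet, which makes Go's HTTP/2 server send GOAWAY after the response so a connection carries a single request. The function and parameter names are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"time"
)

// closeAfterResponse sets "Connection: close" and then continues the handler
// chain: Go's HTTP/2 server turns that header into a GOAWAY and tears the TCP
// connection down after the response, so each connection serves one request.
// Returning early here would skip the wrapped handler, so next must be called.
func closeAfterResponse(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Connection", "close")
		next.ServeHTTP(w, r)
	})
}

// NewServer wires the two knobs the PR describes (an HTTP/2 off switch and a
// one-request-per-connection mode; parameter names are hypothetical, not
// KRP's own) and adds timeouts so idle or slow clients cannot pin resources.
func NewServer(addr string, h http.Handler, disableHTTP2, oneRequestPerConn bool) *http.Server {
	if oneRequestPerConn {
		h = closeAfterResponse(h)
	}
	srv := &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	if disableHTTP2 {
		// net/http negotiates h2 over TLS only while TLSNextProto is nil;
		// a non-nil (even empty) map switches HTTP/2 off.
		srv.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
	}
	return srv
}

// HTTP2Enabled reports whether the server would still negotiate h2 over TLS.
func HTTP2Enabled(srv *http.Server) bool { return srv.TLSNextProto == nil }

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	srv := NewServer(":8443", ok, false, true)
	fmt.Println("HTTP/2 enabled:", HTTP2Enabled(srv)) // prints true
}
```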

@s-urbaniak

/rename OCPBUGS-21672: http2: trim connetions and buffers

@s-urbaniak

/retitle OCPBUGS-21672: http2: trim connetions and buffers

@openshift-ci openshift-ci bot changed the title http2: trim connetions and buffers OCPBUGS-21672: http2: trim connetions and buffers Oct 20, 2023
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Oct 20, 2023
@openshift-ci-robot

@ibihim: This pull request references Jira Issue OCPBUGS-21672, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.15.0) matches configured target version for branch (4.15.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xingxingxia

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

What

Set boundaries to http/2.

Why

This would enable us to keep http/2 enabled and
reduce our attack surface.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot requested a review from xingxingxia October 20, 2023 09:06
@wallylewis

/retest-required


@xingxingxia

Hello all, I pre-merge tested this PR and got panics; details are in the OCPBUGS-21672 comment:

panic: version string "" doesn't match expected regular expression: "^v(\d+\.\d+\.\d+)"

goroutine 1 [running]:
k8s.io/component-base/metrics.parseVersion({{0x0, 0x0}, {0x0, 0x0}, {0x1bc1454, 0x0}, {0x1bd0b20, 0x28}, {0x0, 0x0}, ...})
	/go/src/github.com/brancz/kube-rbac-proxy/vendor/k8s.io/component-base/metrics/version_parser.go:47 +0x274
k8s.io/component-base/metrics.newKubeRegistry({{0x0, 0x0}, {0x0, 0x0}, {0x1bc1454, 0x0}, {0x1bd0b20, 0x28}, {0x0, 0x0}, ...})
	/go/src/github.com/brancz/kube-rbac-proxy/vendor/k8s.io/component-base/metrics/registry.go:320 +0x119
k8s.io/component-base/metrics.NewKubeRegistry()
	/go/src/github.com/brancz/kube-rbac-proxy/vendor/k8s.io/component-base/metrics/registry.go:335 +0x78
k8s.io/component-base/metrics/legacyregistry.init()
	/go/src/github.com/brancz/kube-rbac-proxy/vendor/k8s.io/component-base/metrics/legacyregistry/registry.go:29 +0x1d

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 23, 2023
@ibihim ibihim force-pushed the CVE-2023-44487-trimming-http2 branch 2 times, most recently from 2cbfef0 to 9969ff7 Compare October 23, 2023 09:10
The env variable VERSION is set in the image and overwrites the version
from kube-rbac-proxy.
@s-urbaniak

/lgtm

@s-urbaniak

(we pair programmed here together)

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 23, 2023
@openshift-ci

openshift-ci bot commented Oct 23, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ibihim, s-urbaniak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci bot commented Oct 23, 2023

@ibihim: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-ci openshift-ci bot merged commit e8e8c84 into openshift:master Oct 23, 2023
@openshift-ci-robot

@ibihim: Jira Issue OCPBUGS-21672: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-21672 has been moved to the MODIFIED state.

In response to this:

What

  • Replace/bump go.opentelemetry.io/contrib/instrumentation.
  • Add capability to disable HTTP/2.
  • Add capability to fine-tune resources for HTTP/2.

Why

  • CVE on opentelemetry, which didn't affect KRP, but caused security bots to go haywire.
  • CVE-2023-44487: Rapid Reset on Streams enables DDOS attacks.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this pull request Nov 2, 2023
Includes openshift/kube-rbac-proxy#80

Signed-off-by: Or Shoval <oshoval@redhat.com>
oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this pull request Nov 5, 2023
Includes openshift/kube-rbac-proxy#80

Signed-off-by: Or Shoval <oshoval@redhat.com>
oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this pull request Nov 8, 2023
Includes openshift/kube-rbac-proxy#80

KubeRbacProxyImageDefault was updated manually.
Each test/release/x.go file was updated according to the version it had
in its variable.
Since the tests validate the release on the upgrade test,
both for the old and latest, if there were any errors we would see.

Signed-off-by: Or Shoval <oshoval@redhat.com>
oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this pull request Nov 8, 2023
Includes openshift/kube-rbac-proxy#80

KubeRbacProxyImageDefault was updated manually.
Each test/release/x.go file was updated according to the version it had
in its variable.
Since the tests validate the release on the upgrade test,
both for the old and latest, if there were any errors we would see.

Signed-off-by: Or Shoval <oshoval@redhat.com>
oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this pull request Nov 8, 2023
Includes openshift/kube-rbac-proxy#80

KubeRbacProxyImageDefault was updated manually.
Each test/release/x.go file was updated according to the version it had
in its variable.
Since the tests validate the release on the upgrade test,
both for the old and latest, if there were any errors we would see.

Signed-off-by: Or Shoval <oshoval@redhat.com>
oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this pull request Nov 8, 2023
Includes openshift/kube-rbac-proxy#80

KubeRbacProxyImageDefault was updated manually.
Each test/release/x.go file was updated according to the version it had
in its variable.
Since the tests validate the release on the upgrade test,
both for the old and latest, if there were any errors we would see.

Signed-off-by: Or Shoval <oshoval@redhat.com>
oshoval added a commit to oshoval/kubemacpool that referenced this pull request Nov 12, 2023
Includes openshift/kube-rbac-proxy#80

Signed-off-by: Or Shoval <oshoval@redhat.com>
oshoval added a commit to oshoval/kubemacpool that referenced this pull request Nov 12, 2023
Includes openshift/kube-rbac-proxy#80

Signed-off-by: Or Shoval <oshoval@redhat.com>
oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this pull request Nov 12, 2023
Includes openshift/kube-rbac-proxy#80
Affects CNAO and KMP.

KubeRbacProxyImageDefault was updated manually.
Each test/release/x.go file was updated according to the version it had
in its variable.
Since the tests validate the release on the upgrade test,
both for the old and latest, if there were any errors we would see.

Since the image might change, it can't use
the variable which exists only on the latest candid 99.0.0,
but should have a hardcoded value for each release.

Signed-off-by: Or Shoval <oshoval@redhat.com>
@openshift-bot

[ART PR BUILD NOTIFIER]

This PR has been included in build kube-rbac-proxy-container-v4.15.0-202311140732.p0.ge8e8c84.assembly.stream for distgit kube-rbac-proxy.
All builds following this will include this PR.

oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this pull request Nov 30, 2023
Includes openshift/kube-rbac-proxy#80
Affects CNAO and KMP.

KubeRbacProxyImageDefault was updated manually.
Each test/release/x.go file was updated according to the version it had
in its variable.
Since the tests validate the release on the upgrade test,
both for the old and latest, if there were any errors we would see.

Since the image might change, it can't use
the variable which exists only on the latest candid 99.0.0,
but should have a hardcoded value for each release.

Signed-off-by: Or Shoval <oshoval@redhat.com>
oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this pull request Nov 30, 2023
Includes openshift/kube-rbac-proxy#80
Affects CNAO and KMP.

KubeRbacProxyImageDefault was updated manually.
Each test/release/x.go file was updated according to the version it had
in its variable.
Since the tests validate the release on the upgrade test,
both for the old and latest, if there were any errors we would see.

Since the image might change, it can't use
the variable which exists only on the latest candid 99.0.0,
but should have a hardcoded value for each release.

Signed-off-by: Or Shoval <oshoval@redhat.com>
kubevirt-bot pushed a commit to k8snetworkplumbingwg/kubemacpool that referenced this pull request Dec 4, 2023
Includes openshift/kube-rbac-proxy#80

Signed-off-by: Or Shoval <oshoval@redhat.com>
kubevirt-bot pushed a commit to kubevirt/cluster-network-addons-operator that referenced this pull request Dec 4, 2023
Includes openshift/kube-rbac-proxy#80
Affects CNAO and KMP.

KubeRbacProxyImageDefault was updated manually.
Each test/release/x.go file was updated according to the version it had
in its variable.
Since the tests validate the release on the upgrade test,
both for the old and latest, if there were any errors we would see.

Since the image might change, it can't use
the variable which exists only on the latest candid 99.0.0,
but should have a hardcoded value for each release.

Signed-off-by: Or Shoval <oshoval@redhat.com>