File expose-DisableHTTP2-flag-in-SecureServingOptions.patch of Package kubernetes1.25.35817
From e2503e50381cc9cc2e4a4c90f0738e54992558f8 Mon Sep 17 00:00:00 2001
From: Jayapriya Pai <janantha@redhat.com>
Date: Tue, 5 Dec 2023 11:41:58 +0530
Subject: [PATCH] Expose DisableHTTP2 flag in SecureServingOptions

This is to mitigate CVE-2023-44487 until the Go standard library and golang.org/x/net are fully fixed.

Signed-off-by: Jayapriya Pai <janantha@redhat.com>
---
 staging/src/k8s.io/apiserver/pkg/server/options/serving.go | 6 ++++++
 .../src/k8s.io/apiserver/pkg/server/options/serving_test.go | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
index 842ab7ee0d1..21a2736e107 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
@@ -44,6 +44,8 @@ type SecureServingOptions struct {
 // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
 // "tcp4", and "tcp6".
 BindNetwork string
+ // DisableHTTP2Serving indicates that http2 serving should not be enabled.
+ DisableHTTP2Serving bool
 // Required set to true means that BindPort cannot be zero.
 Required bool
 // ExternalAddress is the address advertised, even if BindAddress is a loopback. By default this
@@ -163,6 +165,9 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 }
 fs.IntVar(&s.BindPort, "secure-port", s.BindPort, desc)

+ fs.BoolVar(&s.DisableHTTP2Serving, "disable-http2-serving", s.DisableHTTP2Serving,
+ "If true, HTTP2 serving will be disabled [default=false]")
+
 fs.StringVar(&s.ServerCert.CertDirectory, "cert-dir", s.ServerCert.CertDirectory, ""+
 "The directory where the TLS certs are located. "+
 "If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.")
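Review bot: The new `DisableHTTP2Serving` field, and the `--disable-http2-serving` flag registered in the AddFlags hunk, both default to false, so applying this patch leaves HTTP/2 serving on; the CVE-2023-44487 mitigation named in the commit message takes effect only where an operator sets the flag. Neither the field comment nor the help string says why the switch exists or that it is opt-in. I would extend the field comment to `// DisableHTTP2Serving turns off HTTP/2 on the secure port. It defaults to false and must be set explicitly; it exists as a mitigation for CVE-2023-44487.` and add the same rationale to the flag description. Both the struct and AddFlags continue outside their hunks.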
@@ -256,6 +261,7 @@ func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error
 *config = &server.SecureServingInfo{
 Listener: s.Listener,
 HTTP2MaxStreamsPerConnection: s.HTTP2MaxStreamsPerConnection,
+ DisableHTTP2: s.DisableHTTP2Serving,
 }
 c := *config

diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
index f1ca80cb2e8..460e1884e65 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
@@ -286,7 +286,8 @@ func TestServerRunWithSNI(t *testing.T) {
 KeyFile: serverKeyFile,
 },
 },
- SNICertKeys: namedCertKeys,
+ DisableHTTP2Serving: true,
+ SNICertKeys: namedCertKeys,
 }).WithLoopback()
 // use a random free port
 ln, err := net.Listen("tcp", "127.0.0.1:0")
-- 
2.46.0
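Review bot: In `ApplyTo`, `HTTP2MaxStreamsPerConnection` is still copied into the struct literal right next to the new `DisableHTTP2` field, and nothing visible says how the two interact. If the stream limit is ignored once HTTP/2 is off, which seems likely but is decided outside this hunk, a comment on the literal such as `// HTTP2MaxStreamsPerConnection has no effect when DisableHTTP2 is true` would keep an operator from assuming the limit is still in force. ApplyTo's body starts before and continues past the hunk.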
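Review bot: `TestServerRunWithSNI` now sets `DisableHTTP2Serving: true`, but the hunk adds no assertion that the server actually stops offering HTTP/2, so a regression that drops the `DisableHTTP2` wiring in `ApplyTo` would still pass. Flipping the option here also appears to move this test off the default HTTP/2 path, which leaves that path uncovered unless another test not shown exercises it. A check on the negotiated ALPN protocol after the client handshake would pin the behaviour, for example `if conn.ConnectionState().NegotiatedProtocol == "h2" { t.Errorf("HTTP/2 negotiated with DisableHTTP2Serving set") }`. The test body lies outside the hunk, so `conn` is a placeholder for whatever TLS connection the test already opens.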