File expose-DisableHTTP2-flag-in-SecureServingOptions.patch of Package kubernetes1.24.35689
From e2503e50381cc9cc2e4a4c90f0738e54992558f8 Mon Sep 17 00:00:00 2001
From: Jayapriya Pai <janantha@redhat.com>
Date: Tue, 5 Dec 2023 11:41:58 +0530
Subject: [PATCH] Expose DisableHTTP2 flag in SecureServingOptions
This is to mitigate CVE-2023-44487
until the Go standard library and golang.org/x/net
are fully fixed.
Signed-off-by: Jayapriya Pai <janantha@redhat.com>
---
staging/src/k8s.io/apiserver/pkg/server/options/serving.go | 6 ++++++
.../src/k8s.io/apiserver/pkg/server/options/serving_test.go | 3 ++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
index 842ab7ee0d1..21a2736e107 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
@@ -44,6 +44,8 @@ type SecureServingOptions struct {
// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
// "tcp4", and "tcp6".
BindNetwork string
+ // DisableHTTP2Serving indicates that http2 serving should not be enabled.
+ DisableHTTP2Serving bool
// Required set to true means that BindPort cannot be zero.
Required bool
// ExternalAddress is the address advertised, even if BindAddress is a loopback. By default this
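Review bot: The doc comment on the new `DisableHTTP2Serving` field says what the field does but not why an operator would set it, and the only rationale in the commit is the CVE-2023-44487 mitigation named in the description; that context is what a maintainer reading the struct later needs. Suggest `// DisableHTTP2Serving indicates that http2 serving should not be enabled. Intended as an operator-side mitigation for HTTP/2 serving issues (see CVE-2023-44487); when set, presumably only HTTP/1.1 is served — confirm against the server package.` The `SecureServingOptions` struct starts before this hunk.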
@@ -163,6 +165,9 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
}
fs.IntVar(&s.BindPort, "secure-port", s.BindPort, desc)
+ fs.BoolVar(&s.DisableHTTP2Serving, "disable-http2-serving", s.DisableHTTP2Serving,
+ "If true, HTTP2 serving will be disabled [default=false]")
+
fs.StringVar(&s.ServerCert.CertDirectory, "cert-dir", s.ServerCert.CertDirectory, ""+
"The directory where the TLS certs are located. "+
"If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.")
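Review bot: The help text on the new `--disable-http2-serving` flag hard-codes `[default=false]` while the actual default passed to `fs.BoolVar` is `s.DisableHTTP2Serving`, so a caller that pre-populates the options struct with `true` gets a help message that contradicts the real default. Either drop the bracket and let pflag report the default, `"If true, HTTP2 serving will be disabled")`, or keep the text consistent with what is passed. The help text also gives no hint that this is a mitigation switch with a protocol-downgrade side effect for clients; a short clause such as `"... HTTP2 serving will be disabled; clients fall back to HTTP/1.1"` would tell operators what they are trading, if that is confirmed to be the behaviour. `AddFlags` continues outside this hunk.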
@@ -256,6 +261,7 @@ func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error
*config = &server.SecureServingInfo{
Listener: s.Listener,
HTTP2MaxStreamsPerConnection: s.HTTP2MaxStreamsPerConnection,
+ DisableHTTP2: s.DisableHTTP2Serving,
}
c := *config
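Review bot: Nothing in this hunk reconciles the new `DisableHTTP2: s.DisableHTTP2Serving` with `HTTP2MaxStreamsPerConnection` on the line above it: when both `--disable-http2-serving` and `--http2-max-streams-per-connection` are set, the stream limit is silently meaningless, which can mask a misconfiguration in a hardening rollout. If `SecureServingOptions` has a `Validate` method (not visible here), consider returning an error or at least logging when `s.DisableHTTP2Serving && s.HTTP2MaxStreamsPerConnection != 0`, e.g. `if s.DisableHTTP2Serving && s.HTTP2MaxStreamsPerConnection != 0 { errors = append(errors, fmt.Errorf("--http2-max-streams-per-connection has no effect when --disable-http2-serving is set")) }` adapted to that method's return style. `ApplyTo` starts before this hunk and continues after it.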
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
index f1ca80cb2e8..460e1884e65 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
@@ -286,7 +286,8 @@ func TestServerRunWithSNI(t *testing.T) {
KeyFile: serverKeyFile,
},
},
- SNICertKeys: namedCertKeys,
+ DisableHTTP2Serving: true,
+ SNICertKeys: namedCertKeys,
}).WithLoopback()
// use a random free port
ln, err := net.Listen("tcp", "127.0.0.1:0")
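Review bot: Setting `DisableHTTP2Serving: true` inside `TestServerRunWithSNI` converts the existing SNI test into an HTTP/2-disabled run without adding any assertion about the new option, so the diffstat shows no new test (3 lines changed) and the previous coverage of SNI serving with HTTP/2 enabled is lost rather than extended. A dedicated test that calls `ApplyTo` and asserts the resulting `SecureServingInfo.DisableHTTP2` is true would pin the wiring this patch adds, and `TestServerRunWithSNI` could then keep its original configuration. `ApplyTo`'s early-return conditions are outside this patch, so the listener setup below is a guess at what it requires (constructed example). `TestServerRunWithSNI` starts before this hunk and continues after it.
```go
func TestApplyToDisableHTTP2(t *testing.T) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		t.Fatal(err)
	}
	defer ln.Close()
	s := &SecureServingOptions{Listener: ln, DisableHTTP2Serving: true}
	var config *server.SecureServingInfo
	if err := s.ApplyTo(&config); err != nil {
		t.Fatal(err)
	}
	if config == nil || !config.DisableHTTP2 {
		t.Fatalf("DisableHTTP2 not propagated: %+v", config)
	}
}
```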
--
2.46.0