🐛 Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks #484
Conversation
camilamacedo86
requested review from
perdasilva,
joelanford,
bentito and
tmshort
and removed request for
a team
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #484 +/- ##
==========================================
- Coverage 38.23% 37.89% -0.35%
==========================================
Files 15 15
Lines 1224 1235 +11
==========================================
Hits 468 468
- Misses 706 717 +11
Partials 50 50 ☔ View full report in Codecov by Sentry. |
camilamacedo86
force-pushed
the
fix-webhook-cve
branch
from
e701977 to
2b3a5af
Compare
Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with: - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3) - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8) While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: kubernetes/kubernetes#121197
camilamacedo86
force-pushed
the
fix-webhook-cve
branch
from
2b3a5af to
979f29b
Compare
camilamacedo86
requested review from
jianzhangbjz
and removed request for
bentito
|
This one we need to backport. |
camilamacedo86
changed the title
camilamacedo86
changed the title
camilamacedo86
changed the title
The CNCF project does not currently backport to previous release versions, but this will be available in future releases of this project. |
| // - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8) | ||
| // While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. | ||
| // For details, see: https://github.com/kubernetes/kubernetes/issues/121197 | ||
| setupLog.Info("disabling http/2") |
There was a problem hiding this comment.
can we indicate that this is for webhooks? We ought to be disabling HTTP/2 for more than just webhooks, and it would be good, to specify it.
There was a problem hiding this comment.
It will be used for metrics as well when we get both PR merged:
This one and #460
So, how do you think we could make it clearer?
Any ideas?
There was a problem hiding this comment.
You're saying that tlsOpts will be used for multiple Servers? If that's the case, I guess it's ok, but I would like to see a bit more, but we can save that for later.
There was a problem hiding this comment.
we can shape in a follow after get both merged for sure 👍
Thank you
Given that we just released this, and the installed customer base is small, I agree with this. |
camilamacedo86
changed the title
cab110e
Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with:
While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: kubernetes/kubernetes#121197