|
| 1 | +From a0fd4b065528566eec54fe207aa5e3131babc378 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Monis Khan < [email protected]> |
| 3 | +Date: Sat, 7 Oct 2023 21:50:37 -0400 |
| 4 | +Subject: [PATCH] Prevent rapid reset http2 DOS on API server |
| 5 | + |
| 6 | +This change fully addresses CVE-2023-44487 and CVE-2023-39325 for |
| 7 | +the API server when the client is unauthenticated. |
| 8 | + |
| 9 | +The changes to util/runtime are required because otherwise a large |
| 10 | +number of requests can get blocked on the time.Sleep calls. |
| 11 | + |
| 12 | +For unauthenticated clients (either via 401 or the anonymous user), |
| 13 | +we simply no longer allow such clients to hold open http2 |
| 14 | +connections. They can use http2, but with the performance of http1 |
| 15 | +(with keep-alive disabled). |
| 16 | + |
| 17 | +Since this change has the potential to cause issues, the |
| 18 | +UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to |
| 19 | +remove this protection (it is enabled by default). For example, |
| 20 | +when the API server is fronted by an L7 load balancer that is set up |
| 21 | +to mitigate http2 attacks, unauthenticated clients could force |
| 22 | +disable connection reuse between the load balancer and the API |
| 23 | +server (many incoming connections could share the same backend |
| 24 | +connection). An API server that is on a private network may opt to |
| 25 | +disable this protection to prevent performance regressions for |
| 26 | +unauthenticated clients. |
| 27 | + |
| 28 | +For all other clients, we rely on the golang.org/x/net fix in |
| 29 | +https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd |
| 30 | +That change is not sufficient to adequately protect against a |
| 31 | +motivated client - future changes to Kube and/or golang.org/x/net |
| 32 | +will be explored to address this gap. |
| 33 | + |
| 34 | +The Kube API server now uses a max stream of 100 instead of 250 |
| 35 | +(this matches the Go http2 client default). This lowers the abuse |
| 36 | +limit from 1000 to 400. |
| 37 | + |
| 38 | +Signed-off-by: Monis Khan < [email protected]> |
| 39 | + |
| 40 | +Kubernetes-commit: 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb |
| 41 | + |
| 42 | +Modified-by: corvus-callidus < [email protected]> |
| 43 | +- Remove patch for test file that isn't present in AzL3 package source |
| 44 | +- Adjust remaining patch to apply to AzL3's package version |
| 45 | + |
| 46 | +--- |
| 47 | + vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go | 15 +++++++++------ |
| 48 | + 12 files changed, 9 insertions(+), 6 deletions(-) |
| 49 | + |
| 50 | +diff --git a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go |
| 51 | +index d738725ca..3674914f7 100644 |
| 52 | +--- a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go |
| 53 | ++++ b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go |
| 54 | +@@ -126,14 +126,17 @@ type rudimentaryErrorBackoff struct { |
| 55 | + // OnError will block if it is called more often than the embedded period time. |
| 56 | + // This will prevent overly tight hot error loops. |
| 57 | + func (r *rudimentaryErrorBackoff) OnError(error) { |
| 58 | ++ now := time.Now() // start the timer before acquiring the lock |
| 59 | + r.lastErrorTimeLock.Lock() |
| 60 | +- defer r.lastErrorTimeLock.Unlock() |
| 61 | +- d := time.Since(r.lastErrorTime) |
| 62 | +- if d < r.minPeriod { |
| 63 | +- // If the time moves backwards for any reason, do nothing |
| 64 | +- time.Sleep(r.minPeriod - d) |
| 65 | +- } |
| 66 | ++ d := now.Sub(r.lastErrorTime) |
| 67 | + r.lastErrorTime = time.Now() |
| 68 | ++ r.lastErrorTimeLock.Unlock() |
| 69 | ++ |
| 70 | ++ // Do not sleep with the lock held because that causes all callers of HandleError to block. |
| 71 | ++ // We only want the current goroutine to block. |
| 72 | ++ // A negative or zero duration causes time.Sleep to return immediately. |
| 73 | ++ // If the time moves backwards for any reason, do nothing. |
| 74 | ++ time.Sleep(r.minPeriod - d) |
| 75 | + } |
| 76 | + |
| 77 | + // GetCaller returns the caller of the function that calls it. |
0 commit comments