Skip to content

Commit

Permalink
upgrade to latest dependencies (knative#14552) (#494)
Browse files Browse the repository at this point in the history
bumping knative.dev/pkg bd99f2f...56bfe0d:
  > 56bfe0d [release-1.11] [CVE-2023-44487] Disable http2 for webhooks (# 2875)
bumping knative.dev/caching 24ff723...ee89f75:
  > ee89f75 upgrade to latest dependencies (# 797)

Signed-off-by: Knative Automation <[email protected]>
Co-authored-by: Knative Automation <[email protected]>
  • Loading branch information
nak3 and knative-automation authored Oct 24, 2023
1 parent b504942 commit e86912b
Show file tree
Hide file tree
Showing 4 changed files with 26 additions and 8 deletions.
4 changes: 2 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -36,10 +36,10 @@ require (
k8s.io/code-generator v0.26.5
k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2
knative.dev/caching v0.0.0-20230718155311-24ff72399d90
knative.dev/caching v0.0.0-20231012200751-ee89f751874f
knative.dev/hack v0.0.0-20230712131415-ddae80293c43
knative.dev/networking v0.0.0-20231012062757-a5958051caf8
knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7
knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626
sigs.k8s.io/yaml v1.3.0
)

Expand Down
8 changes: 4 additions & 4 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -1007,14 +1007,14 @@ k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+O
k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
knative.dev/caching v0.0.0-20230718155311-24ff72399d90 h1:FTywJXyLNTMA4XbWIXHh+4aHrLIIkSlGAl9yNTJhipY=
knative.dev/caching v0.0.0-20230718155311-24ff72399d90/go.mod h1:4IprjglzaLM1+/S+7OcMhxL3h15Uh0glFiV4NcJftD8=
knative.dev/caching v0.0.0-20231012200751-ee89f751874f h1:Uzb2EYN7hTTBGO/dis/gRv+Xsp8WKoepiHMyCxQCJD4=
knative.dev/caching v0.0.0-20231012200751-ee89f751874f/go.mod h1:wUsSFu6nUj7/j5GwpLB3wQfjTQODNl9Exb7wmtoGOYY=
knative.dev/hack v0.0.0-20230712131415-ddae80293c43 h1:3SE06uNfSFGm/5XS+0trbyCUpgsOaBeyhPQU8FPNFz8=
knative.dev/hack v0.0.0-20230712131415-ddae80293c43/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
knative.dev/networking v0.0.0-20231012062757-a5958051caf8 h1:oZMbAAXyiDZUYoQ4qEjL6uxXrL1xBVfEyQJx8sP0XEg=
knative.dev/networking v0.0.0-20231012062757-a5958051caf8/go.mod h1:XwZwqJoLZR92N6F/sj8lHxttnry/Kiz+OgG8+uVuYn0=
knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7 h1:y3qbfYX1SuSr/1ysXvKfpV8q/kCwWLWieCUgAhBUHmQ=
knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7/go.mod h1:g+UCgSKQ2f15kHYu/V3CPtoKo5F1x/2Y1ot0NSK7gA0=
knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626 h1:qFE+UDBRg6cpF5LbA0sv1XK4XZ36Z7aTRCa+HcuxnNQ=
knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626/go.mod h1:g+UCgSKQ2f15kHYu/V3CPtoKo5F1x/2Y1ot0NSK7gA0=
pgregory.net/rapid v0.3.3 h1:jCjBsY4ln4Atz78QoBWxUEvAHaFyNDQg9+WU62aCn1U=
pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
Expand Down
18 changes: 18 additions & 0 deletions vendor/knative.dev/pkg/webhook/webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,17 @@ type Options struct {
// ControllerOptions encapsulates options for creating a new controller,
// including throttling and stats behavior.
ControllerOptions *controller.ControllerOptions

// EnableHTTP2 enables HTTP2 for webhooks.
// Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go
// standard library and golang.org/x/net are fully fixed.
// Right now, it is possible for authenticated and unauthenticated users to
// hold open HTTP2 connections and consume huge amounts of memory.
// See:
// * https://github.com/kubernetes/kubernetes/pull/121120
// * https://github.com/kubernetes/kubernetes/issues/121197
// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
EnableHTTP2 bool
}

// Operation is the verb being operated on
Expand Down Expand Up @@ -237,12 +248,19 @@ func (wh *Webhook) Run(stop <-chan struct{}) error {
QuietPeriod: wh.Options.GracePeriod,
}

// If TLSNextProto is not nil, HTTP/2 support is not enabled automatically.
nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){}
if wh.Options.EnableHTTP2 {
nextProto = nil
}

server := &http.Server{
ErrorLog: log.New(&zapWrapper{logger}, "", 0),
Handler: drainer,
Addr: fmt.Sprint(":", wh.Options.Port),
TLSConfig: wh.tlsConfig,
ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
TLSNextProto: nextProto,
}

var serve = server.ListenAndServe
Expand Down
4 changes: 2 additions & 2 deletions vendor/modules.txt
Original file line number Diff line number Diff line change
Expand Up @@ -1281,7 +1281,7 @@ k8s.io/utils/net
k8s.io/utils/pointer
k8s.io/utils/strings/slices
k8s.io/utils/trace
# knative.dev/caching v0.0.0-20230718155311-24ff72399d90
# knative.dev/caching v0.0.0-20231012200751-ee89f751874f
## explicit; go 1.18
knative.dev/caching/config
knative.dev/caching/pkg/apis/caching
Expand Down Expand Up @@ -1345,7 +1345,7 @@ knative.dev/networking/pkg/http/stats
knative.dev/networking/pkg/ingress
knative.dev/networking/pkg/k8s
knative.dev/networking/pkg/prober
# knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7
# knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626
## explicit; go 1.18
knative.dev/pkg/apiextensions/storageversion
knative.dev/pkg/apiextensions/storageversion/cmd/migrate
Expand Down

0 comments on commit e86912b

Please sign in to comment.