disable http2 for metrics and webhooks by default (#356)

* disable http2 for metrics and webhooks by default It appears that mitigating the recent http2 vulnerabilities (see CVE-2023-44487 and CVE-2023-39325) requires [more than just a library update to golang.org/x/net][1]. Until better mitigations have been developed, disable http2 in both the metrics and webhooks servers. [1]: kubernetes/kubernetes#121197 Signed-off-by: Andy Sadler <[email protected]> * cleanup http2 disabling methods Until better mitigations are in place, disable HTTP2 in all cases. Don't leave an option in place to re-enable it. Signed-off-by: Andy Sadler <[email protected]> * fix generated drift Signed-off-by: Andy Sadler <[email protected]> --------- Signed-off-by: Andy Sadler <[email protected]>
servicebinding · Nov 7, 2023 · e6c1633 · e6c1633
1 parent 00db1d5
commit e6c1633
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/main.go b/main.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"os"
 	"time"
@@ -59,6 +60,10 @@ func init() {
 	//+kubebuilder:scaffold:scheme
 }
 
+func disableHTTP2(t *tls.Config) {
+	t.NextProtos = []string{"http/1.1"}
+}
+
 func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
@@ -83,10 +88,12 @@ func main() {
 		Scheme: scheme,
 		Metrics: server.Options{
 			BindAddress: metricsAddr,
+			TLSOpts:     []func(*tls.Config){disableHTTP2},
 		},
 		WebhookServer: &webhook.DefaultServer{
 			Options: webhook.Options{
-				Port: 9443,
+				Port:    9443,
+				TLSOpts: []func(*tls.Config){disableHTTP2},
 			},
 		},
 		Cache: cache.Options{