From 36338edb6cff81ced39fc294be770038d2157822 Mon Sep 17 00:00:00 2001
From: Joel Takvorian
Date: Thu, 19 Oct 2023 10:53:10 +0200
Subject: [PATCH 1/2] Disable http/2
Additional remediations for CVE-2023-39325 CVE-2023-44487: Disable HTTP/2 on:
- Webhook server
- Metrics server
- FLP and Console plugin via env GODEBUG
Also bump all k8s / contorller-runtime dependencies
Stop support for go1.19, add support for go1.21 (still uses 1.20 for builds)
---
 .../netobserv-operator.clusterserviceversion.yaml | 2 +-
 config/default/manager_auth_proxy_patch.yaml | 2 +-
 config/manager/manager.yaml | 2 +-
 controllers/consoleplugin/consoleplugin_objects.go | 1 +
 controllers/constants/constants.go | 9 ++++++++-
 controllers/flowcollector_controller_test.go | 2 +-
 controllers/flowlogspipeline/flp_common_objects.go | 1 +
 main.go | 14 +++++++++++++-
 8 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
index 8f2ab1412..628d02f8e 100644
--- a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
@@ -932,7 +932,7 @@ spec:
         - --v=10
         - --tls-cert-file=/etc/tls/private/tls.crt
         - --tls-private-key-file=/etc/tls/private/tls.key
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.4
         name: kube-rbac-proxy
         ports:
         - containerPort: 8443
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index 9657d186c..4ea1b4e2c 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -18,7 +18,7 @@ spec:
         - "--flowlogs-pipeline-image=$(RELATED_IMAGE_FLOWLOGS_PIPELINE)"
         - "--console-plugin-image=$(RELATED_IMAGE_CONSOLE_PLUGIN)"
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.4
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 83d653383..4ab8c710d 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -64,7 +64,7 @@ spec:
             cpu: 100m
             memory: 100Mi
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.4
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
diff --git a/controllers/consoleplugin/consoleplugin_objects.go b/controllers/consoleplugin/consoleplugin_objects.go
index 7797eaeef..bbd67504a 100644
--- a/controllers/consoleplugin/consoleplugin_objects.go
+++ b/controllers/consoleplugin/consoleplugin_objects.go
@@ -271,6 +271,7 @@ func (b *builder) podTemplate(cmDigest string) *corev1.PodTemplateSpec {
 			Resources:    *b.desired.ConsolePlugin.Resources.DeepCopy(),
 			VolumeMounts: b.volumes.AppendMounts(volumeMounts),
 			Args:         args,
+			Env:          []corev1.EnvVar{constants.EnvNoHTTP2},
 		}},
 		Volumes:            b.volumes.AppendVolumes(volumes),
 		ServiceAccountName: constants.PluginName,
diff --git a/controllers/constants/constants.go b/controllers/constants/constants.go
index e0886ad7d..a1cf0a2c9 100644
--- a/controllers/constants/constants.go
+++ b/controllers/constants/constants.go
@@ -1,7 +1,10 @@
 // Package constants defines some values that are shared across multiple packages
 package constants
-import "k8s.io/apimachinery/pkg/types"
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
 const (
 	DefaultOperatorNamespace = "netobserv"
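Review bot: The new `Env:` line in consoleplugin_objects.go injects a GODEBUG setting with nothing at the call site saying why, and a reader later maintaining this struct literal has no way to know it is a security mitigation rather than a debugging leftover. Suggest a comment above the line: `// GODEBUG=http2server=0 disables the plugin backend's HTTP/2 server (CVE-2023-39325 / CVE-2023-44487).` The visible context shows no other `Env` assignment on this container, so overwriting the field with a fresh slice looks safe, but that is inferred from three context lines; this also assumes the plugin backend is a Go binary that honours GODEBUG, which the hunk does not show. `podTemplate` starts and ends outside the hunk.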
@@ -40,3 +43,7 @@ const (
 var LokiIndexFields = []string{"SrcK8S_Namespace", "SrcK8S_OwnerName", "SrcK8S_Type", "DstK8S_Namespace", "DstK8S_OwnerName", "DstK8S_Type", "FlowDirection", "Duplicate"}
 var LokiConnectionIndexFields = []string{"_RecordType"}
 var FlowCollectorName = types.NamespacedName{Name: "cluster"}
+var EnvNoHTTP2 = corev1.EnvVar{
+	Name:  "GODEBUG",
+	Value: "http2server=0",
+}
diff --git a/controllers/flowcollector_controller_test.go b/controllers/flowcollector_controller_test.go
index 254d2d26b..196d4f001 100644
--- a/controllers/flowcollector_controller_test.go
+++ b/controllers/flowcollector_controller_test.go
@@ -335,7 +335,7 @@ func flowCollectorControllerSpecs() {
 					Protocol:      "UDP",
 				}))
 				Expect(cnt.Env).To(Equal([]v1.EnvVar{
-					{Name: "GOGC", Value: "400"}, {Name: "GOMAXPROCS", Value: "33"},
+					{Name: "GOGC", Value: "400"}, {Name: "GOMAXPROCS", Value: "33"}, {Name: "GODEBUG", Value: "http2server=0"},
 				}))
 			})
diff --git a/controllers/flowlogspipeline/flp_common_objects.go b/controllers/flowlogspipeline/flp_common_objects.go
index b166a4364..487a228a3 100644
--- a/controllers/flowlogspipeline/flp_common_objects.go
+++ b/controllers/flowlogspipeline/flp_common_objects.go
@@ -178,6 +178,7 @@ func (b *builder) podTemplate(hasHostPort, hostNetwork bool, annotations map[str
 	for _, pair := range helper.KeySorted(b.desired.Processor.Debug.Env) {
 		envs = append(envs, corev1.EnvVar{Name: pair[0], Value: pair[1]})
 	}
+	envs = append(envs, constants.EnvNoHTTP2)
 	container := corev1.Container{
 		Name:            constants.FLPName,
diff --git a/main.go b/main.go
index 7fb8baea5..db0dd9b84 100644
--- a/main.go
+++ b/main.go
@@ -18,6 +18,7 @@ package main
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	_ "net/http/pprof"
@@ -81,6 +82,7 @@ func main() {
 	var enableLeaderElection bool
 	var probeAddr string
 	var pprofAddr string
+	var enableHTTP2 bool
 	var versionFlag bool
 	config := operator.Config{}
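Review bot: `EnvNoHTTP2` is a new exported name without a doc comment, and nothing at the declaration records why a GODEBUG value lives in the constants package or what it is meant to mitigate. Suggest `// EnvNoHTTP2 sets GODEBUG=http2server=0 so the Go runtime's HTTP/2 server is disabled in the managed FLP and console-plugin pods (CVE-2023-39325 / CVE-2023-44487). It only affects the server side; HTTP/2 client use is unchanged.` Note also that it is a package-level `var` holding a struct value: callers get copies, which is fine, but the variable itself is reassignable from any importer, so either document it as read-only or expose it through a small function returning the value.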
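Review bot: The added `envs = append(envs, constants.EnvNoHTTP2)` in flp_common_objects.go can produce a second `GODEBUG` entry when `b.desired.Processor.Debug.Env`, which the loop just above already turned into env vars, carries one of its own; the container then holds two entries with the same name and one of the two settings is dropped — either the operator's HTTP/2 mitigation or the user's debug setting, depending on which entry the kubelet honours. Merging into an existing GODEBUG value (the runtime reads it as a comma-separated list) keeps both. `podTemplate` starts and ends outside the hunk, and that Debug.Env is user-supplied is inferred from it coming from the desired spec.
```go
	}
	// Fold the HTTP/2 mitigation into an existing GODEBUG entry rather than adding a duplicate name.
	merged := false
	for i := range envs {
		if envs[i].Name == constants.EnvNoHTTP2.Name {
			if envs[i].Value == "" {
				envs[i].Value = constants.EnvNoHTTP2.Value
			} else {
				envs[i].Value += "," + constants.EnvNoHTTP2.Value
			}
			merged = true
			break
		}
	}
	if !merged {
		envs = append(envs, constants.EnvNoHTTP2)
	}
	container := corev1.Container{
```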
@@ -95,6 +97,7 @@ func main() {
 	flag.StringVar(&config.FlowlogsPipelineImage, "flowlogs-pipeline-image", "quay.io/netobserv/flowlogs-pipeline:main", "The image of Flowlogs Pipeline")
 	flag.StringVar(&config.ConsolePluginImage, "console-plugin-image", "quay.io/netobserv/network-observability-console-plugin:main", "The image of the Console Plugin")
 	flag.BoolVar(&config.DownstreamDeployment, "downstream-deployment", false, "Either this deployment is a downstream deployment ot not")
+	flag.BoolVar(&enableHTTP2, "enable-http2", enableHTTP2, "If HTTP/2 should be enabled for the metrics and webhook servers.")
 	flag.BoolVar(&versionFlag, "v", false, "print version")
 	opts := zap.Options{
 		Development: true,
@@ -117,13 +120,22 @@ func main() {
 		os.Exit(1)
 	}
+	disableHTTP2 := func(c *tls.Config) {
+		if enableHTTP2 {
+			return
+		}
+		c.NextProtos = []string{"http/1.1"}
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
 		Metrics: server.Options{
 			BindAddress: metricsAddr,
+			TLSOpts:     []func(*tls.Config){disableHTTP2},
 		},
 		WebhookServer: webhook.NewServer(webhook.Options{
-			Port: 9443,
+			Port:    9443,
+			TLSOpts: []func(*tls.Config){disableHTTP2},
 		}),
 		PprofBindAddress:       pprofAddr,
 		HealthProbeBindAddress: probeAddr,
From 4793d5216b66b43fba29634aee64cca7eb1a3c8a Mon Sep 17 00:00:00 2001
From: Joel Takvorian
Date: Mon, 23 Oct 2023 08:43:36 +0200
Subject: [PATCH 2/2] bump again rbac proxy, use --http2-disable
---
 bundle/manifests/netobserv-operator.clusterserviceversion.yaml | 3 ++-
 config/default/manager_auth_proxy_patch.yaml | 3 ++-
 config/manager/manager.yaml | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
index 628d02f8e..844af61ab 100644
--- a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
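Review bot: The new flag registration passes the variable's own zero value as the default, `flag.BoolVar(&enableHTTP2, "enable-http2", enableHTTP2, ...)`, which reads as though the default were decided somewhere else; writing `false` states the secure-by-default choice where a reader looks for it: `flag.BoolVar(&enableHTTP2, "enable-http2", false, "If HTTP/2 should be enabled for the metrics and webhook servers. Disabled by default (CVE-2023-39325 / CVE-2023-44487).")`. The help text extension also tells operators why the switch exists before they flip it. `main` continues outside the hunk.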
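Review bot: The `TLSOpts` entry added to `server.Options` for the metrics server only does anything when that server terminates TLS itself, and the option struct here enables no secure serving (controller-runtime applies metrics TLSOpts only with SecureServing set); the manifests in this same patch front the metrics port with kube-rbac-proxy using `--upstream=http://127.0.0.1:8080/`, so the metrics listener appears to be plain HTTP and this line is likely inert. It is harmless, but a later reader may assume it is what protects the metrics port, when that protection comes from the proxy (image bump here, `--http2-disable` in patch 2); a comment on the line would prevent that: `// Inert unless the metrics server serves TLS itself; the metrics port is fronted by kube-rbac-proxy.` The `disableHTTP2` closure is otherwise sound for the webhook server: replacing NextProtos with only `http/1.1` stops h2 from being negotiated via ALPN. `main` continues outside the hunk.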
@@ -930,9 +930,10 @@ spec:
         - --upstream=http://127.0.0.1:8080/
         - --logtostderr=true
         - --v=10
+        - --http2-disable
         - --tls-cert-file=/etc/tls/private/tls.crt
         - --tls-private-key-file=/etc/tls/private/tls.key
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.4
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
         name: kube-rbac-proxy
         ports:
         - containerPort: 8443
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index 4ea1b4e2c..594749e00 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -18,12 +18,13 @@ spec:
         - "--flowlogs-pipeline-image=$(RELATED_IMAGE_FLOWLOGS_PIPELINE)"
         - "--console-plugin-image=$(RELATED_IMAGE_CONSOLE_PLUGIN)"
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.4
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
         - "--logtostderr=true"
         - "--v=10"
+        - "--http2-disable"
         ports:
         - containerPort: 8443
           protocol: TCP
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 4ab8c710d..16dd546cb 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -64,12 +64,13 @@ spec:
             cpu: 100m
             memory: 100Mi
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.4
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
         - "--logtostderr=true"
         - "--v=10"
+        - "--http2-disable"
         ports:
         - containerPort: 8443
           protocol: TCP