From a2a0a7521027c2887855dcc0c16857c79f720826 Mon Sep 17 00:00:00 2001 From: Zhonghu Xu Date: Thu, 9 Jan 2025 11:28:51 +0800 Subject: [PATCH] =?UTF-8?q?Cleanup=C3=AF:=20only=20initiate=20http2=20serv?= =?UTF-8?q?er=20options=20when=20http2=20is=20not=20disabled?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../apiserver/pkg/server/secure_serving.go | 50 +++++++++---------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go b/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go index 21225d2a8f1..867c7efac2c 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go +++ b/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go @@ -172,33 +172,31 @@ func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Dur ReadHeaderTimeout: 32 * time.Second, // just shy of requestTimeoutUpperBound } - // At least 99% of serialized resources in surveyed clusters were smaller than 256kb. - // This should be big enough to accommodate most API POST requests in a single frame, - // and small enough to allow a per connection buffer of this size multiplied by `MaxConcurrentStreams`. - const resourceBody99Percentile = 256 * 1024 - - http2Options := &http2.Server{ - IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout - } - - // shrink the per-stream buffer and max framesize from the 1MB default while still accommodating most API POST requests in a single frame - http2Options.MaxUploadBufferPerStream = resourceBody99Percentile - http2Options.MaxReadFrameSize = resourceBody99Percentile - - // use the overridden concurrent streams setting or make the default of 250 explicit so we can size MaxUploadBufferPerConnection appropriately - if s.HTTP2MaxStreamsPerConnection > 0 { - http2Options.MaxConcurrentStreams = uint32(s.HTTP2MaxStreamsPerConnection) - } else { - // match http2.initialMaxConcurrentStreams used by clients - // this makes it so that a malicious client can only open 400 streams before we forcibly close the connection - // https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd - http2Options.MaxConcurrentStreams = 100 - } - - // increase the connection buffer size from the 1MB default to handle the specified number of concurrent streams - http2Options.MaxUploadBufferPerConnection = http2Options.MaxUploadBufferPerStream * int32(http2Options.MaxConcurrentStreams) - if !s.DisableHTTP2 { + // At least 99% of serialized resources in surveyed clusters were smaller than 256kb. + // This should be big enough to accommodate most API POST requests in a single frame, + // and small enough to allow a per connection buffer of this size multiplied by `MaxConcurrentStreams`. + const resourceBody99Percentile = 256 * 1024 + + http2Options := &http2.Server{ + IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout + // shrink the per-stream buffer and max framesize from the 1MB default while still accommodating most API POST requests in a single frame + MaxUploadBufferPerStream: resourceBody99Percentile, + MaxReadFrameSize: resourceBody99Percentile, + } + + // use the overridden concurrent streams setting or make the default of 250 explicit so we can size MaxUploadBufferPerConnection appropriately + if s.HTTP2MaxStreamsPerConnection > 0 { + http2Options.MaxConcurrentStreams = uint32(s.HTTP2MaxStreamsPerConnection) + } else { + // match http2.initialMaxConcurrentStreams used by clients + // this makes it so that a malicious client can only open 400 streams before we forcibly close the connection + // https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd + http2Options.MaxConcurrentStreams = 100 + } + + // increase the connection buffer size from the 1MB default to handle the specified number of concurrent streams + http2Options.MaxUploadBufferPerConnection = http2Options.MaxUploadBufferPerStream * int32(http2Options.MaxConcurrentStreams) // apply settings to the server if err := http2.ConfigureServer(secureServer, http2Options); err != nil { return nil, nil, fmt.Errorf("error configuring http2: %v", err)