Monis Khan
800a8eaba7
Prevent rapid reset http2 DOS on API server
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.
The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.
For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections. They can use http2, but with the performance of http1
(with keep-alive disabled).
Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default). For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection). An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.
For all other clients, we rely on the golang.org/x/net fix in
b225e7ca6d
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.
The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default). This lowers the abuse
limit from 1000 to 400.
Signed-off-by: Monis Khan <mok@microsoft.com>
2023-10-12 16:54:07 -04:00
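The per-request mechanism that commit message describes, as an added example written for this page rather than the Kubernetes change itself: a handler wrapper that marks every unauthenticated response with `Connection: close`, which Go's HTTP/1.1 server turns into "no keep-alive" and Go's HTTP/2 server turns into a GOAWAY after the response, so the client gets http2 framing but one request per connection. The bearer-token check stands in for the real authentication filter, the `mitigationEnabled` flag stands in for the feature gate, and the token value and URL are constructed for the test; none of those names come from the project.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// validToken is a constructed test credential standing in for whatever the
// server's authenticators would accept; it is not a real token format.
const validToken = "Bearer constructed-test-token"

// isAuthenticated is a stand-in for the API server's authentication filter.
func isAuthenticated(r *http.Request) bool {
	return r.Header.Get("Authorization") == validToken
}

// withUnauthenticatedConnectionClose answers every request that did not
// authenticate (a 401, or one that falls through as the anonymous user) with a
// "Connection: close" response header. net/http honours that on both
// protocols: HTTP/1.1 keep-alive is disabled for the connection, and the
// HTTP/2 server strips the header from the wire (RFC 7540 forbids it) and
// instead sends GOAWAY and tears the connection down once it is idle. The
// client may still speak HTTP/2, but gets one request per connection, so it
// cannot hold a multiplexed connection open to flood with HEADERS/RST_STREAM
// pairs. mitigationEnabled models the feature gate from the commit message.
func withUnauthenticatedConnectionClose(next http.Handler, mitigationEnabled bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if mitigationEnabled && !isAuthenticated(r) {
			w.Header().Set("Connection", "close")
		}
		next.ServeHTTP(w, r)
	})
}

// backend is a minimal protected resource: authenticated callers get 200,
// everyone else 401. Whether anonymous callers are rejected or let through is
// an authorization decision; either way the wrapper has already marked their
// connection for closure before the backend runs.
var backend = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if !isAuthenticated(r) {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprintln(w, "ok")
})

// probe runs one in-memory request through the wrapped handler and reports the
// status code and whether the response asked to close the connection.
func probe(authorization string, mitigationEnabled bool) (status int, connectionClose bool) {
	h := withUnauthenticatedConnectionClose(backend, mitigationEnabled)
	req := httptest.NewRequest(http.MethodGet, "/api/v1/namespaces", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Connection") == "close"
}

func main() {
	cases := []struct {
		name string
		auth string
		gate bool
	}{
		{"unauthenticated, gate on", "", true},
		{"authenticated, gate on", validToken, true},
		{"unauthenticated, gate off", "", false},
	}
	for _, c := range cases {
		status, closeConn := probe(c.auth, c.gate)
		fmt.Printf("%-28s status=%d connection-close=%v\n", c.name, status, closeConn)
	}
	// To serve this for real, wrap the server's top-level handler with
	// withUnauthenticatedConnectionClose. The stream cap mentioned in the
	// commit message is a separate knob: MaxConcurrentStreams on the
	// http2.Server from golang.org/x/net/http2, which this stdlib-only example
	// does not import.
}
```

Before enabling this in front of an L7 load balancer, check how the balancer pools backend connections: if it multiplexes many client connections onto one upstream HTTP/2 connection, an unauthenticated request will cause a GOAWAY on that shared connection and every client riding it pays the reconnect cost, which is the regression the feature gate exists to avoid.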
Kubernetes Prow Robot
7ee2af5cc5
Merge pull request #121117 from MadhavJivrajani/bump-x-net
[CVE-2023-39325] .: bump golang.org/x/net to v0.17.0
2023-10-10 20:59:46 +02:00
Madhav Jivrajani
fc7c951d5a
.: bump golang.org/x/net to v0.17.0
Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
2023-10-10 23:07:19 +05:30
Kubernetes Prow Robot
87611b10db
Merge pull request #121072 from danwinship/kube-proxy-unit-tests
Fix regression in cmd/kube-proxy/app unit test speed
2023-10-10 19:07:16 +02:00
Kubernetes Prow Robot
46c307868f
Merge pull request #119176 from carlory/fix-118893-2
nodeports: scheduler queueing hints
2023-10-10 19:07:07 +02:00
Kubernetes Prow Robot
a6b8954de1
Merge pull request #120868 from pohly/dra-helper-name-lookup
k8s.io/dynamic-resource-allocation: fix compatibility with Kubernetes 1.27
2023-10-10 17:59:50 +02:00
Kubernetes Prow Robot
755644a169
Merge pull request #121082 from pohly/ginkgo-gomega-update
dependencies: ginkgo v2.13.0, gomega v1.28.0
2023-10-10 15:50:41 +02:00
Kubernetes Prow Robot
09edfe4ebb
Merge pull request #121067 from carlory/cleanup-e2enode-framework-equal
e2e_node: stop using deprecated framework.ExpectEqual
2023-10-10 14:44:55 +02:00
Kubernetes Prow Robot
38c6bd810f
Merge pull request #120871 from pohly/dra-unsuitable-nodes-selected-node
k8s.io/dynamic-resource-allocation: fix potential scheduling deadlock
2023-10-10 14:44:46 +02:00
Kubernetes Prow Robot
4a92b00db9
Merge pull request #121064 from carlory/cleanup-e2e-apimachinery-framework-equal
e2e_apimachinery: stop using deprecated framework.ExpectEqual
2023-10-10 13:33:02 +02:00
Kubernetes Prow Robot
4b9e15e0fe
Merge pull request #120873 from pohly/dra-e2e-test-driver-enhancements
e2e dra: enhance test driver
2023-10-10 13:32:55 +02:00
Kubernetes Prow Robot
69c3b23abd
Merge pull request #121101 from pohly/golangci-lint-scripts
hack: fix update of golangci-lint verify scripts
2023-10-10 11:19:47 +02:00
Patrick Ohly
f538be659c
hack: fix update of golangci-lint verify scripts
b190ea0c9
accidentally enabled verify-golangci-lint-pr-hints.sh (non-blocking!)
in the normal "make verify" (blocking!).
2023-10-10 09:03:20 +02:00
Kubernetes Prow Robot
e4d473cd00
Merge pull request #121086 from pohly/golangci-lint-scripts
hack: update golangci-lint verify scripts
2023-10-09 22:54:29 +02:00
Kubernetes Prow Robot
e1788034c6
Merge pull request #120046 from chansuke/feature/update-the-function-to-get-nodes
Optimize test for scalability by using `GetBoundedReadySchedulableNodes()`
2023-10-09 21:44:21 +02:00
Kubernetes Prow Robot
46860a27cc
Merge pull request #119443 from SataQiu/fix-kubectl-20230719
kubectl: ensure '--duration' is positive for 'kubectl create token' command
2023-10-09 21:44:12 +02:00
Kubernetes Prow Robot
2b5d2cf910
Merge pull request #120338 from pohly/dra-helper-unsuitablenodes-fix
dra helper: skip allocated claims during UnsuitableNodes calculation
2023-10-09 20:32:58 +02:00
Kubernetes Prow Robot
e224fc75ca
Merge pull request #116885 from mengjiao-liu/contextual-logging-scheduler-plugin-examples
Migrated `pkg/scheduler/framework/plugins/examples/` to use contextual logging
2023-10-09 20:32:46 +02:00
Patrick Ohly
b190ea0c96
hack: update golangci-lint verify scripts
Instead of invoking verify-golangci-lint.sh directly from Prow jobs,
those Prow jobs should use "make verify WHAT=...". The advantage is
that the common code for running verify targets will be used, which
includes producing JUnit files.
Providing simple wrappers for strict linting of PRs (=
verify-golangci-lint-pr.sh) and even stricter linting of PRs with hints
enabled (= verify-golangci-lint-pr-hints.sh) enables those WHAT targets.
2023-10-09 20:14:47 +02:00
Patrick Ohly
79355caa56
dependencies: ginkgo v2.13.0, gomega v1.28.0
Besides simply staying up-to-date, ginkgo v2.13.0 adds a `PreviewSpecs` which
will be used for introspection of the E2E test suites.
2023-10-09 19:27:06 +02:00
Kubernetes Prow Robot
246aba8912
Merge pull request #121073 from cpanato/update-distroless-ip
Bump distroless-iptables to v0.3.3
2023-10-09 17:58:58 +02:00
Kubernetes Prow Robot
57d3cc6605
Merge pull request #121054 from SataQiu/clean-crisocket-20231008
kubeadm: clean up unnecessary references to UnknownCRISocket
2023-10-09 15:37:35 +02:00
Kubernetes Prow Robot
59424358cc
Merge pull request #121071 from cpanato/update-bot
Update publishing-bot rules for active release branches that use go1.20 to Go 1.20.9
2023-10-09 13:23:43 +02:00
cpanato
a6b0a6c484
Bump distroless-iptables to v0.3.3
Signed-off-by: cpanato <ctadeu@gmail.com>
2023-10-09 13:18:46 +02:00
Dan Winship
f3c786cbda
Fix regression in cmd/kube-proxy/app unit test speed
2023-10-09 07:08:22 -04:00
cpanato
e86e756c27
Update publishing-bot rules for active release branches that use go1.20 to Go 1.20.9
Signed-off-by: cpanato <ctadeu@gmail.com>
2023-10-09 11:38:01 +02:00
carlory
d5d7fb595e
e2e_node: stop using deprecated framework.ExpectEqual
2023-10-09 16:42:42 +08:00
carlory
5f74461bcd
e2e_apimachinery: stop using deprecated framework.ExpectEqual
2023-10-09 15:44:20 +08:00
Mengjiao Liu
9cca527c4b
Migrated pkg/scheduler/framework/plugins/examples/ to use contextual logging
2023-10-09 11:43:17 +08:00
Kubernetes Prow Robot
cdc026fad1
Merge pull request #119915 from AxeZhan/rollout_e2e
Add a kubectl rollout undo e2e test
2023-10-09 04:53:29 +02:00
Kubernetes Prow Robot
3fc8c32425
Merge pull request #121051 from carlory/cleanup-e2e-apps-framework-equal
fix incorrect Consistently due to missing assignment when creating a newAsyncAssertion
2023-10-08 21:53:52 +02:00
SataQiu
c3bf541ede
kubeadm: clean up unnecessary references to UnknownCRISocket
2023-10-08 16:57:45 +08:00
carlory
bb02d0feba
fix incorrect Consistently due to missing assignment when creating a newAsyncAssertion
2023-10-08 13:23:46 +08:00
Kubernetes Prow Robot
10827a193a
Merge pull request #121045 from my-git9/fixetcdutk
kubeadm: fix wrong ut for util/etcd
2023-10-08 07:03:01 +02:00
Kubernetes Prow Robot
4b2225701e
Merge pull request #120819 from fusida/fix-master-e2e
e2e: set liveness probe timeout seconds for conformance test
2023-10-08 07:02:52 +02:00
Kubernetes Prow Robot
d3559bf77f
Merge pull request #120595 from jsafrane/fix-detach-uncertain
Mark a volume as uncertain-attached after detach error
2023-10-08 05:54:01 +02:00
Kubernetes Prow Robot
c486a08b41
Merge pull request #119735 from akankshapanse/fix_kubelet_target_dir_issue
Do not fail volume attach or publish operation at kubelet if target path directory already exists on the node.
2023-10-08 05:53:48 +02:00
carlory
7cba35f651
nodeports: scheduler queueing hints
Co-authored-by: Kensei Nakada <handbomusic@gmail.com>
Co-authored-by: Aldo Culquicondor <1299064+alculquicondor@users.noreply.github.com>
2023-10-08 11:34:43 +08:00
Kubernetes Prow Robot
b74e286dc9
Merge pull request #120925 from bzsuni/cleanup/sets/scheduler
use generic sets in scheduler
2023-10-07 19:07:31 +02:00
xin.li
20db4ef3d6
kubeadm: fix wrong ut for util/etcd
Signed-off-by: xin.li <xin.li@daocloud.io>
2023-10-07 21:57:20 +08:00
Kubernetes Prow Robot
0554675d78
Merge pull request #121020 from chendave/set_opt
kubeadm: Optimize the logic to override the arguments
2023-10-07 11:58:31 +02:00
Kubernetes Prow Robot
bb06804e52
Merge pull request #120828 from SataQiu/fix-kubeadm-cri-20230922
kubeadm: fix the bug that kubeadm always does CRI detection when --config is passed even if it is not required by the subcommand
2023-10-07 11:58:22 +02:00
SataQiu
4a8267f26b
kubectl: ensure '--duration' is positive for 'kubectl create token' command
2023-10-07 11:19:33 +08:00
Kubernetes Prow Robot
fc479f41b3
Merge pull request #121028 from aojea/external_node
kubelet: cloud-provider external addresses
2023-10-07 03:03:01 +02:00
Kubernetes Prow Robot
9bea6bda05
Merge pull request #121021 from cpanato/update-go-1212
[go] Bump images, dependencies and versions to go 1.21.2
2023-10-06 22:34:58 +02:00
Kubernetes Prow Robot
e339e03ff8
Merge pull request #120814 from Jefftree/fix-openapiv2-aggregator-apiservice
Fix AddUpdateAPIService for openapiv2
2023-10-06 21:21:32 +02:00
Kubernetes Prow Robot
0f16895f50
Merge pull request #121015 from Lukasz-AWS/add-hpa-object-type-nil-check
Add nil checks for hpa object target type values
2023-10-06 19:20:23 +02:00
Kubernetes Prow Robot
9af7096c89
Merge pull request #120968 from borg-land/remove-kubeup-tests-1
Remove an e2e test specific to kubeup clusters - Part One
2023-10-06 19:20:11 +02:00
Jefftree
89adbb4b4a
Unit & integration tests for OpenAPIV2 AddUpdateAPIService
2023-10-06 12:57:57 -04:00
Jefftree
83fb504e46
Fix 120878 - Refactor cacheabledownloader so handler can be updated and fix AddUpdateAPIService to update handler
2023-10-06 12:57:56 -04:00