http2: trim connetions and buffers

Set max streams per connection to 100. Limit frame size and buffer to 256 kb. Limit connection buffer to 256 kb * 100.
ibihim · Oct 19, 2023 · ab150f0 · ab150f0
1 parent 7a0795e
commit ab150f0
Showing 1 changed file with 18 additions and 3 deletions.
diff --git a/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go b/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
@@ -135,6 +135,8 @@ type completedProxyRunOptions struct {
 	upstreamForceH2C bool
 	upstreamCABundle *x509.CertPool
 
+	http2Options *http2.Server
+
 	auth *proxy.Config
 	tls  *options.TLSConfig
 
@@ -251,6 +253,19 @@ func Complete(o *options.ProxyRunOptions) (*completedProxyRunOptions, error) {
 		return nil, fmt.Errorf("failed to instantiate Kubernetes client: %w", err)
 	}
 
+	// At least 99% of serialized resources in surveyed clusters were smaller than 256kb.
+	// This should be big enough to accommodate most API POST requests in a single frame,
+	// and small enough to allow a per connection buffer of this size multiplied by `MaxConcurrentStreams`.
+	// https://github.com/kubernetes/kubernetes/blob/c3809672aa7b437ee3be4e227c182f0ef5f5e2b9/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go#L175C1-L206
+	const resourceBody99Percentile = 256 * 1024
+	completed.http2Options = &http2.Server{
+		IdleTimeout:                  90 * time.Second,
+		MaxConcurrentStreams:         100,
+		MaxReadFrameSize:             resourceBody99Percentile,
+		MaxUploadBufferPerStream:     resourceBody99Percentile,
+		MaxUploadBufferPerConnection: resourceBody99Percentile * 100,
+	}
+
 	return completed, nil
 }
 
@@ -411,7 +426,7 @@ func Run(cfg *completedProxyRunOptions) error {
 			srv.TLSConfig.MinVersion = version
 			srv.TLSConfig.ClientAuth = tls.RequestClientCert
 
-			if err := http2.ConfigureServer(srv, nil); err != nil {
+			if err := http2.ConfigureServer(srv, cfg.http2Options); err != nil {
 				return fmt.Errorf("failed to configure http2 server: %w", err)
 			}
 
@@ -441,7 +456,7 @@ func Run(cfg *completedProxyRunOptions) error {
 					TLSConfig: srv.TLSConfig.Clone(),
 				}
 
-				if err := http2.ConfigureServer(proxyEndpointsSrv, nil); err != nil {
+				if err := http2.ConfigureServer(proxyEndpointsSrv, cfg.http2Options); err != nil {
 					return fmt.Errorf("failed to configure http2 server: %w", err)
 				}
 
@@ -472,7 +487,7 @@ func Run(cfg *completedProxyRunOptions) error {
 	}
 	{
 		if cfg.insecureListenAddress != "" {
-			srv := &http.Server{Handler: h2c.NewHandler(mux, &http2.Server{})}
+			srv := &http.Server{Handler: h2c.NewHandler(mux, cfg.http2Options)}
 
 			l, err := net.Listen("tcp", cfg.insecureListenAddress)
 			if err != nil {