Merge branch 'main' into fix_external_prometheus

linkerd · Nov 1, 2023 · 1c66de7 · 1c66de7
2 parents 3f3280f + 141ffdf
commit 1c66de7
Show file tree

Hide file tree

Showing 23 changed files with 298 additions and 149 deletions.
diff --git a/linkerd.io/assets/scss/styles.scss b/linkerd.io/assets/scss/styles.scss
@@ -368,6 +368,14 @@
       .enterprise-support__entry-content {
         order: 1;
       }
+      .enterprise-support__entry-description {
+        > * {
+          margin-bottom: 24px;
+        }
+        > :last-child {
+          margin-bottom: 0;
+        }
+      }
       .enterprise-support__entry-image {
         order: 2;
       }

diff --git a/linkerd.io/content/2-edge/getting-started/_index.md b/linkerd.io/content/2-edge/getting-started/_index.md
@@ -25,10 +25,8 @@ Finally, you'll "mesh" a application by adding Linkerd's *data plane* to it.
 
 {{< note >}}
 This page contains quick start instructions intended for non-production
-installations. For production-oriented configurations, we suggest alternative
-approaches, such as the [Linkerd Production
-Toolkit](https://buoyant.io/linkerd/getting-started/) by Buoyant, which includes
-continuous monitoring, vulnerability alerts, and upgrade assistance for Linkerd.
+installations. For production-oriented configurations, we suggest reviewing
+resources in [Going to Production](/going-to-production/).
 {{< /note >}}
 
 ## Step 0: Setup

diff --git a/linkerd.io/content/2-edge/tasks/multicluster.md b/linkerd.io/content/2-edge/tasks/multicluster.md
@@ -106,7 +106,7 @@ With a valid trust anchor and issuer credentials, we can install Linkerd on your
 
 ```bash
 # first, install the Linkerd CRDs in both clusters
-linkerd install --crds |
+linkerd install --crds \
   | tee \
     >(kubectl --context=west apply -f -) \
     >(kubectl --context=east apply -f -)

diff --git a/linkerd.io/content/2.10/getting-started/_index.md b/linkerd.io/content/2.10/getting-started/_index.md
@@ -25,10 +25,8 @@ more of your own services by adding Linkerd's *data plane* to them.
 
 {{< note >}}
 This page contains quick start instructions intended for non-production
-installations. For production-oriented configurations, we suggest alternative
-approaches, such as the [Linkerd Production
-Toolkit](https://buoyant.io/linkerd/getting-started/) by Buoyant, which includes
-continuous monitoring, vulnerability alerts, and upgrade assistance for Linkerd.
+installations. For production-oriented configurations, we suggest reviewing
+resources in [Going to Production](/going-to-production/).
 {{< /note >}}
 
 ## Step 0: Setup

diff --git a/linkerd.io/content/2.11/getting-started/_index.md b/linkerd.io/content/2.11/getting-started/_index.md
@@ -25,10 +25,8 @@ Finally, you'll "mesh" a application by adding Linkerd's *data plane* to it.
 
 {{< note >}}
 This page contains quick start instructions intended for non-production
-installations. For production-oriented configurations, we suggest alternative
-approaches, such as the [Linkerd Production
-Toolkit](https://buoyant.io/linkerd/getting-started/) by Buoyant, which includes
-continuous monitoring, vulnerability alerts, and upgrade assistance for Linkerd.
+installations. For production-oriented configurations, we suggest reviewing
+resources in [Going to Production](/going-to-production/).
 {{< /note >}}
 
 ## Step 0: Setup

diff --git a/linkerd.io/content/2.12/getting-started/_index.md b/linkerd.io/content/2.12/getting-started/_index.md
@@ -25,10 +25,8 @@ Finally, you'll "mesh" a application by adding Linkerd's *data plane* to it.
 
 {{< note >}}
 This page contains quick start instructions intended for non-production
-installations. For production-oriented configurations, we suggest alternative
-approaches, such as the [Linkerd Production
-Toolkit](https://buoyant.io/linkerd/getting-started/) by Buoyant, which includes
-continuous monitoring, vulnerability alerts, and upgrade assistance for Linkerd.
+installations. For production-oriented configurations, we suggest reviewing
+resources in [Going to Production](/going-to-production/).
 {{< /note >}}
 
 ## Step 0: Setup

diff --git a/linkerd.io/content/2.12/tasks/multicluster.md b/linkerd.io/content/2.12/tasks/multicluster.md
@@ -106,7 +106,7 @@ With a valid trust anchor and issuer credentials, we can install Linkerd on your
 
 ```bash
 # first, install the Linkerd CRDs in both clusters
-linkerd install --crds |
+linkerd install --crds \
   | tee \
     >(kubectl --context=west apply -f -) \
     >(kubectl --context=east apply -f -)

diff --git a/linkerd.io/content/2.13/getting-started/_index.md b/linkerd.io/content/2.13/getting-started/_index.md
@@ -25,10 +25,8 @@ Finally, you'll "mesh" a application by adding Linkerd's *data plane* to it.
 
 {{< note >}}
 This page contains quick start instructions intended for non-production
-installations. For production-oriented configurations, we suggest alternative
-approaches, such as the [Linkerd Production
-Toolkit](https://buoyant.io/linkerd/getting-started/) by Buoyant, which includes
-continuous monitoring, vulnerability alerts, and upgrade assistance for Linkerd.
+installations. For production-oriented configurations, we suggest reviewing
+resources in [Going to Production](/going-to-production/).
 {{< /note >}}
 
 ## Step 0: Setup

diff --git a/linkerd.io/content/2.13/tasks/multicluster.md b/linkerd.io/content/2.13/tasks/multicluster.md
@@ -106,7 +106,7 @@ With a valid trust anchor and issuer credentials, we can install Linkerd on your
 
 ```bash
 # first, install the Linkerd CRDs in both clusters
-linkerd install --crds |
+linkerd install --crds \
   | tee \
     >(kubectl --context=west apply -f -) \
     >(kubectl --context=east apply -f -)

diff --git a/linkerd.io/content/2.14/getting-started/_index.md b/linkerd.io/content/2.14/getting-started/_index.md
@@ -25,10 +25,8 @@ Finally, you'll "mesh" a application by adding Linkerd's *data plane* to it.
 
 {{< note >}}
 This page contains quick start instructions intended for non-production
-installations. For production-oriented configurations, we suggest alternative
-approaches, such as the [Linkerd Production
-Toolkit](https://buoyant.io/linkerd/getting-started/) by Buoyant, which includes
-continuous monitoring, vulnerability alerts, and upgrade assistance for Linkerd.
+installations. For production-oriented configurations, we suggest reviewing
+resources in [Going to Production](/going-to-production/).
 {{< /note >}}
 
 ## Step 0: Setup
@@ -71,7 +69,11 @@ To install the CLI manually, run:
 curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
-Be sure to follow the instructions to add it to your path.
+Be sure to follow the instructions to add it to your path:
+
+```bash
+export PATH=$HOME/.linkerd2/bin:$PATH
+```
 
 (Alternatively, if you use [Homebrew](https://brew.sh), you can install the CLI
 with `brew install linkerd`. You can also download the CLI directly via the

diff --git a/linkerd.io/content/2.14/tasks/multicluster.md b/linkerd.io/content/2.14/tasks/multicluster.md
@@ -106,7 +106,7 @@ With a valid trust anchor and issuer credentials, we can install Linkerd on your
 
 ```bash
 # first, install the Linkerd CRDs in both clusters
-linkerd install --crds |
+linkerd install --crds \
   | tee \
     >(kubectl --context=west apply -f -) \
     >(kubectl --context=east apply -f -)

diff --git a/linkerd.io/content/2.9/getting-started/_index.md b/linkerd.io/content/2.9/getting-started/_index.md
@@ -25,10 +25,8 @@ more services by adding the *data plane* proxies. (See the
 
 {{< note >}}
 This page contains quick start instructions intended for non-production
-installations. For production-oriented configurations, we suggest alternative
-approaches, such as the [Linkerd Production
-Toolkit](https://buoyant.io/linkerd/getting-started/) by Buoyant, which includes
-continuous monitoring, vulnerability alerts, and upgrade assistance for Linkerd.
+installations. For production-oriented configurations, we suggest reviewing
+resources in [Going to Production](/going-to-production/).
 {{< /note >}}
 
 ## Step 0: Setup

diff --git a/linkerd.io/content/blog/2023/1011-cve-2023-44487.md b/linkerd.io/content/blog/2023/1011-cve-2023-44487.md
@@ -0,0 +1,130 @@
+---
+title: 'How Linkerd became resilient to CVE-2023-44487, a HTTP/2 DDOS vulnerability, six months prior to its disclosure'
+author: 'william'
+date: 2023-10-12T00:00:00+00:00
+thumbnail: /images/djim-loic-ft0-Xu4nTvA-unsplash.jpg
+draft: false
+featured: false
+slug: linkerd-cve-2023-44487
+tags: [Linkerd]
+---
+
+![A fast-moving clock](/images/djim-loic-ft0-Xu4nTvA-unsplash.jpg)
+
+Yesterday, [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487), a
+DDOS vulnerability in many HTTP/2 implementations, was disclosed. This is a very
+interesting attack involving the specifics of how HTTP/2 multiplexes concurrent
+requests on the same TCP connection, and there are several great writeups on how
+it works—see e.g. Cloudflare's [HTTP/2 Rapid Reset: deconstructing the
+record-breaking
+attack](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)
+and Google's [How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS
+attack](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)
+for details of how this attack works and the consequences.
+
+We're happy to report that due to Linkerd's internal security policies and the
+security-awareness and rapid response of the Rust community, all recent versions
+of Linkerd are resilient to this class of DDOS attack. In fact, Linkerd has been
+resilient to these attacks since April of this year!
+
+Specifically, versions of Linkerd that are resilient to CVE-2023-44487 include:
+
+* All versions of Linkerd 2.14.x
+* Linkerd 2.13.1 and all later minor versions of Linkerd 2.13
+* Linkerd 2.12.5 and all later minor versions of Linkerd 2.12
+
+Linkerd solved this vulnerability 6 months ago thanks in part to our dependency
+handling procedures, but mostly thanks to the the security-mindedness of the
+Rust community.
+
+Let's see just how this feat happened.
+
+## Linkerd is a security-first project
+
+It's no understatement to say that Linkerd treats security as a critical
+requirement. Organizations around the world rely on Linkerd for everything from
+protecting sensitive customer medical and financial data, to scheduling COVID
+tests, to building 911 call centers. For some people, Linkerd is quite literally
+a life-or-death project.
+
+Part of that approach is the choice of technologies like Rust, of course, which
+allow us to avoid an entire class of buffer overflow exploits and other
+vulnerabilities that are [endemic to languages like C and
+C++](https://www.zdnet.com/article/chrome-70-of-all-security-bugs-are-memory-safety-issues/).
+
+But another, just as important part is simply how seriously the project takes
+potential security vulnerabilities. Tracing the path to resolution for
+CVE-2023-44487 is a great example of that. Here's how it happened:
+
+This issue was first tracked as a vulnerability in the Rust community as
+[RUSTSEC-2023-0034](https://rustsec.org/advisories/RUSTSEC-2023-0034.html) on
+April 14, 2023. At that point it had actually [already been fixed in
+`h2`](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected),
+the underlying library that Linkerd uses to handle HTTP/2 requests, as a change
+that had gone out [on April 12th, two days
+earlier](https://github.com/hyperium/h2/pull/668).
+
+The fix was published in [`h2`
+v0.3.17](https://rustsec.org/advisories/RUSTSEC-2023-0034.html). Linkerd
+automatically flagged that dependency [on April
+13th](https://github.com/linkerd/linkerd2-proxy/commit/67306bc7ba19286352762362e4e1876ce5924442)
+through [GitHub's Dependabot](https://github.com/dependabot), the automated
+dependency tool that Linkerd uses to ensure it stays up-to-date with critical
+dependencies. The Linkerd team published the update as [proxy release
+v2.198.1](https://github.com/linkerd/linkerd2-proxy/releases/tag/release%2Fv2.198.1).
+
+On April 13th, this new proxy version [was pulled into the main Linkerd
+repo](https://github.com/linkerd/linkerd2/commit/19a404fd196e251e969ac6c4a552a3c7af698dc5).
+On April 14th, we pushed it to [Linkerd
+2.13.1](https://github.com/linkerd/linkerd2/releases/tag/stable-2.13.1)—two days
+after the underlying fix in `h2`, and the same day it was recognized as an
+vulnerability in the Rust ecosystem. The fix also went out on
+[edge-23.4.2](https://github.com/linkerd/linkerd2/releases/tag/edge-23.4.2) on
+April 21st, and from there it was in all future and stable releases.
+
+In short: **two days after the fix was made in the underlying Rust HTTP/2 library,
+it was already in the hands of Linkerd users as a stable release, and all
+Linkerd releases since April have been protected against this vulnerability.**
+While this vulnerability is making the news this week, Linkerd adopters have
+been protected for almost 6 months.
+
+## h2, hyper, and more
+
+But what is `h2` anyways? The [h2](https://github.com/hyperium/h2) library and
+its companion [hyper](https://hyper.rs/) are two of the foundational libraries
+that Linkerd uses to handle HTTP/2 requests in the proxy. HTTP/2 is used
+extensively by Linkerd: not only does Linkerd proxy application-initiated HTTP/2
+and gRPC (which uses HTTP/2) requests, Linkerd also transparently upgrades all
+HTTP/1 communication in between two meshed pods to HTTP/2! This is part of
+Linkerd's magic: by using `h2`, we can can dramatically reduce TCP connection
+usage and improve performance and resiliency for inter-service HTTP traffic
+without the application needing to do anything.
+
+Like much of the Rust async networking stack, these libraries represent the
+pinnacle of modern network programming. The Linkerd team has been heavily
+involved in `h2` for years. [Buoyant](https://buoyant.io), the primary sponsor
+of Linkerd, also sponsored significant portions of h2 development, and Linkerd
+maintainers occupy the third and fourth spots on the [`h2` contributor
+leaderboard](https://github.com/hyperium/h2/graphs/contributors).
+
+But ultimately it is to the credit of `h2` maintainer Sean McArthur that
+[CVE-2023-44487 was addressed six months
+ago](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected),
+allowing Linkerd to maintain its commitment to security and simplicity for its
+users everywhere around the globe. A heartfelt thanks to you, Sean.
+
+## Linkerd is for everyone
+
+Linkerd is a graduated project of the [Cloud Native Computing
+Foundation](https://cncf.io/). Linkerd is [committed to open
+governance.](/2019/10/03/linkerds-commitment-to-open-governance/) If you have
+feature requests, questions, or comments, we'd love to have you join our
+rapidly-growing community! Linkerd is hosted on
+[GitHub](https://github.com/linkerd/), and we have a thriving community on
+[Slack](https://slack.linkerd.io/), [Twitter](https://twitter.com/linkerd), and
+the [mailing lists](/community/get-involved/). Come and join the fun!
+
+(Photo by [Djim
+Loic](https://unsplash.com/@loic?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash)
+on
+[Unsplash](https://unsplash.com/photos/ft0-Xu4nTvA?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash).)
diff --git a/linkerd.io/content/blog/_index.md b/linkerd.io/content/blog/_index.md
@@ -7,7 +7,7 @@ tags:
   - Tutorials &amp; How-To's
   - Video
 items:
-  - blog/2023/0912-linkerd-214
+  - blog/2023/1011-cve-2023-44487.md
   - blog/2023/0720-flat-networks.md
 description: Read the latest blog posts covering the Linkerd service mesh, from technical tutorials to announcements to what’s next on the roadmap.
 keywords: []

diff --git a/linkerd.io/content/blog/linkerd-hero-march.md b/linkerd.io/content/blog/linkerd-hero-march.md
@@ -11,7 +11,8 @@ tags:
 keywords: [hero]
 ---
 
-We are excited to announce that this month's Linkerd Hero is Naveen Nalam.
+We are excited to announce that this month's Linkerd Hero is
+[Naveen Nalam](https://www.linkedin.com/in/nnalam/).
 Congrats, Naveen!
 
 ## What are Linkerd Heroes?