Disable HTTP/2 in Metric server

Disable HTTP/2 to avoid CVE HTTP/2 Rapid reset see https://issues.redhat.com/browse/ECOPROJECT-1739 Signed-off-by: Carlo Lobrano <[email protected]>
medik8s · Oct 20, 2023 · 2835be8 · 2835be8
1 parent 0b67dbc
commit 2835be8
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/main.go b/main.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"os"
@@ -76,8 +77,17 @@ func main() {
 
 	printVersion()
 
+	// Disable HTTP/2 support to avoid issues with CVE HTTP/2 Rapid Reset.
+	// Currently, the metrics server enables/disables HTTP/2 support only if SecureServing is enabled, which is not.
+	// Adding the disabling logic anyway to avoid future issues.
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling HTTP/2 support")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
 	metricsOpts := server.Options{
 		BindAddress: metricsAddr,
+		TLSOpts:     []func(*tls.Config){disableHTTP2},
 	}
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{