UPSTREAM: 484: Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks (#484)

camilamacedo86 · camilamacedo86 · commit 4f2ccfb29669 · 2025-01-09T17:31:08.000Z
Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with: - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3) - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8) While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: kubernetes/kubernetes#121197 Signed-off-by: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com>
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -159,13 +159,22 @@ func main() {
 		log.Fatalf("Failed to initialize certificate watcher: %v", err)
 	}
 
+	tlsOpts := func(config *tls.Config) {
+		config.GetCertificate = cw.GetCertificate
+		// Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with:
+		// - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3)
+		// - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8)
+		// While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks.
+		// For details, see: https://github.com/kubernetes/kubernetes/issues/121197
+		setupLog.Info("disabling http/2")
+		config.NextProtos = []string{"http/1.1"}
+	}
+
 	// Create webhook server and configure TLS
 	webhookServer := crwebhook.NewServer(crwebhook.Options{
 		Port: webhookPort,
 		TLSOpts: []func(*tls.Config){
-			func(cfg *tls.Config) {
-				cfg.GetCertificate = cw.GetCertificate
-			},
+			tlsOpts,
 		},
 	})
 
