Added flag to disable http/2

anshuman-agarwala · anshuman-agarwala · commit cc6dc28a6d43 · 2025-02-04T13:58:15.000+05:30
diff --git a/main.go b/main.go
@@ -19,6 +19,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"os"
@@ -62,6 +63,7 @@ var (
 	logOptions           = logs.NewOptions()
 	webhookPort          int
 	webhookCertDir       string
+	disableHTTP2         bool
 
 	scheme   = runtime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
@@ -130,6 +132,9 @@ func initFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
 		"The webhook certificate directory, where the server should find the TLS certificate and key.")
 
+	fs.BoolVar(&disableHTTP2, "disable-http2", true, "http/2 should be disabled due to its vulnerabilities. More specifically, disabling http/2 will"+
+		" prevent from being vulnerable to the HTTP/2 Stream Cancellation and Rapid Reset CVEs.")
+
 	logsv1.AddFlags(logOptions, fs)
 	flags.AddManagerOptions(fs, &managerOptions)
 }
@@ -199,6 +204,15 @@ func main() {
 		}
 	}
 
+	if disableHTTP2 {
+		metricsOptions.TLSOpts = append(metricsOptions.TLSOpts, func(c *tls.Config) {
+			setupLog.Info("disabling http/2")
+			c.NextProtos = []string{"http/1.1"}
+		})
+	} else {
+		setupLog.Info("WARNING: It is not recommended to enable http/2 due to https://github.com/kubernetes/kubernetes/issues/121197")
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:           scheme,
 		LeaderElection:   enableLeaderElection,
