HTTP/2 max concurrent streams can be configured #5850
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds a global Listener configuration field for admins to be able to protect their installations of Contour/Envoy with a limit. Default is no limit to ensure existing behavior is not impacted for valid traffic. This field can be used for tuning resource usage or mitigated DOS attacks like in CVE-2023-44487. Also fixes omitempty tags on MaxRequestsPerIOCycle field. Fixes: projectcontour#5846 Signed-off-by: Sunjay Bhatia <[email protected]>
sunjayBhatia
added
the
release-note/minor
sunjayBhatia
requested review from
stevesloka and
skriss
and removed request for
a team
Signed-off-by: Sunjay Bhatia <[email protected]>
Signed-off-by: Sunjay Bhatia <[email protected]>
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #5850 +/- ##
==========================================
+ Coverage 78.52% 78.53% +0.01%
==========================================
Files 138 138
Lines 19311 19327 +16
==========================================
+ Hits 15164 15179 +15
- Misses 3855 3856 +1
Partials 292 292
|
|
thanks! lgtm |
sunjayBhatia
added a commit
to sunjayBhatia/contour
that referenced
this pull request
Oct 13, 2023
Adds a global Listener configuration field for admins to be able to protect their installations of Contour/Envoy with a limit. Default is no limit to ensure existing behavior is not impacted for valid traffic. This field can be used for tuning resource usage or mitigated DOS attacks like in CVE-2023-44487. Also fixes omitempty tags on MaxRequestsPerIOCycle field. Fixes: projectcontour#5846 Signed-off-by: Sunjay Bhatia <[email protected]>
sunjayBhatia
added a commit
to sunjayBhatia/contour
that referenced
this pull request
Oct 13, 2023
Adds a global Listener configuration field for admins to be able to protect their installations of Contour/Envoy with a limit. Default is no limit to ensure existing behavior is not impacted for valid traffic. This field can be used for tuning resource usage or mitigated DOS attacks like in CVE-2023-44487. Also fixes omitempty tags on MaxRequestsPerIOCycle field. Fixes: projectcontour#5846 Signed-off-by: Sunjay Bhatia <[email protected]>
sunjayBhatia
added a commit
to sunjayBhatia/contour
that referenced
this pull request
Oct 13, 2023
Adds a global Listener configuration field for admins to be able to protect their installations of Contour/Envoy with a limit. Default is no limit to ensure existing behavior is not impacted for valid traffic. This field can be used for tuning resource usage or mitigated DOS attacks like in CVE-2023-44487. Also fixes omitempty tags on MaxRequestsPerIOCycle field. Fixes: projectcontour#5846 Signed-off-by: Sunjay Bhatia <[email protected]>
sunjayBhatia
added a commit
that referenced
this pull request
Oct 16, 2023
* Add configurability for HTTP requests per IO cycle (#5827) An additional mitigation to CVE-2023-44487 available in Envoy 1.27.1. This change allows configuring the http.max_requests_per_io_cycle Envoy runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from others. The default is left as the existing behavior, that is no limit, so as not to impact existing valid traffic. See the Envoy release notes for more information: https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1 * HTTP/2 max concurrent streams can be configured (#5850) Adds a global Listener configuration field for admins to be able to protect their installations of Contour/Envoy with a limit. Default is no limit to ensure existing behavior is not impacted for valid traffic. This field can be used for tuning resource usage or mitigated DOS attacks like in CVE-2023-44487. Also fixes omitempty tags on MaxRequestsPerIOCycle field. Signed-off-by: Sunjay Bhatia <[email protected]>
sunjayBhatia
added a commit
that referenced
this pull request
Oct 16, 2023
* Add configurability for HTTP requests per IO cycle (#5827) An additional mitigation to CVE-2023-44487 available in Envoy 1.27.1. This change allows configuring the http.max_requests_per_io_cycle Envoy runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from others. The default is left as the existing behavior, that is no limit, so as not to impact existing valid traffic. See the Envoy release notes for more information: https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1 * HTTP/2 max concurrent streams can be configured (#5850) Adds a global Listener configuration field for admins to be able to protect their installations of Contour/Envoy with a limit. Default is no limit to ensure existing behavior is not impacted for valid traffic. This field can be used for tuning resource usage or mitigated DOS attacks like in CVE-2023-44487. Also fixes omitempty tags on MaxRequestsPerIOCycle field. Signed-off-by: Sunjay Bhatia <[email protected]>
sunjayBhatia
added a commit
that referenced
this pull request
Oct 16, 2023
* Add configurability for HTTP requests per IO cycle (#5827) An additional mitigation to CVE-2023-44487 available in Envoy 1.27.1. This change allows configuring the http.max_requests_per_io_cycle Envoy runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from others. The default is left as the existing behavior, that is no limit, so as not to impact existing valid traffic. See the Envoy release notes for more information: https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1 * HTTP/2 max concurrent streams can be configured (#5850) Adds a global Listener configuration field for admins to be able to protect their installations of Contour/Envoy with a limit. Default is no limit to ensure existing behavior is not impacted for valid traffic. This field can be used for tuning resource usage or mitigated DOS attacks like in CVE-2023-44487. Also fixes omitempty tags on MaxRequestsPerIOCycle field. Signed-off-by: Sunjay Bhatia <[email protected]>
yangyy93
added a commit
to projectsesame/contour
that referenced
this pull request
Oct 19, 2023
* provisioner: add field overloadMaxHeapSize for envoy (projectcontour#5699) * add field overloadMaxHeapSize Signed-off-by: yy <[email protected]> * add changelog Signed-off-by: yy <[email protected]> * update changelog and configuration.md Signed-off-by: yangyang <[email protected]> --------- Signed-off-by: yy <[email protected]> Signed-off-by: yangyang <[email protected]> * build(deps): bump sigs.k8s.io/gateway-api from 0.8.0 to 0.8.1 (projectcontour#5757) * build(deps): bump sigs.k8s.io/gateway-api from 0.8.0 to 0.8.1 Bumps [sigs.k8s.io/gateway-api](https://github.com/kubernetes-sigs/gateway-api) from 0.8.0 to 0.8.1. - [Release notes](https://github.com/kubernetes-sigs/gateway-api/releases) - [Changelog](https://github.com/kubernetes-sigs/gateway-api/blob/main/CHANGELOG.md) - [Commits](kubernetes-sigs/gateway-api@v0.8.0...v0.8.1) --- updated-dependencies: - dependency-name: sigs.k8s.io/gateway-api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * make generate Signed-off-by: Steve Kriss <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Steve Kriss <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Steve Kriss <[email protected]> * build(deps): bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 (projectcontour#5781) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.12.0...v2.12.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump google.golang.org/grpc from 1.58.1 to 1.58.2 (projectcontour#5780) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.1 to 1.58.2. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.58.1...v1.58.2) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/vektra/mockery/v2 from 2.33.2 to 2.34.0 (projectcontour#5779) Bumps [github.com/vektra/mockery/v2](https://github.com/vektra/mockery) from 2.33.2 to 2.34.0. - [Release notes](https://github.com/vektra/mockery/releases) - [Changelog](https://github.com/vektra/mockery/blob/master/docs/changelog.md) - [Commits](vektra/mockery@v2.33.2...v2.34.0) --- updated-dependencies: - dependency-name: github.com/vektra/mockery/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Setting `disabled = true` on a route should disable the virtual host global rate limit policy (projectcontour#5657) Support disabling global rate limiting on individual routes by setting disabled=true. Fixes projectcontour#5685. Signed-off-by: shadi-altarsha <[email protected]> * update Go to 1.21.1 (projectcontour#5783) Signed-off-by: Steve Kriss <[email protected]> * Fixup: Sort path matches based on length rather than lexi (projectcontour#5752) Since Envoy is greedy matching path routes, order is important. Contour decides to sort the routes in a way that is not really intuitive and can lead to suprises. In particular even tho the comment in the code state that routes are ordered based on legnth the reality is that they are sorted based on string comparison. This PR fixes this. * I think the current behaviour doesnt make much sense and it is a bit brittle. * Updating the behaviour has significant update risk since there might be folks that rely on this routing behaviour without really knowing it. * Should we even merge this PR? I am of two minds and I would like some input: 1. Option (1): Merge it as and make a clear changelog/announcement about the fix 2. Option (2): Create a config flag with a feature-flag e.g. `route_sorting_strategy` and switch the implementation to not do sorting when the flag is present. That way it allows folks to opt-out from the sorting as they need to. Longest path based matching kinda makes sense to me now that I know about it, but it is rough edge than needs users to be familiar with contour and it is harder to socialize in larger teams. Signed-off-by: Sotiris Nanopoulos <[email protected]> * build(deps): bump github.com/onsi/gomega from 1.27.10 to 1.28.0 (projectcontour#5792) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.27.10...v1.28.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/cert-manager/cert-manager (projectcontour#5791) Bumps [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) from 1.13.0 to 1.13.1. - [Release notes](https://github.com/cert-manager/cert-manager/releases) - [Commits](cert-manager/cert-manager@v1.13.0...v1.13.1) --- updated-dependencies: - dependency-name: github.com/cert-manager/cert-manager dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/vektra/mockery/v2 from 2.34.0 to 2.34.2 (projectcontour#5793) Bumps [github.com/vektra/mockery/v2](https://github.com/vektra/mockery) from 2.34.0 to 2.34.2. - [Release notes](https://github.com/vektra/mockery/releases) - [Changelog](https://github.com/vektra/mockery/blob/master/docs/changelog.md) - [Commits](vektra/mockery@v2.34.0...v2.34.2) --- updated-dependencies: - dependency-name: github.com/vektra/mockery/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/prometheus/client_golang (projectcontour#5790) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.16.0 to 1.17.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.16.0...v1.17.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * HTTPProxy: allow dynamic Host header rewrite (projectcontour#5678) Allows the Host header to be rewritten to the value of another header while forwarding the request to the upstream. This is possible at the route level only. Fixes projectcontour#5673. Signed-off-by: Clayton Gonsalves <[email protected]> * fix spelling errors (projectcontour#5798) Signed-off-by: Steve Kriss <[email protected]> * hack: bump codespell version to match GH action (projectcontour#5799) Signed-off-by: Steve Kriss <[email protected]> * gateway provisioner: add flags to enable running provisioner out of cluster (projectcontour#5686) Adds --incluster and --kubeconfig flags to the gateway provisioner to enable running outside of the cluster. Signed-off-by: gang.liu <[email protected]> * site: Bump Hugo to 0.119.0 (projectcontour#5795) - Also implement more consistent toml file indenting for readability - Asset optimization is deprecated by netlify, see: https://answers.netlify.com/t/please-read-deprecation-of-post-processing-asset-optimization/96657 Signed-off-by: Sunjay Bhatia <[email protected]> * internal/dag: default Listener ResolvedRefs to true (projectcontour#5804) Sets Gateway Listeners' ResolvedRefs condition to true by default, to pass updated conformance. Closes projectcontour#5648. Signed-off-by: Steve Kriss <[email protected]> * build(deps): bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 (projectcontour#5810) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.12.0 to 0.13.0. - [Commits](golang/oauth2@v0.12.0...v0.13.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/vektra/mockery/v2 from 2.34.2 to 2.35.2 (projectcontour#5809) Bumps [github.com/vektra/mockery/v2](https://github.com/vektra/mockery) from 2.34.2 to 2.35.2. - [Release notes](https://github.com/vektra/mockery/releases) - [Changelog](https://github.com/vektra/mockery/blob/master/docs/changelog.md) - [Commits](vektra/mockery@v2.34.2...v2.35.2) --- updated-dependencies: - dependency-name: github.com/vektra/mockery/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/prometheus/client_model (projectcontour#5811) Bumps [github.com/prometheus/client_model](https://github.com/prometheus/client_model) from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0. - [Release notes](https://github.com/prometheus/client_model/releases) - [Commits](https://github.com/prometheus/client_model/commits/v0.5.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_model dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * switch to github.com/distribution/parse (projectcontour#5818) Signed-off-by: Steve Kriss <[email protected]> * deps: Bump logrusr to v4.0.0 (projectcontour#5806) Fixes data races found in projectcontour#5805 Also remove testing around V().Info() logrusr has changed behavior since v3.0.0, it now tries to mimic logrus log levels with the V() level, see: bombsimon/logrusr@9f3fd50 In practice client-go checks if a certain verbosity level is enabled and initializes a different logger based on that and then uses Info(f) logs, rather than the V().Info() construction. This commit removes the testing of log lines written with V() guarding them and rather just tests the expected verbosity is enabled or not. Signed-off-by: Sunjay Bhatia <[email protected]> * wait for cache sync and DAG build before starting xDS server (projectcontour#5672) Prevents starting the XDS server and building the DAG until the cache is synced with the initial list of k8s objects and these events are processed by the event handler Signed-off-by: Ahmad Karimi <[email protected]> * internal/xdscache: Generate uuid for snapshot version (projectcontour#5819) Snapshotter had a data race reading/writing the snapshot version between threads. This version is not in practice used for the contour xDS server DiscoveryResponse versions but is in the go-control-plane version. Fixes: projectcontour#5482 Signed-off-by: Sunjay Bhatia <[email protected]> * Bump Envoy to 1.27.1 (projectcontour#5821) See release notes: https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1 Signed-off-by: Sunjay Bhatia <[email protected]> * build(deps): bump golang.org/x/net from 0.16.0 to 0.17.0 (projectcontour#5829) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0. - [Commits](golang/net@v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 (projectcontour#5833) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.2 to 1.58.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.58.2...v1.58.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 (projectcontour#5831) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.12.1...v2.13.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/vektra/mockery/v2 from 2.35.2 to 2.35.4 (projectcontour#5834) Bumps [github.com/vektra/mockery/v2](https://github.com/vektra/mockery) from 2.35.2 to 2.35.4. - [Release notes](https://github.com/vektra/mockery/releases) - [Changelog](https://github.com/vektra/mockery/blob/master/docs/changelog.md) - [Commits](vektra/mockery@v2.35.2...v2.35.4) --- updated-dependencies: - dependency-name: github.com/vektra/mockery/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (projectcontour#5832) Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](google/go-cmp@v0.5.9...v0.6.0) --- updated-dependencies: - dependency-name: github.com/google/go-cmp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump go to 1.21.3 (projectcontour#5841) Signed-off-by: Sunjay Bhatia <[email protected]> * Add configurability for HTTP requests per IO cycle (projectcontour#5827) An additional mitigation to CVE-2023-44487 available in Envoy 1.27.1. This change allows configuring the http.max_requests_per_io_cycle Envoy runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from others. The default is left as the existing behavior, that is no limit, so as not to impact existing valid traffic. See the Envoy release notes for more information: https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1 Signed-off-by: Sunjay Bhatia <[email protected]> * provisioner: fix envoy-max-heapsize not set (projectcontour#5814) * fix envoy-max-heapsize not set Signed-off-by: yangyang <[email protected]> * add ut Signed-off-by: yangyang <[email protected]> * update ut Signed-off-by: yangyang <[email protected]> --------- Signed-off-by: yangyang <[email protected]> * HTTP/2 max concurrent streams can be configured (projectcontour#5850) Adds a global Listener configuration field for admins to be able to protect their installations of Contour/Envoy with a limit. Default is no limit to ensure existing behavior is not impacted for valid traffic. This field can be used for tuning resource usage or mitigated DOS attacks like in CVE-2023-44487. Also fixes omitempty tags on MaxRequestsPerIOCycle field. Fixes: projectcontour#5846 Signed-off-by: Sunjay Bhatia <[email protected]> * Bump Envoy to v1.27.2 (projectcontour#5863) See release notes: https://www.envoyproxy.io/docs/envoy/v1.27.2/version_history/v1.27/v1.27.2 Signed-off-by: Sunjay Bhatia <[email protected]> * site: 1.26.1, 1.25.3, 1.24.6 patch releases (projectcontour#5859) Signed-off-by: Sunjay Bhatia <[email protected]> * test/e2e: Add race detection in e2e tests (projectcontour#5805) Compile contour binary with -race flag and look for "DATA RACE" in stderr. Fails test if found. Signed-off-by: Sunjay Bhatia <[email protected]> * golangci-lint: Fix revive rules (projectcontour#5857) When we enabled the use-any rule we disabled all the default rules that are run by revive (see: https://revive.run/docs#golangci-lint) This change grabs all the default rules from https://github.com/mgechev/revive/blob/master/defaults.toml and adds the use-any rule Also fixes outstanding lint issues Signed-off-by: Sunjay Bhatia <[email protected]> * crd/ContourDeployment: Add field 'podLabels' for contour (#2) * add pod labels field to contourDeployment --------- Signed-off-by: yy <[email protected]> Signed-off-by: yangyang <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Steve Kriss <[email protected]> Signed-off-by: shadi-altarsha <[email protected]> Signed-off-by: Sotiris Nanopoulos <[email protected]> Signed-off-by: Clayton Gonsalves <[email protected]> Signed-off-by: gang.liu <[email protected]> Signed-off-by: Sunjay Bhatia <[email protected]> Signed-off-by: Ahmad Karimi <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Steve Kriss <[email protected]> Co-authored-by: Shadi Altarsha <[email protected]> Co-authored-by: Sotiris Nanopoulos <[email protected]> Co-authored-by: Clayton Gonsalves <[email protected]> Co-authored-by: izturn <[email protected]> Co-authored-by: Sunjay Bhatia <[email protected]> Co-authored-by: Ahmad Karimi <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a global Listener configuration field for admins to be able to protect their installations of Contour/Envoy with a limit. Default is no limit to ensure existing behavior is not impacted for valid traffic. This field can be used for tuning resource usage or mitigating DOS attacks like in CVE-2023-44487.
Fixes: #5846