Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-1.24: Backport #5827 and #5850 #5853

Merged
merged 3 commits into from
Oct 16, 2023
Merged

release-1.24: Backport #5827 and #5850 #5853

merged 3 commits into from
Oct 16, 2023

Conversation

sunjayBhatia
Copy link
Member

@sunjayBhatia sunjayBhatia commented Oct 13, 2023
edited
Loading

Commit messages:

An additional mitigation to CVE-2023-44487 available in Envoy 1.27.1. This change allows configuring the http.max_requests_per_io_cycle Envoy runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from others. The default is left as the existing behavior, that is no limit, so as not to impact existing valid traffic.

See the Envoy release notes for more information:
https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1

Adds a global Listener configuration field for admins to be able to
protect their installations of Contour/Envoy with a limit. Default is no
limit to ensure existing behavior is not impacted for valid traffic.
This field can be used for tuning resource usage or mitigated DOS
attacks like in CVE-2023-44487.

Also fixes omitempty tags on MaxRequestsPerIOCycle field.

@sunjayBhatia
Add configurability for HTTP requests per IO cycle (projectcontour#5827)
9d99d15 
An additional mitigation to CVE-2023-44487 available in Envoy 1.27.1.
This change allows configuring the http.max_requests_per_io_cycle Envoy
runtime setting via Contour configuration to allow administrators of
Contour to prevent abusive connections from starving resources from
others. The default is left as the existing behavior, that is no limit,
so as not to impact existing valid traffic.

See the Envoy release notes for more information:
https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1

Signed-off-by: Sunjay Bhatia <[email protected]>
@sunjayBhatia sunjayBhatia added the release-note/none-required Marks a PR as not requiring a release note. Should only be used for very small changes. label Oct 13, 2023
@sunjayBhatia sunjayBhatia requested a review from a team as a code owner October 13, 2023 16:52
@sunjayBhatia sunjayBhatia requested review from stevesloka, skriss and tsaarni and removed request for a team October 13, 2023 16:52
@sunjayBhatia
HTTP/2 max concurrent streams can be configured (projectcontour#5850)
c78c69b 
Adds a global Listener configuration field for admins to be able to
protect their installations of Contour/Envoy with a limit. Default is no
limit to ensure existing behavior is not impacted for valid traffic.
This field can be used for tuning resource usage or mitigated DOS
attacks like in CVE-2023-44487.

Also fixes omitempty tags on MaxRequestsPerIOCycle field.

Fixes: projectcontour#5846

Signed-off-by: Sunjay Bhatia <[email protected]>
@sunjayBhatia sunjayBhatia changed the title release-1.24: Backport #5827 release-1.24: Backport #5827 and #5850 Oct 13, 2023
@sunjayBhatia
lint fix
357a4d7 
Signed-off-by: Sunjay Bhatia <[email protected]>
@codecov
Copy link

codecov bot commented Oct 16, 2023

Codecov Report

Merging #5853 (357a4d7) into release-1.24 (4d50ef8) will increase coverage by 0.00%.
The diff coverage is 82.05%.

Additional details and impacted files

Impacted file tree graph

@@              Coverage Diff              @@
##           release-1.24    #5853   +/-   ##
=============================================
  Coverage         77.62%   77.62%           
=============================================
  Files               137      137           
  Lines             16883    16915   +32     
=============================================
+ Hits              13105    13131   +26     
- Misses             3524     3529    +5     
- Partials            254      255    +1
Files Coverage Δ
cmd/contour/servecontext.go 80.93% <100.00%> (+0.10%) ⬆️
internal/envoy/v3/listener.go 98.42% <100.00%> (+0.02%) ⬆️
internal/envoy/v3/runtime.go 100.00% <100.00%> (ø)
internal/xdscache/v3/listener.go 91.48% <100.00%> (+0.07%) ⬆️
internal/xdscache/v3/runtime.go 100.00% <100.00%> (ø)
pkg/config/parameters.go 86.14% <50.00%> (-0.84%) ⬇️
cmd/contour/serve.go 22.20% <0.00%> (-0.10%) ⬇️

@sunjayBhatia sunjayBhatia merged commit e86620a into projectcontour:release-1.24 Oct 16, 2023
19 checks passed
@sunjayBhatia sunjayBhatia deleted the 1.24-req-io-cycle branch October 16, 2023 17:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tsaarni tsaarni tsaarni approved these changes

@stevesloka stevesloka Awaiting requested review from stevesloka stevesloka is a code owner automatically assigned from projectcontour/maintainers

@skriss skriss Awaiting requested review from skriss skriss is a code owner automatically assigned from projectcontour/maintainers

Assignees
No one assigned
Labels
release-note/none-required Marks a PR as not requiring a release note. Should only be used for very small changes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sunjayBhatia @tsaarni