Skip to content

release-1.24: Backport #5827 and #5850#5853

Merged
sunjayBhatia merged 3 commits intoprojectcontour:release-1.24from
sunjayBhatia:1.24-req-io-cycle
Oct 16, 2023
Merged

release-1.24: Backport #5827 and #5850#5853
sunjayBhatia merged 3 commits intoprojectcontour:release-1.24from
sunjayBhatia:1.24-req-io-cycle

Conversation

@sunjayBhatia
Copy link
Member

@sunjayBhatia sunjayBhatia commented Oct 13, 2023
edited
Loading

Commit messages:

An additional mitigation to CVE-2023-44487 available in Envoy 1.27.1. This change allows configuring the http.max_requests_per_io_cycle Envoy runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from others. The default is left as the existing behavior, that is no limit, so as not to impact existing valid traffic.

See the Envoy release notes for more information:
https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1

Adds a global Listener configuration field for admins to be able to
protect their installations of Contour/Envoy with a limit. Default is no
limit to ensure existing behavior is not impacted for valid traffic.
This field can be used for tuning resource usage or mitigated DOS
attacks like in CVE-2023-44487.

Also fixes omitempty tags on MaxRequestsPerIOCycle field.

@sunjayBhatia
Add configurability for HTTP requests per IO cycle (projectcontour#5827)
9d99d15 
An additional mitigation to CVE-2023-44487 available in Envoy 1.27.1.
This change allows configuring the http.max_requests_per_io_cycle Envoy
runtime setting via Contour configuration to allow administrators of
Contour to prevent abusive connections from starving resources from
others. The default is left as the existing behavior, that is no limit,
so as not to impact existing valid traffic.

See the Envoy release notes for more information:
https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
@sunjayBhatia sunjayBhatia added the release-note/none-required Marks a PR as not requiring a release note. Should only be used for very small changes. label Oct 13, 2023
@sunjayBhatia sunjayBhatia requested a review from a team as a code owner October 13, 2023 16:52
@sunjayBhatia sunjayBhatia requested review from skriss, stevesloka and tsaarni and removed request for a team October 13, 2023 16:52
@sunjayBhatia
HTTP/2 max concurrent streams can be configured (projectcontour#5850)
c78c69b 
Adds a global Listener configuration field for admins to be able to
protect their installations of Contour/Envoy with a limit. Default is no
limit to ensure existing behavior is not impacted for valid traffic.
This field can be used for tuning resource usage or mitigated DOS
attacks like in CVE-2023-44487.

Also fixes omitempty tags on MaxRequestsPerIOCycle field.

Fixes: projectcontour#5846

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
@sunjayBhatia sunjayBhatia changed the title release-1.24: Backport #5827 release-1.24: Backport #5827 and #5850 Oct 13, 2023
@sunjayBhatia
lint fix
357a4d7 
Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
@codecov
Copy link

codecov bot commented Oct 16, 2023

Codecov Report

Merging #5853 (357a4d7) into release-1.24 (4d50ef8) will increase coverage by 0.00%.
The diff coverage is 82.05%.

Additional details and impacted files

Impacted file tree graph

@@              Coverage Diff              @@
##           release-1.24    #5853   +/-   ##
=============================================
  Coverage         77.62%   77.62%           
=============================================
  Files               137      137           
  Lines             16883    16915   +32     
=============================================
+ Hits              13105    13131   +26     
- Misses             3524     3529    +5     
- Partials            254      255    +1
Files Coverage Δ
cmd/contour/servecontext.go 80.93% <100.00%> (+0.10%) ⬆️
internal/envoy/v3/listener.go 98.42% <100.00%> (+0.02%) ⬆️
internal/envoy/v3/runtime.go 100.00% <100.00%> (ø)
internal/xdscache/v3/listener.go 91.48% <100.00%> (+0.07%) ⬆️
internal/xdscache/v3/runtime.go 100.00% <100.00%> (ø)
pkg/config/parameters.go 86.14% <50.00%> (-0.84%) ⬇️
cmd/contour/serve.go 22.20% <0.00%> (-0.10%) ⬇️

@sunjayBhatia sunjayBhatia merged commit e86620a into projectcontour:release-1.24 Oct 16, 2023
@sunjayBhatia sunjayBhatia deleted the 1.24-req-io-cycle branch October 16, 2023 17:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tsaarni tsaarni tsaarni approved these changes

@stevesloka stevesloka Awaiting requested review from stevesloka stevesloka is a code owner automatically assigned from projectcontour/maintainers

@skriss skriss Awaiting requested review from skriss skriss is a code owner automatically assigned from projectcontour/maintainers

Assignees

No one assigned

Labels

release-note/none-required Marks a PR as not requiring a release note. Should only be used for very small changes.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sunjayBhatia @tsaarni