Update kube-rbac-proxy to v0.15.0 #18984

Merged
merged 2 commits into from
Nov 6, 2023

aledbf
Member

@aledbf aledbf commented Oct 30, 2023

Description

Also disables HTTP2.
Changelog https://github.com/brancz/kube-rbac-proxy/releases/tag/v0.15.0

Summary generated by Copilot

🤖 Generated by Copilot at 2251e37

Update kube-rbac-proxy image and disable HTTP/2 support. This improves the security and compatibility of the proxy with the Kubernetes API server.

Preview status

Gitpod was successfully deployed to your preview environment.

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • with-integration-tests=workspace
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold

@aledbf aledbf marked this pull request as ready for review October 30, 2023 15:06
@aledbf aledbf requested a review from a team November 5, 2023 13:56
@@ -505,6 +505,7 @@ func KubeRBACProxyContainerWithConfig(ctx *RenderContext) *corev1.Container {
"--logtostderr",
fmt.Sprintf("--insecure-listen-address=[$(IP)]:%d", baseserver.BuiltinMetricsPort),
fmt.Sprintf("--upstream=http://127.0.0.1:%d/", baseserver.BuiltinMetricsPort),
"--http2-disable",
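
Review bot: the added "--http2-disable" argument carries no comment saying why HTTP/2 is turned off, so the rationale lives only in the review thread. Add a short comment above it in KubeRBACProxyContainerWithConfig stating that HTTP/2 is disabled deliberately and that no HTTP/2 feature is used on this listener, so a later cleanup of the argument list does not drop the flag. Because the flag arrives together with the kube-rbac-proxy image update and this hunk shows only the argument list, also confirm that every component rendering this container picks up the updated image along with the new argument.
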
Member

Why disable it?

Member Author

The last two releases are related to CVEs that exploit HTTP/2. Also, we don't need/use any HTTP/2 feature.

@roboquat roboquat merged commit 0fba511 into main Nov 6, 2023
15 checks passed
@roboquat roboquat deleted the aledbf/kube-rbac-proxy branch November 6, 2023 13:07