Loading...

XML

Word

Printable

Type: Bug
Resolution: Won't Do
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.13, 4.12, 4.14
Component/s: HyperShift
Labels:
- triaged

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Moderate
Regression:
No

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Setting --goaway-chance=0.001 helps to mitigate authenticated HTTP/2 DoS attacks on the kube apiserver. This is similar to how the `UnauthenticatedHTTP2DOSMitigation` feature flag helps to mitigated unauthenticated attacks. This flag is currently not configurable and set to 0.

Version-Release number of selected component (if applicable):

All releases

How reproducible:

Steps to Reproduce:

1. git clone git@github.com:secengjeff/rapidresetclient.git
2. cd rapidresetclient
3. go build -o rapidresetclient
4. BASE_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
5. ./rapidresetclient -url "${BASE_URL}/livez/ping" -wait=100 -delay=10 -requests=10000 -concurrency=100

Actual results:

Runs forever

Expected results:

Eventually hits broken pipe errors

Additional info:

links to

openshift/hypershift#6019: OCPBUGS-23177: Add annotation to configure KAS goaway-chance

Assignee:: Seth Jennings

Reporter:: Bryan Jones (Inactive)

Need Info From:: None

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2023/11/10 9:31 PM

Updated:: 2025/07/24 11:42 PM

Resolved:: 2024/07/01 7:08 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates