Merge pull request #129538 from hzxuzhonghu/http2-clean

Cleanup: only initiate http2 server options when http2 is not disabled Kubernetes-commit: 2c9153576ec0eef9dfb4acac591874a71ff72cbb
2025-01-19 21:02:36 -08:00 · 2025-01-19 21:02:36 -08:00 · 6885e995e1
parent 0e1bb963f7 29de537bfa
commit 6885e995e1
3 changed files with 27 additions and 29 deletions
--- a/go.mod
+++ b/go.mod
@ -51,7 +51,7 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/square/go-jose.v2 v2.6.0
-	k8s.io/api v0.0.0-20250117041913-f4eb4916eca6
+	k8s.io/api v0.0.0-20250117201903-3bed2589d43a
 	k8s.io/apimachinery v0.0.0-20250117041610-45d29dc4d66f
 	k8s.io/client-go v0.0.0-20250116202332-9897373fe634
 	k8s.io/component-base v0.0.0-20250115203345-3fc0045268f4
--- a/go.sum
+++ b/go.sum
@ -361,8 +361,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.0.0-20250117041913-f4eb4916eca6 h1:GIjInra4+qQVg/Wn4BSur8iYQIZuhWCUbGkFsP9Z6Rg=
+k8s.io/api v0.0.0-20250117201903-3bed2589d43a h1:U5ELuHIj+ewCrRs1t07FA4dqy6VOUAgUwBoC05dRcwQ=
-k8s.io/api v0.0.0-20250117041913-f4eb4916eca6/go.mod h1:debU0NKc4t7H1OiSdtzEC/umfsIhOOg4Dz5YA0rfpTo=
+k8s.io/api v0.0.0-20250117201903-3bed2589d43a/go.mod h1:YGB38orWxSXzMXdSPGWLOwrcumsaTbYPKy3dnT0HbRs=
 k8s.io/apimachinery v0.0.0-20250117041610-45d29dc4d66f h1:kdbiV3iKvyIwzB+22TrgOu/F7Tkl3xTFpburE5oKTHU=
 k8s.io/apimachinery v0.0.0-20250117041610-45d29dc4d66f/go.mod h1:h8DnJz4KNjkQsP8iFir+s3sSBEK3Iy43bfB2gFjSR+A=
 k8s.io/client-go v0.0.0-20250116202332-9897373fe634 h1:Lsd7xmPPz0SUGV+LqbqpXG9y+tlWLuIY64g5kftCwHg=
--- a/pkg/server/secure_serving.go
+++ b/pkg/server/secure_serving.go
@ -172,33 +172,31 @@ func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Dur
 		ReadHeaderTimeout: 32 * time.Second, // just shy of requestTimeoutUpperBound
 	}
 	// At least 99% of serialized resources in surveyed clusters were smaller than 256kb.
 	// This should be big enough to accommodate most API POST requests in a single frame,
 	// and small enough to allow a per connection buffer of this size multiplied by `MaxConcurrentStreams`.
 	const resourceBody99Percentile = 256 * 1024
 	http2Options := &http2.Server{
 		IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout
 	}
 	// shrink the per-stream buffer and max framesize from the 1MB default while still accommodating most API POST requests in a single frame
 	http2Options.MaxUploadBufferPerStream = resourceBody99Percentile
 	http2Options.MaxReadFrameSize = resourceBody99Percentile
 	// use the overridden concurrent streams setting or make the default of 250 explicit so we can size MaxUploadBufferPerConnection appropriately
 	if s.HTTP2MaxStreamsPerConnection > 0 {
 		http2Options.MaxConcurrentStreams = uint32(s.HTTP2MaxStreamsPerConnection)
 	} else {
 		// match http2.initialMaxConcurrentStreams used by clients
 		// this makes it so that a malicious client can only open 400 streams before we forcibly close the connection
 		// https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd
 		http2Options.MaxConcurrentStreams = 100
 	}
 	// increase the connection buffer size from the 1MB default to handle the specified number of concurrent streams
 	http2Options.MaxUploadBufferPerConnection = http2Options.MaxUploadBufferPerStream * int32(http2Options.MaxConcurrentStreams)
 	if !s.DisableHTTP2 {
 		// At least 99% of serialized resources in surveyed clusters were smaller than 256kb.
 		// This should be big enough to accommodate most API POST requests in a single frame,
 		// and small enough to allow a per connection buffer of this size multiplied by `MaxConcurrentStreams`.
 		const resourceBody99Percentile = 256 * 1024
 		http2Options := &http2.Server{
 			IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout
 			// shrink the per-stream buffer and max framesize from the 1MB default while still accommodating most API POST requests in a single frame
 			MaxUploadBufferPerStream: resourceBody99Percentile,
 			MaxReadFrameSize:         resourceBody99Percentile,
 		}
 		// use the overridden concurrent streams setting or make the default of 250 explicit so we can size MaxUploadBufferPerConnection appropriately
 		if s.HTTP2MaxStreamsPerConnection > 0 {
 			http2Options.MaxConcurrentStreams = uint32(s.HTTP2MaxStreamsPerConnection)
 		} else {
 			// match http2.initialMaxConcurrentStreams used by clients
 			// this makes it so that a malicious client can only open 400 streams before we forcibly close the connection
 			// https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd
 			http2Options.MaxConcurrentStreams = 100
 		}
 		// increase the connection buffer size from the 1MB default to handle the specified number of concurrent streams
 		http2Options.MaxUploadBufferPerConnection = http2Options.MaxUploadBufferPerStream * int32(http2Options.MaxConcurrentStreams)
 		// apply settings to the server
 		if err := http2.ConfigureServer(secureServer, http2Options); err != nil {
 			return nil, nil, fmt.Errorf("error configuring http2: %v", err)