From 9a0e87881161042c02820a5bb5ec6d0ff8394fcd Mon Sep 17 00:00:00 2001
From: Jan Chaloupka <jchaloup@redhat.com>
Date: Sun, 22 Oct 2023 19:29:12 +0200
Subject: [PATCH] [1.27] CVE 2023 44487 fixes

---
 cmd/descheduler/app/options/options.go | 2 ++
 cmd/descheduler/app/server.go          | 2 ++
 docs/cli/descheduler.md                | 1 +
 3 files changed, 5 insertions(+)

diff --git a/cmd/descheduler/app/options/options.go b/cmd/descheduler/app/options/options.go
index b00053de0..56e00b8af 100644
--- a/cmd/descheduler/app/options/options.go
+++ b/cmd/descheduler/app/options/options.go
@@ -43,6 +43,7 @@ type DeschedulerServer struct {
 	EventClient    clientset.Interface
 	SecureServing  *apiserveroptions.SecureServingOptionsWithLoopback
 	DisableMetrics bool
+	EnableHTTP2    bool
 }
 
 // NewDeschedulerServer creates a new DeschedulerServer with default parameters
@@ -92,6 +93,7 @@ func (rs *DeschedulerServer) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&rs.PolicyConfigFile, "policy-config-file", rs.PolicyConfigFile, "File with descheduler policy configuration.")
 	fs.BoolVar(&rs.DryRun, "dry-run", rs.DryRun, "Execute descheduler in dry run mode.")
 	fs.BoolVar(&rs.DisableMetrics, "disable-metrics", rs.DisableMetrics, "Disables metrics. The metrics are by default served through https://localhost:10258/metrics. Secure address, resp. port can be changed through --bind-address, resp. --secure-port flags.")
+	fs.BoolVar(&rs.EnableHTTP2, "enable-http2", false, "If http/2 should be enabled for the metrics and health check")
 
 	componentbaseoptions.BindLeaderElectionFlags(&rs.LeaderElection, fs)
 
diff --git a/cmd/descheduler/app/server.go b/cmd/descheduler/app/server.go
index 91dcd20aa..914b9980d 100644
--- a/cmd/descheduler/app/server.go
+++ b/cmd/descheduler/app/server.go
@@ -63,6 +63,8 @@ func NewDeschedulerCommand(out io.Writer) *cobra.Command {
 				return
 			}
 
+			SecureServing.DisableHTTP2 = !s.EnableHTTP2
+
 			var factory registry.LogFormatFactory
 			if s.Logging.Format == "json" {
 				factory = jsonLog.Factory{}
diff --git a/docs/cli/descheduler.md b/docs/cli/descheduler.md
index a0fde58dc..7b2671ad7 100644
--- a/docs/cli/descheduler.md
+++ b/docs/cli/descheduler.md
@@ -21,6 +21,7 @@ descheduler [flags]
       --descheduling-interval duration           Time interval between two consecutive descheduler executions. Setting this value instructs the descheduler to run in a continuous loop at the interval specified.
       --disable-metrics                          Disables metrics. The metrics are by default served through https://localhost:10258/metrics. Secure address, resp. port can be changed through --bind-address, resp. --secure-port flags.
       --dry-run                                  Execute descheduler in dry run mode.
+      --enable-http2                             If http/2 should be enabled for the metrics and health check
   -h, --help                                     help for descheduler
       --http2-max-streams-per-connection int     The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.
       --kubeconfig string                        File with kube configuration. Deprecated, use client-connection-kubeconfig instead.