GHSA-6m9f-pj6w-w87g

$ kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io rancher.cattle.io NAME WEBHOOKS AGE rancher.cattle.io 0 19h

#!/bin/bash set -euo pipefail function prereqs() { if ! [ -x "$(command -v kubectl)" ]; then echo "error: kubectl is not installed." >&2 exit 1 fi if [[ -z "$(kubectl config view -o jsonpath='{.clusters[].cluster.server}')" ]]; then echo "error: No kubernetes cluster found on kubeconfig." >&2 exit 1 fi } function restart_deployment(){ kubectl rollout restart deployment rancher-webhook -n cattle-system kubectl rollout status deployment rancher-webhook -n cattle-system --timeout=30s } function workaround() { echo "Cluster: $(kubectl config view -o jsonpath='{.clusters[].cluster.server}')" if ! kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io rancher.cattle.io > /dev/null 2>&1; then echo "webhook rancher.cattle.io not found, restarting deployment:" restart_deployment echo "waiting for webhook configuration" sleep 15s fi local -i webhooks webhooks="$(kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io rancher.cattle.io --no-headers | awk '{ print $2 }')" if [ "${webhooks}" == "0" ]; then echo "Webhook misconfiguration status: Cluster is affected by CVE-2023-22651" echo "Running workaround:" kubectl delete validatingwebhookconfiguration rancher.cattle.io restart_deployment ret=$? if [ $ret -eq 0 ]; then echo "Webhook restored, CVE-2023-22651 is fixed" else echo "error trying to restart deployment. try again in a few seconds." fi else echo "Webhook misconfiguration status: not present (skipping)" fi echo "Done" } function main() { prereqs workaround } main