patch all deployments and stateful sets containers in your kubernetes cluster for log4shell CVE-2021-44228 by appending environment variable that prevents the exploit. .

patch-all-containers-for-cve-2021-44228.py

# patch all deployments and stateful sets containers in your kubernetes cluster for 
# log4shell CVE-2021-44228 by appending environment variable that prevents the exploit. 

from kubernetes import client, config

config.load_kube_config()
apps_api = client.AppsV1Api()
deployments = apps_api.list_deployment_for_all_namespaces()
stateful_sets = apps_api.list_stateful_set_for_all_namespaces()

env_var_definition = {'name': 'LOG4J_FORMAT_MSG_NO_LOOKUPS', 'value': 'true', 'value_from': None}

def has_log4j_env_var(env_vars):
    return any([ var.name == 'LOG4J_FORMAT_MSG_NO_LOOKUPS' for var in env_vars ])

def patch_app(app, kind):
    changed = False
    for container in app.spec.template.spec.containers:
        if container.env is None:
            container.env = []
        if not has_log4j_env_var(container.env):
            changed = True
            container.env.append(env_var_definition)
    if changed:
        try:
            print("patching %s %s in %s" % (kind, app.metadata.name, app.metadata.namespace) )
            if kind == 'deployment':
                apps_api.patch_namespaced_deployment(name=app.metadata.name, namespace=app.metadata.namespace, body=app)
            else:
                apps_api.patch_namespaced_stateful_set(name=app.metadata.name, namespace=app.metadata.namespace, body=app)
            print("patched %s %s in %s" % (kind, app.metadata.name, app.metadata.namespace) )
        except:
            print("some error occured while patching %s %s in %s" % (kind, app.metadata.name, app.metadata.namespace) )       

for deployment in deployments.items:
    patch_app(deployment, 'deployment')
for stateful_set in stateful_sets.items:
    patch_app(stateful_set, 'sts')