GHSA-p4rx-7wvg-fwrc

GitHub Security Advisory

CRI-O's pods can break out of resource confinement on cgroupv2

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact
_What kind of vulnerability is it? Who is impacted?_
All versions of CRI-O running on cgroupv2 nodes.
Unchecked access to an experimental annotation allows a container to be unconfined. Back in 2021, [support was added](https://github.com/cri-o/cri-o/pull/4479) for an experimental annotation that allows a user to request special resources in cgroupv2. The feature was supposed to be gated by the annotation `io.kubernetes.cri-o.UnifiedCgroup`, which was supposed to be filtered from the [list of allowed annotations](https://github.com/cri-o/cri-o/blob/main/pkg/config/workloads.go#L103-L107). However, a bug in this code allows any user to specify the annotation, regardless of whether it is enabled on the node. As a consequence, a pod can specify any amount of memory/CPU and get it, circumventing the Kubernetes scheduler, and can potentially DoS a node.
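
An added example, not CRI-O's code or part of the advisory: a Go audit that reads the JSON output of `kubectl get pods -A -o json` and lists pods carrying the annotation described above. The prefix match, the `.worker` key suffix and the sample pod list are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Annotation named in the advisory; the prefix match that also catches
// suffixed keys is an assumption of this example.
const unifiedCgroupAnnotation = "io.kubernetes.cri-o.UnifiedCgroup"

// podList mirrors only the pod list fields this audit needs.
type podList struct {
	Items []struct {
		Metadata struct {
			Namespace   string            `json:"namespace"`
			Name        string            `json:"name"`
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	} `json:"items"`
}

// Finding is one pod annotation that requests unified cgroup settings.
type Finding struct{ Namespace, Pod, Key, Value string }

// FindUnifiedCgroupPods returns every annotation whose key starts with the advisory's name.
func FindUnifiedCgroupPods(data []byte) ([]Finding, error) {
	var pl podList
	if err := json.Unmarshal(data, &pl); err != nil {
		return nil, fmt.Errorf("parse pod list: %w", err)
	}
	var out []Finding
	for _, p := range pl.Items {
		for k, v := range p.Metadata.Annotations {
			if strings.HasPrefix(k, unifiedCgroupAnnotation) {
				out = append(out, Finding{p.Metadata.Namespace, p.Metadata.Name, k, v})
			}
		}
	}
	return out, nil
}

// Constructed sample input, not captured from a real cluster.
const samplePods = `{"items":[{"metadata":{"namespace":"default","name":"web","annotations":{"app":"web"}}},
 {"metadata":{"namespace":"batch","name":"job-1","annotations":{"io.kubernetes.cri-o.UnifiedCgroup.worker":"constructed-value"}}}]}`

func main() {
	findings, err := FindUnifiedCgroupPods([]byte(samplePods))
	fmt.Println(findings, err)
}
```

Any finding on a cgroupv2 node running a CRI-O version below the fixed releases listed under Patches is worth reviewing.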
### Patches
_Has the problem been patched? What versions should users upgrade to?_
1.29.1, 1.28.3, 1.27.3

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
Use cgroupv1.

### References
_Are there any links users can visit to find out more?_

Affected Packages

Go github.com/cri-o/cri-o
Affected versions: 1.29.0 (fixed in 1.29.1)
Go github.com/cri-o/cri-o
Affected versions: 1.28.0 (fixed in 1.28.3)
Go github.com/cri-o/cri-o
Affected versions: 0 (fixed in 1.27.3)

Related CVEs

Key Information

GHSA ID: GHSA-p4rx-7wvg-fwrc
Published: January 10, 2024 3:27 PM
Last Modified: January 10, 2024 3:27 PM
CVSS Score: 5.0/10
Primary Ecosystem: Go
Primary Package: github.com/cri-o/cri-o
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.