It was found that Kubernetes did not take a client's identity from the correct certificate in its X.509 chain. When a client authenticated with a certificate issued by an intermediate CA, the authenticator used the subject Common Name (CN) of the intermediate certificate rather than that of the client's own end-entity certificate. An attacker could use this flaw to bypass authentication requirements by presenting a specially crafted X.509 certificate chain.
Clients using SSL certs for auth show the subject CN of their intermediate cert, not their entity cert.
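The following Go program is an added example, not code from this advisory or from Kubernetes. It builds a constructed three-level PKI (root "cluster-root", intermediate CA with CN "admin", client leaf with CN "alice"), presents the chain leaf-first as a TLS client would, and contrasts two identity extractors. VulnerableIdentity is a reconstruction, offered as an assumption about how the bug manifests, of the faulty pattern: each presented certificate is verified on its own against the trusted roots and the first one that verifies names the user, so the intermediate's CN wins. FixedIdentity verifies only the end-entity certificate with the rest of the chain as untrusted intermediates and reads the CN from the leaf of the verified chain. All names and the two function names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// clientAuth is the extended key usage an API server must require of a client cert.
var clientAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}

// newTemplate returns a minimal template: CA templates may sign certs,
// end-entity templates carry the client-auth EKU.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = clientAuth
	}
	return t
}

// issue generates a P-256 key for tmpl and signs it with parentKey; a nil
// parent means self-signed (the root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDemoPKI constructs root -> intermediate (CN "admin") -> leaf (CN "alice")
// and returns the certs in TLS presentation order (leaf first, as in
// tls.ConnectionState.PeerCertificates) plus the root pool the server trusts.
func BuildDemoPKI() ([]*x509.Certificate, *x509.CertPool) {
	root, rootKey := issue(newTemplate("cluster-root", 1, true), nil, nil)
	inter, interKey := issue(newTemplate("admin", 2, true), root, rootKey)
	leaf, _ := issue(newTemplate("alice", 3, false), inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return []*x509.Certificate{leaf, inter}, roots
}

// VulnerableIdentity (assumed reconstruction, not Kubernetes code): verify each
// presented cert alone against the roots with no intermediate pool and take the
// first that verifies. The leaf cannot chain without its issuer, but the
// intermediate chains straight to the root, so its CN is returned.
func VulnerableIdentity(presented []*x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: clientAuth}
	for _, c := range presented {
		if _, err := c.Verify(opts); err == nil {
			return c.Subject.CommonName, nil
		}
	}
	return "", errors.New("no presented certificate chains to a trusted root")
}

// FixedIdentity verifies only the end-entity cert (the key the TLS handshake
// proved possession of), feeds the other presented certs in as untrusted
// intermediates, and reads the identity from the leaf of the verified chain.
func FixedIdentity(presented []*x509.Certificate, roots *x509.CertPool) (string, error) {
	if len(presented) == 0 {
		return "", errors.New("no client certificate presented")
	}
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: clientAuth})
	if err != nil {
		return "", err
	}
	return chains[0][0].Subject.CommonName, nil
}

func main() {
	presented, roots := BuildDemoPKI()
	v, err := VulnerableIdentity(presented, roots)
	fmt.Println("vulnerable:", v, err) // prints "vulnerable: admin <nil>"
	f, err := FixedIdentity(presented, roots)
	fmt.Println("fixed:", f, err) // prints "fixed: alice <nil>"
}
```

The practical consequence of the faulty pattern is that every authorization decision downstream (which user, which groups) is bound to whoever controls the intermediate's subject rather than to the client, so any deployment that issues client certificates from an intermediate CA should confirm, after patching, that the authenticated user name matches the leaf's CN and not the issuer's.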
This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 3.1
Red Hat OpenShift Enterprise 3.2
Red Hat OpenShift Container Platform 3.3
Fixed via RHSA-2016:2064: https://access.redhat.com/errata/RHSA-2016:2064