In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig(). Upstream issue: https://github.com/kubernetes/kubernetes/issues/76797
Created containernetworking-cni tracking bugs for this issue: Affects: epel-7 [bug 1703224]
Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1703220]
Created kubernetes:1.1/kubernetes tracking bugs for this issue: Affects: fedora-29 [bug 1703219]
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1703223]
Upstream Commit: https://github.com/kubernetes/kubernetes/pull/71713/commits/dba85e58debadfcb66aff2b68ba8bcc2eafeac2d
Gluster ships a very old Kubernetes version, v1.5.5, which is not affected by this vulnerability.
Statement: This issue does not affect the version of Kubernetes (embedded in heketi) shipped with Red Hat Gluster Storage 3 as it does not contain the vulnerable functionality.
Created kubernetes:openshift-3.10/origin tracking bugs for this issue: Affects: fedora-29 [bug 1714287]