ASA-2018-00069 – Kubernetes: Proxy request handling in kube-apiserver can leave vulnerable TCP connections

With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.