The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.
github.com/kubernetes/kubernetes/pkg/apiserver
{ "last_known_affected_version_range": "<= 1.2.0-alpha.5" }