CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

The rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data).

In the following versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig():

• v1.12.0-v1.12.4
• v1.13.0

What is the impact?

• k8s.io/client-go users that use the rest.AnonymousClientConfig() method directly with client config loaded with rest.InClusterConfig() receive back a client config which can still send the loaded service account token with requests.

How was the issue fixed?

• In 1.12.5+ and 1.13.1+, rest.InClusterConfig() was modified to return a client config that is safe to use with the rest.AnonymousClientConfig() method (Plumb token and token file through rest.Config #71713)
• In v1.15.0, the rest.AnonymousClientConfig() will also exclude the config.Transport and config.WrapTransport fields, in addition to the explicit credential-carrying fields. (Exclude custom transports when constructing AnonymousClientConfig() #75771)

How do I resolve the issue?

• Upgrade k8s.io/client-go to kubernetes-1.12.5, kubernetes-1.13.1, kubernetes-1.14.0, or higher
• or manually clear the config.WrapTransport and config.Transport fields in addition to calling rest.AnonymousClientConfig()

Thanks to Oleg Bulatov of Red Hat for reporting this issue.

/area security
/kind bug
/sig auth
/sig api-machinery
/assign
/close