It's been known for quite some time not to expose the dashboard. GKE explicitly disables it by default. Tesla's in-house cluster was pwned because their dashboard was publicly accessible, etc.
Hard to call this "privilege escalation" if I'm reading this correctly?

It's like a firewall default policy of ALLOW and complaining that packets are getting through.

There was a literal "Skip" button on the login page and the default account was granted permission to read certificate private keys. Did I get that right?
I am not surprised, in the general sense that someone has found a security bug in a large and complex piece of software.
This is basically another good example of why your control plane should only be accessible through a VPN/bastion.