The commercial K8S vendors seem to be doing the patch all the way back. Smart move by them to signal to the enterprise the value of using a commercially supported K8S distribution over something like kops or kubeadm.
I know however that there is a LTS-SIG that’s trying to figure out what Kubernetes is, and for how long old releases should be supported.
The Kubernetes project is pretty explicit about only supporting 3 minor versions back, which gives you a full 3 quarters to figure out if the changes break anything you have deployed and fix those cases. If that's too fast, you're probably an Enterprise anyway and uncomfortable with anything but vendor support.
Quite normal in this space, see Docker for example.
I was expecting something that altered more rather than a bunch of length checks. But I guess that's how security is sometimes.
For anybody else, we abstract k8s away.
In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation.