★ 8/10 · Infra · 2026-01-09

Kubernetes v1.35: Restricting executables invoked by kubeconfigs via exec plugin allowList added to kuberc

Summary

Kubernetes v1.35 introduces a new security feature in the kuberc configuration that allows users to restrict which executables can be invoked by kubeconfig credential plugins. This mechanism mitigates supply-chain risks where a compromised or untrusted kubeconfig might attempt to execute arbitrary code via the users[n].exec.command field.

Key Points

  • Introduced as a beta feature in Kubernetes v1.35.
  • Does not require any feature gates to be enabled.
  • Available to all clients utilizing the client-go library by populating the ExecProvider.PluginPolicy struct on a REST config.
  • Supports three policy modes: AllowAll, DenyAll, and Allowlist.
  • The credentialPluginAllowlist supports both absolute paths and basenames (resolved via exec.LookPath).
  • Globbing and wildcards are currently not supported in the allowlist configuration.

Technical Details

The feature is managed via the kuberc configuration file using the kubectl.config.k8s.io/v1beta1 Preference kind. Users can control plugin execution by adding credentialPluginPolicy and credentialPluginAllowlist fields to this configuration.

When credentialPluginPolicy is set to DenyAll, kubectl will block any credential plugin not explicitly permitted, returning an error such as plugin "[name]" not allowed: policy set to "DenyAll". When using the Allowlist policy, the credentialPluginAllowlist field accepts a list of entries, each containing a name field. While providing a basename allows kubectl to locate the binary using exec.LookPath, using the full absolute path is the recommended security practice to further narrow the execution scope.
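A simplified model of the policy decision described above, added here as an example and not taken from kubectl or client-go. `CheckPlugin`, `resolve`, the swappable `lookPath` variable and the `example-login` paths are hypothetical, and comparing resolved paths for equality is an assumption about how entries are matched.

```go
package main

import (
	"fmt"
	"os/exec"
	"path/filepath"
)

// lookPath is a variable so the check can be exercised without the real PATH.
var lookPath = exec.LookPath

// resolve keeps absolute names as given and sends basenames through lookPath.
func resolve(name string) (string, error) {
	if filepath.IsAbs(name) {
		return filepath.Clean(name), nil
	}
	return lookPath(name)
}

// CheckPlugin (hypothetical helper) decides whether a kubeconfig's
// users[n].exec.command may run under a policy and a list of allowlist names.
func CheckPlugin(policy string, allowlist []string, command string) error {
	switch policy {
	case "AllowAll":
		return nil
	case "DenyAll":
		return fmt.Errorf("plugin %q not allowed: policy set to %q", command, policy)
	case "Allowlist":
		cmdPath, err := resolve(command)
		if err != nil {
			return fmt.Errorf("plugin %q not allowed: %w", command, err)
		}
		for _, name := range allowlist {
			// Exact comparison after resolution; "*" is not treated as a glob.
			if p, err := resolve(name); err == nil && p == cmdPath {
				return nil
			}
		}
		return fmt.Errorf("plugin %q not allowed: not in allowlist", command)
	}
	return fmt.Errorf("unknown credentialPluginPolicy %q", policy)
}

func main() {
	// Constructed sample: an allowlist holding one absolute path.
	allow := []string{"/usr/local/bin/example-login"}
	fmt.Println(CheckPlugin("Allowlist", allow, "/usr/local/bin/example-login"))
	fmt.Println(CheckPlugin("Allowlist", allow, "/tmp/example-login"))
}
```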

Future iterations of this feature are planned to include more granular requirements, such as checksum verification (e.g., validating a sha256 hash) and digital signature verification for allowed binaries.

Impact / Why It Matters

This update allows developers and platform engineers to implement a "least privilege" model for local authentication, preventing unauthorized code execution from untrusted kubeconfig files. It provides a critical layer of defense against supply-chain attacks targeting the credential retrieval process.
