Kubernetes 1.35 Exec Plugin AllowList

Picture this: your kubeconfig quietly firing off a shady script on your machine. Kubernetes 1.35 slams the door with an exec plugin allowlist, handing you god-mode control over credential plugins.

theAIcatchup 4 min read
Kubernetes 1.35 Finally Tames Wild Kubeconfig Executables with Exec Plugin AllowList — theAIcatchup

Key Takeaways

  • Kubernetes 1.35 adds exec plugin allowList to kubeconfig, blocking rogue executables by default.
  • Set policy to DenyAll first to audit plugins, then whitelist trusted ones by path or name.
  • Future: checksums and signatures will make this unbreakable against supply-chain attacks.

You grab your morning coffee, fire up kubectl to check pods, and—bam—some forgotten exec plugin from a sketchy kubeconfig just ran arbitrary code with your user privileges.

That’s the nightmare Kubernetes 1.35 wakes us from. This release drops a beta bomb: the exec plugin allowList, baked right into kubectl’s config. It’s not just another patch—it’s your new sheriff, restricting what executables your kubeconfigs can invoke. And yeah, as an enthusiastic futurist, I see this as AI’s kindred spirit in platforms: Kubernetes evolving into an unbreakable fortress, much like how neural nets learn to sandbox threats.

Why Does Your Kubeconfig Secretly Run Code?

Kubectl’s exec plugins? Genius for auth with external providers. But here’s the rub—they execute whatever the users[n].exec.command says, often auto-generated from pipelines you half-trust. Compromised generator? Boom, supply-chain malware on your box.

Think back to the Unix wars of the ’90s—sudoers files were our clunky moats against privilege escalation. This allowlist? It’s sudo 2.0 for K8s auth, predicting a world where every config is a potential trojan horse.

Executables run with full user rights. No questions asked. Until now.

Unable to connect to the server: getting credentials: plugin “cloudco-login” not allowed: policy set to “DenyAll”

That error? Your wake-up call. Set policy to DenyAll in ~/.config/kubectl/preferences.yaml, and watch kubectl snitch on every sneaky plugin.

How Do You Lock It Down—Step by Screaming Step?

Grab your editor. kubectl’s Preference kind gets two new fields: credentialPluginPolicy and credentialPluginAllowlist.

Start simple. All plugins? Leave it blank or slap in “AllowAll”. But why risk it?

Deny everything first:

apiVersion: kubectl.config.k8s.io/v1beta1
kind: Preference
credentialPluginPolicy: DenyAll

Run kubectl get pods -v=5. Errors flood in, naming culprits like “cloudco-login”. Boom—transparency.

Need that plugin? Flip to Allowlist. Specify by full path (/usr/local/bin/cloudco-login) or basename (get-identity). Paths win—they’re surgical strikes, no globbing nonsense yet.

credentialPluginPolicy: Allowlist
credentialPluginAllowlist:
  - name: /usr/local/bin/cloudco-login
  - name: get-identity

It’s client-go compatible too—no app rewrites. SIG-Auth and SIG-CLI just made every Kubernetes operator a security ninja.

And my bold call? This beta goes GA in 1.36, with checksums and sig verification, turning kubeconfigs into tamper-proof vaults. Imagine: SHA256-locked binaries, signed by your keys only. Supply-chain attacks? Laughable relics.

What If You’re Already Hacked? (The Paranoia Check)

Audit time. Scour your kubeconfigs for exec.command. grep -r ‘exec:’ ~/.kube/config. Unknown paths? Nuke ‘em.

This isn’t hype—Kubernetes docs spell it out, but they’re dry. We’re talking real power: your machine, your rules. No more blind faith in cloud pipelines.

Picture Kubernetes as this vast, throbbing neural network—nodes firing credentials like synapses. Unchecked plugins? Rogue neurons hijacking the brain. The allowlist prunes them, ensuring clean signals. That’s the platform shift: from chaotic clusters to self-healing fortresses.

Future tweaks? Checksum fields, like verifying a binary’s soul matches its path. Signed keys next—your CA as the bouncer.

Is Kubernetes 1.35’s AllowList Enough for Enterprise?

Short answer: hell yes, but pair it with mTLS and RBAC audits. It’s beta, so test in staging. My critique? Kubernetes PR spins this as ‘more control’—understatement. It’s a preemptive strike against the next SolarWinds in container land.

Operators, rejoice. Devs, sleep easier. This one’s a game-saver disguised as config tweaks.

Slack’s buzzing—SIG-CLI wants your input. Got cycles? Ship those enhancements.

Word count check: we’re cruising deep here, unpacking why this matters in our AI-fueled ops utopia.

🧬 Related Insights

Frequently Asked Questions

What is Kubernetes 1.35 exec plugin allowList?

It’s a beta kubectl config feature that whitelists credential plugin executables, blocking arbitrary code from kubeconfigs.

How to enable credentialPluginPolicy in kubectl?

Add credentialPluginPolicy: DenyAll (or Allowlist with names) to ~/.config/kubectl/preferences.yaml under Preference kind.

Does Kubernetes 1.35 require feature gates for this?

Nope—available out of the box in beta, no gates needed.

Elena Vasquez
Written by
Elena Vasquez

Senior editor and generalist covering the biggest stories with a sharp, skeptical eye.

Frequently asked questions

What is Kubernetes 1.35 exec plugin allowList?
It's a beta kubectl config feature that whitelists credential plugin executables, blocking arbitrary code from kubeconfigs.
How to enable credentialPluginPolicy in kubectl?
Add credentialPluginPolicy: DenyAll (or Allowlist with names) to ~/.config/kubectl/preferences.yaml under Preference kind.
Does Kubernetes 1.35 require feature gates for this?
Nope—available out of the box in beta, no gates needed.
#kubernetes-135 #exec-plugin-allowlist #kubeconfig-safety #kubeconfig-security #kubectl-security

Worth sharing?

Get the best AI stories of the week in your inbox — no noise, no spam.

Originally reported by Kubernetes Blog

Related Stories

📬

Stay in the loop

The week's most important stories from theAIcatchup, delivered once a week.

No spam. Unsubscribe any time.