Endigest AI Core Summary
Kubernetes v1.35 introduces a beta feature to restrict which executables kubeconfigs can invoke via exec plugins, protecting against supply-chain attacks.
• kubectl can silently run arbitrary executables specified in the users[n].exec.command field of a kubeconfig, posing a security risk
• The new credentialPluginPolicy field in kuberc supports three modes: AllowAll (default), DenyAll, and Allowlist
• The Allowlist mode lets users specify allowed plugins by full path or basename via credentialPluginAllowlist in kuberc
• Full path entries are preferred over basename as they narrow the scope of allowed binaries more precisely
• Future enhancements may include checksum verification (e.g., sha256) and trusted signing key validation for allowed binaries
This summary was automatically generated by AI based on the original article and may not be fully accurate.
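An audit sketch for the points above, added here as an example and not taken from the original article or from kubectl: it lists every users[n].exec.command in a kubeconfig and evaluates it against the three policy modes. The matching rule (an entry containing a path separator is a full path, anything else is a basename), the sample kubeconfig and the plugin names `cloudco-login` and `get-identity` are assumptions constructed for illustration.

```python
import json
import os
import shutil

# Constructed sample, shaped like `kubectl config view --raw -o json` output.
SAMPLE_KUBECONFIG = json.loads("""
{"users": [
  {"name": "prod",   "user": {"exec": {"command": "/usr/local/bin/cloudco-login", "args": ["token"]}}},
  {"name": "dev",    "user": {"exec": {"command": "get-identity"}}},
  {"name": "vendor", "user": {"exec": {"command": "/tmp/helper.sh"}}},
  {"name": "static", "user": {"token": "REDACTED"}}
]}
""")


def is_allowed(command, policy, allowlist, resolve=shutil.which):
    """Approximate the three policy modes for a single exec command (assumed semantics)."""
    if policy == "AllowAll":
        return True
    if policy == "DenyAll":
        return False
    if policy != "Allowlist":
        raise ValueError(f"unknown policy: {policy}")
    # Resolve via PATH when possible; fall back to the string as written.
    resolved = resolve(command) or command
    for entry in allowlist:
        if os.sep in entry:
            # Full-path entry: only that exact binary location matches.
            if os.path.normpath(resolved) == os.path.normpath(entry):
                return True
        elif os.path.basename(resolved) == entry:
            # Basename entry: matches the name in ANY directory (broader scope).
            return True
    return False


def audit(kubeconfig, policy, allowlist, resolve=shutil.which):
    """Return [(user, command, allowed)] for every users[n].exec.command."""
    findings = []
    for user in kubeconfig.get("users") or []:
        exec_cfg = (user.get("user") or {}).get("exec")
        if not exec_cfg or not exec_cfg.get("command"):
            continue  # static token / certificate users invoke no executable
        cmd = exec_cfg["command"]
        findings.append((user.get("name"), cmd, is_allowed(cmd, policy, allowlist, resolve)))
    return findings


if __name__ == "__main__":
    allow = ["/usr/local/bin/cloudco-login", "get-identity"]
    for name, cmd, ok in audit(SAMPLE_KUBECONFIG, "Allowlist", allow, resolve=lambda c: None):
        print(f"{'ALLOW' if ok else 'DENY '} user={name} command={cmd}")
```

Running it over a kubeconfig received from a third party, before that file is ever used with kubectl, shows which entries an allowlist would need to cover and which would be refused.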