What is Kubernetes 1.35 credential plugin allowlist?

It's a beta config in kubectl to restrict which executables kubeconfigs can run for auth, blocking supply-chain risks via policies like DenyAll or whitelists.

How do I enable kubeconfig exec plugin policy in kubectl?

Add credentialPluginPolicy and credentialPluginAllowlist to your kubectl Preference in ~/.kube/config—start with DenyAll to audit.

Will Kubernetes 1.35 break my existing credential plugins?

Only if you set restrictive policies; defaults allow all, so test DenyAll first to whitelist needed ones like cloud logins.

🔒 Security & Privacy

Kubernetes 1.35: Taming Wild Kubeconfig Executables with AllowLists

Your kubeconfig might be running mystery code on your machine. Kubernetes 1.35 slams the door with exec plugin allowLists—simple, beta-ready security that feels like a bouncer for your credentials.

Open Source Beat Apr 07, 2026 3 min read

⚡ Key Takeaways

Kubernetes 1.35 adds beta credentialPluginPolicy and allowlist to kubeconfigs, curbing arbitrary exec risks. 𝕏
Set DenyAll to audit plugins, then whitelist paths or basenames for tight control. 𝕏
Future: checksums and signatures—turning plugins into trusted fortresses. 𝕏

Published by

Open Source Beat

Community-driven. Code-first.

#Kubernetes 1.35 #credential plugin #credential plugin allowlist #credential plugins #exec plugin allowlist #exec plugins #kubeconfig #kubeconfig security #kubectl config #kubernetes #supply chain security #v1.35

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Kubernetes Blog

⚡ Key Takeaways

The 60-Second TL;DR

Open Source Beat

Share this article

Worth sharing?

Related Stories

Kubernetes 1.35 Cracks Open Mutable PV Node Affinity — A Stateful Revolution in Alpha

Kubernetes Debugging's Dirty Secret: From Quick Fixes to Breach Backdoors

36 Fake Strapi Plugins Poison npm, Steal Guardarian Wallets

GitHub's Supply Chain Security Push: Real Fixes or Microsoft PR Polish?

Stay in the loop