What is Kubernetes 1.35 credential plugin allowlist?

It's a beta config in kubectl to restrict which executables kubeconfigs can run for auth, blocking supply-chain risks via policies like DenyAll or whitelists.

How do I enable kubeconfig exec plugin policy in kubectl?

Add credentialPluginPolicy and credentialPluginAllowlist to your kubectl Preference in ~/.kube/config—start with DenyAll to audit.

Will Kubernetes 1.35 break my existing credential plugins?

Only if you set restrictive policies; defaults allow all, so test DenyAll first to whitelist needed ones like cloud logins.

🔒 Security & Privacy

Kubernetes 1.35: Taming Wild Kubeconfig Executables with AllowLists

Your kubeconfig might be running mystery code on your machine. Kubernetes 1.35 slams the door with exec plugin allowLists—simple, beta-ready security that feels like a bouncer for your credentials.

theAIcatchup Apr 07, 2026 3 min read

⚡ Key Takeaways

Kubernetes 1.35 adds beta credentialPluginPolicy and allowlist to kubeconfigs, curbing arbitrary exec risks. 𝕏
Set DenyAll to audit plugins, then whitelist paths or basenames for tight control. 𝕏
Future: checksums and signatures—turning plugins into trusted fortresses. 𝕏

Published by

theAIcatchup

Community-driven. Code-first.

#credential plugin #credential plugin allowlist #credential plugins #exec plugins #kubectl config #v1.35

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Kubernetes Blog

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

Kubernetes 1.35 Cracks Open Mutable PV Node Affinity — A Stateful Revolution in Alpha

React Server Components' Perfect-Score RCE Flaw Exposes Millions of Apps

Anthropic's One-Line Fumble Leaks Billions in Code

WAIaaS Delivers Instant Push and Telegram Approvals for Rampaging AI Crypto Agents

Stay in the loop