Kubernetes v1.35: Restricting executables invoked by kubeconfigs via exec plugin allowList added to kuberc

Did you know that kubectl can run arbitrary executables, including shell scripts, with the full privileges of the invoking user, and without your knowledge?

  • Whenever you download or auto-generate a kubeconfig, the users[n].exec.command field can specify an executable to fetch credentials on your behalf.
  • Don’t get me wrong, this is an incredible feature that allows you to authenticate to the cluster with external identity providers.
  • Nevertheless, you probably see the problem: Do you know exactly what executables your kubeconfig is running on your system?
  • Do you trust the pipeline that generated your kubeconfig?
  • If there has been a supply-chain attack on the code that generates the kubeconfig, or if the generating pipeline has been compromised, an attacker might well be doing unsavory things to your machine by tricking your kubeconfig into running arbitrary code.

Article Summaries:

  • Kubernetes v1.35 introduces a beta feature that lets users control which executables are run by kubeconfig exec plugins. The change adds a credential plugin policy and allowlist to the kuberc configuration file, enabling policies such as AllowAll, DenyAll, or Allowlist. By default all plugins are allowed, but administrators can restrict execution to specific binaries or deny all, mitigating supply‑chain risks from compromised kubeconfig generators. The policy can be set via the client‑go library or directly in kubectl’s config, and detailed error messages help diagnose blocked plugins. This update enhances security without requiring feature gates.
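
An added example, not from the original article or the Kubernetes project: a standard-library Python audit that lists every users[n].exec.command in a kubeconfig exported as JSON (`kubectl config view --raw -o json`) and flags the ones missing from a list you have reviewed. The sample kubeconfig, the reviewed list and the matching rule are constructed assumptions; the matching is deliberately strict and does not reproduce kubectl's own allowlist logic.

```python
import json

# Constructed sample in the JSON shape of `kubectl config view --raw -o json`.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "users": [
        {"name": "dev", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1",
            "command": "/usr/local/bin/cloudco-login",
            "args": ["get-token"]}}},
        {"name": "ci", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1",
            "command": "sh",
            "args": ["-c", "./get-token.sh"]}}},
        {"name": "static", "user": {"token": "REDACTED"}},
    ],
})


def exec_plugins(kubeconfig_json):
    """Return (user, command, args) for every users[n].exec entry."""
    config = json.loads(kubeconfig_json)
    found = []
    for entry in config.get("users") or []:
        exec_cfg = (entry.get("user") or {}).get("exec")
        if exec_cfg:
            found.append((entry.get("name", ""),
                          exec_cfg.get("command") or "",
                          list(exec_cfg.get("args") or [])))
    return found


def audit(kubeconfig_json, reviewed):
    """Flag exec commands that are not an exact string match for a reviewed
    entry (assumed rule: no basename or PATH resolution is attempted)."""
    reviewed = set(reviewed)
    return [{"user": user, "command": command, "args": args}
            for user, command, args in exec_plugins(kubeconfig_json)
            if command not in reviewed]


if __name__ == "__main__":
    # Hypothetical reviewed list: only the identity provider's login helper.
    for finding in audit(SAMPLE_KUBECONFIG, ["/usr/local/bin/cloudco-login"]):
        print("unreviewed exec plugin:", finding)
```
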
