Kubernetes v1.35: Restricting executables invoked by kubeconfigs via exec plugin allowList added to kuberc
Kubectl utilizes credential plugins, executables specified in kubeconfig files, for authentication. This feature, while useful, raises security concerns as these plugins run with user privileges. An attacker could exploit compromised kubeconfig generation pipelines to execute malicious code. Kubernetes 1.35 introduces a beta feature for managing these plugins via credential plugin policies. Users can set policies in their kuberc configuration files to control which plugins can run. The credentialPluginPolicy can be set to AllowAll, DenyAll, or Allowlist. The Allowlist option allows specific plugins, by either full path or basename. Full paths are preferable for enhanced security, excluding globbing and wildcard usage. Future enhancements include checksum verification and digital signature checks for increased security. The Kubernetes community welcomes feedback and contributions to further improve this security feature. Users are encouraged to participate in discussions within the sig-cli and sig-auth channels. This security addition provides a way for users to restrict and control the execution of credential plugins within their environments.
credentialPluginPolicycan be set toAllowAll,DenyAll, orAllowlist. TheAllowlistoption allows specific plugins, by either full path or basename. Full paths are preferable for enhanced security, excluding globbing and wildcard usage. Future enhancements include checksum verification and digital signature checks for increased security. The Kubernetes community welcomes feedback and contributions to further improve this security feature. Users are encouraged to participate in discussions within the sig-cli and sig-auth channels. This security addition provides a way for users to restrict and control the execution of credential plugins within their environments.