Kubernetes v1.35: Restricting executables invoked by kubeconfigs via exec plugin allowList added to kuberc

Kubectl utilizes credential plugins, executables specified in kubeconfig files, for authentication. This feature, while useful, raises security concerns as these plugins run with user privileges. An attacker could exploit compromised kubeconfig generation pipelines to execute malicious code. Kubernetes 1.35 introduces a beta feature for managing these plugins via credential plugin policies. Users can set policies in their kuberc configuration files to control which plugins can run. The `credentialPluginPolicy` can be set to `AllowAll`, `DenyAll`, or `Allowlist`. The `Allowlist` option allows specific plugins, by either full path or basename. Full paths are preferable for enhanced security, excluding globbing and wildcard usage. Future enhancements include checksum verification and digital signature checks for increased security. The Kubernetes community welcomes feedback and contributions to further improve this security feature. Users are encouraged to participate in discussions within the sig-cli and sig-auth channels. This security addition provides a way for users to restrict and control the execution of credential plugins within their environments.