Kubernetes v1.35: Tightening Security with Exec Plugin Allowlists
In an era where security breaches are a constant threat, Kubernetes v1.35's new feature to restrict executables invoked by kubeconfigs is a game changer. This capability allows you to define a clear policy on which credential plugins kubectl can execute, significantly reducing the risk of unauthorized access and potential exploits.
The mechanism is straightforward. You enforce the policy by adding two fields to your kuberc configuration file: `credentialPluginPolicy` and `credentialPluginAllowlist`. `credentialPluginPolicy` can be set to `AllowAll`, `DenyAll`, or `Allowlist`, with the default being `AllowAll`. When you specify `Allowlist`, you must also define `credentialPluginAllowlist`, which details the exact plugins that are permitted. For instance, you might configure it to allow only specific plugins like `/usr/local/bin/cloudco-login` and `get-identity`. This level of granularity helps ensure that only trusted plugins can be executed, thus bolstering your security posture.
In production, be mindful of the implications of setting your policy to `DenyAll`. If you do, every attempt to run a credential plugin fails with an error such as "plugin 'cloudco-login' not allowed: policy set to 'DenyAll'." This feature is in beta and available without feature gates, so you can adopt it right away. However, always test configurations in a staging environment before rolling them out to production to avoid disruptions.
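A pre-rollout audit in the spirit of the staging advice above, as an added example that is not code from the original article or the Kubernetes project: it lists every exec credential plugin a kubeconfig references and reports which ones a proposed kuberc policy would block. The sample kubeconfig, the `resolve` and `audit` helpers, and the matching rule (bare names resolved on PATH, then exact path comparison) are assumptions for illustration; kubectl's own matching may differ.

```python
import json
import os
import shutil

# Constructed sample, shaped like `kubectl config view --raw -o json` output.
KUBECONFIG = json.loads("""{"users": [
  {"name": "dev",   "user": {"exec": {"command": "/usr/local/bin/cloudco-login"}}},
  {"name": "ci",    "user": {"exec": {"command": "get-identity"}}},
  {"name": "old",   "user": {"exec": {"command": "/opt/legacy/sso-helper"}}},
  {"name": "token", "user": {"token": "REDACTED"}}
]}""")

# The Allowlist policy from this page, written as a dict.
KUBERC = {
    "credentialPluginPolicy": "Allowlist",
    "credentialPluginAllowlist": [{"name": "/usr/local/bin/cloudco-login"},
                                  {"name": "get-identity"}],
}

def resolve(command, which=shutil.which):
    """Assumed matching rule: bare names resolve via PATH, paths are normalized."""
    if os.sep in command:
        return os.path.normpath(command)
    return which(command) or command

def audit(kubeconfig, kuberc, which=shutil.which):
    """Return {user: (command, verdict)} for each user that runs an exec plugin."""
    policy = kuberc.get("credentialPluginPolicy", "AllowAll")  # page: default is AllowAll
    allowed = {resolve(e["name"], which) for e in kuberc.get("credentialPluginAllowlist") or []}
    report = {}
    for entry in kubeconfig.get("users") or []:
        command = ((entry.get("user") or {}).get("exec") or {}).get("command")
        if not command:
            continue  # static token or client cert: no plugin is executed
        if policy == "AllowAll":
            verdict = "allowed"
        elif policy == "DenyAll":
            verdict = "denied"
        elif policy == "Allowlist":
            verdict = "allowed" if resolve(command, which) in allowed else "denied"
        else:
            raise ValueError(f"unknown credentialPluginPolicy: {policy!r}")
        report[entry["name"]] = (command, verdict)
    return report

if __name__ == "__main__":
    for user, (command, verdict) in audit(KUBECONFIG, KUBERC).items():
        print(f"{user:6} {command:32} {verdict}")
```

Any user reported as `denied` is a kubeconfig entry that would start failing once the policy is rolled out, so resolve those before changing `credentialPluginPolicy`.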
Key takeaways
- Configure `credentialPluginPolicy` to control plugin execution.
- Use `credentialPluginAllowlist` to specify allowed credential plugins.
- Beware of the `DenyAll` policy, which can block necessary plugins.
- Test your configuration in a staging environment before production deployment.
Why it matters
Implementing an exec plugin allowlist can drastically reduce the attack surface of your Kubernetes cluster, protecting sensitive credentials from being compromised by unauthorized plugins.
Code examples
```yaml
# Allow only the listed credential plugins
apiVersion: kubectl.config.k8s.io/v1beta1
kind: Preference
credentialPluginPolicy: Allowlist
credentialPluginAllowlist:
- name: /usr/local/bin/cloudco-login
- name: get-identity
```

```yaml
# Default behavior: any credential plugin may run
apiVersion: kubectl.config.k8s.io/v1beta1
kind: Preference
credentialPluginPolicy: AllowAll
```

```yaml
# Block every credential plugin
apiVersion: kubectl.config.k8s.io/v1beta1
kind: Preference
credentialPluginPolicy: DenyAll
```
When NOT to use this
The official docs don't call out specific anti-patterns here. Use your judgment based on your scale and requirements.