The kubectl command-line tool has a hidden capability that most Kubernetes administrators don't think twice about: it can execute arbitrary programs on your machine with your full user privileges. This happens through the exec credential plugin mechanism, a legitimate feature designed to integrate external identity providers with cluster authentication. But here's the catch—if someone compromises the pipeline that generates your kubeconfig file, they could inject malicious executables that run every time you interact with your cluster.
Kubernetes 1.35 introduces a beta feature that gives administrators granular control over which credential plugins kubectl can execute. The new credential plugin policy and allowlist system, developed jointly by SIG-Auth and SIG-CLI, addresses a supply-chain vulnerability that has existed since exec plugins were introduced. While this feature has been available programmatically through the client-go library, version 1.35 makes it accessible to anyone using kubectl through simple configuration file changes.
Understanding the Security Gap
The exec credential plugin system works by reading the users[n].exec.command field in your kubeconfig file and running whatever executable is specified there. This design makes perfect sense for legitimate use cases—cloud providers and enterprise identity systems need a way to fetch short-lived credentials dynamically. The problem emerges when you consider the trust chain.
Most kubeconfig files aren't written by hand. They're generated by automation pipelines, downloaded from cluster provisioning tools, or created by infrastructure-as-code systems. If any point in that chain gets compromised—whether through a supply-chain attack on a dependency, a compromised CI/CD pipeline, or a malicious insider—an attacker could modify the exec.command field to point to malicious code. Every kubectl command you run would then execute that code with your privileges, potentially exfiltrating credentials, installing backdoors, or pivoting to other systems on your network.
The New Control Mechanism
The solution centers on a new configuration file called kuberc that kubectl reads on startup. By adding two fields—credentialPluginPolicy and credentialPluginAllowlist—you can enforce restrictions on plugin execution without modifying your application code. This works for any tool built on the client-go library, not just kubectl itself.
The policy field accepts three values. Setting it to AllowAll maintains backward compatibility and permits any plugin to run. The DenyAll option blocks all credential plugins entirely, which serves as a useful diagnostic tool. If you're unsure whether your workflows depend on exec plugins, set the policy to DenyAll and see what breaks. The error messages will tell you exactly which plugins kubectl is attempting to execute.
The most practical option is Allowlist, which requires you to explicitly enumerate trusted plugins. When you combine this with the credentialPluginAllowlist field, you create a whitelist of approved executables. Each entry can specify either a basename like "cloudco-login" or a full path like "/usr/local/bin/cloudco-login". Full paths are preferable because they prevent path-based attacks where a malicious binary with the same name gets placed earlier in your PATH variable.
Practical Implementation Strategies
Start by auditing your current kubeconfig files. Run kubectl with increased verbosity (--verbosity 5) to see exactly what's happening during authentication. Look for any exec sections in your kubeconfig and identify the executables being called. Many organizations discover they're running plugins they didn't know existed, often remnants from old cluster configurations or deprecated authentication methods.
For teams managing multiple clusters, standardize your kuberc configuration across all developer workstations. Distribute a baseline kuberc file through your configuration management system that sets the policy to Allowlist and includes only your organization's approved credential plugins. This creates a consistent security posture and makes it easier to detect anomalies.
Consider the operational impact before deploying restrictive policies. If you set DenyAll or use an incomplete allowlist, developers will lose cluster access until the configuration is corrected. Roll out changes gradually, starting with non-production environments, and provide clear documentation about which plugins are approved and how to request additions to the allowlist.
Technical Limitations and Workarounds
The current implementation doesn't support wildcards or glob patterns in the allowlist. You can't specify "/usr/local/bin/cloud*" to match multiple cloud provider plugins. Each executable requires its own allowlist entry. This design choice prioritizes security over convenience—explicit enumeration prevents attackers from exploiting pattern matching to sneak in malicious binaries.
Basename matching uses Go's exec.LookPath function, which searches your PATH environment variable. This introduces a subtle security consideration: if an attacker can modify your PATH to include a directory they control, they could place a malicious binary that matches an allowlisted basename. Always prefer full path specifications in production environments.
The feature is currently in beta, meaning the API might change before reaching stable status. However, beta features in Kubernetes are typically production-ready and enabled by default. The main risk is potential breaking changes in future versions, though the Kubernetes project maintains strong backward compatibility guarantees for beta APIs.
What's Coming Next
The SIG-CLI team is exploring additional verification mechanisms beyond simple name matching. Checksum verification would allow you to specify a SHA-256 hash alongside the executable path, ensuring that only a specific version of the binary can run. This would protect against scenarios where an attacker replaces a legitimate plugin with a modified version at the same path.
Code signing verification is another proposed enhancement. Instead of trusting a specific binary, you could trust any binary signed by a particular key. This would simplify plugin updates—when your cloud provider releases a new version of their credential plugin, it would automatically be trusted as long as it carries the correct signature. This approach mirrors how operating systems handle application trust and would integrate well with existing software distribution practices.
Broader Implications for Kubernetes Security
This feature represents a shift in how Kubernetes approaches client-side security. Historically, the project focused heavily on cluster-side controls—RBAC, network policies, pod security standards. Client-side security often got less attention, operating on an implicit trust model where the person running kubectl was assumed to be working with trusted configurations.
As Kubernetes adoption has grown, so has the sophistication of attacks targeting the ecosystem. Supply-chain compromises, compromised developer workstations, and malicious insiders are real threats that organizations face. The credential plugin policy acknowledges that kubeconfig files can't be blindly trusted, even when they come from your own infrastructure.
Organizations should view this feature as part of a defense-in-depth strategy. It won't prevent all attacks, but it raises the bar for attackers and provides an additional layer of protection. Combined with other security practices—code signing for your automation pipelines, regular audits of cluster access patterns, and principle of least privilege for service accounts—it contributes to a more robust security posture.
