What is Kubernetes 1.35 exec plugin allowList?

It's a beta kubectl config feature that whitelists credential plugin executables, blocking arbitrary code from kubeconfigs.

How to enable credentialPluginPolicy in kubectl?

Add credentialPluginPolicy: DenyAll (or Allowlist with names) to ~/.config/kubectl/preferences.yaml under Preference kind.

Does Kubernetes 1.35 require feature gates for this?

Nope—available out of the box in beta, no gates needed.

🤖 AI Dev Tools

Kubernetes 1.35 Finally Tames Wild Kubeconfig Executables with Exec Plugin AllowList

Picture this: your kubeconfig quietly firing off a shady script on your machine. Kubernetes 1.35 slams the door with an exec plugin allowlist, handing you god-mode control over credential plugins.

DevTools Feed Apr 03, 2026 3 min read 11 views

Illustration of a locked Kubernetes kubeconfig blocking rogue executables

⚡ Key Takeaways

Kubernetes 1.35 adds exec plugin allowList to kubeconfig, blocking rogue executables by default. 𝕏
Set policy to DenyAll first to audit plugins, then whitelist trusted ones by path or name. 𝕏
Future: checksums and signatures will make this unbreakable against supply-chain attacks. 𝕏

Published by

DevTools Feed

Ship faster. Build smarter.

#Kubernetes 1.35 #exec plugin allowlist #kubeconfig safety #kubeconfig security #kubectl security #supply chain attacks

Worth sharing?

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by Kubernetes Blog

⚡ Key Takeaways

The 60-Second TL;DR

DevTools Feed

Share this article

Worth sharing?

Related Stories

GitHub Actions 2026: Lockfiles and Policies to Bulletproof CI/CD

Rust's Aegis-Scan Catches npm Malware npm Audit Ignores—Here's Why It Matters

ESLint Creator Nicholas Zakas: GitHub's npm Fixes Are Mere Table Stakes

790,000 Downloads a Month: TeamPCP Hijacks CI/CD Pipelines at Scale

Stay in the loop