KEP-3104 Feature Blog entry #52987
Conversation
Signed-off-by: Peter Engelbert <[email protected]>
Hi @pmengelbert thank you for opening this feature blog placeholder PR. I also see 81 changed files, is it correct? EDIT: can you also confirm that this is the feature blog placeholder PR for kubernetes/enhancements#3104?
fixed
that was because the branch was synced with
Specifically, it's for the addition of the credential plugin allowlist, which was recently added to KEP 3104 via an update.
Nice, thank you @pmengelbert !
Hi @pmengelbert 👋 v1.35 Communications team here, @helayoty as author of #52897, I'd like you to be a writing buddy for @pmengelbert on this PR. Please:
- Review this PR, paying attention to the guidelines <https://kubernetes.io/docs/contribute/blog/guidelines/> and review hints <https://kubernetes.io/docs/contribute/blog/writing-buddy/#pull-request-review>
- Update your own PR based on any best practices you identify that should be applied
- Remember to be compassionate with your fellow article author
@graz-dev, it looks as though two numbers have been transposed in the
issues. My issue is 52987, and @helayoty 's issue is 52897 -- they contain
the same numbers but in different orders.
…On Mon, Nov 17, 2025 at 4:15 AM Graziano Casto ***@***.***> wrote:
*graz-dev* left a comment (kubernetes/website#52987)
<#52987 (comment)>
Hi @pmengelbert <https://github.com/pmengelbert> 👋 v1.35 Communications
team here,
@helayoty <https://github.com/helayoty> as author of #52897
<#52897>, I'd like you to be a writing
buddy <https://kubernetes.io/docs/contribute/blog/writing-buddy/> for @XX
<https://github.com/XX> on this PR.
Please:
- Review this PR, paying attention to the guidelines
<https://kubernetes.io/docs/contribute/blog/guidelines/> and review
hints
<https://kubernetes.io/docs/contribute/blog/writing-buddy/#pull-request-review>
- Update your own PR based on any best practices you identify that
should be applied
- Remember to be compassionate with your fellow article author
Signed-off-by: Peter Engelbert <[email protected]>
Hi @pmengelbert the meaning of my message is having @helayoty as a buddy for you to review the content of this PR since they are the author of another feature blog (#52897).
Hi @pmengelbert 👋 -- this is Graziano (@graz-dev) from the v1.35 Communications Team! Just a friendly reminder that we are approaching the feature blog "ready for review" deadline: Friday 21st November. We ask you to have the blog PR in non-draft state, and all write-up to be complete, so that we can start the blog review from SIG Docs Blog team. If you have any questions or need help, please don't hesitate to reach out to me or any of the Communications Team members. We are here to help you!
/assign @helayoty
helayoty
left a comment
Added some comments.
| @@ -0,0 +1,105 @@ | |||
| --- | |||
| layout: blog | |||
| title: "Kubernetes v1.35: Protect your Machine from Untrusted Executables with the Credential Plugin Policy and Allowlist" | |||
I'd recommend shortening the blog title.
done
| To give the user more control over what gets run on their system, kubernetes | ||
| 1.35 adds the credential plugin policy and allowlist. This is available to all |
- What clients? Why does kuberc have more impact? This needs clarification or the statement should be reconsidered
- What state is this feature at? (alpha, beta, GA)
- Does user need to enable any feature gate/config? If yes, we need to mention it.
Agree, only kubectl reads and knows kuberc, if there are other consumers, we don't quite care about that. So let's explicitly say kubectl here.
| --- | ||
|
|
||
| Did you know that `kubectl` can run arbitrary executables -- including shell | ||
| scripts -- with the full priveleges of the invoking user, and without your |
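Review bot: the opening sentence should say where the executable comes from, because that is the whole threat: the `exec` block of a user entry in the kubeconfig names the `command`, and the same block supplies the `args` and `env` it runs with, so a kubeconfig you did not write controls not only which binary runs but how it is invoked. Stating that up front makes the "do you trust the pipeline that generated your kubeconfig" question land.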
nit: priveleges-> privileges
| you probably see the problem: do you know what your `kubeconfig` is running on | ||
| your machine? Do you trust the pipeline that generated your `kubeconfig`? | ||
|
|
||
| To give the user more control over what gets run on their system, kubernetes |
nit: kubernetes -> Kubernetes
This statement is confusing, I'd probably say that SIG-Auth and SIG-CLI decided to add to Kubernetes 1.35.
| you probably see the problem: do you know what your `kubeconfig` is running on | ||
| your machine? Do you trust the pipeline that generated your `kubeconfig`? |
I'd add few scenarios for the actual threats. (supply chain attacks, compromised pipelines, etc... )
It would be nice, I agree.
| If you *don't know* whether or not you're using exec credential plugins, try | ||
| setting your policy to `DenyAll`: |
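Review bot: `DenyAll` is fail-closed, so it will also block the plugins the reader genuinely depends on, for every context that uses exec authentication. Say plainly that this is a probing step to surface what the kubeconfig would run, that the expected follow-up is an allowlist rather than leaving kubectl broken, and quote the resulting error right here so readers recognise it when it appears.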
Is there any config user need to consider for the rollout?
I'd rather ask, how user can verify what breaks when they try to use it. Eg. if you run into issues try running kubectl get pods with increased logging --verbosity=5 or whatever log-level will provide sufficient information for the user to identify problems. Bonus points if you can point explicit log lines that will suggest what's failing and why.
Ah got it. Done :)

@graz-dev What is the right format to add blog file? Create a folder under
| If you *are* using credential plugins, you'll quickly find out what `kubectl` is | ||
| trying to execute. You'll get an error like the following. | ||
|
|
||
| > Unable to connect to the server: getting credentials: plugin "cloudco-login" not allowed: policy set to "DenyAll" |
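Review bot: the quoted error names the plugin as `cloudco-login`, a bare name. State whether the message prints the `command` string exactly as written in the kubeconfig or the path it resolved to, because readers will paste this value straight into an allowlist entry, and the allowlist section later says the full path is the form to prefer.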
This should be moved to the previous paragraph where you covered DenyAll.
| `exec.LookPath`. Both forms (basename and full path) are acceptable, but the | ||
| full path is preferable because it narrows the scope of allowed binaries even | ||
| further. | ||
|
|
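Review bot: the basename form needs its caveat stated next to it: a bare-name entry is satisfied by whichever binary of that name `exec.LookPath` finds first on the reader's `PATH` at the moment kubectl runs, so the allowlist is then only as strong as `PATH` is (a writable directory early in `PATH` defeats it). The full-path form pins one file on disk, which is the concrete reason it "narrows the scope". Also spell out that names are compared literally with no globbing, and whether several entries are alternatives (any single match suffices).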
Probably worth explaining if glob-ing is allowed, and the difference between AND-ed and OR-ed names, as described in #52877 where I asked for explicit examples.
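To make the matching semantics under discussion concrete, here is a small Go model of the decision, written for this review; it is not code from client-go or kubectl. It takes only three facts from the post as shown here: a `DenyAll` policy exists, an allowlist entry has a single `name` field, and commands are resolved with `exec.LookPath`. Everything else is an assumption of this example: the names `AllowAll` and `Allowlist` for the other modes, that a full-path entry is compared against the path `exec.LookPath` resolves for the kubeconfig's command, that a bare entry is compared against the basename of that resolved path, that names are compared literally (no globbing), and that entries are alternatives. The type and function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// Policy names: DenyAll is taken from the post, the other two are assumed
// for this example and are not client-go identifiers.
type Policy string

const (
	PolicyAllowAll  Policy = "AllowAll"
	PolicyDenyAll   Policy = "DenyAll"
	PolicyAllowlist Policy = "Allowlist"
)

// AllowlistEntry has a single field, as the post says the beta shape does.
// Name is either an absolute path or a bare executable name.
type AllowlistEntry struct {
	Name string
}

// ErrNotAllowed marks a policy rejection, as opposed to a lookup failure.
var ErrNotAllowed = errors.New("not allowed")

// PluginAllowed decides whether the command named in a kubeconfig exec block
// may run, and returns the path that would actually be executed.
// Assumed semantics (this example's, not client-go's):
//   - the command is resolved with exec.LookPath, so a bare command name
//     yields whatever PATH finds first;
//   - an absolute-path entry must equal the resolved path exactly;
//   - a bare-name entry must equal the basename of the resolved path;
//   - names are compared literally, there is no globbing;
//   - any single matching entry suffices.
func PluginAllowed(command string, policy Policy, allowlist []AllowlistEntry) (string, error) {
	switch policy {
	case PolicyAllowAll:
		return command, nil
	case PolicyDenyAll:
		return "", fmt.Errorf("plugin %q %w: policy set to %q", command, ErrNotAllowed, policy)
	case PolicyAllowlist:
		resolved, err := exec.LookPath(command)
		if err != nil {
			// A lookup failure is reported as such, not as a policy decision.
			return "", fmt.Errorf("plugin %q: %w", command, err)
		}
		base := filepath.Base(resolved)
		for _, e := range allowlist {
			switch {
			case e.Name == "":
				continue
			case filepath.IsAbs(e.Name):
				// A full path pins one file on disk.
				if e.Name == resolved {
					return resolved, nil
				}
			default:
				// A bare name accepts any file of that name PATH resolves to,
				// so it is only as strong as the PATH it is evaluated under.
				if e.Name == base {
					return resolved, nil
				}
			}
		}
		return "", fmt.Errorf("plugin %q (resolved to %q) %w: no allowlist entry matches", command, resolved, ErrNotAllowed)
	default:
		return "", fmt.Errorf("unknown credential plugin policy %q", policy)
	}
}

func main() {
	// Constructed sample allowlist: one bare-name entry and one pinned path.
	allowlist := []AllowlistEntry{
		{Name: "cloudco-login"},
		{Name: "/usr/local/bin/cloudco-login"},
	}
	for _, policy := range []Policy{PolicyDenyAll, PolicyAllowlist} {
		path, err := PluginAllowed("cloudco-login", policy, allowlist)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		fmt.Println(policy, "->", path)
	}
}
```

Running it with a `cloudco-login` somewhere on `PATH` prints the resolved path for the allowlist case and the `DenyAll` rejection for the other; the rejection text deliberately mirrors the error message quoted in the post. The bare-name branch is where the weakness the reviewers are circling lives: it accepts the first file of that name on the caller's `PATH`, so the pinned-path entry is the one that actually narrows what can run.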
|
|
||
| ## Get involved | ||
|
|
||
| The credential plugin policy and allowlist has reached beta, and we are very interested |
This is misleading, let's be explicit that kuberc is beta, Plugin Policy is just part of the extensions happening while we're at beta. I don't want to give false impressions and confuse our users.
Was not trying to intentionally mislead, it's an artifact of using the prior kuberc blog post as scaffolding. I'll fix this.
This issue is not resolved yet. The blog should be explicit about this distinction to avoid confusing users.
My mistake! Thanks for the clarification. This is my first time through the process :)
Co-authored-by: Maciej Szulik <[email protected]>
* Add note explaining that globbing does not work
* Add examples of threats
* Capitalize Kubernetes
* Clean up second paragraph
* Clean up language
* Describe how it's available to users of `client-go`
* Clarify no feature gates are needed
* Clarify this is a beta feature

Signed-off-by: Peter Engelbert <[email protected]>
/remove-language fr it ko pt zh

/assign @benjaminapetersen
helayoty
left a comment
one nit comment.
| To give the user more control over what gets run on their system, Sig-Auth and | ||
| Sig-CLI added the credential plugin policy and allowlist as a beta feature to |
| To give the user more control over what gets run on their system, Sig-Auth and | |
| Sig-CLI added the credential plugin policy and allowlist as a beta feature to | |
| To give the user more control over what gets run on their system, [SIG-Auth](https://git.k8s.io/community/sig-auth) and | |
| [SIG-CLI](https://git.k8s.io/community/sig-cli) added the credential plugin policy and allowlist as a beta feature to |
Even better: SIG Auth and SIG CLI (with a space); that's what our style guide recommends.
| credentialPluginPolicy: DenyAll | ||
| ``` | ||
|
|
||
| ### Selectively Allowing Plugins |
Since the below paragraph nicely flows into the debugging DenyAll, I'd probably move this paragraph start after the next paragraph. Specifically, after the example log message. So that you'll have:
### Selectively Allowing Plugins
What if you need the `cloudco-login` plugin...

(nit) We prefer to write headings in sentence case.
|
|
||
| ## Get involved | ||
|
|
||
| The credential plugin policy and allowlist has reached beta, and we are very interested |
Maybe reword it to something like:
| The credential plugin policy and allowlist has reached beta, and we are very interested | |
| The credential plugin policy is still under development, and we are very interested |
this will drop the unnecessary confusion, and leave the necessary room for input. We have docs which explain the exact state of the feature, and we also mentioned that earlier in this document. So let's keep it simple 😄
/label tide/merge-method-squash
|
|
||
| ## How it works | ||
|
|
||
| A full description of this functionality is available [in our official documentation](/docs/reference/kubectl/kuberc/), |
| A full description of this functionality is available [in our official documentation](/docs/reference/kubectl/kuberc/), | |
| A full description of this functionality is available in our [official documentation](/docs/reference/kubectl/kuberc/) for kuberc, |
| kind: Preference | ||
| credentialPluginPolicy: DenyAll | ||
| ``` | ||
|
|
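Review bot: the advice to check more than one context should tell the reader how to enumerate them (`kubectl config get-contexts`) and note that when `KUBECONFIG` lists several files it is the merged result that counts, so the exec entries of every file on that list need looking at. It is also worth saying that, because kubectl reads kuberc independently of whichever kubeconfig is in use, a `DenyAll` set here applies to every context at once.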
| If you have more than one kubeconfig client context, it's a good | |
| idea to check each of them before you continue. | |
| (basename and full path) are acceptable, but the full path is preferable because | ||
| it narrows the scope of allowed binaries even further. | ||
|
|
||
| ### Future Enhancements |
| ### Future Enhancements | |
| ### Future enhancements |
|
|
||
| ### Future Enhancements | ||
|
|
||
| Currently, an allowlist entry has only one field, `name`. In the future, we want |
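Review bot: since an entry carries only `name`, say explicitly what a match does and does not assert: it vouches for a path (or, for a bare name, for whatever `PATH` resolves), not for the binary's contents and not for the `args` and `env` the kubeconfig hands to it. Readers should not take the allowlist for an integrity check on the plugin, and making that clear here also motivates the future fields this section goes on to describe.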
| Currently, an allowlist entry has only one field, `name`. In the future, we want | |
| Currently, an allowlist entry has only one field, `name`. In the future, we (Kubernetes SIG CLI) want |
(avoid some people inferring that "we" means Microsoft)
| you'd like to see it solve. Or, if you have the cycles to contribute one of the | ||
| above enhancements, they'd be a great way to get started contributing to | ||
| Kubernetes. Feel free to join in the discussion on slack: | ||
| - [SIG-CLI](https://kubernetes.slack.com/archives/C2GL57FJ4), |
| - [SIG-CLI](https://kubernetes.slack.com/archives/C2GL57FJ4), | |
| - [#sig-cli](https://kubernetes.slack.com/archives/C2GL57FJ4), |
| above enhancements, they'd be a great way to get started contributing to | ||
| Kubernetes. Feel free to join in the discussion on slack: | ||
| - [SIG-CLI](https://kubernetes.slack.com/archives/C2GL57FJ4), | ||
| - [SIG-Auth](https://kubernetes.slack.com/archives/C0EN96KUY). No newline at end of file |
| - [SIG-Auth](https://kubernetes.slack.com/archives/C0EN96KUY). | |
| - [#sig-auth](https://kubernetes.slack.com/archives/C0EN96KUY). |
| To give the user more control over what gets run on their system, Sig-Auth and | ||
| Sig-CLI added the credential plugin policy and allowlist as a beta feature to | ||
| Kubernetes 1.35. This is available to all clients using the `client-go` library, | ||
| by filling out the `ExecProvider.PluginPolicy` struct on a REST config. To |
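Review bot: name the concrete types rather than "a REST config": in client-go this is the `ExecProvider` field of `rest.Config` (`k8s.io/client-go/rest`), whose type is `ExecConfig` from `k8s.io/client-go/tools/clientcmd/api`, and link to the field as the thread suggests. Also state what applies when a client-go consumer leaves the policy unset, since most existing callers will not set it and need to know whether their behaviour changes in 1.35.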
This isn't especially linked to REST in the sense I'd recognize. Can we reword?
Since this particular element is discussing client-go API bits, maybe strictly pointing to
ExecProvider.PluginPolicy type: https://github.com/kubernetes/client-go/blob/master/tools/clientcmd/api/types.go#L290 would help clarifying this?
| Sig-CLI added the credential plugin policy and allowlist as a beta feature to | ||
| Kubernetes 1.35. This is available to all clients using the `client-go` library, | ||
| by filling out the `ExecProvider.PluginPolicy` struct on a REST config. To | ||
| broaden the impact of this change, we made it easy to configure `kubectl` to use |
| broaden the impact of this change, we made it easy to configure `kubectl` to use | |
| broaden the impact of this change, Kubernetes v1.35 also lets you manage this without | |
| writing a line of application code. You can configure `kubectl` to enforce |
?
| @@ -0,0 +1,114 @@ | |||
| --- | |||
| layout: blog | |||
| title: "Kubernetes v1.35: Protect your Machine from Untrusted Executables with the Credential Plugin Policy" | |||
This could be snappier; what do you think of:
| title: "Kubernetes v1.35: Protect your Machine from Untrusted Executables with the Credential Plugin Policy" | |
| title: "Kubernetes v1.35: Protection Against Trojan Horse Kubeconfig Files" |
I personally prefer the original.
Is there a different version where people who only read the title can easily figure out what they are skipping?
Not sure I understand what you're asking for, but I believe the original title answers the question what, maybe we can expand on the where part. As in, adding "in kuberc", although that makes it too long and somewhat clumsy.
Hi @pmengelbert, can you please implement the pending suggestions? Thank you.