Skip to content

[KEP-3104] Update KEP with credential plugin allowlist #5479

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

[KEP-3104] Update KEP with credential plugin allowlist #5479

wants to merge 5 commits into from
+35 −1

Conversation

pmengelbert
Copy link

@pmengelbert pmengelbert commented Aug 13, 2025
edited
Loading

  • One-line PR description: Update kuberc KEP with credential plugin allowlist
  • Other comments:

Currently, the kubeconfig may specify arbitrary binaries to run as
client-go credential plugins. Due to the fact that kubeconfig files are
often generated, and because they contain a lot of noise, there is
significant friction in manually inspecting the kubeconfig for
suspicious binaries after it is generated.

To encourage secure behavior, we want to introduce an allowlist to the
kuberc, which will describe the conditions under which a binary plugin
may be run. Currently the only condition is the name (absolute path or
basename of a binary found in PATH).

@pmengelbert
Update kuberc KEP with credential plugin allowlist
1496033 
Currently, the kubeconfig may specify arbitrary binaries to run as
client-go credential plugins. Due to the fact that kubeconfig files are
often generated, and because they contain a lot of noise, there is
significant friction in manually inspecting the kubeconfig for
suspicious binaries after it is generated.

To encourage secure behavior, we want to introduce an allowlist to the
kuberc, which will describe the conditions under which a binary plugin
may be run. Currently the only condition is the name (absolute path or
basename of a binary found in `PATH`).

Signed-off-by: Peter Engelbert <[email protected]>
@pmengelbert
Revise based on feedback
ce844ec 
- Describe behavior when allowlist is `nil`
- Describe behavior when allowlist is empty
- Describe future plans for field additions

Signed-off-by: Peter Engelbert <[email protected]>
@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Aug 13, 2025
edited
Loading

CLA Not Signed

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pmengelbert
Once this PR has been reviewed and has the lgtm label, please assign mpuckett159 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested a review from ardaguclu August 13, 2025 21:06
@k8s-ci-robot k8s-ci-robot added the kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory label Aug 13, 2025
@k8s-ci-robot k8s-ci-robot requested a review from soltysh August 13, 2025 21:06
@k8s-ci-robot k8s-ci-robot added the sig/cli Categorizes an issue or PR as relevant to SIG CLI. label Aug 13, 2025
@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Aug 13, 2025
@k8s-ci-robot
Copy link
Contributor

Welcome @pmengelbert!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 13, 2025
@github-project-automation github-project-automation bot moved this to Needs Triage in SIG CLI Aug 13, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @pmengelbert. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 13, 2025
@enj
Copy link
Member

enj commented Aug 14, 2025

/sig auth

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Aug 14, 2025
@enj
Copy link
Member

enj commented Aug 14, 2025

This LGTM from a SIG Auth perspective (I added us as a participating SIG).

@enj
Copy link
Member

enj commented Aug 14, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 14, 2025
@pmengelbert
Fix typos
692b82e 
Signed-off-by: Peter Engelbert <[email protected]>
@pmengelbert
Update TOC for KEP 3104
f8ed9ae 
Signed-off-by: Peter Engelbert <[email protected]>
@enj enj added this to SIG Auth Aug 15, 2025
@enj enj moved this to Needs Triage in SIG Auth Aug 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ardaguclu ardaguclu Awaiting requested review from ardaguclu

@soltysh soltysh Awaiting requested review from soltysh

Assignees
No one assigned
Labels
cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory ok-to-test Indicates a non-member PR verified by an org member that is safe to test. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cli Categorizes an issue or PR as relevant to SIG CLI. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
SIG Auth
Status: Needs Triage
SIG CLI
Status: Needs Triage
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pmengelbert @k8s-ci-robot @enj