Saved February 14, 2026
Do you care about this?
Kubernetes v1.35 introduces a security feature that lets users control which executables a kubeconfig may run. By configuring a policy and allowlist in the kuberc file, users can block or permit specific credential plugins, reducing exposure to supply-chain attacks delivered through kubeconfig files.
If you do, here's more
Kubernetes v1.35 introduces a credential plugin policy and allowlist feature that restricts which executables can be run through a kubeconfig. A kubeconfig names such an executable in its `users[n].exec.command` field, and kubectl runs it to obtain credentials. This exec mechanism is what lets a kubeconfig fetch credentials from an external identity provider, but it also means that a malicious or tampered kubeconfig can point at any executable, opening the door to supply-chain attacks that run arbitrary commands on the user's machine.
To mitigate this risk, Kubernetes now lets users enforce a policy on credential plugins. No additional application code is needed; the policy is set in the kuberc configuration file. Three policies are available: AllowAll (the default, which permits every plugin), DenyAll (which blocks every plugin and, because each blocked invocation is reported, helps identify which plugins are actually in use), and Allowlist (which permits only the plugins listed). Allowlist entries can be written either as a full path or as a bare basename; full paths are recommended because a basename entry matches a file of that name in any directory.
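As an added illustration, not kubectl's own code and without guessing the kuberc field names, here is a small Python model of how the three policies decide whether a kubeconfig's `users[n].exec.command` may run. The kubeconfig, user names and plugin paths are constructed for the example; it also shows why a basename entry is looser than a full-path entry.

```python
import os

POLICIES = ("AllowAll", "DenyAll", "Allowlist")

# Constructed sample kubeconfig (a dict standing in for the YAML file). Two users
# delegate to an exec credential plugin; the third uses a static token and runs nothing.
SAMPLE_KUBECONFIG = {
    "users": [
        {"name": "dev", "user": {"exec": {"command": "/usr/local/bin/example-auth-plugin"}}},
        {"name": "ci", "user": {"exec": {"command": "/home/dev/Downloads/example-auth-plugin"}}},
        {"name": "svc", "user": {"token": "placeholder-token"}},
    ]
}

def exec_commands(kubeconfig):
    """Collect (user name, command) for every users[n].exec.command entry."""
    found = []
    for entry in kubeconfig.get("users", []):
        exec_cfg = entry.get("user", {}).get("exec") or {}
        if exec_cfg.get("command"):
            found.append((entry["name"], exec_cfg["command"]))
    return found

def entry_matches(allow_entry, command):
    """A full-path entry must equal the command exactly; a bare basename entry
    matches that file name in any directory, which is why full paths are tighter."""
    if os.path.basename(allow_entry) != allow_entry:  # entry carries a directory part
        return allow_entry == command
    return os.path.basename(command) == allow_entry

def evaluate(kubeconfig, policy, allowlist=()):
    """Map each (user, command) to True (plugin may run) or False (blocked)."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}; expected one of {POLICIES}")
    decisions = {}
    for user, command in exec_commands(kubeconfig):
        if policy == "AllowAll":
            allowed = True
        elif policy == "DenyAll":
            allowed = False
        else:
            allowed = any(entry_matches(e, command) for e in allowlist)
        decisions[(user, command)] = allowed
    return decisions

if __name__ == "__main__":
    # DenyAll doubles as an inventory step: every blocked command is a plugin in use.
    for (user, cmd), ok in evaluate(SAMPLE_KUBECONFIG, "DenyAll").items():
        print(f"{user}: {cmd} -> {'allowed' if ok else 'blocked'}")
    print(evaluate(SAMPLE_KUBECONFIG, "Allowlist", ["/usr/local/bin/example-auth-plugin"]))
    print(evaluate(SAMPLE_KUBECONFIG, "Allowlist", ["example-auth-plugin"]))
```

With the full-path allowlist only the `dev` plugin is permitted, while the basename allowlist also permits the copy under `Downloads`.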
Future enhancements may add further requirements on allowlist entries, such as checksum verification or restricting plugins to those signed by trusted keys. The Kubernetes team is seeking user feedback to improve this feature and encourages community contributions to its development.