Re: Release Exception for KEP-3104

[Jordan Liggitt]

I think the exception request is reasonable:

• impactful functionality to make available
• off-by-default / opt-in, ~no risk to users who don't opt into the new feature, no change in default behavior
• a bounded timeline for the exception (EOD Tuesday, 11/11)
• several rounds of detailed reviews from sig-cli, sig-auth, and API reviewers have already been completed; I suspect we're down to one more round of updates required

That said, I am not confident I'll have review time to give the updates it between now and Tuesday.

I'm +1 on approving the exception and trying to get it in, but if it isn't merged by EOD Tuesday, it will just miss (we wouldn't extend the exception because of reviewer availability).

On Friday, November 7, 2025 at 9:59:34 AM UTC-5 i...@monis.app wrote:

+1 from me, this is off by default behavior that fixes a long standing security issue with client-go credential plugins.

On Wednesday, November 5, 2025 at 9:01:00 AM UTC-5 Peter Engelbert wrote:

I am resending this since one of the email addresses had a typo, thereby splitting the thread.

• Enhancement name:
• Add client-go credential plugin allowlist to kuberc
• Enhancement status (alpha/beta/stable):
• beta
• SIG:
• sig-cli, sig-auth, sig-api-machinery
• k/enhancements repo issue #:
• #3104
• PR #’s:
• https://github.com/kubernetes/kubernetes/pull/134870
• Additional time needed (in calendar days, due end of day AoE):
• 5 (depending on reviewer availability)
• Reason this enhancement is critical for this milestone: 
• Not critical - Beta feature launch
• Risks from adding code late:
• Low: All feature code is behind a Beta API
• Risks from cutting enhancement:
• Lengthened timeline on useful user security knob
• Enhancement proposal approved for 1.35

Additional time will be used by reviewers from sig-auth and sig-api-machinery who need to weigh in, as well as myself in addressing feedback from the additional reviews.