Container Orchestration

2026-05-15 23:08:42

5 Crucial Changes in Kubernetes 1.36: The End of Service ExternalIPs

Kubernetes 1.36 deprecates Service externalIPs due to security flaws. Learn why, how to protect your cluster, and what alternatives to use.

Kubernetes 1.36 marks a significant turning point for cluster security: the .spec.externalIPs field for Services is formally deprecated. This feature, once an early attempt to mimic load-balancer behavior in non-cloud environments, has long been a security weak point. In this listicle, we explore the reasons behind this deprecation, what it means for your clusters, and how to prepare for its eventual removal.

1. What Is .spec.externalIPs and Why Is It Being Deprecated?

The .spec.externalIPs field allowed you to assign arbitrary IP addresses to a Service, making it respond on those IPs as if it had a load balancer. Originally designed for bare-metal or on-premises clusters lacking cloud load balancers, this feature assumed all cluster users were fully trusted. In reality, that assumption is rarely safe. Since Kubernetes 1.21, the community strongly recommended disabling it, but it remained enabled by default. Now, with version 1.36, the field is officially deprecated, signaling that future releases will strip out the implementation from kube-proxy and update conformance requirements.


2. The Security Nightmare: CVE-2020-8554

The primary driver for deprecation is the security vulnerability cataloged as CVE-2020-8554. This flaw allows any user who can create or modify a Service to hijack arbitrary IPs, including those belonging to other services or external hosts. An attacker could intercept traffic, launch man-in-the-middle attacks, or exfiltrate data. RBAC alone could not contain it: externalIPs is an ordinary field of the Service object, so any role that grants create or update on Services grants the ability to set it, and there was no separate permission to withhold. The Kubernetes Security Audit highlighted this as a top risk, and the project has been working toward secure defaults ever since.

3. From Recommendation to Mandate: The Deprecation Timeline

The journey began with Kubernetes 1.21, which recommended disabling .spec.externalIPs and introduced the DenyServiceExternalIPs admission controller. However, SIG Network deemed a full default disable too disruptive. Over subsequent releases, the community grew increasingly uncomfortable with the insecure-by-default stance. Kubernetes 1.36 finally marks the official deprecation. Expect that in the next minor version (likely 1.37 or 1.38), kube-proxy will stop implementing the behavior, and conformance tests will require implementations to ignore the field.

4. How to Protect Your Cluster Now: The DenyServiceExternalIPs Admission Controller

Even if you don't use externalIPs, you should enable the DenyServiceExternalIPs admission controller as a precaution. This controller rejects any Service that sets .spec.externalIPs, preventing accidental or malicious use. To enable it, pass --enable-admission-plugins=DenyServiceExternalIPs to the API server; the flag takes a single comma-separated list, so keep any plugins already listed there (for example --enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs). In multi-tenant clusters or environments with untrusted users, this is a critical hardening step that doesn’t break existing workloads (unless they rely on the deprecated field).

5. What About "External IP"? Avoiding Terminology Confusion

The phrase "external IP" is overloaded in Kubernetes. This deprecation only affects the .spec.externalIPs field on Services. It does not affect:

  • The ExternalIP type in the Node .status.addresses field – these represent node public IPs and are safe.
  • The EXTERNAL-IP column shown by kubectl for LoadBalancer Services – that shows the cloud load balancer IP and remains valid.

If you are not setting externalIPs in your Service manifests, this change does not apply to you. But still consider enabling the admission controller for future-proofing.

6. Alternative: Switch to Manually Managed LoadBalancer Services

The simplest (though not ideal) alternative is to change your Service type from ClusterIP to LoadBalancer and assign a load balancer IP manually. For example, replace externalIPs: ["192.0.2.4"] with spec.loadBalancerIP: "192.0.2.4" and set type: LoadBalancer. The key advantage: the address the Service actually answers on is the one the load-balancer controller records in .status.loadBalancer.ingress, and status is a separate subresource that ordinary RBAC roles do not let users write, whereas externalIPs is plain .spec data controlled by anyone who can edit the Service. However, this only works well in environments with a functioning load balancer controller (e.g., MetalLB for bare metal).
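As an added example (not code from the original post), the audit-and-migrate step that sections 4 and 6 describe, run over a constructed stand-in for `kubectl get svc -A -o json`: flag every Service still setting `.spec.externalIPs`, draft its `type: LoadBalancer` replacement, and check a kube-apiserver argv for the DenyServiceExternalIPs plugin. The namespaces, names and addresses are made up; `spec.loadBalancerIP` is used to match the article, although the Service API has marked that field deprecated since v1.24 in favour of controller-specific annotations.

```python
"""Audit Services for the deprecated .spec.externalIPs field and draft the
type: LoadBalancer replacement. Added example; input is constructed, not a cluster."""
import copy
import json

# Constructed stand-in for `kubectl get svc -A -o json`: one Service still
# sets externalIPs (the CVE-2020-8554 exposure), one does not.
SAMPLE_SVC_LIST = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"namespace": "shop", "name": "checkout"},
   "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.12",
            "externalIPs": ["192.0.2.4"],
            "ports": [{"port": 443, "targetPort": 8443}]}},
  {"metadata": {"namespace": "shop", "name": "catalog"},
   "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.13",
            "ports": [{"port": 80, "targetPort": 8080}]}}
]}
""")

def find_external_ip_services(svc_list):
    """Return (namespace, name, externalIPs) for each Service that sets the field."""
    hits = []
    for item in svc_list.get("items", []):
        ips = item.get("spec", {}).get("externalIPs") or []
        if ips:
            meta = item["metadata"]
            hits.append((meta["namespace"], meta["name"], list(ips)))
    return hits

def migrate_to_loadbalancer(svc):
    """Drop externalIPs, set type: LoadBalancer and request the same address via
    spec.loadBalancerIP (kept to match the article; the Service API has marked it
    deprecated since v1.24 in favour of controller annotations). It holds a single
    address, so a Service with several externalIPs must be split, not truncated."""
    ips = svc.get("spec", {}).get("externalIPs") or []
    if len(ips) != 1:
        raise ValueError(f"expected exactly one externalIP to migrate, got {ips}")
    out = copy.deepcopy(svc)          # never mutate the audited object in place
    out["spec"].pop("externalIPs")
    out["spec"]["type"] = "LoadBalancer"
    out["spec"]["loadBalancerIP"] = ips[0]
    return out

def deny_plugin_enabled(apiserver_args):
    """True if a kube-apiserver argv lists DenyServiceExternalIPs in the
    comma-separated --enable-admission-plugins=... value (section 4's flag)."""
    for arg in apiserver_args:
        if arg.startswith("--enable-admission-plugins="):
            return "DenyServiceExternalIPs" in arg.split("=", 1)[1].split(",")
    return False
```

Feed the real cluster output in with `json.load(sys.stdin)` in place of the sample to get the list of Services to migrate before the field is removed.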

7. Better Alternatives: Modern Solutions for Non-Cloud Clusters

For production environments, consider more robust approaches:

  • MetalLB: A bare-metal load balancer that assigns IPs via a pool, integrating with type: LoadBalancer.
  • ExternalDNS: To automatically map public DNS to your Services.
  • Gateway API: The new standard for advanced traffic routing, with support for multiple gateways and better security.
  • Network Policies: To restrict traffic at the IP level without relying on externalIPs.

These alternatives provide the same (or better) functionality while respecting security boundaries and avoiding the pitfalls of CVE-2020-8554.

Conclusion

The deprecation of .spec.externalIPs in Kubernetes 1.36 is a welcome security improvement. While it may require some migration effort, the long-term benefits—reduced attack surface, clearer security posture, and alignment with modern networking practices—far outweigh the inconvenience. Start by enabling the DenyServiceExternalIPs admission controller, audit your existing Services, and plan to adopt one of the alternatives before the feature is fully removed. Your cluster will be safer for it.