
Kubernetes v1.36 Deprecates Service ExternalIPs Over Security Concerns – Migrate Now

Asked 2026-05-18 01:06:49 Category: Cybersecurity

Breaking: Kubernetes v1.36 Officially Deprecates Service ExternalIPs

The Kubernetes project has formally deprecated the .spec.externalIPs field for Services in the v1.36 release, citing unresolved security vulnerabilities. This feature, originally designed to offer cloud load-balancer-like functionality for non-cloud clusters, is now considered a persistent threat vector.

The weakness, tracked as CVE-2020-8554, stems from the fact that the externalIPs API assumes all cluster users are fully trusted, an assumption that is rarely true in production environments. Because any user who can create or edit a Service can set the field, it enables attacks such as IP spoofing and traffic hijacking within the cluster.

"The security problems are still there, and as a project we're increasingly unhappy with the 'insecure by default' state of the feature," said a spokesperson for the Kubernetes SIG Network. "We strongly advise all users to stop using .spec.externalIPs and enable the DenyServiceExternalIPs admission controller immediately."

Background: A Long-Standing Security Issue

Since Kubernetes 1.21, the project has recommended disabling .spec.externalIPs. An admission controller, DenyServiceExternalIPs, was added to facilitate this, but enabling it by default was deemed too disruptive at the time.

Now, with better alternatives available, the community has decided to remove the feature entirely in a future minor release. "We expect that a future minor release of Kubernetes will drop implementation of the behavior from kube-proxy and update the conformance criteria to require that conforming implementations do not provide support," the SIG Network added.

Alternatives to ExternalIPs

If you are using .spec.externalIPs, the easiest migration is to switch to a manually managed Service of type LoadBalancer. This approach behaves essentially the same as externalIPs, with one key difference: the load balancer IP is placed in .status (under loadBalancer.ingress), not in .spec. With RBAC enabled, ordinary users cannot edit .status by default, which greatly reduces the attack surface.

Other alternatives include using node ports, host networking, or third-party load balancers such as MetalLB. The Kubernetes documentation provides step-by-step migration guides for each option.

What This Means for Your Cluster

If you are not setting externalIPs in any of your Services, this deprecation does not directly affect you. However, as a precaution, enable the DenyServiceExternalIPs admission controller to block any future use of the field.

For those still using externalIPs, immediate action is required: plan migration now to avoid breakage in future Kubernetes versions. The deprecation signals that full removal is imminent, and clusters relying on this feature will fail conformance tests.

Note: The term "external IP" is overloaded in Kubernetes. This deprecation only applies to the .spec.externalIPs field on Services, not to Node external IPs or the EXTERNAL-IP column shown by kubectl for LoadBalancer Services.
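As an added example (not code from the article or the Kubernetes project), the following Python audit flags Services that still set .spec.externalIPs, leaves LoadBalancer Services whose address lives only in .status alone, and checks a kube-apiserver argument list for the DenyServiceExternalIPs plugin. The Service list is constructed in the shape `kubectl get svc -A -o json` returns, and the example assumes the plugin is enabled through the apiserver's --enable-admission-plugins flag.

```python
import json

# Constructed sample in the shape `kubectl get svc -A -o json` returns,
# trimmed to the fields the audit needs (not output from a real cluster).
SAMPLE_SERVICE_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "legacy", "name": "web"},
         "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
        {"metadata": {"namespace": "prod", "name": "api"},
         "spec": {"type": "LoadBalancer"},
         "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.20"}]}}},
        {"metadata": {"namespace": "prod", "name": "db"},
         "spec": {"type": "ClusterIP"}},
    ],
})


def find_external_ip_services(service_list_json):
    """Return (namespace, name, ips) for every Service that sets the deprecated
    .spec.externalIPs field. A LoadBalancer Service whose address appears only
    in .status.loadBalancer.ingress is not reported: that is the supported form."""
    doc = json.loads(service_list_json)
    hits = []
    for svc in doc.get("items", []):
        ips = svc.get("spec", {}).get("externalIPs") or []
        if ips:
            meta = svc["metadata"]
            hits.append((meta["namespace"], meta["name"], list(ips)))
    return hits


def admission_plugin_enabled(apiserver_args, plugin="DenyServiceExternalIPs"):
    """Check a kube-apiserver argument list for `plugin` in
    --enable-admission-plugins (accepts '--flag=a,b' and '--flag a,b' forms)."""
    enabled = set()
    for i, arg in enumerate(apiserver_args):
        if arg.startswith("--enable-admission-plugins="):
            enabled.update(arg.split("=", 1)[1].split(","))
        elif arg == "--enable-admission-plugins" and i + 1 < len(apiserver_args):
            enabled.update(apiserver_args[i + 1].split(","))
    return plugin in {p.strip() for p in enabled}


if __name__ == "__main__":
    for ns, name, ips in find_external_ip_services(SAMPLE_SERVICE_LIST):
        print(f"{ns}/{name} still sets .spec.externalIPs: {ips}")
    args = ["kube-apiserver", "--enable-admission-plugins=NodeRestriction"]
    print("DenyServiceExternalIPs enabled:", admission_plugin_enabled(args))
```

Point find_external_ip_services at the real `kubectl get svc -A -o json` output to get the list of Services that need migrating before the field is removed.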

— Reporting by the Kubernetes Security Team