Kubernetes Sounds Death Knell for Insecure Service ExternalIPs Feature

The Kubernetes project has formally deprecated the .spec.externalIPs field for Services in version 1.36, citing critical security vulnerabilities that have plagued the feature for years. This marks a decisive move toward eliminating a known attack vector that allows unprivileged users to intercept traffic.

“The security problems are still there, and as a project we're increasingly unhappy with the insecure-by-default state of the feature,” said a SIG Network representative. “Now that better alternatives exist for non-cloud clusters, it's time to sunset this unsafe API.”

A future minor release is expected to remove the behavior entirely from kube-proxy and update conformance criteria to bar support for externalIPs in conforming implementations.

Background: Why ExternalIPs Was a Security Nightmare

The .spec.externalIPs field was an early attempt to give non-cloud clusters load-balancer-like capabilities. However, the design assumed all cluster users are fully trusted. In practice, that assumption is rarely safe.

According to CVE-2020-8554, an attacker who can create or update a Service can set an arbitrary external IP, such as that of a cloud metadata server, enabling traffic interception or denial-of-service. Since Kubernetes 1.21, the project has recommended disabling the field via the DenyServiceExternalIPs admission controller, but the feature remained enabled by default.

“At the time, SIG Network felt blocking the functionality by default was too large a breaking change to consider,” the representative explained. “But the risk has only grown, and the project no longer tolerates this insecure default.”

Alternatives to ExternalIPs

If you currently use .spec.externalIPs, the project urges migration to one of the following safer options:

  • Manually-managed LoadBalancer Services: Switch to type: LoadBalancer and assign a load balancer IP by hand. This places the IP in .status, which, with RBAC, cannot be edited by ordinary users—a critical security improvement.
  • MetalLB or other load-balancer implementations: For bare-metal and non-cloud environments, projects like MetalLB provide dynamic IP assignment without the trust flaws of externalIPs.
  • NodePort or HostPort: For simple cases, exposing Services via NodePort or using host networking can work, though with less flexibility.

A Service definition that currently uses externalIPs can be updated by removing the externalIPs entry, changing the Service to type: LoadBalancer, and assigning the load balancer IP by hand, as described in the first alternative above.
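To make that migration concrete, the following Python script rewrites a Service that relies on .spec.externalIPs into a manually-managed LoadBalancer Service. It is an added example, not code from the Kubernetes project or from this article; the Service name, namespace and the 203.0.113.10 address are constructed sample values. It emits two artifacts: the spec manifest that anyone with ordinary write access would apply, and a separate status patch that carries the hand-assigned IP into .status.loadBalancer.ingress, which is exactly the part RBAC can keep out of ordinary users' hands.

```python
"""Rewrite an externalIPs Service as a manually-managed LoadBalancer Service.

Added example; not the Kubernetes project's code. Sample values are constructed.
"""
import copy
import json
from typing import List, Tuple

# Constructed sample: a Service as it might look today, publishing an address
# through the deprecated .spec.externalIPs field. The address is from the
# 203.0.113.0/24 documentation range and is not a real host.
LEGACY_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "selector": {"app": "web"},
        "ports": [{"port": 80, "targetPort": 8080, "protocol": "TCP"}],
        "externalIPs": ["203.0.113.10"],
    },
}


def migrate_to_loadbalancer(service: dict) -> Tuple[dict, dict]:
    """Return (spec_manifest, status_patch) for a Service using externalIPs.

    spec_manifest drops externalIPs and sets type: LoadBalancer; it contains
    nothing an unprivileged user could abuse, because the IP no longer lives in
    .spec. status_patch writes the same IP(s) into .status.loadBalancer.ingress,
    a subresource that ordinary users cannot edit under a normal RBAC setup.
    The input dict is left untouched.
    """
    ips = service.get("spec", {}).get("externalIPs") or []
    if not ips:
        raise ValueError("service does not use .spec.externalIPs; nothing to migrate")

    manifest = copy.deepcopy(service)
    del manifest["spec"]["externalIPs"]
    manifest["spec"]["type"] = "LoadBalancer"

    status_patch = {
        "status": {"loadBalancer": {"ingress": [{"ip": ip} for ip in ips]}}
    }
    return manifest, status_patch


def kubectl_commands(manifest: dict, status_patch: dict, manifest_file: str) -> List[str]:
    """Render the two commands an operator would run, in order.

    The status patch uses `kubectl patch --subresource=status`, available in
    kubectl 1.24 and later; the subject running it needs RBAC permission on
    services/status, which is the privilege boundary this migration relies on.
    """
    ns = manifest["metadata"].get("namespace", "default")
    name = manifest["metadata"]["name"]
    patch_json = json.dumps(status_patch, separators=(",", ":"))
    return [
        f"kubectl apply -f {manifest_file}",
        f"kubectl -n {ns} patch service {name} --subresource=status "
        f"--type=merge -p '{patch_json}'",
    ]


if __name__ == "__main__":
    spec_manifest, patch = migrate_to_loadbalancer(LEGACY_SERVICE)
    print(json.dumps(spec_manifest, indent=2))
    for cmd in kubectl_commands(spec_manifest, patch, "web-service.json"):
        print(cmd)
```

Keeping the status patch as a separate step is the point of the exercise: once the IP lives only in .status, a user who can merely create or update Services in the namespace can no longer point cluster traffic at an address of their choosing.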

What This Means for Your Clusters

Immediate action is not required, but the deprecation signals that support will end soon. Users who rely on .spec.externalIPs should plan to migrate before the feature is removed entirely.

The project recommends enabling the DenyServiceExternalIPs admission controller immediately as a precaution against accidental or malicious use. This can be done without breaking existing Services that already use the field, but it will block new attempts.

“If you are not setting externalIPs on any Service, this deprecation does not affect you,” the SIG Network representative clarified. “But as a best practice, enable the admission controller to maintain a security-hardened posture.”

Administrators should also audit their existing Services to identify any using externalIPs and migrate to the alternatives listed in the alternatives section. The timeline for full removal is not yet set, but the next minor release after 1.36 is likely to begin the phase-out of kube-proxy support.
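The audit above, together with the behaviour of the DenyServiceExternalIPs admission controller described two paragraphs earlier, can be tried out with the following Python script. It is an added example, not code from the Kubernetes project or from this article: it reads the JSON that `kubectl get services --all-namespaces -o json` produces (a constructed ServiceList with made-up names and documentation-range addresses is embedded so it runs offline), lists every Service that still sets .spec.externalIPs, and includes a small model, written here as an assumption about the controller's documented behaviour rather than its actual code, of which requests the admission controller blocks and which it lets through.

```python
"""Audit Services for .spec.externalIPs and model the DenyServiceExternalIPs check.

Added example; not the Kubernetes project's code. Sample data is constructed.
Usage: kubectl get services --all-namespaces -o json > services.json
       python3 audit_external_ips.py services.json
"""
import json
import sys
from typing import Dict, List, Optional

# Constructed sample of a ServiceList, trimmed to the fields the audit needs.
# Namespaces, names and addresses are invented; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_SERVICE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "shop", "name": "web"},
         "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
        {"metadata": {"namespace": "shop", "name": "db"},
         "spec": {"type": "ClusterIP"}},
        {"metadata": {"namespace": "edge", "name": "ingress"},
         "spec": {"type": "LoadBalancer"},
         "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.7"}]}}},
        {"metadata": {"namespace": "legacy", "name": "api"},
         "spec": {"type": "NodePort",
                  "externalIPs": ["203.0.113.11", "203.0.113.12"]}},
    ],
}


def find_external_ip_services(service_list: dict) -> List[Dict]:
    """Return one finding per Service whose spec sets externalIPs.

    A LoadBalancer Service whose IP lives only in .status is not flagged:
    that is the safe shape the deprecation pushes clusters toward.
    """
    findings = []
    for item in service_list.get("items", []):
        spec = item.get("spec", {})
        ips = spec.get("externalIPs") or []
        if not ips:
            continue
        meta = item.get("metadata", {})
        findings.append({
            "namespace": meta.get("namespace", "default"),
            "name": meta.get("name", "<unnamed>"),
            "type": spec.get("type", "ClusterIP"),
            "externalIPs": list(ips),
        })
    return sorted(findings, key=lambda f: (f["namespace"], f["name"]))


def report(findings: List[Dict]) -> str:
    """Human-readable summary of the audit findings."""
    if not findings:
        return "no Services use .spec.externalIPs"
    lines = [f"{len(findings)} Service(s) still use .spec.externalIPs:"]
    for f in findings:
        lines.append(f"  {f['namespace']}/{f['name']} ({f['type']}): "
                     f"{', '.join(f['externalIPs'])}")
    return "\n".join(lines)


def deny_service_external_ips(old: Optional[dict], new: dict) -> Optional[str]:
    """Model of the DenyServiceExternalIPs admission decision (assumption:
    this mirrors the documented behaviour, it is not the apiserver's code).

    Returns a rejection message, or None when the request would be admitted.
    New usage is blocked: creating a Service with externalIPs, or adding IPs
    on update. Updates that keep an existing Service's IPs unchanged pass, which
    is why enabling the plugin does not break Services that already use the field.
    """
    new_ips = set(new.get("spec", {}).get("externalIPs") or [])
    if not new_ips:
        return None
    old_ips = set((old or {}).get("spec", {}).get("externalIPs") or [])
    added = sorted(new_ips - old_ips)
    if added:
        return f"rejected by DenyServiceExternalIPs: externalIPs {added} are not allowed"
    return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_SERVICE_LIST
    results = find_external_ip_services(data)
    print(report(results))
    sys.exit(1 if results else 0)
```

The non-zero exit status makes the script usable as a CI or periodic compliance check. Once the audit is clean, the admission plugin is enabled on the API server with `--enable-admission-plugins=DenyServiceExternalIPs` (appended to whatever plugins are already listed), and the model above shows why that is safe to do before the migration is finished: existing Services keep working, but no one can add a new external IP.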

For detailed migration guidance, refer to the official Kubernetes documentation or consult community resources such as MetalLB. The deprecation notice in v1.36 is the clearest signal yet that this feature is on its way out.
