6 Essential Facts About Kubernetes Service ExternalIPs Deprecation in v1.36

2026-05-18 20:55:53

Kubernetes v1.36 marks a significant shift with the formal deprecation of the .spec.externalIPs field for Services. This change addresses long-standing security vulnerabilities and pushes users toward more secure alternatives. Here are six essential facts every cluster administrator should know.

1. What Is Service ExternalIPs and Why Was It Introduced?

The .spec.externalIPs field was an early Kubernetes attempt to provide cloud-load-balancer-like functionality for non-cloud clusters. It allowed administrators to specify additional IP addresses that a Service would respond on, essentially enabling traffic to reach the Service from outside the cluster without a load balancer. While convenient, this feature assumed every cluster user was fully trusted—a dangerous assumption that became a vector for security exploits. Originally designed for simplicity, it quickly became a liability as Kubernetes security practices evolved.

2. The Security Flaw: CVE-2020-8554 and Unauthorized IP Hijacking

The core problem is that externalIPs allows any user with Service creation or update permissions to claim arbitrary IP addresses (e.g., 192.0.2.4) and route traffic to their pods. This leads to IP hijacking, potentially intercepting traffic meant for other services or external endpoints. The vulnerability, documented in CVE-2020-8554, highlights that in clusters where not all users are fully trusted, the field opens the door to man-in-the-middle attacks and data theft. The exploit is especially dangerous in multi-tenant environments where RBAC might be misconfigured.

3. Previous Mitigations: Admission Controllers and Recommended Practices

Since Kubernetes 1.21, the project has recommended disabling externalIPs entirely. To help enforce this, an admission controller called DenyServiceExternalIPs was introduced. Cluster administrators can enable this controller to block any use of the field at admission time. However, the Kubernetes Networking SIG hesitated to enable it by default due to concerns about breaking existing workloads. This left clusters in an insecure-by-default state, which the project now considers unacceptable. The mitigation shifted responsibility to administrators, but many were unaware of the risk or of the tool available.

4. Deprecation in v1.36 and What It Means

In Kubernetes 1.36, the externalIPs field is formally deprecated. This means the feature is still functional but will be removed in a future release. Specifically, the kube-proxy implementation will stop honoring the field, and the Kubernetes conformance tests will be updated to require that conforming implementations do not support externalIPs. This deprecation signals a clear end-of-life timeline. Administrators using externalIPs should plan migration now to avoid Service disruptions later. The deprecation applies only to the .spec.externalIPs field—not to other uses of the term “external IP” (see next point).

5. Clarifying What Is NOT Deprecated: Other External IP References

The term “external IP” appears in several Kubernetes contexts, and it’s important not to confuse them. The deprecation covers only the .spec.externalIPs field in the Service API. It does not affect:

If you never set .spec.externalIPs in any Service resource, this deprecation does not impact you. However, as a precaution, enabling the DenyServiceExternalIPs admission controller is still recommended to prevent future accidental use.
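To check whether any Service in a cluster actually sets the deprecated field, the following added example (not from the original article or the Kubernetes project) audits JSON shaped like the output of kubectl get services -A -o json. The sample data and the function names audit_external_ips and claimed_by_many are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get services -A -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Service", "metadata": {"namespace": "shop", "name": "legacy-web"},
   "spec": {"type": "ClusterIP", "externalIPs": ["192.0.2.4"],
            "ports": [{"protocol": "TCP", "port": 80}]}},
  {"kind": "Service", "metadata": {"namespace": "shop", "name": "my-example-service"},
   "spec": {"type": "LoadBalancer", "ports": [{"protocol": "TCP", "port": 80}]},
   "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.4"}]}}},
  {"kind": "Service", "metadata": {"namespace": "tenant-b", "name": "proxy"},
   "spec": {"type": "ClusterIP", "externalIPs": ["192.0.2.4"],
            "ports": [{"protocol": "TCP", "port": 443}]}}
]}
""")

def audit_external_ips(doc):
    """Return one finding per Service that sets a non-empty .spec.externalIPs."""
    # Accept a List/ServiceList wrapper or a single Service object.
    items = doc.get("items") if doc.get("kind", "").endswith("List") else [doc]
    findings = []
    for svc in items or []:
        spec = svc.get("spec") or {}
        ips = spec.get("externalIPs") or []
        if not ips:
            continue  # status.loadBalancer.ingress is not the deprecated field
        meta = svc.get("metadata") or {}
        findings.append({
            "service": f'{meta.get("namespace", "default")}/{meta.get("name", "?")}',
            "type": spec.get("type", "ClusterIP"),
            "externalIPs": sorted(ips),
            "ports": [f'{p.get("port")}/{p.get("protocol", "TCP")}'
                      for p in spec.get("ports") or []],
        })
    return findings

def claimed_by_many(findings):
    """Map each external IP to the Services claiming it, keeping only shared IPs."""
    owners = {}
    for f in findings:
        for ip in f["externalIPs"]:
            owners.setdefault(ip, []).append(f["service"])
    return {ip: svcs for ip, svcs in owners.items() if len(svcs) > 1}

if __name__ == "__main__":
    for f in audit_external_ips(SAMPLE):
        print(f["service"], f["type"], f["externalIPs"], f["ports"])
```

An IP that claimed_by_many reports across namespaces is worth reviewing first, since externalIPs lets any user with Service create or update permissions claim an address.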

6. Alternatives to ExternalIPs: Safer Ways to Expose Services

If you currently rely on externalIPs, you have several migration options:

Example YAML for a manual LoadBalancer:

apiVersion: v1
kind: Service
metadata:
  name: my-example-service
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: my-example-app
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
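# For a manually managed LoadBalancer you set this address yourself.
# The API server ignores status on an ordinary create/update of the
# Service, so it has to be written through the status subresource.
status:
  loadBalancer:
    ingress:
    - ip: "192.0.2.4"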

Conclusion: The deprecation of externalIPs in Kubernetes 1.36 is a welcome step toward a more secure default posture. By understanding the risks and alternatives, you can proactively migrate your Services and avoid future breakage. Enable the DenyServiceExternalIPs admission controller now, and evaluate your current usage of the field. The future of Kubernetes is safer, so make sure your clusters are ready.
