Kubernetes v1.36 Sounds Death Knell for Service ExternalIPs: Security Risks Force Deprecation

Breaking: Kubernetes v1.36 Formally Deprecates Service ExternalIPs

The Kubernetes project has officially deprecated the .spec.externalIPs field for Services in version 1.36, citing severe security flaws that have persisted since the feature's introduction. This marks the first step toward complete removal of the functionality in a future minor release.

Kubernetes v1.36 Sounds Death Knell for Service ExternalIPs: Security Risks Force Deprecation

Immediate action required: Organizations using externalIPs are urged to migrate to safer alternatives, such as manually managed LoadBalancer services or the DenyServiceExternalIPs admission controller, to prevent potential exploits described in CVE-2020-8554.

Background

The .spec.externalIPs field was an early attempt to simulate cloud load-balancer behavior in non-cloud clusters. However, the API assumes all cluster users are fully trusted—a dangerous premise that allows unprivileged attackers to hijack traffic or intercept data.

Quote from SIG Network: “As a project, we've grown increasingly uncomfortable with the ‘insecure by default’ nature of this feature. We now have robust alternatives, and continued support would compromise cluster security.”

Since Kubernetes 1.21, the community recommended disabling externalIPs and provided an admission controller (DenyServiceExternalIPs) to enforce this. But the project held off on full deprecation to avoid a breaking change – a hesitation it now deems no longer acceptable.

What This Means

With v1.36, the field is formally deprecated. A future minor release will remove the implementation from kube-proxy and update conformance criteria to require that all conformant implementations drop support. This timeline is intentionally aggressive to close the security gap quickly.

Recommendation: Cluster administrators should immediately enable the DenyServiceExternalIPs admission controller to block any new or existing use of the field. If your services currently use externalIPs, migration to a LoadBalancer service with manual IP assignment is the simplest secure path—though Kubernetes advises using a properly managed external load balancer for production.

Alternatives to ExternalIPs

Users have several migration options, each with varying complexity and security profiles:

Manually managed LoadBalancer Services – Replace externalIPs by setting type: LoadBalancer and assigning an IP via .status.loadBalancer.ingress. Unlike externalIPs, this field is protected by RBAC, preventing ordinary users from modifying it.
External load balancers – For cloud-agnostic clusters, consider solutions like MetalLB or kube-vip that fully implement the LoadBalancer type.
NodePorts – For simple exposure, a NodePort service can bind to a known port, though this lacks the same flexibility.

Example migration: A Service previously using externalIPs: ["192.0.2.4"] should be converted to type: LoadBalancer and the IP assigned to .status.loadBalancer.ingress[0].ip. This ensures only privileged RBAC users can control the IP.

Terminology Clarification

The term “external IP” has multiple meanings in Kubernetes. This deprecation applies exclusively to the Service field .spec.externalIPs. It does not affect:

The Node's .status.addresses field, which may list a node's public IP as an ExternalIP type.
The EXTERNAL-IP column shown by kubectl get svc for LoadBalancer services—that is a status field, not a spec field.

If none of your Services set .spec.externalIPs, this deprecation does not apply. However, enabling the admission controller proactively is still recommended to prevent accidental future misuse.

About the Author

This breaking news was compiled from official Kubernetes changelogs, the Kubernetes repository, and statements from the SIG Network team.

Tags: