Cybersecurity

Kubernetes Abandons Service ExternalIPs Over ‘Insecure by Default’ Design, Pushes Migration

Posted by u/Tiobasil · 2026-05-18 12:25:07

Breaking: Kubernetes v1.36 Deprecates .spec.externalIPs

The Kubernetes project has formally deprecated the .spec.externalIPs field on Services with the release of version 1.36, citing a persistent security vulnerability that has left clusters exposed for years.

“The current design assumes every cluster user is fully trusted, which is rarely true in practice,” said Jane Doe, lead of SIG Network. “It’s an insecure-by-default state we can no longer accept.”

Background: A Flaw Rooted in CVE-2020-8554

Introduced early to offer load-balancer-like behavior for non-cloud deployments, externalIPs lets any user who can create or edit a Service assign arbitrary IP addresses to it, enabling traffic interception, IP spoofing, and the other attacks detailed in CVE-2020-8554.

Since Kubernetes 1.21, users have been advised to disable the feature. An admission controller, DenyServiceExternalIPs, was added to help, but the project stopped short of enabling it by default, judging the breaking change too severe.

“We hoped users would adopt the controller, but many didn’t,” said Doe. “The risk never went away.”

What This Means for Cluster Admins

Administrators using externalIPs must now plan a migration. The field still works in v1.36, but a future minor release will remove kube-proxy support and update conformance criteria to prohibit support entirely.

Immediate Action: Enable DenyServiceExternalIPs

Even if you don’t use the field, enabling the admission controller is recommended: it blocks accidental or malicious future use.

  • Add DenyServiceExternalIPs to your API server’s admission plugins list.
  • Test on a staging cluster first to confirm no critical workloads rely on externalIPs.

Safer Alternatives

Users currently setting externalIPs should switch to one of these supported options:

  • Manually managed LoadBalancer Services: Change spec.type to LoadBalancer and assign the IP via status.loadBalancer.ingress. Unlike externalIPs, which lives in the Service spec, status is a separate subresource, so RBAC can restrict writes to it to trusted controllers while ordinary users keep editing the spec.
  • MetalLB or similar implementations: For bare-metal clusters, these provide true load-balancer functionality without the trust model flaw.
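The two procedures above, the staging audit before enabling DenyServiceExternalIPs and the conversion of an externalIPs Service into a manually managed LoadBalancer Service, are shown below as an added example that is not part of the original post or of the Kubernetes project's own tooling. It works on a constructed sample of `kubectl get svc -A -o json` output (not data from a real cluster); the function names, the sample Services and the `example.com/manual` load-balancer class value are assumptions made for the example.

```python
import json
from copy import deepcopy

# Constructed sample of what `kubectl get svc -A -o json` returns; not data from a real cluster.
SAMPLE_SERVICE_LIST = json.loads("""
{
  "apiVersion": "v1", "kind": "List",
  "items": [
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.10",
              "externalIPs": ["192.0.2.10"],
              "ports": [{"port": 80, "targetPort": 8080}], "selector": {"app": "web"}}},
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "api", "namespace": "shop"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.11",
              "ports": [{"port": 443}], "selector": {"app": "api"}}},
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "bastion", "namespace": "ops"},
     "spec": {"type": "NodePort", "externalIPs": ["192.0.2.20", "192.0.2.21"],
              "ports": [{"port": 22, "nodePort": 30022}], "selector": {"app": "bastion"}}}
  ]
}
""")

DENY_PLUGIN = "DenyServiceExternalIPs"


def find_external_ip_services(service_list):
    """Audit step: list (namespace, name, externalIPs) for every Service that sets the field."""
    hits = []
    for svc in service_list.get("items", []):
        ips = svc.get("spec", {}).get("externalIPs") or []
        if ips:
            meta = svc["metadata"]
            hits.append((meta["namespace"], meta["name"], list(ips)))
    return hits


def ensure_deny_plugin(enabled_plugins):
    """Return a kube-apiserver --enable-admission-plugins value with DenyServiceExternalIPs added once."""
    plugins = [p for p in enabled_plugins.split(",") if p]
    if DENY_PLUGIN not in plugins:
        plugins.append(DENY_PLUGIN)
    return ",".join(plugins)


def to_manual_loadbalancer(svc, load_balancer_class=None):
    """Migration step: return (migrated Service, status patch) for a Service that uses externalIPs.

    The spec loses externalIPs and becomes type LoadBalancer; the same IPs move to
    status.loadBalancer.ingress, which is written through the status subresource.
    load_balancer_class is optional (assumption for this example): setting
    spec.loadBalancerClass to a name no controller in the cluster claims keeps a
    cloud load-balancer controller from provisioning a real load balancer for it.
    """
    ips = svc.get("spec", {}).get("externalIPs") or []
    if not ips:
        raise ValueError("Service does not set spec.externalIPs; nothing to migrate")
    migrated = deepcopy(svc)          # never mutate the object read from the cluster
    migrated["spec"].pop("externalIPs")
    migrated["spec"]["type"] = "LoadBalancer"
    if load_balancer_class:
        migrated["spec"]["loadBalancerClass"] = load_balancer_class
    status_patch = {"status": {"loadBalancer": {"ingress": [{"ip": ip} for ip in ips]}}}
    return migrated, status_patch


if __name__ == "__main__":
    for ns, name, ips in find_external_ip_services(SAMPLE_SERVICE_LIST):
        print(f"{ns}/{name} uses externalIPs {ips}")
    print("--enable-admission-plugins=" + ensure_deny_plugin("NodeRestriction,PodSecurity"))
    migrated, status = to_manual_loadbalancer(SAMPLE_SERVICE_LIST["items"][0])
    print(json.dumps(migrated, indent=2))
    print(json.dumps(status, indent=2))
```

The audit matters because DenyServiceExternalIPs only rejects new Services that set externalIPs and updates that change the field; Services already using it keep working until they are migrated. The migrated spec is applied like any other manifest, while the status patch goes through the status subresource, for example with `kubectl patch svc web -n shop --subresource=status --type=merge -p '<status patch JSON>'`, which is exactly the write that RBAC can limit to a trusted controller or operator.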

“The LoadBalancer approach with RBAC is almost identical but secure,” Doe explained. “There’s no reason to stick with the old field.”

What This Means

The deprecation signals a shift toward security-by-default in Kubernetes networking. Users who ignored earlier warnings now face a deadline.

Clusters that fail to migrate may become non-conformant once the removal lands. The project expects to drop externalIPs support in a future minor version, likely v1.37 or v1.38.

Important Distinctions

This deprecation covers only the .spec.externalIPs field on Services. Other uses of “external IP” in Kubernetes, such as Node status addresses or the EXTERNAL-IP column in kubectl output, are unaffected.

“If you don’t set externalIPs in your Service specs, this announcement doesn’t apply to you,” concluded Doe. “But enabling the admission controller is still a wise precaution.”

For full details, see the Kubernetes v1.36 changelog and the deprecated features policy.