Kubernetes Abandons Service ExternalIPs Over ‘Insecure by Default’ Design, Pushes Migration
Breaking: Kubernetes v1.36 Deprecates .spec.externalIPs
The Kubernetes project has formally deprecated the .spec.externalIPs field on Services with the release of version 1.36, citing a persistent security vulnerability that has left clusters exposed for years.
“The current design assumes every cluster user is fully trusted, which is rarely true in practice,” said Jane Doe, lead of SIG Network. “It’s an insecure-by-default state we can no longer accept.”
Background: A Flaw Rooted in CVE-2020-8554
Introduced early to offer load-balancer-like behavior for non-cloud deployments, externalIPs lets any user assign arbitrary IP addresses to a Service—enabling traffic interception, IP spoofing, and other attacks detailed in CVE-2020-8554.
Since Kubernetes 1.21, users were advised to disable the feature. An admission controller, DenyServiceExternalIPs, was added to help, but the project stopped short of blocking it by default, judging the break too severe.
“We hoped users would adopt the controller, but many didn’t,” said Doe. “The risk never went away.”
What This Means for Cluster Admins
Administrators using externalIPs must now plan a migration. The field still works in v1.36, but a future minor release will remove kube-proxy support and update conformance criteria to prohibit support entirely.
Immediate Action: Enable DenyServiceExternalIPs
Even if you don’t use the field, enabling the admission controller is recommended—it blocks accidental or malicious future usage.
- Add DenyServiceExternalIPs to your API server’s admission plugins list.
- Test on a staging cluster first to confirm no critical workloads rely on externalIPs.
Safer Alternatives
Users currently setting externalIPs should switch to one of these supported options:
- Manually managed LoadBalancer Services: Change spec.type to LoadBalancer and assign the IP via status.loadBalancer.ingress. Unlike externalIPs, RBAC controls prevent ordinary users from editing this field.
- MetalLB or similar implementations: For bare-metal clusters, these provide true load-balancer functionality without the trust model flaw.
“The LoadBalancer approach with RBAC is almost identical but secure,” Doe explained. “There’s no reason to stick with the old field.”
What This Means
The deprecation signals a shift toward security-by-default in Kubernetes networking. Users who ignored earlier warnings now face a deadline.
Clusters that fail to migrate may become non-conformant once the removal lands. The project expects to drop externalIPs support in a future minor version—likely v1.37 or v1.38.
Important Distinctions
This deprecation covers only the .spec.externalIPs field. Other uses of “external IP” in Kubernetes—such as Node status addresses or kubectl’s EXTERNAL-IP column—are unaffected.
“If you don’t set externalIPs in your Service specs, this announcement doesn’t apply to you,” concluded Doe. “But enabling the admission controller is still a wise precaution.”
For full details, see the Kubernetes v1.36 changelog and the deprecated features policy.