5 Critical Changes You Need to Know About Kubernetes Service ExternalIPs in v1.36

Published: 2026-05-20 12:55:30 | Category: Cybersecurity

Kubernetes v1.36 marks a turning point for cluster security with the formal deprecation of the .spec.externalIPs field in Services. Originally designed to bring load‑balancer‑like behavior to non‑cloud clusters, this field has long been a security risk because it assumes every cluster user is fully trusted—an assumption that opens the door to exploits like CVE‑2020‑8554. The Kubernetes community has been warning users to disable it since v1.21, and now the project is taking a firmer stance. In this listicle, we explain what’s changing, why it matters, and how you can prepare your clusters.

1. What Is the Service ExternalIPs Field and Why Was It Deprecated?

The .spec.externalIPs field allows you to attach additional IP addresses to a Service, making it respond on those IPs as if it were a cloud load balancer. This was an early, pragmatic solution for on‑premises or bare‑metal clusters that lacked native load‑balancing integration. However, the design assumed that every user who can modify a Service is fully trusted—a dangerous assumption in multi‑tenant environments. Since Kubernetes 1.21, the project has recommended disabling this field, and in v1.36 it is officially deprecated. The deprecation signals that all remaining support—including kube-proxy implementation—will be removed in a future minor release. If you are not using externalIPs, this deprecation does not affect you, but it’s a good opportunity to review your cluster’s security posture.

2. The Security Risks Behind the Deprecation (CVE‑2020‑8554)

The core problem is that externalIPs allows any user with permission to create or update a Service to claim any IP address, including addresses that belong to other Services, nodes, or even external hosts. This can lead to traffic interception, service impersonation, and denial‑of‑service attacks, exactly the vulnerabilities documented in CVE‑2020‑8554. In clusters without strict RBAC controls, a malicious user could redirect sensitive traffic by setting an externalIP that matches a known service endpoint. RBAC can limit who is allowed to set the field, but the field itself remains insecure by default. The Kubernetes project has grown increasingly uncomfortable with this “insecure by default” state, especially now that better, safer alternatives exist. Deprecation is the first step toward eliminating the risk entirely.

3. Timeline: From Deprecation to Complete Removal

The deprecation in v1.36 does not mean immediate removal—it’s a warning. The externalIPs field still works, but its use is discouraged. The next phase will drop the implementation from kube-proxy and update the conformance criteria so that compliant Kubernetes implementations no longer support the behavior. This is expected in a future minor release (likely v1.37 or v1.38). After that, even if the field exists in the API, it will have no effect. To avoid service disruptions, plan your migration now. The project also advises enabling the DenyServiceExternalIPs admission controller (available since v1.21) to block any new use of the field—even before its final removal.

4. What Has NOT Been Deprecated? Clarifying Terminology

“External IP” is an overloaded term in Kubernetes. This deprecation applies only to the .spec.externalIPs field of the Service API. It does not affect:

  • The ExternalIP address type listed in the Node API’s .status.addresses field.
  • The “EXTERNAL‑IP” column shown by kubectl for Services of type LoadBalancer—that column displays the load balancer’s IP, not the deprecated field.

If you are only using load balancer IPs (assigned by a cloud provider or MetalLB) or node external IPs, you are unaffected. The confusion is understandable, but the scope is narrow: only Services that explicitly set the externalIPs array in their spec need attention. Even so, as a precaution, consider enabling the admission controller to prevent accidental new usage.

5. Alternatives to ExternalIPs: Safer Options for Load‑Balancer‑Like Functionality

If you are currently using .spec.externalIPs, several safer alternatives are available. The simplest option is to switch to a type: LoadBalancer Service and assign the IP manually. This moves the IP into .status, which is protected by RBAC, so ordinary users cannot modify it. The recommended practice, however, is to use a dedicated load‑balancer controller such as MetalLB (for bare‑metal) or a cloud provider’s controller. These tools manage IP assignment via custom resources or annotations, eliminating the need for any manual externalIPs entry. For example, instead of setting externalIPs: ["192.0.2.4"], you would annotate the Service with MetalLB’s metallb.universe.tf/address-pool and let the controller allocate the IP automatically. This is not only safer but also more scalable and observable.

6. How to Prepare: Enable the DenyServiceExternalIPs Admission Controller

Even if you believe you don’t use externalIPs, enabling the DenyServiceExternalIPs admission controller provides a safety net. This admission plugin (available since v1.21) intercepts any attempt to create or update a Service with a non‑empty .spec.externalIPs field and rejects it. Enable it by adding --enable-admission-plugins=DenyServiceExternalIPs to your API server flags. Before enabling, scan your cluster for existing Services that use the field using kubectl get services --all-namespaces -o json | jq '.items[] | select(.spec.externalIPs != null) | .metadata.name'. Migrate any hits to one of the alternatives described above, then turn on the admission controller. This step ensures that no new workloads can reintroduce the vulnerability, giving you peace of mind as Kubernetes moves toward complete removal.
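As an added example (not code from the original post or from the Kubernetes project), a small Python helper that covers both the audit in this section and the migration in section 5: it reads the JSON that kubectl get services --all-namespaces -o json prints (a constructed sample is embedded here so it runs offline), reports every Service still setting .spec.externalIPs while ignoring LoadBalancer Services whose IP only appears in .status, and rewrites a flagged Service into the MetalLB-annotated LoadBalancer form. The pool name default-pool and the sample Services are assumptions.

```python
import json

# Constructed sample (not real cluster data): trimmed output of
# `kubectl get services --all-namespaces -o json`.
SAMPLE_SERVICE_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "web", "namespace": "shop"},
   "spec": {"type": "ClusterIP", "externalIPs": ["192.0.2.4"], "ports": [{"port": 80}]}},
  {"metadata": {"name": "api", "namespace": "shop"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]}},
  {"metadata": {"name": "ingress", "namespace": "edge"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
   "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.7"}]}}}
]}
""")


def find_external_ip_services(service_list):
    """Return (namespace, name, externalIPs) for each Service that sets the
    deprecated .spec.externalIPs field. A LoadBalancer Service whose address
    lives only in .status.loadBalancer.ingress (the EXTERNAL-IP column that
    kubectl shows) is not reported, because that is not the deprecated field."""
    hits = []
    for item in service_list.get("items", []):
        ips = item.get("spec", {}).get("externalIPs") or []
        if ips:
            meta = item["metadata"]
            hits.append((meta["namespace"], meta["name"], list(ips)))
    return hits


def migrate_to_loadbalancer(service, address_pool):
    """Return a copy of `service` with externalIPs removed, type switched to
    LoadBalancer and a MetalLB address-pool annotation added, so the
    controller allocates the IP and it lands in the RBAC-protected .status.
    `address_pool` is an assumed pool name; the input object is left intact."""
    migrated = json.loads(json.dumps(service))  # deep copy
    spec = migrated.setdefault("spec", {})
    spec.pop("externalIPs", None)
    spec["type"] = "LoadBalancer"
    annotations = migrated.setdefault("metadata", {}).setdefault("annotations", {})
    annotations["metallb.universe.tf/address-pool"] = address_pool
    return migrated


if __name__ == "__main__":
    for ns, name, ips in find_external_ip_services(SAMPLE_SERVICE_LIST):
        print(f"{ns}/{name} still uses .spec.externalIPs {ips}")
        svc = next(i for i in SAMPLE_SERVICE_LIST["items"]
                   if (i["metadata"]["namespace"], i["metadata"]["name"]) == (ns, name))
        print(json.dumps(migrate_to_loadbalancer(svc, "default-pool"), indent=2))
```

Pipe real cluster output into json.load instead of the embedded sample to audit a live cluster before turning on DenyServiceExternalIPs.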

The deprecation of Service ExternalIPs in v1.36 is a security‑driven change that every cluster operator should act on. While the field still works today, its days are numbered. By switching to a dedicated load‑balancer solution, clarifying the terminology for your team, and enabling the admission controller now, you can avoid a future scramble. Check your Services, plan your migration, and embrace a more secure Kubernetes environment.