10 Key Facts About the Kubernetes v1.36 Service ExternalIPs Deprecation

Last updated: 2026-05-15 08:52:51 · Cybersecurity

Kubernetes v1.36 marks a turning point for one of its oldest and most controversial features: the .spec.externalIPs field on Services. Originally designed to mimic cloud load‑balancer behavior in non‑cloud clusters, this feature has long been a security liability. With the official deprecation announced in this release, the project is steering users toward safer, more robust alternatives. Here are 10 critical things you need to understand about this change, why it matters, and how to prepare.

1. What Is .spec.externalIPs and Why Was It Created?

The .spec.externalIPs field allowed a Service to respond on additional IP addresses beyond its cluster-internal IP. In early Kubernetes, when cloud load‑balancer support was immature, this gave operators a way to expose Services to external traffic by simply setting an IP—much like assigning a load balancer IP manually. However, the design assumed every cluster user was fully trusted, creating a fragile foundation for security.

2. The Security Flaw: CVE‑2020‑8554

Any user able to create or edit a Service could set .spec.externalIPs to an arbitrary IP—even one owned by another service or a private network. This opened the door to IP hijacking, man‑in‑the‑middle attacks, and traffic redirection. CVE‑2020‑8554 documented this exploit, showing how an untrusted user could intercept traffic destined for other pods or external services. The vulnerability is the core reason the feature is now being deprecated.

3. Deprecation Begins in Kubernetes v1.36

As of v1.36, the .spec.externalIPs field is formally deprecated. This means the field still works, but using it will generate a warning. The deprecation is the first step toward complete removal in a future minor release. The Kubernetes project strongly advises all users to stop relying on this field and migrate to alternative solutions as soon as possible.

4. Past Warnings and the Long Road to Deprecation

The project has been warning about .spec.externalIPs since Kubernetes 1.21, recommending that users disable the feature. To ease the transition, an admission controller called DenyServiceExternalIPs was added. However, the SIG Network deemed enabling it by default too disruptive at the time. Now, with growing discomfort over the “insecure by default” state, the community decided that deprecation was necessary.

5. The DenyServiceExternalIPs Admission Controller

If you haven’t already, enable the DenyServiceExternalIPs admission controller in your cluster. This controller intercepts Service creation or update requests that include .spec.externalIPs and rejects them. It’s a simple, effective way to enforce the deprecation policy and prevent future misuse. Add it to the kube-apiserver flag --enable-admission-plugins=DenyServiceExternalIPs (other plugins already listed there stay, comma-separated).

6. What Will Happen in Future Releases?

Deprecation is only the beginning. The Kubernetes project plans to remove the implementation of .spec.externalIPs behavior from kube-proxy in a future minor version. Additionally, conformance criteria will be updated so that compliant implementations no longer support the feature. After that point, setting .spec.externalIPs may have no effect or might even be rejected entirely.

7. The “ExternalIP” Terminology Trap

The term “external IP” is overloaded in Kubernetes. There are three distinct uses:

  • Service API: The deprecated .spec.externalIPs field.
  • Node API: The .status.addresses list includes an ExternalIP type (not deprecated).
  • kubectl output: For LoadBalancer Services, the column “EXTERNAL-IP” shows the load balancer IP (not deprecated).

This deprecation only affects the first one. If you never set .spec.externalIPs on any Service, you are unaffected. Still, enabling the admission controller is a good safety measure.

8. Alternative 1: Switch to LoadBalancer Type with Manual IP Assignment

The simplest alternative is to change your Service type from ClusterIP (or NodePort) to LoadBalancer and assign the IP manually through the .status.loadBalancer.ingress field. This is functionally similar to .spec.externalIPs, but with an important security benefit: the IP is stored in .status, not .spec, so RBAC policies prevent ordinary users from modifying it. Example:

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: LoadBalancer
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 8080
status:
  loadBalancer:
    ingress:
      - ip: "192.0.2.4"

Note that this approach still carries some of the same manual overhead; it’s a stepping‑stone rather than a long‑term solution.

9. Alternative 2: Use NodePort with External Traffic Policies

For non‑cloud clusters, you can expose Services via NodePort combined with an external load balancer or firewall rules. Set externalTrafficPolicy: Local to preserve client source IPs and reduce hops. This approach is more secure because it doesn’t rely on a per‑Service API field that can be abused. Combine it with a network policy to restrict access.

10. Alternative 3: Deploy a Real Load Balancer

For production environments, consider using a dedicated load balancer like MetalLB (for bare metal), HAProxy, or an ingress controller. These tools provide proper load‑balancer functionality without the security risks of .spec.externalIPs. They integrate with Kubernetes through type: LoadBalancer and handle IP allocation, health checks, and routing. Migration to such solutions is the recommended long‑term path.

The deprecation of .spec.externalIPs in Kubernetes v1.36 is a welcome step toward a more secure platform. While the change may require some effort to migrate existing Services, the alternatives are now mature and well understood. Start by auditing your cluster for any use of the field, enable the DenyServiceExternalIPs admission controller, and plan your transition. Your cluster—and your users—will thank you.
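The audit and migration just described, as an added example (not code from the Kubernetes project or from this article): it scans the JSON that `kubectl get svc -A -o json` returns for Services that set .spec.externalIPs, leaves alone LoadBalancer Services whose IP sits only in .status (the terminology trap from point 7), and builds the two merge patches that carry out the point 8 migration. The namespaces, names and addresses are constructed, and the --subresource=status flag assumes kubectl 1.24 or newer.

```python
"""Audit `kubectl get svc -A -o json` output for the deprecated
.spec.externalIPs field and build the patches that move a hit to a
LoadBalancer Service whose IP lives in .status.loadBalancer.ingress.
Added example, not Kubernetes project code; the sample list is constructed."""
import json

# Constructed sample ServiceList; 192.0.2.0/24 is documentation address space.
SAMPLE_SERVICE_LIST = json.dumps({"kind": "ServiceList", "items": [
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"type": "ClusterIP", "externalIPs": ["192.0.2.10"]}},
    {"metadata": {"namespace": "web", "name": "api"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.4"}]}}},
]})


def find_external_ips(service_list_json):
    """Return (namespace, name, ips) for each Service setting the deprecated
    .spec.externalIPs. A LoadBalancer Service whose IP is only in
    .status.loadBalancer.ingress (kubectl's EXTERNAL-IP column) is not
    reported: that field is not deprecated."""
    hits = []
    for svc in json.loads(service_list_json).get("items", []):
        ips = svc.get("spec", {}).get("externalIPs") or []
        if ips:
            md = svc["metadata"]
            hits.append((md["namespace"], md["name"], list(ips)))
    return hits


def migration_patches(ips):
    """Two JSON merge patches for one hit: the spec patch drops externalIPs
    (null deletes the key) and switches the type; the status patch carries
    the IP and must go through `kubectl patch --subresource=status`, since
    an ordinary apply ignores .status."""
    spec_patch = {"spec": {"type": "LoadBalancer", "externalIPs": None}}
    status_patch = {"status": {"loadBalancer": {
        "ingress": [{"ip": ip} for ip in ips]}}}
    return spec_patch, status_patch


if __name__ == "__main__":
    for ns, name, ips in find_external_ips(SAMPLE_SERVICE_LIST):
        spec, status = migration_patches(ips)
        print(f"{ns}/{name} sets .spec.externalIPs={ips}")
        print(f"  kubectl -n {ns} patch svc {name} --type merge -p '{json.dumps(spec)}'")
        print(f"  kubectl -n {ns} patch svc {name} --subresource=status "
              f"--type merge -p '{json.dumps(status)}'")
```

Pipe real cluster output into find_external_ips to get the list of Services to migrate; the status patch requires write access to the services/status subresource, which is exactly why ordinary users cannot tamper with it.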