Kubernetes v1.36 Deprecates and Removes Service ExternalIPs Field to Address Inherent Security Risks

Kubernetes has announced the formal deprecation and upcoming removal of the .spec.externalIPs field within Service resources. Originally intended to provide cloud-like load balancing for non-cloud environments, the feature relies on an outdated security model. The API assumes all users with service creation permissions are fully trusted, which creates significant risks in multi-tenant environments.
Comparison
| Aspect | Before (`.spec.externalIPs`) | After (recommended alternatives) |
|---|---|---|
| Security Model | Implicit trust allowing any user to claim any external IP address | Strict validation via admission controllers or managed providers |
| Traffic Control | Simple NAT via kube-proxy without protocol-level validation | Advanced routing and TLS termination through Ingress or Gateway API |
| Provisioning | Manual and static assignment of IP addresses in the spec | Dynamic allocation from managed pools using LoadBalancer controllers |
Action Checklist
- Identify all Service resources using the .spec.externalIPs field. Search across all namespaces to assess the scope of the migration.
- Deploy an admission controller to restrict further use of externalIPs. Use OPA Gatekeeper or the built-in ExternalIPs controller as a stopgap.
- Migrate on-premises workloads to MetalLB or specialized BGP solutions. These provide similar functionality with better security and IP management.
- Transition public-facing services to Ingress or Gateway API. This follows current best practices for traffic management in modern clusters.
- Verify firewall and network policy rules. Ensure underlying infrastructure permits traffic to the new IP sources.
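
The first checklist item as an added example (not code from the Kubernetes blog or project): a Python script that reads the output of `kubectl get services --all-namespaces -o json`, lists every Service that sets `.spec.externalIPs`, and flags addresses claimed from more than one namespace. The sample input and the `APPROVED` range are constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample of `kubectl get services --all-namespaces -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
    {"metadata": {"namespace": "tenant-b", "name": "proxy"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10", "10.0.0.53"]}},
    {"metadata": {"namespace": "shop", "name": "api"},
     "spec": {"type": "LoadBalancer"}},
]})

# Hypothetical operator-approved range, standing in for an admission allowlist.
APPROVED = [ipaddress.ip_network("203.0.113.0/24")]


def audit(service_list_json, approved=APPROVED):
    """Return (findings, shared) for Services that set .spec.externalIPs."""
    findings, claims = [], defaultdict(set)
    for svc in json.loads(service_list_json).get("items", []):
        ips = svc.get("spec", {}).get("externalIPs") or []
        if not ips:
            continue
        meta = svc["metadata"]
        ref = f'{meta["namespace"]}/{meta["name"]}'
        outside = [ip for ip in ips
                   if not any(ipaddress.ip_address(ip) in net for net in approved)]
        findings.append({"service": ref, "type": svc["spec"].get("type", "ClusterIP"),
                         "externalIPs": ips, "outside_approved": outside})
        for ip in ips:
            claims[ip].add(meta["namespace"])
    # The same address claimed from several namespaces needs review first.
    shared = {ip: sorted(ns) for ip, ns in claims.items() if len(ns) > 1}
    return findings, shared


if __name__ == "__main__":
    import sys
    # Pipe real kubectl output on stdin, or run with no input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    findings, shared = audit(data)
    for f in findings:
        print(f)
    print("shared across namespaces:", shared)
```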
Source: Kubernetes Blog
This page summarizes the original source. Check the source for full details.

