Kubernetes v1.36 Deprecates Service ExternalIPs: What It Means for Cluster Security and Load Balancing

Why this matters

Kubernetes has long been a foundational platform for container orchestration, but some of its early features carried security trade-offs. The .spec.externalIPs field in Services, originally designed to give clusters cloud-load-balancer-like capabilities in non-cloud environments, has been officially deprecated in Kubernetes 1.36. This change reflects a broader shift toward securing Kubernetes clusters by default and closing attack vectors that arise from overly permissive networking settings.

For SMBs, particularly those in regulated industries like healthcare and professional services, maintaining a secure cluster environment while exposing services externally is a balancing act. The externalIPs feature assumed all cluster users were fully trusted, which is rarely the case. Its continued use poses risks such as IP address spoofing and unauthorized access, which could expose sensitive data or disrupt critical services.

This deprecation signals Kubernetes’ intent to phase out insecure defaults and encourage safer, more controlled networking patterns. It also highlights the importance of governance and administrative oversight when assigning external IP addresses to services. Understanding the new landscape helps technical leaders avoid pitfalls that can lead to costly security incidents or operational outages.

What usually goes wrong

The core issue with externalIPs stems from its design: any user who can create or modify Services can specify arbitrary IP addresses. This breaks down trust boundaries because Kubernetes does not impose restrictions on which IPs a user can claim, leading to potential conflicts and security vulnerabilities. The infamous CVE-2020-8554 demonstrated how this could be exploited for man-in-the-middle attacks or service impersonation.

In practical terms, organizations have faced scenarios where one team inadvertently or maliciously hijacks IPs assigned to another service. This results in traffic misrouting and breaches that are difficult to detect until significant damage has occurred. Moreover, debugging these issues consumes valuable engineering time, distracting teams from delivering business value.

Another common challenge is that externalIPs support varies in conformance across Kubernetes implementations, making it an unreliable and inconsistent mechanism. It also conflicts with Role-Based Access Control (RBAC) policies since it effectively allows users to bypass explicit IP assignment governance. These shortcomings have made it difficult for security teams to enforce policies and for platform teams to maintain predictable networking configurations.

Additionally, the lack of native administrative controls on externalIPs leads to operational complexity. Ensuring that IP addresses do not overlap requires manual tracking and coordination, which is error-prone and scales poorly as clusters grow. This has driven many teams to seek alternatives that better fit enterprise security and compliance requirements.

A better Cloudain-style approach

Cloudain recommends moving away from externalIPs toward mechanisms that enforce administrative control and leverage Kubernetes-native abstractions. There are three main alternatives that address the security and operational challenges while providing the needed external access.

First, manual assignment of LoadBalancer-type Services combined with RBAC restrictions offers a safer approach. Unlike externalIPs, the load balancer IP address is stored in the service’s status, which cannot be arbitrarily edited by users without explicit permissions. This model respects trust boundaries and reduces the risk of IP spoofing. However, it requires cluster administrators to oversee IP assignments actively.

Second, non-cloud load balancer controllers such as MetalLB provide a more scalable and secure option for on-premises or bare-metal Kubernetes clusters. MetalLB allows administrators to define pools of IP addresses and enforces that no two services share the same IP. This centralizes IP management and integrates with Kubernetes RBAC, aligning with compliance needs. It also supports the deprecated loadBalancerIP field, facilitating smoother migration from externalIPs.

Third, the emerging Gateway API offers a sophisticated, administratively governed framework for load balancing and routing. It separates gateway configuration from individual services, enabling cluster administrators to assign IP addresses to gateways with fine-grained RBAC controls. This reduces risk by limiting who can control external-facing IPs and establishes a clear separation of concerns. The Gateway API is actively developed to address limitations in earlier ingress and service routing models, making it a forward-looking option.

Together, these approaches reinforce secure defaults and align better with the operational realities of SMBs. They allow teams to maintain external connectivity without exposing their clusters to avoidable risks. Embracing these patterns also prepares organizations for future Kubernetes versions, where externalIPs support will be fully removed.

A simple next step

For teams currently using externalIPs, the immediate priority is to audit existing services and identify where this field is in use. Enabling the DenyServiceExternalIPs admission controller can help enforce a policy that blocks creation or modification of Services with externalIPs, providing early warning and preventing new misconfigurations.

Next, evaluate the feasibility of migrating workloads to one of the safer alternatives. If the environment is on a cloud provider, consider switching to LoadBalancer services with appropriate RBAC controls. For on-premises clusters, explore installing MetalLB or a similar solution to handle IP address assignment in a controlled manner.

If adopting the Gateway API, begin by defining gateway resources managed by trusted administrators and update routing rules accordingly. This might require collaboration between platform teams and application owners to align on resource ownership and access policies.

Documentation and communication are key during this transition. Clearly articulate the rationale for the change to technical teams and stakeholders, emphasizing improved security and compliance. Maintaining operational visibility through monitoring and logging during the migration will help detect issues early and ensure service continuity.

Finally, plan for the deprecation timeline: Kubernetes will fully disable externalIPs support around versions 1.40 to 1.43. Taking action well before then reduces pressure and allows for a more measured, controlled transition.

How Cloudain can help

Cloudain specializes in guiding SMBs through complex Kubernetes platform transitions with an eye toward security, compliance, and operational resilience. Assistance can include auditing current use of externalIPs, designing migration plans to LoadBalancer services or MetalLB, and implementing Gateway API configurations that align with governance policies.

With deep experience in healthcare and professional services sectors, Cloudain understands the nuances of regulatory requirements and can tailor Kubernetes networking strategies accordingly. This ensures external access is provided securely without sacrificing agility or developer productivity.

By partnering with Cloudain, organizations can confidently adapt to Kubernetes 1.36’s changes while improving their cluster security posture and operational practices. This helps avoid future disruptions and positions teams to manage cloud-native infrastructure with clarity and control.