Kubernetes v1.36: Changes to Service ExternalIPs for Enhanced Functionality
May 14, 2026
Kubernetes continues to evolve in response to security concerns, particularly with its handling of network functionalities. One significant change is the deprecation of the `.spec.externalIPs` field within the Service API, a move that reflects a growing awareness of security vulnerabilities that can arise in scenarios where trust is not absolute. Originally intended to offer cloud-like load balancing to on-premise clusters, this feature unwittingly opens doors to exploits when cluster users are not fully trusted, a fact painfully illustrated by the CVE-2020-8554 vulnerability.
With the release of Kubernetes 1.36, the developers have officially deprecated the use of `.spec.externalIPs`. This field, which once allowed users to specify external IP addresses for Services, will soon see its support removed from kube-proxy functionality. Kubernetes has recommended disabling `.spec.externalIPs` since version 1.21, suggesting that administrators use the `DenyServiceExternalIPs` admission controller as a precautionary measure to prevent further usage.
**The Problematic Legacy of `.spec.externalIPs`**
The scrutiny over `.spec.externalIPs` is more than just a reaction to cybersecurity incidents; it's part of a broader conversation about the project’s default security stance. The Kubernetes community expressed discontent with features that remain "insecure by default." With several new alternatives available for achieving load balancer-like capabilities in non-cloud environments, this deprecation feels timely.
Take a moment to reflect on how you’ve used `.spec.externalIPs`. If you haven’t been relying on this feature, you won’t be directly affected. However, it's still prudent to proactively implement `DenyServiceExternalIPs` to prevent any recurrences of its use in the future.
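As an added example (not part of the original post), here is how the `DenyServiceExternalIPs` admission plugin is turned on for a kubeadm-style control plane, followed by a Service that the plugin rejects and the corrected form it admits. The manifest path, the image tag, the other plugin in the list (`NodeRestriction`), and the namespace, names and addresses are assumptions constructed for this example; keep whatever plugins your cluster already enables and append `DenyServiceExternalIPs`.

```yaml
# Added example: enabling DenyServiceExternalIPs on kube-apiserver.
# Assumed path: /etc/kubernetes/manifests/kube-apiserver.yaml (excerpt).
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.36.0   # assumed tag
    command:
    - kube-apiserver
    # NodeRestriction is assumed to be already enabled; the plugin that matters
    # here is DenyServiceExternalIPs, which rejects net-new use of the field.
    - --enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs
    # ... remaining flags unchanged ...
---
# Constructed Service that still sets the deprecated field. With the plugin
# enabled, creating this object (or adding addresses to an existing one) is
# rejected; a pre-existing Service keeps its values until they are removed.
apiVersion: v1
kind: Service
metadata:
  name: legacy-web
  namespace: demo
spec:
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
  externalIPs:
  - 203.0.113.10        # constructed address from the documentation range
---
# The same Service with externalIPs dropped; this is what the plugin admits.
apiVersion: v1
kind: Service
metadata:
  name: legacy-web
  namespace: demo
spec:
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
```

Before enabling the plugin, list any Services that already use the field so their owners can migrate first; `kubectl get svc -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,EXTIPS:.spec.externalIPs` prints `<none>` for Services that do not set it. Because the plugin only blocks new usage, removing existing values remains allowed, which is what makes a phased cleanup possible.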
**Exploring Alternatives to `.spec.externalIPs`**
If you have been using `.spec.externalIPs`, rest assured there are several robust alternatives now at your disposal. Switching to a LoadBalancer service type might be tempting, but that move isn't as straightforward as many might think. Creating a LoadBalancer service and manually assigning IPs into its status has its drawbacks, as it doesn't fundamentally address the security risks that plagued `.spec.externalIPs`.
For a more secure and robust approach, consider employing third-party load balancer controllers such as MetalLB, which enhances Kubernetes' capabilities for non-cloud environments. By managing a pre-defined pool of IP addresses, MetalLB mitigates the risks associated with `.spec.externalIPs`, ensuring that the same IP isn’t assigned to multiple services, and putting the control squarely back in the hands of administrators.
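The MetalLB arrangement described above, as an added example that is not part of the original post or the MetalLB project's own documentation: an administrator-owned address pool, a layer-2 advertisement for it, and an ordinary `LoadBalancer` Service that receives an address from the pool instead of naming one itself. The pool name, namespace, address range and Service details are constructed for this example.

```yaml
# Added example: an administrator-defined address pool. Only cluster
# administrators create objects in metallb-system; application teams never
# pick addresses themselves.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: on-prem-pool
  namespace: metallb-system
spec:
  addresses:
  - 203.0.113.20-203.0.113.40   # constructed range from the documentation block
---
# Announce the pool on the local layer-2 segment (the simplest MetalLB mode).
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: on-prem-l2
  namespace: metallb-system
spec:
  ipAddressPools:
  - on-prem-pool
---
# Application-side Service: type LoadBalancer, no externalIPs. MetalLB
# allocates one unused address from the pool and writes it to .status, so
# the same address cannot be claimed by two Services.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: demo
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
```

The security property the post calls out lives in the split of ownership: the pool and advertisement objects sit in a namespace that only administrators can write to, while application teams only ever request a `LoadBalancer` Service and receive whatever address the controller hands out.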
Alternatively, newer strategies like the Gateway API offer another layer of security and flexibility. With Gateway resources managed by cluster administrators, you can set access controls through RBAC to prevent unauthorized usage.
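The Gateway API split described above, as an added example that is not part of the original post or the Gateway API project's own documentation: a `Gateway` owned by the platform team in an infrastructure namespace, a namespaced `Role` that lets an application team manage only `HTTPRoute` objects, and an `HTTPRoute` that attaches to the shared Gateway. The `GatewayClass` name, namespaces, label, group name and Service name are constructed for this example.

```yaml
# Added example: the Gateway is created by administrators in a namespace that
# application teams cannot write to. It only accepts routes from namespaces
# carrying an admin-applied label.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gw
  namespace: infra
spec:
  gatewayClassName: example-class   # assumed GatewayClass installed by the admin
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            gateway-access: allowed   # constructed label set by administrators
---
# RBAC for the application team: HTTPRoutes only, in their own namespace.
# No verbs on gateways or gatewayclasses, so the team cannot create listeners
# or bind new addresses.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: route-editor
  namespace: demo
rules:
- apiGroups: ["gateway.networking.k8s.io"]
  resources: ["httproutes"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: web-team-routes
  namespace: demo
subjects:
- kind: Group
  name: web-team            # constructed group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: route-editor
  apiGroup: rbac.authorization.k8s.io
---
# What the application team is allowed to create: a route that attaches to
# the shared Gateway and sends traffic to its own Service.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: web
  namespace: demo
spec:
  parentRefs:
  - name: shared-gw
    namespace: infra
  rules:
  - backendRefs:
    - name: web
      port: 80
```

Two controls work together here: RBAC keeps application teams away from the `Gateway` and `GatewayClass` kinds, and the listener's `allowedRoutes` selector means a route from an unlabelled namespace is not attached even if someone manages to create it. Either one alone leaves a gap; the Gateway API is designed so that both are expressed declaratively.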
In sum, as Kubernetes moves forward, the lessons drawn from the discontinuation of `.spec.externalIPs` underline the critical need for a secure-by-default ethos. Users who adapt to these changes will find themselves better positioned to leverage Kubernetes's full capabilities while minimizing their security risks.
**What's Next for the Gateway API?**
The Gateway API project represents a significant pivot in how Kubernetes handles traffic management and service routing. By directly addressing the limitations of the existing Ingress and Service resources, it stands out as a more effective and versatile option for developers and operators alike. While still evolving, its active development signals the community's push for a more seamless networking experience. Here's the reality: the move to deprecate externalIPs is a critical turning point in this environment, and one that you need to pay attention to. As Kubernetes transitions, starting with the deprecation announced in version 1.36, the implications extend beyond users simply adapting to new methods of service exposure. Essentially, users are being steered towards Gateway resources, which promise finer control over traffic routing but require a shift in how developers think about service management.
What does this mean for you? If you're currently relying on externalIPs, you should start planning now. Kubernetes 1.40 will remove support in kube-proxy, though an opt-in option will allow a phased exit. By version 1.43, however, that flexibility will disappear entirely, and you will have to move fully to the new approaches with no fallback.
This timeline shows that Kubernetes is serious about these transitions: more than mere updates, they are invitations to a strategic shift in infrastructure. So, if you're operating in this space, now is the time to start experimenting with the Gateway API and assessing how it can meet your needs. The tight deadlines spell urgency, and getting ahead of the curve could yield significant long-term benefits. Don't wait until the last minute; adapt now to avoid being caught flat-footed.