Block Services with ExternalIPs
This document shares how to control how Services with ExternalIPs are managed within your cluster.
An ExternalIP is a powerful tool that could be used for malicious intent.
Any user who can create a Service with ExternalIPs could:
- intercept other users' outbound traffic to arbitrary IPs.
- (non-deterministically) steal other users' inbound traffic to their own ExternalIPs.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
Your Kubernetes server must be at or later than version v1.30. To check the version, enter kubectl version.
Kubernetes Service ExternalIP Policies
Cluster administrators can implement policies to control the creation and modification of Services with ExternalIPs within the cluster. This allows for centralized management of the allowed ExternalIPs used for Services and helps prevent unintended or conflicting configurations. Kubernetes provides mechanisms like Validating Admission Policies to enforce these rules.
Allowing only specific ExternalIPs within a certain IP range to be created
The following example allows an administrator to restrict the ExternalIPs of any new or updated Service to the allowed IP address range(s):
```yaml
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "allow-specific-externalips"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["services"]
  variables:
  - name: allowed
    expression: "['192.0.2.0/24', '2001:db8::/64']"
  validations:
  - expression: |
      !has(object.spec.externalIPs) ||
      object.spec.externalIPs.all(ip, variables.allowed.exists(cidr, cidr(cidr).containsIP(ip)))
    message: "All externalIPs must be within the allowed CIDR ranges."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "allow-specific-externalips-binding"
spec:
  policyName: "allow-specific-externalips"
  validationActions: [Deny, Audit]
```
Restricting which users/groups may create/update Services with ExternalIPs
```yaml
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "allow-specific-users-to-manage-externalips"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["services"]
  validations:
  - expression: |
      !has(object.spec.externalIPs) ||
      request.userInfo.username == "myuser" ||
      request.userInfo.groups.exists(g, g in ["system:masters", "net-admins"])
    message: "Only user 'myuser' or members of groups 'system:masters' and 'net-admins' can assign externalIPs."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "allow-specific-users-binding"
spec:
  policyName: "allow-specific-users-to-manage-externalips"
  validationActions: [Deny, Audit]
```
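Both policies above are CEL expressions that only run inside the API server, so it is useful to be able to evaluate the same rules offline, for example in CI or a pre-commit hook, before a Service manifest is ever submitted. The script below is an added example, not part of the Kubernetes documentation or the Kubernetes code base: it re-implements the two validations (allowed CIDR ranges, and the allowed user/groups) in plain Python using only the standard library, with the same ranges, user name, group names and messages as the policies on this page. The Service manifests and the `userInfo` dictionaries are constructed for illustration; `userInfo` is shaped like the `request.userInfo` object the CEL expression reads. One caveat it makes explicit: a malformed address makes `cidr(...).containsIP()` raise an evaluation error, which with `failurePolicy: Fail` denies the request, so the mirror treats an unparsable IP as a violation rather than silently accepting it.

```python
"""Offline mirror of the two ValidatingAdmissionPolicy rules for Service externalIPs.

Added example (not from the Kubernetes docs or project). The CEL expressions are
re-implemented with the standard library so a manifest can be checked before it
reaches the API server. Sample Services and userInfo dicts are constructed.
"""
import ipaddress

# Values taken from the policies on the page.
ALLOWED_CIDRS = ["192.0.2.0/24", "2001:db8::/64"]
ALLOWED_USERS = {"myuser"}
ALLOWED_GROUPS = {"system:masters", "net-admins"}

CIDR_MESSAGE = "All externalIPs must be within the allowed CIDR ranges."
USER_MESSAGE = ("Only user 'myuser' or members of groups 'system:masters' "
                "and 'net-admins' can assign externalIPs.")


def external_ips(service):
    """spec.externalIPs, or [] when absent. The API server drops an empty list
    (omitempty), so 'empty' and 'absent' both mean has() == false in CEL."""
    return service.get("spec", {}).get("externalIPs") or []


def ips_within_allowed_ranges(service, allowed_cidrs=ALLOWED_CIDRS):
    """Mirror of:
    !has(object.spec.externalIPs) ||
    object.spec.externalIPs.all(ip, variables.allowed.exists(cidr, cidr(cidr).containsIP(ip)))
    """
    networks = [ipaddress.ip_network(c, strict=True) for c in allowed_cidrs]
    for raw in external_ips(service):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            # CEL's containsIP() errors on a malformed address; with
            # failurePolicy: Fail that error denies the request, so treat it
            # as a violation instead of letting a bad value slip through.
            return False
        # 'ip in net' is False when the address families differ (v4 vs v6).
        if not any(ip in net for net in networks):
            return False
    return True


def requester_may_assign(service, user_info,
                         allowed_users=ALLOWED_USERS, allowed_groups=ALLOWED_GROUPS):
    """Mirror of:
    !has(object.spec.externalIPs) ||
    request.userInfo.username == "myuser" ||
    request.userInfo.groups.exists(g, g in ["system:masters", "net-admins"])
    """
    if not external_ips(service):
        return True
    if user_info.get("username") in allowed_users:
        return True
    return any(g in allowed_groups for g in user_info.get("groups", []))


def admission_violations(service, user_info):
    """Messages a Deny action would report for this request; [] means admitted."""
    messages = []
    if not ips_within_allowed_ranges(service):
        messages.append(CIDR_MESSAGE)
    if not requester_may_assign(service, user_info):
        messages.append(USER_MESSAGE)
    return messages


# Constructed sample inputs (not from the page).
SERVICE_NO_EXTERNAL_IPS = {"apiVersion": "v1", "kind": "Service",
                           "metadata": {"name": "web"},
                           "spec": {"ports": [{"port": 80}]}}
SERVICE_ALLOWED_IPS = {"apiVersion": "v1", "kind": "Service",
                       "metadata": {"name": "ingress-edge"},
                       "spec": {"ports": [{"port": 443}],
                                "externalIPs": ["192.0.2.10", "2001:db8::1"]}}
SERVICE_ROGUE_IP = {"apiVersion": "v1", "kind": "Service",
                    "metadata": {"name": "sneaky"},
                    "spec": {"ports": [{"port": 53}],
                             "externalIPs": ["198.51.100.7"]}}  # outside both ranges
NET_ADMIN = {"username": "alice", "groups": ["system:authenticated", "net-admins"]}
DEVELOPER = {"username": "bob", "groups": ["system:authenticated", "developers"]}

if __name__ == "__main__":
    cases = [("web / developer", SERVICE_NO_EXTERNAL_IPS, DEVELOPER),
             ("ingress-edge / net-admin", SERVICE_ALLOWED_IPS, NET_ADMIN),
             ("ingress-edge / developer", SERVICE_ALLOWED_IPS, DEVELOPER),
             ("sneaky / developer", SERVICE_ROGUE_IP, DEVELOPER)]
    for label, svc, who in cases:
        problems = admission_violations(svc, who)
        print(f"{label}: {'ADMITTED' if not problems else 'DENIED'}")
        for msg in problems:
            print(f"  - {msg}")
```

Running the script prints one line per case; the only Service a developer can create without a denial is the one that sets no externalIPs at all, which is the behaviour the two bindings enforce in `Deny` mode. The `Audit` action in the bindings is not modelled here; it only changes whether a violation is additionally recorded in the audit log.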