
document how to use ValidatingAdmissionPolicy to replace kubernetes-sigs/externalip-webhook #51689

@danwinship

ExternalIPs are insecure for two reasons:

  • Any user who can create a Service with ExternalIPs can intercept other users' outbound traffic to arbitrary IPs.
  • Any user who can create a Service with ExternalIPs can (non-deterministically) steal other users' inbound traffic to their own ExternalIPs.

And thus we recommend disabling them via the DenyServiceExternalIPs admission controller.

https://github.com/kubernetes-sigs/externalip-webhook allows you to instead configure a validating webhook that allows configuring

  • allowed-external-ip-cidrs: to only allow ExternalIPs within certain IP ranges
  • allowed-usernames and allowed-groups: to only allow ExternalIPs to be used by trusted users.

@aojea pointed out in kubernetes/org#5549 that both of these could be done with ValidatingAdmissionPolicy these days, but we don't have any documentation explaining how you'd do that. (The ServiceCIDR documentation gives an example of a VAP that includes a list of allowed CIDRs and then validates that the CIDRs specified in the ServiceCIDR object are within the "allowed" list, so that could be used as a starting point for a Service ExternalIPs VAP. I'm not sure where there's a good example of a VAP that checks user/serviceAccount.)

/sig network
/sig docs
/sig security
/kind documentation
/help
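A starting point for the policy the issue asks for, written here as an added example (not code from externalip-webhook or from the Kubernetes docs): it ports both webhook settings to a ValidatingAdmissionPolicy, requiring every externalIP to fall inside an allowed CIDR and the requester to be an allowed user or a member of an allowed group. The CIDRs, username and group are constructed placeholder values, and the example assumes a cluster where ValidatingAdmissionPolicy is served in `admissionregistration.k8s.io/v1` and the CEL `ip()`/`cidr()` functions used by the ServiceCIDR example are available.

```yaml
# Added example: deny Service externalIPs outside trusted ranges or from
# untrusted principals. Assumes admissionregistration.k8s.io/v1 and CEL ip()/cidr().
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: restrict-service-externalips
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["services"]
  matchConditions:
  # Services that do not set externalIPs are never evaluated by this policy.
  - name: sets-externalips
    expression: "has(object.spec.externalIPs) && object.spec.externalIPs.size() > 0"
  variables:
  # Constructed placeholder values standing in for the webhook's
  # allowed-external-ip-cidrs, allowed-usernames and allowed-groups settings.
  - name: allowedCIDRs
    expression: "['198.51.100.0/24', '2001:db8:1::/64']"
  - name: allowedUsers
    expression: "['admin@example.com']"
  - name: allowedGroups
    expression: "['network-admins']"
  validations:
  # Every requested externalIP must be a valid IP inside one allowed range.
  - expression: >-
      object.spec.externalIPs.all(addr, isIP(addr) &&
        variables.allowedCIDRs.exists(block, cidr(block).containsIP(ip(addr))))
    message: "every externalIP must fall within an allowed CIDR"
    reason: Forbidden
  # The requester must be an allowed user or belong to an allowed group.
  - expression: >-
      request.userInfo.username in variables.allowedUsers ||
      (has(request.userInfo.groups) &&
        request.userInfo.groups.exists(g, g in variables.allowedGroups))
    message: "only allowed users or groups may set externalIPs on a Service"
    reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: restrict-service-externalips
spec:
  policyName: restrict-service-externalips
  validationActions: [Deny]
```

Both validations must pass, so a trusted user is still limited to the allowed ranges; with `failurePolicy: Fail` and `validationActions: [Deny]`, any evaluation error also results in the request being rejected rather than silently admitted.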

Labels:

  • help wanted: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
  • kind/documentation: Categorizes issue or PR as related to documentation.
  • lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
  • priority/backlog: Higher priority than priority/awaiting-more-evidence.
  • sig/docs: Categorizes an issue or PR as relevant to SIG Docs.
  • sig/network: Categorizes an issue or PR as relevant to SIG Network.
  • sig/security: Categorizes an issue or PR as relevant to SIG Security.
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.