kubernetes/website

document how to use ValidatingAdmissionPolicy to replace kubernetes-sigs/externalip-webhook

Open

#51689 opened on Jul 22, 2025


Description

ExternalIPs are insecure for two reasons:

  • Any user who can create a Service with ExternalIPs can intercept other users' outbound traffic to arbitrary IPs.
  • Any user who can create a Service with ExternalIPs can (non-deterministically) steal other users' inbound traffic to their own ExternalIPs.

And thus we recommend disabling them via the DenyServiceExternalIPs admission controller.

https://github.com/kubernetes-sigs/externalip-webhook allows you to instead configure a validating webhook that allows configuring

  • allowed-external-ip-cidrs: to only allow ExternalIPs within certain IP ranges
  • allowed-usernames and allowed-groups: to only allow ExternalIPs to be used by trusted users.

@aojea pointed out in https://github.com/kubernetes/org/issues/5549 that both of these could be done with ValidatingAdmissionPolicy these days, but we don't have any documentation explaining how you'd do that. (The ServiceCIDR documentation gives an example of a VAP that includes a list of allowed CIDRs and then validates that the CIDRs specified in the ServiceCIDR object are within the "allowed" list, so that could be used as a starting point for a Service ExternalIPs VAP. I'm not sure where there's a good example of a VAP that checks user/serviceAccount.)

/sig network /sig docs /sig security /kind documentation /help
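As an added illustration of what the issue asks for (this is not part of the issue, nor taken from kubernetes-sigs/externalip-webhook or the Kubernetes docs), below is a ValidatingAdmissionPolicy plus binding that mirrors the webhook's two knobs: a CIDR allowlist for `spec.externalIPs`, and a username/group allowlist for who may set them. It follows the same shape as the ServiceCIDR example the issue points to and relies on the same CEL `ip()`/`cidr()` library; the `request.userInfo` attribute covers the user/serviceAccount check the issue says lacks an example. The CIDRs, usernames and group name are placeholders, and the choice to enforce both checks together (IP range and identity) is an assumption: drop either validation if only one restriction is wanted. Services without `externalIPs` are never evaluated, so the policy does not affect ordinary ClusterIP or LoadBalancer Services.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "service-externalips.example"   # placeholder name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["services"]
  matchConditions:
  # Only Services that actually set externalIPs are checked at all.
  - name: "has-external-ips"
    expression: "has(object.spec.externalIPs) && size(object.spec.externalIPs) > 0"
  variables:
  # Placeholder ranges: equivalent of the webhook's allowed-external-ip-cidrs.
  - name: allowedCIDRs
    expression: "['192.0.2.0/24', '2001:db8:1::/64']"
  # Placeholder identities: equivalent of allowed-usernames / allowed-groups.
  - name: allowedUsers
    expression: "['system:serviceaccount:lb-system:lb-controller']"
  - name: allowedGroups
    expression: "['externalip-admins']"
  validations:
  # Every externalIP must fall inside at least one allowed CIDR.
  - expression: >-
      object.spec.externalIPs.all(i,
        variables.allowedCIDRs.exists(c, cidr(c).containsIP(ip(i))))
    message: "spec.externalIPs must be within the allowed CIDRs"
    reason: Forbidden
  # The requesting user must be an allowed user or belong to an allowed group.
  - expression: >-
      request.userInfo.username in variables.allowedUsers ||
      (has(request.userInfo.groups) &&
        request.userInfo.groups.exists(g, g in variables.allowedGroups))
    message: "only allowed users or groups may set spec.externalIPs"
    reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "service-externalips.example-binding"   # placeholder name
spec:
  policyName: "service-externalips.example"
  validationActions: [Deny]
```

Two points worth checking before relying on this in place of the webhook: `ip()` and `cidr()` are only available on API server versions that ship the CEL IP/CIDR library (the same requirement the ServiceCIDR example has), and `validationActions: [Deny]` means a CEL evaluation error on a matching Service is also rejected because `failurePolicy` is `Fail`, which is the safe default for a control whose purpose is to stop traffic interception.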
