kubernetes/website

document how to use ValidatingAdmissionPolicy to replace kubernetes-sigs/externalip-webhook

Open

#51689 opened on 22 July 2025

Labels: help wanted, kind/documentation, lifecycle/frozen, priority/backlog, sig/docs, sig/network, sig/security, triage/accepted

Description

ExternalIPs are insecure for two reasons:

  • Any user who can create a Service with ExternalIPs can intercept other users' outbound traffic to arbitrary IPs.
  • Any user who can create a Service with ExternalIPs can (non-deterministically) steal other users' inbound traffic to their own ExternalIPs.

And thus we recommend disabling them via the DenyServiceExternalIPs admission controller.

https://github.com/kubernetes-sigs/externalip-webhook allows you to instead configure a validating webhook that allows configuring

  • allowed-external-ip-cidrs: to only allow ExternalIPs within certain IP ranges
  • allowed-usernames and allowed-groups: to only allow ExternalIPs to be used by trusted users.

@aojea pointed out in https://github.com/kubernetes/org/issues/5549 that both of these could be done with ValidatingAdmissionPolicy these days, but we don't have any documentation explaining how you'd do that. (The ServiceCIDR documentation gives an example of a VAP that includes a list of allowed CIDRs and then validates that the CIDRs specified in the ServiceCIDR object are within the "allowed" list, so that could be used as a starting point for a Service ExternalIPs VAP. I'm not sure where there's a good example of a VAP that checks user/serviceAccount.)

/sig network /sig docs /sig security /kind documentation /help
