1.2.3 Ensure that the DenyServiceExternalIPs admission controller is enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


This admission controller rejects all net-new usage of the Service field externalIPs.


Most users do not need the ability to set the externalIPs field for a Service at all, and cluster admins should consider disabling this functionality by enabling the DenyServiceExternalIPs admission controller. Clusters that do need to allow this functionality should consider using some custom policy to manage its usage.


When enabled, users of the cluster may not create new Services which use externalIPs and may not add new values to externalIPs on existing Service objects.


Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and add the DenyServiceExternalIPs' to the --enable-admission-plugins' parameter.

Default Value:

By default, the DenyServiceExternalIPs admission controller is not enabled.

See Also