CVE-2020-8554 describes a traffic-interception weakness in Kubernetes Service ExternalIPs: a user who can create or patch Services can set spec.externalIPs to an address of their choosing, and kube-proxy then routes cluster traffic destined for that address to the Service's endpoints, so traffic from other pods can be intercepted. Kubernetes has recommended disabling the feature or tightly controlling it (the project published an admission webhook, externalip-webhook, to restrict which addresses may be used), and has announced deprecation of Service ExternalIPs in Kubernetes 1.36.
When this matters
A manifest with spec.externalIPs is not proof of compromise. It is configuration evidence from source control: the cluster owner should confirm that the route is intentional and that only trusted administrators or tightly scoped automation can set externalIPs on Services.
Covered by FixVibe
FixVibe can flag Kubernetes Service manifests in GitHub repo scans when spec.externalIPs is explicitly set to a non-empty list; an absent field or an empty list is not flagged. This is a static repository check. It does not inspect live clusters, enumerate deployed Services, review RBAC, evaluate admission policy, send traffic, or prove that traffic was intercepted.
Remediation
Remove ExternalIPs unless they are required. Prefer a provider LoadBalancer Service, Ingress, Gateway API, MetalLB with approved address pools, or another cluster-approved routing path. If ExternalIPs must remain, restrict who can create and update Services through RBAC, enforce a deny-by-default or allowlist admission policy (for example a ValidatingAdmissionPolicy or webhook that rejects any Service whose spec.externalIPs falls outside an approved range), audit the Services already deployed with kubectl, and alert on future Service changes that add or modify externalIPs.
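The following is an added example, not FixVibe's scanner and not code from the Kubernetes project. It implements the static check described under "Covered by FixVibe" (flag every Service whose spec.externalIPs is a non-empty list, skipping other kinds, absent fields and empty lists) and then applies the allowlist logic from the remediation above: each flagged Service gets a deny-by-default verdict unless every address falls inside an operator-approved pool, which is the same decision an admission policy would make in-cluster. The sample manifest list and the approved pool 203.0.113.0/28 are constructed for the example; PyYAML is optional and only needed to read raw YAML manifests, since the sample is JSON in the shape of `kubectl get svc -A -o json`.

```python
"""Static check for Service spec.externalIPs with a deny-by-default allowlist.

Added example (not FixVibe's own scanner, not Kubernetes project code).
"""
import ipaddress
import json

try:
    import yaml  # PyYAML, optional: lets the check read raw YAML manifests
except ImportError:
    yaml = None


def load_documents(text):
    """Parse manifests: multi-document YAML when PyYAML is present, else JSON.

    JSON is what `kubectl get svc -A -o json` emits, and it is valid YAML too.
    """
    if yaml is not None:
        return [d for d in yaml.safe_load_all(text) if d is not None]
    return [json.loads(text)]


def iter_objects(doc):
    """Yield individual objects, unwrapping kind: List / ServiceList wrappers."""
    if not isinstance(doc, dict):
        return
    if str(doc.get("kind", "")).endswith("List") and isinstance(doc.get("items"), list):
        for item in doc["items"]:
            yield from iter_objects(item)
    else:
        yield doc


def external_ips(obj):
    """Return spec.externalIPs of a Service as strings; [] for anything else.

    An absent key, a null value, or an explicit empty list all mean 'not set'.
    """
    if obj.get("kind") != "Service":
        return []
    ips = (obj.get("spec") or {}).get("externalIPs")
    if not isinstance(ips, list):
        return []
    return [str(ip) for ip in ips]


def check_services(text, approved_pools=()):
    """Return one finding per Service that sets externalIPs.

    verdict is 'allow' only if every entry parses as an IP address and lies
    inside an approved pool; with no pools configured every finding is 'deny'.
    """
    pools = [ipaddress.ip_network(p, strict=False) for p in approved_pools]
    findings = []
    for doc in load_documents(text):
        for obj in iter_objects(doc):
            ips = external_ips(obj)
            if not ips:
                continue
            unapproved = []
            for ip in ips:
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    unapproved.append(ip)  # malformed entry: never allow it
                    continue
                if not any(addr in pool for pool in pools):
                    unapproved.append(ip)
            meta = obj.get("metadata") or {}
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "name": meta.get("name", "<unnamed>"),
                "externalIPs": ips,
                "unapproved": unapproved,
                "verdict": "deny" if unapproved else "allow",
            })
    return findings


# Constructed sample in the shape of `kubectl get svc -A -o json`; not real cluster output.
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List", "items": [
        {"apiVersion": "v1", "kind": "Service",
         "metadata": {"name": "api", "namespace": "prod"},
         "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.5"]}},
        {"apiVersion": "v1", "kind": "Service",
         "metadata": {"name": "sneaky", "namespace": "dev"},
         "spec": {"type": "ClusterIP", "externalIPs": ["198.51.100.7"]}},
        {"apiVersion": "v1", "kind": "Service",
         "metadata": {"name": "web", "namespace": "prod"},
         "spec": {"type": "ClusterIP", "externalIPs": []}},
        {"apiVersion": "apps/v1", "kind": "Deployment",
         "metadata": {"name": "not-a-service", "namespace": "prod"},
         "spec": {"externalIPs": ["203.0.113.9"]}},
    ]})

# Hypothetical approved pool chosen for the example (from the TEST-NET-3 range).
APPROVED_POOLS = ("203.0.113.0/28",)

if __name__ == "__main__":
    for f in check_services(SAMPLE_LIST, APPROVED_POOLS):
        print(f"{f['verdict']:5} {f['namespace']}/{f['name']} externalIPs={f['externalIPs']}")
```

Run it against a repo checkout by passing each manifest's text to check_services, or against a live cluster by piping `kubectl get svc -A -o json` into it; either way a "deny" finding is a Service to review, not proof of interception. Passing no approved pools gives the strict deny-by-default behaviour, which is the right starting point until an operator has documented which address ranges are legitimately routed this way.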
