Kubernetes v1.36 deprecates Service.spec.externalIPs and starts the removal path, finally closing CVE-2020-8554, the trust-everyone hole the field has carried since the early days.
The project has recommended disabling it via the DenyServiceExternalIPs admission controller since v1.21, but SIG Network held off blocking it by default because the break was considered too large. If you still rely on externalIPs for cloud-load-balancer-style behavior on bare metal, migrate to a real load balancer implementation (MetalLB, kube-vip, or a Gateway API equivalent) before upgrading.
