diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/AC-K8-NS-SE-M-0188.json b/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/AC-K8-NS-SE-M-0188.json
new file mode 100644
index 000000000..70157bc7e
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/AC-K8-NS-SE-M-0188.json
@@ -0,0 +1,15 @@
+{
+ "name": "ensurePrivateIP",
+ "file": "ensurePrivateIP.rego",
+ "template_args": {
+ "name": "ensurePrivateIP",
+ "prefix": "",
+ "resource_type": "kubernetes_service",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Vulnerable to CVE-2020-8554",
+ "reference_id": "AC-K8-NS-SE-M-0188",
+ "category": "Network Security",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/ensurePrivateIP.rego b/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/ensurePrivateIP.rego
new file mode 100644
index 000000000..e195b2885
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/ensurePrivateIP.rego
@@ -0,0 +1,15 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[service.id] {
+ service := input.{{.resource_type}}[_]
+ type_check(service.config.spec)
+ object.get(service.config.spec, "externalIPs", "undefined") != "undefined"
+}
+
+type_check(spec) {
+ spec.type == "ClusterIP"
+}
+
+type_check(spec) {
+ object.get(spec, "type", "undefined") == "undefined"
+}
\ No newline at end of file
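Review bot: The "description" value "Vulnerable to CVE-2020-8554" tells the person reading a finding the CVE number but not what was detected, so it cannot be acted on without opening the rego file. The rule body in the sibling file flags a Service whose spec sets externalIPs while its type is ClusterIP or unset, and the description should say that, e.g. `"description": "Service sets spec.externalIPs, the traffic-interception vector of CVE-2020-8554"`. The "name" ensurePrivateIP likewise suggests an address-range check that the policy does not perform; if the identifier cannot change, the description is the place to correct that impression.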
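Review bot: The rule only reports externalIPs on Services whose type is "ClusterIP" or absent (the two type_check bodies), but spec.externalIPs is honored by Kubernetes on NodePort and LoadBalancer Services as well, so such a Service carrying externalIPs passes this check unflagged; if the narrowing to ClusterIP is deliberate it needs a comment saying why, otherwise the type_check call should be dropped. The presence test `object.get(service.config.spec, "externalIPs", "undefined") != "undefined"` also fires on an explicit empty list, which claims no external IP; `count(object.get(service.config.spec, "externalIPs", [])) > 0` reports only Services that actually set one. Since the name ensurePrivateIP implies an address-range check the body does not do, a header comment such as `# Flags Services that populate spec.externalIPs (CVE-2020-8554 traffic-interception vector).` above the rule would keep the next maintainer from assuming one exists.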