Is there a way to use Kubernetes RBAC to stop a user from creating an external loadbalancer on a service?

10/19/2018

On 1.10.9, kops, AWS, I am looking for a way to stop a user from creating a service that uses type:loadbalancer unless it has

annotations: 
  service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0. 

Is that possible?

-- Defenestrator6
kops
kubernetes
load-balancing

1 Answer

10/19/2018

A custom role for users, with rules like this:

rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]   # don't put create, update, patch, etc.

This will prevent the users.

Then use NodePort-Exposer to do the second part automatically without involving the users.

The NodePort-Exposer watches Services with the annotation nodeport-exposer.k8s.io/expose="true" and exposes them via a Service of type LoadBalancer.

-- Ijaz Ahmad Khan
Source: StackOverflow
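
An added example, not part of the answer above or of any project's code: a small audit that takes a Role in the shape returned by `kubectl get role -o json` and reports which of the create/update/patch verbs it grants on core-group `services`, including through `*` wildcards. The sample roles and the function names are constructed for illustration.

```python
# Verbs that let a user set or change a Service's spec.type (e.g. to LoadBalancer).
WRITE_VERBS = {"create", "update", "patch"}


def _matches(values, wanted):
    """RBAC list semantics: '*' matches anything, otherwise exact match."""
    return "*" in values or wanted in values


def service_write_verbs(role):
    """Return the sorted write verbs a Role/ClusterRole grants on core 'services'."""
    granted = set()
    for rule in role.get("rules", []):
        if not _matches(rule.get("apiGroups", []), ""):
            continue  # rule is for another API group (apps, batch, ...)
        if not _matches(rule.get("resources", []), "services"):
            continue  # note: the singular "service" is not a resource name
        verbs = set(rule.get("verbs", []))
        granted |= WRITE_VERBS if "*" in verbs else verbs & WRITE_VERBS
    return sorted(granted)


# Constructed sample roles (hypothetical names), not taken from a real cluster.
READ_ONLY = {"metadata": {"name": "svc-reader"}, "rules": [
    {"apiGroups": [""], "resources": ["services"],
     "verbs": ["get", "watch", "list"]},
]}
MIXED = {"metadata": {"name": "dev"}, "rules": [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["pods", "services"],
     "verbs": ["get", "patch"]},
]}
WILDCARD = {"metadata": {"name": "ns-admin"}, "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]}

if __name__ == "__main__":
    for role in (READ_ONLY, MIXED, WILDCARD):
        verbs = service_write_verbs(role)
        status = "FAIL " + ",".join(verbs) if verbs else "ok"
        print(f'{role["metadata"]["name"]}: {status}')
```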