On 1.10.9, kops, AWS, I am looking for a way to stop a user from creating a service that uses type: LoadBalancer unless it has

    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0

Is that possible?
A custom role for users, with rules like this:

    rules:
    - apiGroups: [""]
      resources: ["services"]
      verbs: ["get", "watch", "list"]  # don't put create, update, patch, etc.

This will prevent the users.
Then use NodePort-Exposer to do the second part automatically without involving the users.
The NodePort-Exposer watches Services with the annotation nodeport-exposer.k8s.io/expose="true"
and exposes them via a Service of type LoadBalancer.
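
The Role above removes write access to Services altogether; the rule the question asks for (a LoadBalancer Service is acceptable only when it carries the internal annotation) depends on the content of the object, so it has to be evaluated against the Service itself. The following is an added example, not part of the answer or of NodePort-Exposer: it assumes a validating admission webhook hands it AdmissionReview requests, treats any non-empty annotation value as sufficient, and uses constructed function names and sample requests.

```python
INTERNAL_LB_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-internal"


def violations(service):
    """Return the policy violations for one Service manifest (a dict)."""
    if service.get("kind") != "Service":
        return []
    spec = service.get("spec") or {}
    # spec.type defaults to ClusterIP when omitted, so only an explicit
    # LoadBalancer is in scope for this rule.
    if spec.get("type") != "LoadBalancer":
        return []
    # metadata.annotations may be missing or null on a real object.
    annotations = (service.get("metadata") or {}).get("annotations") or {}
    # Assumption: any non-empty value marks the load balancer as internal.
    if not str(annotations.get(INTERNAL_LB_ANNOTATION, "")).strip():
        return ["type LoadBalancer requires annotation " + INTERNAL_LB_ANNOTATION]
    return []


def review(admission_review):
    """Build the AdmissionReview reply for one validating-webhook request."""
    request = admission_review["request"]
    # On DELETE the object is null; nothing to validate, so it is allowed.
    problems = violations(request.get("object") or {})
    response = {"uid": request["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"message": "; ".join(problems)}
    return {"apiVersion": admission_review.get("apiVersion"),
            "kind": "AdmissionReview", "response": response}


def sample_request(uid, svc_type, annotations=None):
    """Constructed AdmissionReview request, for demonstration only."""
    return {"apiVersion": "admission.k8s.io/v1beta1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE", "object": {
                "apiVersion": "v1", "kind": "Service",
                "metadata": {"name": "demo", "annotations": annotations},
                "spec": {"type": svc_type, "ports": [{"port": 80}]}}}}


if __name__ == "__main__":
    for req in (sample_request("1", "LoadBalancer"),
                sample_request("2", "LoadBalancer",
                               {INTERNAL_LB_ANNOTATION: "0.0.0.0/0"}),
                sample_request("3", "ClusterIP")):
        print(review(req)["response"])
```

An UPDATE request has to pass through the same check, otherwise a Service created as ClusterIP can be switched to LoadBalancer afterwards.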