Disable service type loadbalancer


#1

Hello
We are running kubernetes on AWS and we would like to disable servicetype loadbalancer for certain groups of users (a role). is this actually possible? or is there a way to achieve this?
Thanks


#2

You can set Quotas with “services.loadbalancers” set to 0.


#3

Hello @thockin
Thanks this partially solves the issue, but as I see it would disable loadbalancers for everybody in the namespace. The dream would be to have role “admins” to be able to create the loadbalancers and role “developers” not being able to create loadbalancers inside a given namespace
I wanted to try this week role like this

  resources: ["services.loadbalancers"]
  verbs: ["get", "list", "watch"]

#4

I believe you could do this with something like Open Policy Agent. It has more policy driven language and capabilities for handling this sort of thing.

Here is a quick example policy (note: not tested etc.)

package kubernetes.admission

deny["User not permitted to create LoadBalancer service."] {
    input.request.kind.kind = "Service"
    input.request.operation = "CREATE"
    input.request.object.spec.type = "LoadBalancer"
    not lb_admins
}

lb_admins {
  group := input.request.userInfo.groups[_]
 lb_admin_groups[group]
}

lb_admin_groups = { "cluster-admins", "net-admins" }


Kubernetes Office Hours for 20 February