We need a doc update to note a potential security concern where control plane nodes may be added to a loadbalancer pool. See below for full context. We should call out the juju config k-c-p labels suggestion as a mitigation for this concern. Perhaps in our LB overview page or specifically near the other security concern for o7k octavia LBs here(ish): https://ubuntu.com/kubernetes/docs/openstack-integration#using-octavia-load-balancers

Field reports:
I have 3x control nodes and 3x worker nodes. When an LB is created, the openstack loadbalancer pool gets 6x members registered. I can confirm control nodes also get registered... My recommendation is to enable:
https://kubernetes.io/docs/reference/labels-annotations-taints/#node-kubernetes-io-exclude-from-external-load-balancers

Response:
The control plane charm has a space-separated labels config that may serve your needs without changing the default behavior. You could add the exclusion label like this:
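An added example, not part of the original report or the charm's own tooling: a check for the condition the field report describes, listing control plane nodes that are registered as pool members and those missing the exclusion label. It assumes control plane nodes carry the `node-role.kubernetes.io/control-plane` label and that the inputs are the JSON from `kubectl get nodes -o json` and `openstack loadbalancer member list <pool> -f json`; the sample data is constructed.

```python
import json

EXCLUDE_LABEL = "node.kubernetes.io/exclude-from-external-load-balancers"
# Assumption: control plane nodes carry this well-known role label.
CONTROL_PLANE_LABEL = "node-role.kubernetes.io/control-plane"


def node_ips(node):
    """IP addresses the node reports in its status."""
    return {a["address"] for a in node.get("status", {}).get("addresses", [])
            if a.get("type") in ("InternalIP", "ExternalIP")}


def audit(nodes_json, members_json, role_label=CONTROL_PLANE_LABEL):
    """Return (exposed, unlabelled): control plane nodes that are pool
    members, and control plane nodes missing the exclusion label."""
    member_ips = {m["address"] for m in json.loads(members_json)}
    exposed, unlabelled = [], []
    for node in json.loads(nodes_json)["items"]:
        labels = node["metadata"].get("labels", {})
        if role_label not in labels:
            continue  # worker node: expected to be in the pool
        name = node["metadata"]["name"]
        if EXCLUDE_LABEL not in labels:
            unlabelled.append(name)
        if node_ips(node) & member_ips:
            exposed.append(name)  # may be a stale member if already labelled
    return sorted(exposed), sorted(unlabelled)


def make_node(name, ip, labels):
    """Build a minimal node object for the constructed sample below."""
    return {"metadata": {"name": name, "labels": labels},
            "status": {"addresses": [{"type": "InternalIP", "address": ip}]}}


# Constructed sample data: two control plane nodes and one worker.
SAMPLE_NODES = json.dumps({"items": [
    make_node("cp-0", "10.0.0.10", {CONTROL_PLANE_LABEL: ""}),
    make_node("cp-1", "10.0.0.11", {CONTROL_PLANE_LABEL: "", EXCLUDE_LABEL: "true"}),
    make_node("worker-0", "10.0.0.20", {}),
]})
SAMPLE_MEMBERS = json.dumps([
    {"name": "cp-0", "address": "10.0.0.10", "protocol_port": 31080},
    {"name": "worker-0", "address": "10.0.0.20", "protocol_port": 31080},
])

if __name__ == "__main__":
    print(audit(SAMPLE_NODES, SAMPLE_MEMBERS))
```

A node that appears in the first list but not the second already has the label and is still registered, which points to a pool that has not been reconciled since the label was applied.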