Open ICHx opened 3 weeks ago
Hello @ICHx, we have had an internal discussion on this one. If it is standard in the community to create public-facing LBs, we could support this by adding a command-line flag to change the default behavior of the controller to create internet-facing NLBs by default. This should be simple to implement and we welcome any community contributions. However, we may require a security review for this one. Thank you for bringing this to our attention.
Thank you for the reply. Also attaching our workaround for reference:
```yaml
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    service:
      name: aws-load-balancer-webhook-service
      namespace: kube-system
      path: /mutate-v1-service
  failurePolicy: Fail
  name: mservice.elbv2.k8s.aws
  objectSelector:
    matchExpressions:
    - key: app.kubernetes.io/name
      operator: NotIn
      values:
      - aws-load-balancer-controller
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - services
  sideEffects: None
```
We commented out this webhook from the deploy manifest; then only explicitly defined LBs would become NLBs, otherwise Classic.
I am migrating from the in-tree LB controller to the AWS Load Balancer Controller, and this controller requires an annotation to create a public-facing NLB, otherwise it creates an internal one, which is not consistent in behavior with the old Classic Load Balancers.
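The exposure flip described in this issue (internet-facing by default under the in-tree provider, internal by default under the AWS Load Balancer Controller) is the kind of thing worth auditing before a migration rather than discovering afterwards. The script below is an added example, not code from the controller project or from anyone in this thread. It reads a `ServiceList` in the shape `kubectl get svc -A -o json` produces (a constructed sample is embedded), and reports every `LoadBalancer` Service that does not pin its scheme explicitly, together with the exposure it would have under each controller. The annotation names (`service.beta.kubernetes.io/aws-load-balancer-scheme` for the controller, `service.beta.kubernetes.io/aws-load-balancer-internal` for the in-tree provider) and the default behaviours are assumptions taken from the thread and the controllers' documentation; verify them against the versions you run.

```python
"""Migration pre-check: find LoadBalancer Services whose exposure would change
when moving from the in-tree AWS cloud provider to the AWS Load Balancer Controller.

Constructed example, not code from the controller project. Annotation names and
default behaviours are assumptions; check them against your controller versions.
"""
import json

# Controller v2 annotation: "internal" or "internet-facing" (assumed name).
SCHEME_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-scheme"
# In-tree provider annotation: "true" requests an internal ELB (assumed name).
LEGACY_INTERNAL_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-internal"

# Constructed sample shaped like `kubectl get svc -A -o json`.
SAMPLE_SERVICE_LIST = json.dumps({
    "kind": "ServiceList",
    "items": [
        {"metadata": {"name": "web", "namespace": "prod", "annotations": {}},
         "spec": {"type": "LoadBalancer"}},
        {"metadata": {"name": "admin", "namespace": "prod",
                      "annotations": {LEGACY_INTERNAL_ANNOTATION: "true"}},
         "spec": {"type": "LoadBalancer"}},
        {"metadata": {"name": "api", "namespace": "prod",
                      "annotations": {SCHEME_ANNOTATION: "internet-facing"}},
         "spec": {"type": "LoadBalancer"}},
        {"metadata": {"name": "db", "namespace": "prod"},
         "spec": {"type": "ClusterIP"}},
    ],
})


def legacy_scheme(annotations):
    """Exposure under the in-tree provider: internet-facing unless marked internal."""
    if annotations.get(LEGACY_INTERNAL_ANNOTATION, "").lower() == "true":
        return "internal"
    return "internet-facing"


def controller_scheme(annotations):
    """Exposure under the AWS Load Balancer Controller: internal unless the scheme
    annotation says otherwise (the default behaviour this issue describes)."""
    return annotations.get(SCHEME_ANNOTATION, "internal")


def audit(service_list_json):
    """Return one finding per LoadBalancer Service that lacks an explicit scheme
    annotation. Each finding records the exposure before and after migration and
    whether it changes, so the flips (either direction) stand out."""
    findings = []
    for item in json.loads(service_list_json)["items"]:
        if item.get("spec", {}).get("type") != "LoadBalancer":
            continue  # only LoadBalancer Services get a cloud LB
        meta = item["metadata"]
        annotations = meta.get("annotations") or {}
        if SCHEME_ANNOTATION in annotations:
            continue  # exposure is pinned; the controller's default does not apply
        before = legacy_scheme(annotations)
        after = controller_scheme(annotations)
        findings.append({
            "service": f"{meta['namespace']}/{meta['name']}",
            "before": before,
            "after": after,
            "changes": before != after,
        })
    return findings


def main():
    for finding in audit(SAMPLE_SERVICE_LIST):
        marker = "EXPOSURE CHANGES" if finding["changes"] else "unchanged"
        print(f"{finding['service']}: {finding['before']} -> {finding['after']} ({marker})")


if __name__ == "__main__":
    main()
```

Pinning the scheme on every `LoadBalancer` Service is the robust fix regardless of which way the default goes: if the controller later gains the flag the maintainers mention and starts creating internet-facing NLBs by default, an unpinned internal Service would become public just as silently as the public ones here become internal.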