
document capability for excluding nodes from loadbalancer pools #793

@kwmonroe

Description


We need a doc update to note a potential security concern where control plane nodes may be added to a loadbalancer pool. See below for full context. We should call out the juju config k-c-p labels suggestion as a mitigation for this concern. Perhaps in our LB overview page or specifically near the other security concern for o7k octavia LBs here(ish):

https://ubuntu.com/kubernetes/docs/openstack-integration#using-octavia-load-balancers


Field reports:

I have 3x control nodes and 3x worker nodes. When an LB is created, the openstack loadbalancer pool gets 6x members registered. I can confirm control nodes also get registered...My recommendation is to enable:

https://kubernetes.io/docs/reference/labels-annotations-taints/#node-kubernetes-io-exclude-from-external-load-balancers

Response:

The control plane charm has a space-separated labels config that may serve your needs without changing the default behavior. You could add the exclusion label like this:

juju config kubernetes-control-plane \
  labels="node.kubernetes.io/exclude-from-external-load-balancers=true node-role.kubernetes.io/control-plane="
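An added example (not code from this issue, the charm, or the Kubernetes project) that audits which nodes an external load balancer would pool, by parsing `kubectl get nodes -o json` output. It reuses the two label names linked above; the node list inside it is constructed sample data, and the selection rule is simplified to the Ready check and the exclusion label.

```python
"""Audit which nodes an external load balancer would pool.
Added example: parses `kubectl get nodes -o json` output; the node list below
is constructed, not output from the cluster in the field report.
"""
import json

EXCLUDE_LABEL = "node.kubernetes.io/exclude-from-external-load-balancers"
CONTROL_PLANE_LABEL = "node-role.kubernetes.io/control-plane"

# Constructed sample: two control-plane nodes (only cp-0 carries the
# exclusion label) and two workers (worker-1 is NotReady).
SAMPLE_NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "cp-0", "labels": {CONTROL_PLANE_LABEL: "",
                                             EXCLUDE_LABEL: "true"}},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "cp-1", "labels": {CONTROL_PLANE_LABEL: ""}},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "worker-0", "labels": {}},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "worker-1", "labels": {}},
     "status": {"conditions": [{"type": "Ready", "status": "False"}]}},
]})

def _labels(node):
    return node["metadata"].get("labels") or {}

def _is_ready(node):
    return any(c.get("type") == "Ready" and c.get("status") == "True"
               for c in node.get("status", {}).get("conditions", []))

def lb_pool_candidates(nodes_json):
    """Nodes the service controller would register as LB backends.
    Simplified to the two upstream checks that matter here: the node is Ready
    and the exclusion label is absent (its presence, not its value, excludes)."""
    nodes = json.loads(nodes_json)["items"]
    return sorted(n["metadata"]["name"] for n in nodes
                  if _is_ready(n) and EXCLUDE_LABEL not in _labels(n))

def unprotected_control_plane(nodes_json):
    """Control-plane nodes still missing the exclusion label, i.e. the ones
    the `juju config kubernetes-control-plane labels=...` mitigation targets."""
    nodes = json.loads(nodes_json)["items"]
    return sorted(n["metadata"]["name"] for n in nodes
                  if CONTROL_PLANE_LABEL in _labels(n)
                  and EXCLUDE_LABEL not in _labels(n))

if __name__ == "__main__":
    print("LB pool candidates:", lb_pool_candidates(SAMPLE_NODES_JSON))
    print("Control-plane nodes to label:", unprotected_control_plane(SAMPLE_NODES_JSON))
```

Against a live cluster, feed it `kubectl get nodes -o json` and expect `unprotected_control_plane` to return an empty list once the labels config above has been applied.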
