loki update to 6.46.0-bb.2
Package Merge Request
Package Changes
https://repo1.dso.mil/big-bang/product/packages/loki/-/blob/6.46.0-bb.2/CHANGELOG.md
Package MR
big-bang/product/packages/loki!346 (merged)
For Issue
Closes (big-bang/product/packages/loki#257 (closed))
Upgrade Notices
Loki is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration. During this work a previously unknown bug was found: the network policy intended to allow traffic from Grafana to Loki's gateway was actually allowing all traffic into that gateway. The network policy has been corrected as part of this work so that it functions as intended.
This update for Loki also uses a new reusable rule, created in the umbrella template for storage-subnets, that lets users configure access to external storage CIDRs via the values.yaml file. By default this network policy is wide open to all CIDRs over TCP port 443, since there is no way to know the CIDRs in advance. If you are using AWS, however, you can retrieve them by executing the following command:
curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="S3") | select(.region=="us-gov-east-1") | .ip_prefix'
Note
Make sure to update the region in the above command to match the region you are using in AWS.
Once the CIDRs are retrieved you can update the values.yaml accordingly, as shown in the example below, to restrict access further:
networkPolicies:
  enabled: true
  egress:
    definitions:
      storage-subnets:
        to:
          - ipBlock:
              cidr: "108.175.52.0/22"
          - ipBlock:
              cidr: "108.175.60.0/22"
          - ipBlock:
              cidr: "18.252.145.192/28"
          - ipBlock:
              cidr: "18.252.145.208/28"
        ports:
          - port: 443
            protocol: TCP
          - port: 80
            protocol: TCP
Additional TCP ports can be added if needed, as shown with port 80 in the example above.
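The procedure above (filter ip-ranges.json for S3 prefixes in one region, then write them into the storage-subnets egress definition) as an added, self-contained example; this is not code from the Loki package or Big Bang. It works on a constructed in-memory sample in the shape of ip-ranges.json instead of fetching the real file, and adds a check that refuses to render an empty or 0.0.0.0/0 definition, which would silently reproduce the wide-open default.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (only the fields the procedure filters on; the entries are made up for this example).
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "108.175.52.0/22", "region": "us-gov-east-1", "service": "S3"},
        {"ip_prefix": "108.175.60.0/22", "region": "us-gov-east-1", "service": "S3"},
        {"ip_prefix": "18.252.145.192/28", "region": "us-gov-east-1", "service": "AMAZON"},
        {"ip_prefix": "18.252.145.192/28", "region": "us-gov-east-1", "service": "S3"},
        {"ip_prefix": "3.5.0.0/16", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "108.175.52.0/22", "region": "us-gov-east-1", "service": "S3"},
    ]
})


def s3_cidrs(ip_ranges_json: str, region: str) -> list[str]:
    """Same selection as the jq filter: S3 prefixes for one region, deduplicated and sorted."""
    data = json.loads(ip_ranges_json)
    cidrs = {
        p["ip_prefix"] for p in data["prefixes"]
        if p["service"] == "S3" and p["region"] == region
    }
    return sorted(cidrs, key=ipaddress.ip_network)


def storage_subnets_values(cidrs: list[str], ports: tuple[int, ...] = (443,)) -> str:
    """Render the values.yaml fragment for the storage-subnets egress definition.
    Refuses an empty list (wrong region name) or a 0.0.0.0/0 block, since either
    would leave the policy as permissive as the default the upgrade notice describes."""
    if not cidrs:
        raise ValueError("no CIDRs selected; check the region name before applying")
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects malformed entries
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} would allow egress to any address")
    lines = [
        "networkPolicies:",
        "  enabled: true",
        "  egress:",
        "    definitions:",
        "      storage-subnets:",
        "        to:",
    ]
    lines += [f"          - ipBlock:\n              cidr: \"{c}\"" for c in cidrs]
    lines.append("        ports:")
    lines += [f"          - port: {p}\n            protocol: TCP" for p in ports]
    return "\n".join(lines) + "\n"
```

Pass the downloaded ip-ranges.json text and your region to s3_cidrs, then paste the rendered fragment into values.yaml; extra TCP ports go in the ports tuple.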