UNCLASSIFIED - NO CUI

Use istio fault to block gitlab metrics through virtualservice

Gitlab metrics are enabled and are scraped by Prometheus. However, unless an IP whitelist is configured, the metrics endpoint is available to 0.0.0.0/0, i.e. globally:

https://docs.gitlab.com/ee/administration/monitoring/ip_allowlist.html

Additionally, since we use Istio as our ingress, even if we did set up an IP whitelist, all customer traffic that comes through the ingress appears to the Gitlab webservice pods as internal traffic. Therefore, we would like Big Bang to implement an Istio HTTP fault on the VirtualService so that any request to https://<GitlabURL>/-/metrics is routed into a black hole. Big Bang already does this for Anchore. Here is an example of what the rule might look like once it is templated. Since Prometheus goes straight to the Gitlab service/pods, it should be unaffected by this, and only external consumers will then rightfully be unable to scrape instance metrics. Note that in our testing, the rule had to go above any other rule so that it was hit first:

spec:
  gateways:
  - istio-system/main
  hosts:
  - gitlab.dso.mil
  http:
  - fault:
      abort:
        httpStatus: 400
        percentage:
          value: 100
    match:
    - uri:
        prefix: /-/metrics
    route:
    - destination:
        host: doesnt-really-matter
        port:
          number: 1111
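
The ordering requirement above is easy to get wrong when the VirtualService is templated, so here is an added check (example code, not Big Bang's own) that walks the http rules the way Istio does, first match wins, and confirms the /-/metrics fault rule is the one that fires. The sample manifest is constructed from the snippet above; the catch-all route's host and port are assumed.

```python
# Added check (not Big Bang's own code): confirm an Istio VirtualService blackholes
# /-/metrics and that the fault rule comes before any other matching route, since
# Istio uses the first http rule that matches. The manifest below is constructed;
# the catch-all route's host and port are assumed.

SAMPLE_VS = {"spec": {
    "gateways": ["istio-system/main"],
    "hosts": ["gitlab.dso.mil"],
    "http": [
        {   # fault rule from the issue: abort 100% of requests under /-/metrics
            "fault": {"abort": {"httpStatus": 400, "percentage": {"value": 100}}},
            "match": [{"uri": {"prefix": "/-/metrics"}}],
            "route": [{"destination": {"host": "doesnt-really-matter", "port": {"number": 1111}}}],
        },
        {   # ordinary catch-all route to the webservice (assumed host/port)
            "route": [{"destination": {"host": "gitlab-webservice-default", "port": {"number": 8181}}}],
        },
    ],
}}
# Same two rules with the catch-all first: the misordering the issue warns about.
MISORDERED_VS = {"spec": {**SAMPLE_VS["spec"], "http": SAMPLE_VS["spec"]["http"][::-1]}}

def rule_matches(rule, path):
    """Istio semantics: no match clause means catch-all; otherwise any uri condition may match."""
    if not rule.get("match"):
        return True
    for cond in rule["match"]:
        uri = cond.get("uri", {})
        if "prefix" in uri and path.startswith(uri["prefix"]):
            return True
        if "exact" in uri and path == uri["exact"]:
            return True
    return False

def first_matching_rule(vs, path):
    """Return (index, rule) for the first http rule that would handle `path`, or (None, None)."""
    for idx, rule in enumerate(vs["spec"]["http"]):
        if rule_matches(rule, path):
            return idx, rule
    return None, None

def metrics_blackholed(vs, path="/-/metrics"):
    """True only if the first rule matching `path` aborts every request (explicit 100% required)."""
    _, rule = first_matching_rule(vs, path)
    if rule is None:
        return False
    abort = rule.get("fault", {}).get("abort", {})
    return "httpStatus" in abort and abort.get("percentage", {}).get("value") == 100
```

Run it against the rendered VirtualService in CI so a template change that moves the fault rule below the catch-all fails before it reaches a cluster.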

Acceptance criteria

  • Anyone that goes to https://<GitlabURL>/-/metrics receives an error instead of receiving a full readout of the Gitlab instance metrics
  • Prometheus Gitlab metrics continue to function

Edited by ariel.shnitzer