UNCLASSIFIED - NO CUI

Review virtual service access for Loki

Problem

The Loki chart renders an inbound VirtualService for loki.dev.bigbang.mil by default. Unless an AuthorizationPolicy is explicitly enabled, this exposes the Loki gateway through the Istio ingress gateway with no additional authorization at the mesh layer. Any client that can reach the gateway and resolve the hostname can therefore hit the Loki API. This is risky because Loki's HTTP API can leak sensitive log data or accept log writes from untrusted sources.

Proposed solution

We should educate users on proper Istio AuthorizationPolicy generation or provide some defaults here. We could:

  • restrict ingress to specific namespaces/workloads through NetworkPolicies or gateway authorization
  • if public access isn't required, set routes.inbound.loki.enabled: false and keep Loki internal only
  • limit methods or paths (e.g. allow only /loki/api/v1/push from log forwarders, block query endpoints)
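
A sketch of what the last option could look like as an Istio AuthorizationPolicy. This is an added example, not a manifest from the Loki chart; the policy name, namespaces and pod labels are assumptions and must be replaced with the values from the actual deployment.

```yaml
# Added example, not rendered by the chart. Name, namespaces and labels are
# assumptions; substitute the values used in your cluster.
apiVersion: security.istio.io/v1        # use v1beta1 on older Istio releases
kind: AuthorizationPolicy
metadata:
  name: loki-gateway-push-only          # hypothetical name
  namespace: logging                    # assumed namespace of the Loki gateway
spec:
  selector:
    matchLabels:                        # assumed labels on the Loki gateway pods
      app.kubernetes.io/name: loki
      app.kubernetes.io/component: gateway
  action: ALLOW
  rules:
    # Log forwarders may write logs and nothing else.
    - from:
        - source:
            # Assumed namespace of the log forwarders. Matching on the source
            # namespace requires mutual TLS between the forwarder and Loki.
            namespaces: ["log-forwarders"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/loki/api/v1/push"]
```

Once an ALLOW policy selects the gateway pods, any request that matches none of its rules is denied, so query endpoints and traffic arriving through the ingress gateway are blocked unless a rule is added for them. Any other in-mesh client that needs access to Loki needs its own rule.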