fix(chart): block admin metrics exposition (#3061)

huggingface · Sep 18, 2024 · 4859100 · 4859100
1 parent ecfcada
commit 4859100
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/chart/env/prod.yaml b/chart/env/prod.yaml
@@ -296,6 +296,7 @@ admin:
     annotations:
       alb.ingress.kubernetes.io/group.order: "1"
       alb.ingress.kubernetes.io/target-node-labels: role-datasets-server=true
+      alb.ingress.kubernetes.io/actions.metrics-unauthorized: '{"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"401","messageBody":"401 Unauthorized"}}'
   resources:
     requests:
       cpu: 1

diff --git a/chart/templates/services/admin/ingress.yaml b/chart/templates/services/admin/ingress.yaml
@@ -13,12 +13,20 @@ spec:
       http:
         paths:
           - path: /admin
+            pathType: Prefix
             backend:
               service:
                 name: "{{ include "name" . }}-admin"
                 port:
                   name: http
-
-            pathType: Prefix
+          {{- if hasKey $annotations "alb.ingress.kubernetes.io/actions.metrics-unauthorized" }}
+          - path: /admin/metrics
+            pathType: Exact
+            backend:
+              service:
+                name: metrics-unauthorized
+                port:
+                  name: use-annotation
+          {{- end -}}
 {{- include "ingress.tls" (merge (dict "annotations" $annotations) $ ) | indent 2}}
 {{- end }}