FIPS images
Install FIPS-compliant images for Gloo.
Solo.io provides enterprise versions of Gloo images that are compliant with the National Institute of Standards and Technology’s (NIST) Federal Information Processing Standards (FIPS).
This feature is an Enterprise-only feature that requires a Gloo Gateway Enterprise license.
About
FIPS security requirements for cryptographic modules help protect sensitive data. Many internal and external security requirements require FIPS-compliant images, which can be an important step in achieving Federal Risk and Authorization Management Program (FedRAMP) compliance.
Third-party software, such as open source Kubernetes, Istio, or Envoy, does not inherit the cloud provider’s FIPS or FedRAMP compliance. Instead, you can use an enterprise version of the software that the vendor certifies to comply with FIPS.
Gloo images
Solo.io provides -fips distributions of the following Gloo Gateway images:
- ext-auth
- ext-auth-plugins
- gateway-proxy
- gloo
- discovery
- rate-limit
- sds
For more information about these components, review the Architecture page.
Install FIPS-compliant images
Solo.io offers FIPS builds of select images to help you meet FIPS compliance without any additional tooling or CLIs. You must configure the FIPS distribution of the images when you install Gloo Gateway, such as via Helm charts. These distributions include -fips suffixes in the image names.
You can download a particular image for Gloo Gateway, such as for the following use cases.
- To download and transfer these images if your environment does not have public network access or cannot pull public images, such as for an air-gapped installation.
- To use a custom build that aligns with compliance standards, including FIPS.
Steps to install FIPS-compliant images:
Get the version tag that you want to use in the changelog, such as 1.19.1.
export GLOO_VERSION=1.19.1
Add and update the Gloo Gateway Helm repository.
helm repo add glooe https://storage.googleapis.com/gloo-ee-helm
helm repo update
Prepare your Helm chart values file for your new or existing Gloo installation.
Tip: You can use the all-values.yaml file to create your own Helm values file or review the available components and their sections.
helm show values glooe/gloo-ee --version $GLOO_VERSION > all-values.yaml
open all-values.yaml
For FIPS-compliant images, open the Helm values file, search for or create the section for the component, and append -fips to the image tag field, such as in the following example. You can use the all-values.yaml file to review the available components and their sections.
...
gloo:
  discovery:
    deployment:
      image:
        pullPolicy: IfNotPresent
        repository: discovery-ee
        tag: 1.19.1-fips
  gloo:
    deployment:
      image:
        pullPolicy: IfNotPresent
        repository: gloo-ee
        tag: 1.19.1-fips
...
global:
  extAuth:
    deployment:
      image:
        pullPolicy: IfNotPresent
        repository: extauth-ee
        tag: 1.19.1-fips
  rateLimit:
    deployment:
      image:
        pullPolicy: IfNotPresent
        repository: rate-limit-ee
        tag: 1.19.1-fips
...
Optional: If you need to pull the images locally, such as for an air-gapped installation, you can use the information you retrieved from the digest field for the image in the all-values.yaml file to pull the image. For example, you might use the following docker pull command for a gloo FIPS image. Repeat this step for each image that you want to build locally and push to a private repository.
docker pull quay.io/solo-io/gloo-ee:1.19.1-fips@sha256:2fef07a3ff5aa956d1995dd811e6963bd61ab027a86ff4702ae1b099c939fdcd
Install or upgrade Gloo Gateway.
For example, you might use the following helm upgrade command.
helm upgrade -n gloo-system gloo glooe/gloo-ee \
  -f gloo-gateway.yaml \
  --version $GLOO_VERSION
Verify FIPS compliance
For most auditors, both the control plane and the data plane in each cluster must be FIPS compliant. You can verify that your images are a FIPS-compliant version by checking the image tag of each Gloo component.
Example command to check the gloo image tag:
kubectl get pods -n gloo-system -l gloo=gloo -o jsonpath="{.items[*].spec.containers[?(@.name=='gloo')].image}"
Example output: Notice the -fips suffix in the image tag.
quay.io/solo-io/gloo-ee:1.19.1-fips@sha256:2fef07a3ff5aa956d1995dd811e6963bd61ab027a86ff4702ae1b099c939fdcd
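The single-image tag check above, extended to a whole list of image references so that one run covers every container in the namespace. This is an added example, not Solo.io tooling: the function names image_tag and non_fips_images, the SAMPLE_IMAGES variable, and the registry.example.internal host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Solo.io tooling): flag image references whose tag
# does not end in -fips. Feed it one image reference per line, e.g.:
#   kubectl get pods -n gloo-system \
#     -o jsonpath="{.items[*].spec.containers[*].image}" | tr ' ' '\n' | non_fips_images

# Constructed sample input. Only the first reference appears on the page;
# the registry host and the other tags are made up for illustration.
SAMPLE_IMAGES='quay.io/solo-io/gloo-ee:1.19.1-fips@sha256:2fef07a3ff5aa956d1995dd811e6963bd61ab027a86ff4702ae1b099c939fdcd
quay.io/solo-io/discovery-ee:1.19.1
registry.example.internal:5000/solo-io/extauth-ee:1.19.1-fips
registry.example.internal:5000/solo-io/rate-limit-ee'

# image_tag REF: print the tag of an image reference (empty if it has none).
image_tag() {
  ref=${1%%@*}        # strip an @sha256:... digest
  last=${ref##*/}     # last path segment, so a registry port is not read as a tag
  case $last in
    *:*) printf '%s\n' "${last##*:}" ;;
    *)   printf '\n' ;;
  esac
}

# non_fips_images: read references on stdin and print each one whose tag lacks
# the -fips suffix (untagged and digest-only references included, because
# the tag is the only evidence this check has). Returns 1 if any was printed.
non_fips_images() {
  rc=0
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    tag=$(image_tag "$ref")
    case $tag in
      *-fips) ;;
      *) printf '%s\n' "$ref"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_IMAGES" | non_fips_images || echo "non-FIPS images listed above"
```

Images in the namespace that are not in the list of -fips distributions are reported as well and need to be assessed separately.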