Solo.io provides enterprise versions of Gloo images that are compliant with the National Institute of Standards and Technology's (NIST) Federal Information Processing Standards (FIPS).

About

FIPS security requirements for cryptographic modules help protect sensitive data. Many internal and external security requirements require FIPS-compliant images, which can be an important step in achieving Federal Risk and Authorization Management Program (FedRAMP) compliance.

Third-party software, such as open source Kubernetes, Istio, or Envoy, does not inherit the cloud provider's FIPS or FedRAMP compliance. Instead, you can use an enterprise version of the software that the vendor certifies as FIPS-compliant.

Gloo images

Solo.io provides -fips distributions of the following Gloo Gateway images:

  • ext-auth
  • ext-auth-plugins
  • gateway-proxy
  • gloo
  • discovery
  • rate-limit
  • sds

For more information about these components, review the Architecture page.

Install FIPS-compliant images

Solo.io offers FIPS builds of select images to help you meet FIPS compliance without any additional tooling or CLIs. You must configure the FIPS distribution of the images when you install Gloo Gateway, such as via Helm charts. These distributions include -fips suffixes in the image names.

You can download a particular image for Gloo Gateway, for example in the following cases.

  • To download and transfer these images if your environment does not have public network access or cannot pull public images, such as for an air-gapped installation.
  • To use a custom build that aligns with compliance standards, including FIPS.

Steps to install FIPS-compliant images:

  1. Get the version tag that you want to use from the changelog, such as 1.20.0-beta1.

      export GLOO_VERSION=1.20.0-beta1
      
  2. Add and update the Gloo Gateway Helm repository.

      helm repo add glooe https://storage.googleapis.com/gloo-ee-helm
      helm repo update

  3. Prepare your Helm chart values file for your new or existing Gloo installation.

    • Tip: You can use the all-values.yaml file to create your own Helm values file or review the available components and their sections.

        helm show values glooe/gloo-ee --version $GLOO_VERSION > all-values.yaml
        open all-values.yaml

  4. For FIPS-compliant images, open the Helm values file, search for or create the section for the component, and append -fips to the image tag field, such as in the following example. You can use the all-values.yaml file to review the available components and their sections.

      ...
      gloo:
        discovery:
          deployment:
            image:
              pullPolicy: IfNotPresent
              repository: discovery-ee
              tag: 1.20.0-beta1-fips
        gloo:
          deployment:
            image:
              pullPolicy: IfNotPresent
              repository: gloo-ee
              tag: 1.20.0-beta1-fips
      ...
      global:
        extAuth:
          deployment:
            image:
              pullPolicy: IfNotPresent
              repository: extauth-ee
              tag: 1.20.0-beta1-fips
        rateLimit:
          deployment:
            image:
              pullPolicy: IfNotPresent
              repository: rate-limit-ee
              tag: 1.20.0-beta1-fips
      ...

  5. Optional: If you need to pull the images locally, such as for an air-gapped installation, use the digest field for the image in the all-values.yaml file to pull that exact image. For example, you might use the following docker pull command for a gloo FIPS image. Repeat this step for each image that you want to pull locally and push to a private repository.

      docker pull quay.io/solo-io/gloo-ee:1.20.0-beta1-fips@sha256:2fef07a3ff5aa956d1995dd811e6963bd61ab027a86ff4702ae1b099c939fdcd
      
  6. Install or upgrade Gloo Gateway.

    For example, you might use the following helm upgrade command.

      helm upgrade -n gloo-system gloo glooe/gloo-ee \
        -f gloo-gateway.yaml \
        --version $GLOO_VERSION


Verify FIPS compliance

For most auditors, both the control plane and the data plane in each cluster must be FIPS compliant. You can verify that your images are a FIPS-compliant version by checking the image tag of each Gloo component.

Example command to check the gloo image tag:

  kubectl get pods -n gloo-system -l gloo=gloo -o jsonpath="{.items[*].spec.containers[?(@.name=='gloo')].image}"

Example output: Notice the -fips suffix in the image tag.

  quay.io/solo-io/gloo-ee:1.20.0-beta1-fips@sha256:2fef07a3ff5aa956d1995dd811e6963bd61ab027a86ff4702ae1b099c939fdcd
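The kubectl command above checks one component. As an added example (not Solo.io's own tooling), the following POSIX shell function generalizes that check to every container image in the namespace: it strips any @sha256 digest, takes the tag, and flags each image whose tag does not end in -fips. The cluster_images helper, the gloo-system namespace, and the sample image list are assumptions and constructed input for this example.

```shell
#!/bin/sh
# Added example, not Solo.io's own tooling. Reads image references (one per line)
# and checks that every tag ends in -fips, as the FIPS builds of Gloo images do.
# Returns 0 when all images pass, 1 otherwise, and prints each non-FIPS image.
check_fips_images() {
  rc=0
  while IFS= read -r image; do
    [ -z "$image" ] && continue
    # An image reference looks like registry/repo:tag@sha256:digest.
    # Strip the optional digest first, then take everything after the last ':'.
    # An untagged image yields the repository path here and is flagged too.
    ref=${image%%@*}
    tag=${ref##*:}
    case "$tag" in
      *-fips) ;;
      *) echo "NOT FIPS: $image"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Real use (assumes a cluster and the gloo-system namespace): list every container
# image of every pod in the namespace and pipe the list into the check.
cluster_images() {
  kubectl get pods -n "${1:-gloo-system}" \
    -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}'
}

# Constructed sample that mimics the cluster_images output; the gloo-ee digest is
# the one shown on this page, and the rate-limit line deliberately lacks -fips.
SAMPLE_IMAGES='quay.io/solo-io/gloo-ee:1.20.0-beta1-fips@sha256:2fef07a3ff5aa956d1995dd811e6963bd61ab027a86ff4702ae1b099c939fdcd
quay.io/solo-io/discovery-ee:1.20.0-beta1-fips
quay.io/solo-io/rate-limit-ee:1.20.0-beta1'

if printf '%s\n' "$SAMPLE_IMAGES" | check_fips_images; then
  echo "all images use -fips tags"
else
  echo "at least one image is not a FIPS build"
fi
```

Against a live cluster, replace the sample with `cluster_images gloo-system | check_fips_images`; sidecars that are not Gloo images will be reported too, which is the intended auditor view of the whole namespace.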