Navigation :

Gloo Istio

Learn about deploying your gateways with Gloo Istio, a hardened Istio enterprise image to maintain n-4 support.

About Gloo Istio

Gloo Istio is a hardened Istio enterprise image to maintain n-4 support for CVEs and other security fixes longer than the community Istio, which provides n-1 support with an additional 6 weeks of extended time to upgrade the n-2 version to n-1. Based on a cadence of 1 release every 3 months, Gloo's n-4 support provides an extra 9 months to run the hardened Istio version of your choice, compared to an open source strategy that also lacks enterprise support. Note that all backported functionality is available in the upstream community Istio, as there are no proprietary features or forked capabilities from community Istio.

The following image provides an overview of how Solo engineers harden the base Istio image release.

Solo image hardening overview

Solo provides two main distributions for Gloo Istio as follows.

Standard: An enterprise distribution of the community Istio project with additional security patches. Example: 1.16.0
Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Gateway features. You must use the solo image to use these features. Example: 1.16.0-solo

Both the standard and solo distributions of Gloo Istio come in the following optional varieties.

FIPS: An image that is tagged with fips complies with NIST FIPS, for use cases that require federal information processing capabilities. Examples: 1.16.0-fips, 1.16.0-solo-fips
Distroless: An image that is tagged with distroless is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Note that if your app relies on package management, shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies. Examples: 1.16.0-distroless, 1.16.0-solo-distroless
ARM: An image that is tagged with arm is compatible with ARM64 architectures. Support for ARM images varies with your Istio version and distribution.
- 1.16.0 and later: Both the standard and Solo distributions of Istio are now multi-architecture Docker images, which work for both AMD and ARM atchitectures. The -arm tag is no longer supported. For example, 1.16.0-solo, 1.16.0-fips, and 1.16.0-solo-fips work for both AMD and ARM.
- 1.15.3 and later 1.15 versions: ARM images (tagged with -arm) are supported for the standard distibution with FIPS and the Solo distribution without FIPS. For example, 1.15.3-fips-arm and 1.15.3-solo-arm are supported, but 1.15.3-solo-fips-arm and 1.15.3-arm are not supported.
- 1.15.0 - 1.15.2: ARM images are not supported for either distibution of these versions.
- 1.14 and earlier: ARM images (tagged with -arm) are supported only for the standard distribution without FIPS. Example: 1.14.5-arm

An image might be tagged to meet multiple use cases, such as 1.17.2-solo-fips-distroless.

To use a version of Istio that is no longer supported by the community with Gloo Platform, you must install the Gloo Istio version. If the Istio version that you want to use is currently supported by the community, you can use either the community Istio or the Gloo Istio version. To review supported community versions, see the Istio documentation.

Starting with Istio version 1.12, you must use a Gloo Istio repo key that you can get by logging in to the Support Center and reviewing the Istio images built by Solo.io support article.

About Gloo Istio FIPS

For use cases that require federal information processing capabilities, install Gloo Istio images that are tagged with fips, which comply with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS).

For example, you might provide a cloud service that runs in a Federal Risk and Authorization Management Program (FedRAMP) regulated environment. In such cases, Gloo Gateway offers FIPS builds of community Istio without the need for any additional tooling or CLIs. You can use the upstream-native Istio tooling, such istioctl or Istio Helm charts, to install Solo's FIPS builds of Istio.

Standard and Solo FIPS builds

Solo provides two main distributions for Gloo Istio, which both offer FIPS-compliant builds:

Standard: An enterprise distribution of the community Istio project with additional security patches.
Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Gateway features.

Depending on the distribution, the image tag for installation might look like 1.17.2-solo-fips.

To ensure FIPS compliance, you must use the latest -patch1 versions of Gloo Istio FIPS-compliant builds. For example, use 1.17.2-patch1-solo-fips for Gloo Istio version 1.17, 1.16.4-patch1-solo-fips for Gloo Istio version 1.16, and so on. These patch versions fix a FIPS-related issue introduced in the upstream Envoy code.

Optional: Distroless FIPS builds

In addition, you can also choose a FIPS build that is distroless. A FIPS image that is tagged with distroless is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Keep in mind that there are some challenges around distroless builds; for example, if your app relies on package management, shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies.

Depending on the distribution, the image tag for a distroless installation might look like 1.17.2-solo-fips-distroless.

More information

See Get the Gloo Istio version that you want to use.

Installing a FIPS build

When you install Gloo Gateway, you can specify the FIPS-tagged image that you want to use for the ingress gateway proxies as an installation Helm chart value. For more information, see the getting started or setup guides.

Verifying FIPS compliance

For most auditors, both the Istio control plane and the cluster workloads must be FIPS compliant. You can verify that your images are a FIPS-compliant version by checking Envoy and istiod on each cluster.

To verify the Istio data plane in each workload cluster, check the Envoy proxy version.

kubectl exec -it -n istio-system deploy/istio-ingressgateway -- /usr/local/bin/envoy --version

Example output of FIPS compliance:

/usr/local/bin/envoy  version: fa9fd362c488508a661d2ffa66e66976bb9104c3/1.15.1/Clean/RELEASE/BoringSSL-FIPS

To verify the Istio control plane components in each workload cluster, copy the pilot-discovery binary out of the istiod container, and run goversion against the binary.
1. Install goversion to your local machine.
```
go get github.com/rsc/goversion
```
2. Copy the binary out to the local disk.
```
kubectl cp istio-system/<pod-name>:/usr/local/bin/pilot-discovery /tmp/pilot-discovery && chmod +x /tmp/pilot-discovery
```
3. Run goversion against the binary.
```
goversion -crypto /tmp/pilot-discovery
```
  Example output of FIPS compliance: Note that the type is indicated as boring and the version number includes a b.
```
/tmp/pilot-discovery go1.14.12b4 (boring crypto)
```
  Example output of FIPS non-compliance: Note that the type is indicated as standard, which means that the image in not a FIPS build of Istio.
```
/tmp/pilot-discovery go1.14.14 (standard crypto)
```