FIPS images
Install FIPS-compliant images for Gloo and Istio.
Solo provides enterprise versions of Gloo and Istio images that comply with the National Institute of Standards and Technology's (NIST) Federal Information Processing Standards (FIPS).
About
FIPS security requirements for cryptographic modules help protect sensitive data. Many internal and external security requirements require FIPS-compliant images, which can be an important step in achieving Federal Risk and Authorization Management Program (FedRAMP) compliance.
Third-party software, such as open source Kubernetes, Istio, or Envoy, does not inherit the cloud provider's FIPS or FedRAMP compliance. Instead, you can use an enterprise version of the software that the vendor certifies as FIPS compliant.
Gloo images
Solo provides -fips distributions of the following Gloo Mesh Enterprise images:
ext-auth-service
gloo-mesh-agent
gloo-mesh-apiserver
gloo-mesh-envoy
gloo-mesh-mgmt-server
gloo-mesh-spire-controller
rate-limiter
Note that the gloo-mesh-ui component's traffic is routed through a FIPS-compliant Envoy proxy, so the image does not have a standalone -fips build.
For more information about these components, review the Architecture page.
Istio images
Solo provides -fips distributions of the following Istio images:
- Standard Istio images: An enterprise distribution of the community Istio project with additional security patches.
- Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Mesh Enterprise features.
- Distroless standard or Solo FIPS images: A slimmed-down distribution with the minimum set of binary dependencies needed to run the image, for enhanced performance and security.
For more information, see Solo distributions of Istio.
Install FIPS-compliant images
Solo offers FIPS builds of select images to help you meet FIPS compliance without any additional tooling or CLIs. You must configure the FIPS distribution of the images when you install Gloo Mesh Enterprise or Istio, such as via Helm charts. These distributions include -fips suffixes in the image names.
Install Gloo FIPS images
You can download a particular image for Gloo Mesh Enterprise, such as for the following use cases.
- To download and transfer these images for an air-gapped installation, if your environment does not have public network access or cannot pull public images.
- To use a custom build that aligns with compliance standards, including FIPS.
Steps to install FIPS-compliant images:
1. Get the version tag that you want to use from the changelog, such as 2.4.16.
2. Add and update the gloo-platform Helm repository.
3. Download all the Helm chart values to use when preparing your Helm chart values file for installation.
4. Prepare your Helm chart values file for your new or existing Gloo installation. For FIPS-compliant images, open the Helm values file, search for or create the section for the component, and append -fips to the image tag, such as in the following example. You can use the all-values.yaml file to review the available components and their sections.
5. Optional: If you need to pull the images locally, such as for an air-gapped installation, you can use the information you retrieved from the images section in the values.yaml file to pull the image. For example, you might use the following docker pull command for a FIPS image. Repeat this step for each image that you want to build locally and push to a private repository.
6. Use these packages when you install or upgrade Gloo Mesh Enterprise. For example, you might use the following helm upgrade commands.
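The following shell script is an added example and is not part of the Gloo documentation or Solo's own tooling. It ties the steps above together: it derives the -fips image tag from the version, prints a Helm values override for a component section, and prints the docker pull, docker tag and docker push commands for an air-gapped install followed by the helm upgrade commands. The public registry (gcr.io/gloo-mesh), the Helm repository URL, the chart and release names, and the values-file section names (glooAgent, glooMgmtServer) are assumptions; confirm them against all-values.yaml and your install guide. By default the script only prints the commands it would run; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not Solo's code): build FIPS image references for a Gloo Mesh
# Enterprise install and print the matching Helm values, docker and helm commands.
set -eu

VERSION="${VERSION:-2.4.16}"                                   # version tag from the changelog
REGISTRY="${REGISTRY:-gcr.io/gloo-mesh}"                       # assumed public registry
PRIVATE_REGISTRY="${PRIVATE_REGISTRY:-registry.example.internal/gloo-mesh}"  # placeholder
GLOO_HELM_REPO_URL="${GLOO_HELM_REPO_URL:-https://storage.googleapis.com/gloo-platform/helm-charts}"  # assumed
DRY_RUN="${DRY_RUN:-1}"                                        # 1 = print commands only

# Components with a -fips build (from the page). gloo-mesh-ui has none: it is
# fronted by the FIPS-compliant Envoy proxy instead.
FIPS_IMAGES="ext-auth-service gloo-mesh-agent gloo-mesh-apiserver gloo-mesh-envoy gloo-mesh-mgmt-server gloo-mesh-spire-controller rate-limiter"

# fips_tag VERSION -> VERSION-fips. Idempotent: a tag already ending in -fips is returned unchanged.
fips_tag() {
  case "$1" in
    *-fips) printf '%s\n' "$1" ;;
    *)      printf '%s-fips\n' "$1" ;;
  esac
}

# image_ref REGISTRY NAME TAG -> REGISTRY/NAME:TAG
image_ref() { printf '%s/%s:%s\n' "$1" "$2" "$3"; }

# has_fips_build NAME -> 0 when NAME is one of the components with a -fips build
has_fips_build() {
  for n in $FIPS_IMAGES; do [ "$n" = "$1" ] && return 0; done
  return 1
}

# values_snippet SECTION TAG -> YAML override for one component section of the
# values file. The section names used below (glooAgent, glooMgmtServer) are
# assumptions; look them up in all-values.yaml.
values_snippet() { printf '%s:\n  image:\n    tag: %s\n' "$1" "$2"; }

# run CMD... : echo the command, then execute it unless DRY_RUN=1
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

main() {
  tag="$(fips_tag "$VERSION")"

  echo "# Step 4: values-file overrides that append -fips to the image tag"
  values_snippet glooAgent "$tag"
  values_snippet glooMgmtServer "$tag"
  has_fips_build gloo-mesh-ui || echo "# gloo-mesh-ui: keep the non-FIPS tag (no standalone -fips build)"

  echo "# Step 5 (optional, air-gapped): pull each FIPS image and push it to a private registry"
  for img in $FIPS_IMAGES; do
    src="$(image_ref "$REGISTRY" "$img" "$tag")"
    dst="$(image_ref "$PRIVATE_REGISTRY" "$img" "$tag")"
    run docker pull "$src"
    run docker tag "$src" "$dst"
    run docker push "$dst"
  done

  echo "# Step 6: upgrade with the prepared values file (release and chart names assumed)"
  run helm repo add gloo-platform "$GLOO_HELM_REPO_URL"
  run helm repo update gloo-platform
  run helm upgrade gloo-platform-crds gloo-platform/gloo-platform-crds -n gloo-mesh --version "$VERSION"
  run helm upgrade gloo-platform gloo-platform/gloo-platform -n gloo-mesh --version "$VERSION" -f values.yaml
}

main "$@"
```

The pull/tag/push loop is what makes the air-gapped case work: every image listed in FIPS_IMAGES is moved under the same -fips tag, so the values file you prepared in step 4 only needs its registry changed, not its tags.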
Install Istio FIPS images
Install Istio with FIPS-compliant images.
To find the FIPS build that you want, see Download a specific Solo distribution of Istio.
Use the -fips image when you install Istio, such as 1.18.7-patch3-solo-fips. You can choose from the following installation methods:
- To use Gloo Mesh Enterprise to deploy and manage the lifecycle of your Istio service meshes across clusters, see Deploy Gloo-managed service meshes. In the example files that you download in this guide, make sure to replace any images with a Solo FIPS distribution of Istio image.
- To manually install Istio, you can use an installation method such as Helm. For example, you can follow the steps in Install Istio with Helm. In the example files that you download in this guide, make sure to replace any images with a Solo FIPS distribution of Istio image.
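As an added example for the manual Helm route (not Solo's code and not taken from the Install Istio with Helm guide), the script below refuses to proceed unless the tag has the Solo FIPS shape seen above (1.18.7-patch3-solo-fips) and then passes the hub and tag to the upstream Istio charts through the global.hub and global.tag values. The tag pattern, the ISTIO_HUB placeholder (replace it with the Solo image repository for your distribution) and the chart and release names are assumptions; the script prints the commands by default and executes them only with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not Solo's code): install Istio with Helm using a Solo FIPS tag.
set -eu

ISTIO_HUB="${ISTIO_HUB:-REPLACE_WITH_SOLO_ISTIO_HUB}"   # placeholder: Solo's image repository for your distribution
ISTIO_TAG="${ISTIO_TAG:-1.18.7-patch3-solo-fips}"        # example tag from the page
DRY_RUN="${DRY_RUN:-1}"

# is_solo_fips_tag TAG -> 0 when TAG looks like <major>.<minor>.<patch>[-patchN]-solo-fips
# (assumed pattern, derived from the example tag on this page).
is_solo_fips_tag() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-patch[0-9]+)?-solo-fips$'
}

# helm_image_args HUB TAG -> the --set flags that point the Istio charts at the FIPS image
helm_image_args() { printf '%s %s\n' "--set global.hub=$1" "--set global.tag=$2"; }

# run CMD... : echo the command, then execute it unless DRY_RUN=1
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

main() {
  if ! is_solo_fips_tag "$ISTIO_TAG"; then
    echo "refusing to install: '$ISTIO_TAG' is not a Solo FIPS tag" >&2
    exit 2
  fi
  args="$(helm_image_args "$ISTIO_HUB" "$ISTIO_TAG")"
  # Chart and release names follow the upstream Istio Helm layout; adjust to your guide.
  # shellcheck disable=SC2086  # word-splitting of $args into separate flags is intended
  run helm install istio-base istio/base -n istio-system --create-namespace $args
  run helm install istiod istio/istiod -n istio-system $args
  run helm install istio-ingressgateway istio/gateway -n istio-ingress --create-namespace $args
}

main "$@"
```

Setting the hub and tag once at the global level is what guarantees that every component the charts render (istiod, gateways, injected sidecars) uses the same FIPS build, which is what auditors look for across both planes.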
Verify FIPS compliance
For most auditors, both the control plane and the data plane in each cluster must be FIPS compliant. You can verify that your images are a FIPS-compliant version by checking your Gloo and Istio components on each cluster.
Verify Gloo components
To verify the Gloo components, check the image tag of each deployment.
Example command to check the gloo-mesh-agent image tag:
Example output: Notice the -fips suffix in the image tag.
Verify Istio components
1. Verify that the Istio control plane components are FIPS compliant.
Example output: Note the -fips suffix in the Version and GitTag fields, and the X:boringcrypto in the GolangVersion field. The GolangVersion field indicates that the Go binary was compiled with BoringCrypto, a FIPS-compliant cryptographic module.
2. Get the hexdump of the pilot-discovery binary file. Hexdump is a command-line utility that displays the contents of a binary file in hexadecimal format. As such, you can verify that the binary file includes FIPS-related cryptographic components.
Example output: Verify that the output of the last column, which is the ASCII representation of the hexadecimal binary columns, includes information related to FIPS crypto modules.
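The following script is an added example that is not part of the Gloo documentation; it implements the Gloo and Istio checks described in this section as shell functions that read command output on stdin, so the same functions run against the constructed sample output embedded here and against live cluster output. The kubectl commands shown in the comments (the jsonpath listing of deployment images, the kubectl exec that runs pilot-discovery version, and the /usr/local/bin/pilot-discovery path inside the istiod container) are assumptions to adapt to your installation; the sample deployment list, BuildInfo line and binary bytes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Solo's code): FIPS verification checks for Gloo and Istio components.
set -eu

# Images that legitimately carry no -fips tag: the UI is fronted by the FIPS Envoy proxy.
FIPS_EXEMPT="gloo-mesh-ui"

# tag_is_fips IMAGE_REF -> 0 when the tag part of the reference ends in -fips
tag_is_fips() { case "${1##*:}" in *-fips) return 0 ;; *) return 1 ;; esac; }

# image_name IMAGE_REF -> last path component without the tag, e.g. gloo-mesh-ui
image_name() { n="${1##*/}"; printf '%s\n' "${n%%:*}"; }

# audit_images: stdin lines are "<deployment> <image> [<image> ...]", the shape of
#   kubectl get deploy -n gloo-mesh -o jsonpath='{range .items[*]}{.metadata.name}{" "}{range .spec.template.spec.containers[*]}{.image}{" "}{end}{"\n"}{end}'
# (assumed command). Prints one line per image and returns 1 if any non-exempt image lacks -fips.
audit_images() {
  bad=0
  while read -r deploy images; do
    [ -n "$deploy" ] || continue
    for ref in $images; do
      name="$(image_name "$ref")"
      case " $FIPS_EXEMPT " in *" $name "*) printf 'SKIP %s %s (exempt)\n' "$deploy" "$ref"; continue ;; esac
      if tag_is_fips "$ref"; then
        printf 'OK   %s %s\n' "$deploy" "$ref"
      else
        printf 'FAIL %s %s (no -fips suffix)\n' "$deploy" "$ref"; bad=1
      fi
    done
  done
  return $bad
}

# buildinfo_field NAME: extract NAME:"value" from a version.BuildInfo{...} line on stdin.
# The [{ ] anchor keeps "Version" from matching inside "GolangVersion".
buildinfo_field() { sed -n "s/.*[{ ]$1:\"\([^\"]*\)\".*/\1/p"; }

# istiod_is_fips: stdin is the output of `pilot-discovery version`, e.g. from
#   kubectl exec -n istio-system deploy/istiod -- pilot-discovery version   (assumed command)
# Requires -fips on Version and GitTag and X:boringcrypto in GolangVersion.
istiod_is_fips() {
  line="$(cat)"
  ver="$(printf '%s\n' "$line" | buildinfo_field Version)"
  tag="$(printf '%s\n' "$line" | buildinfo_field GitTag)"
  gover="$(printf '%s\n' "$line" | buildinfo_field GolangVersion)"
  case "$ver"   in *-fips) ;;          *) echo "Version '$ver' lacks -fips" >&2; return 1 ;; esac
  case "$tag"   in *-fips) ;;          *) echo "GitTag '$tag' lacks -fips" >&2; return 1 ;; esac
  case "$gover" in *X:boringcrypto*) ;; *) echo "GolangVersion '$gover' is not a BoringCrypto toolchain" >&2; return 1 ;; esac
  echo "istiod $ver built with $gover"
}

# binary_has_fips_markers: stdin is the binary, e.g.
#   kubectl exec -n istio-system deploy/istiod -- cat /usr/local/bin/pilot-discovery   (assumed path)
# This scans the same printable bytes that appear in the last column of `hexdump -C`,
# but without hexdump's 16-byte line wrapping, which can split "boringcrypto" across rows.
binary_has_fips_markers() { tr -c '[:print:]' '\n' | grep -Eiq 'boringcrypto|fips'; }

# Constructed sample inputs (not real cluster output).
SAMPLE_GLOO='gloo-mesh-agent gcr.io/gloo-mesh/gloo-mesh-agent:2.4.16-fips 
gloo-mesh-ui gcr.io/gloo-mesh/gloo-mesh-ui:2.4.16 gcr.io/gloo-mesh/gloo-mesh-envoy:2.4.16-fips 
rate-limiter gcr.io/gloo-mesh/rate-limiter:2.4.16 '
SAMPLE_BUILDINFO='version.BuildInfo{Version:"1.18.7-patch3-solo-fips", GitRevision:"0000000000000000000000000000000000000000", GolangVersion:"go1.20.14 X:boringcrypto", BuildStatus:"Clean", GitTag:"1.18.7-patch3-solo-fips"}'

main() {
  echo "# Gloo deployments (constructed sample; pipe the kubectl jsonpath output here on a cluster)"
  printf '%s\n' "$SAMPLE_GLOO" | audit_images || echo "-> at least one Gloo image is not a -fips build"
  echo "# istiod build info (constructed sample)"
  printf '%s\n' "$SAMPLE_BUILDINFO" | istiod_is_fips
  echo "# binary markers (constructed bytes standing in for the pilot-discovery binary)"
  if printf 'ELF\001\002go1.20.14 X:boringcrypto\003' | binary_has_fips_markers; then
    echo "FIPS crypto markers present"
  fi
}

main "$@"
```

On the sample data the audit deliberately fails on rate-limiter, which is tagged 2.4.16 without the suffix, while gloo-mesh-ui is skipped because the page states it has no standalone -fips build; that exemption list is the one place to keep tight, since any image added to it escapes the check.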