About Solo distributions of Istio

The Solo distribution of Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. The image support timeline is longer than the community Istio support timeline, which provides n-1 support with an additional 6 weeks of extended time to upgrade the n-2 version to n-1. Based on a cadence of 1 release every 3 months, Gloo Mesh (Gloo Platform APIs)’s n-4 support provides an extra 9 months to run the hardened Istio version of your choice, compared to an open source strategy that also lacks enterprise support. Note that all backported functionality is available in the upstream community Istio, as there are no forked capabilities from community Istio.

The following image provides an overview of how Solo engineers harden the base Istio image release.

Figure: Solo image hardening overview

To use a version of Istio that is no longer supported by the community with Gloo Mesh (Gloo Platform APIs), you must install the Solo distribution of Istio. If the Istio version that you want to use is currently supported by the community, you can use either the community Istio or the Solo distribution of Istio. To review supported Solo distributions of Istio, see the versions table. To review supported community versions, see the Istio documentation.

Distributions

Solo provides two main distributions of Istio as follows.

  • Standard: A copy of the community Istio distribution. This distribution does not contain Solo.io’s enterprise features or extended Istio support. Example: 1.29.1
  • Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Mesh (Gloo Platform APIs) features. You must use the solo image to use these features. Example: 1.29.1-solo

Both Solo’s standard and solo distributions of Istio come in the following optional varieties.

  • FIPS: An image that is tagged with fips complies with NIST FIPS, for use cases that require federal information processing capabilities. For more information, see About Solo FIPS distribution of Istio. Examples: 1.29.1-fips, 1.29.1-solo-fips
  • Distroless: An image that is tagged with distroless is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Note that if your app relies on package management, shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies. Examples: 1.29.1-distroless, 1.29.1-solo-distroless

An image might be tagged to meet multiple use cases, such as 1.29.1-solo-fips-distroless.

About Solo FIPS distribution of Istio

For use cases that require federal information processing capabilities, install Solo distributions of Istio that are tagged with fips, which comply with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS). Keep in mind that a Solo license key is required to use the Solo FIPS distribution of Istio.

If you also want to install the Solo Enterprise for Istio management plane, FIPS images are available for all management plane components as well. Refer to the Install FIPS-compliant images guide.

Standard and Solo FIPS builds

Solo provides two main distributions of Istio, which both offer FIPS-compliant builds:

  • Standard: An enterprise distribution of the community Istio project with additional security patches.
  • Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Mesh (Gloo Platform APIs) features.

Depending on the distribution, the image tag for installation might look like 1.29.1-solo-fips.

Optional: Distroless FIPS builds

In addition, you can also choose a FIPS build that is distroless. A FIPS image that is tagged with distroless is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Keep in mind that there are some challenges around distroless builds. For example, if your app relies on package management, shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies.

Depending on the distribution, the image tag for a distroless installation might look like 1.29.1-solo-fips-distroless.

Installing and verifying FIPS-compliant Istio images

Install Istio with FIPS-compliant images. If you also want to install the Solo Enterprise for Istio management plane, FIPS images are available for all management plane components as well. Refer to the Install FIPS-compliant images guide.

  1. To find the FIPS build that you want, see Download a specific image.

  2. Use the -fips image when you install Istio, such as 1.29.1-solo-fips. You can choose from the following installation methods:

    • To use the Gloo Operator to deploy and manage the lifecycle of your Istio service meshes, see Install Gloo-managed service meshes.
    • To manually install Istio, you can use Helm. For example, you can follow the steps in Install Istio with Helm. In the example files that you download in that guide, make sure to replace every image tag with a Solo FIPS distribution of Istio tag, such as 1.29.1-solo-fips.
  3. Verify that the Istio control plane components are FIPS compliant.

      kubectl exec -it -n istio-system $(kubectl get pod -n istio-system -l app=istiod -o jsonpath="{.items[0].metadata.name}") -- /usr/local/bin/pilot-discovery version
      

    Example output: Note the -fips suffix in the Version and GitTag fields, and the X:boringcrypto in the GolangVersion field. The GolangVersion field indicates that the Go binary was compiled with BoringCrypto, a FIPS-compliant cryptographic module.

      client version: version.BuildInfo{
      Version:"1.29.1-solo-fips",
      GitRevision:"e5ace34007bff13f4ed049521d9411a51639b029",
      GolangVersion:"go1.22.7 X:boringcrypto",
      BuildStatus:"Clean",
      GitTag:"1.29.1-solo-fips"
      }
      
  4. Get the hexdump of the pilot-discovery binary file. Hexdump is a command-line utility that displays the contents of a binary file in hexadecimal, with the ASCII representation alongside, so you can check whether the binary includes FIPS-related cryptographic components. For distroless images, which have no shell or hexdump in the container, copy the binary from the pod to your local machine first.

      kubectl cp -n istio-system $(kubectl get pod -n istio-system -l app=istiod -o jsonpath="{.items[0].metadata.name}"):/usr/local/bin/pilot-discovery ./pilot-discovery
      hexdump -C pilot-discovery | grep -i fips


    Example output: Verify that the last column, which is the ASCII representation of the hexadecimal byte columns, includes strings related to the FIPS crypto module, such as crypto/fips and fipsmodule.

      016f0b50  00 00 00 48 8b 0d 96 f2  c0 03 48 ba 66 69 70 73  |...H......H.fips|
      0242f6f0  2f 66 69 70 73 6d 6f 64  75 6c 65 2f 62 6e 2f 61  |/fipsmodule/bn/a|
      0242f720  63 00 2e 2e 2f 63 72 79  70 74 6f 2f 66 69 70 73  |c.../crypto/fips|
      0242f740  2e 2e 2f 63 72 79 70 74  6f 2f 66 69 70 73 6d 6f  |../crypto/fipsmo|
      ...
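The verification steps above, and the image-tag naming from the Distributions section, can be scripted so the checks run the same way every time. The following script is an added example, not part of the Solo documentation or product; it assumes the istiod pod label (app=istiod) and binary path used in the guide, and embeds a constructed copy of the version output shown above for an offline self-check.

```shell
#!/bin/sh
# Added example, not from the Solo docs: automate the checks in the
# "Installing and verifying" steps and the tag rules from "Distributions".
# Assumes the istiod label (app=istiod) and binary path used in the guide.

# 0 if TAG is a Solo FIPS tag (1.29.1-solo-fips or 1.29.1-solo-fips-distroless).
is_solo_fips_tag() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+-solo-fips(-distroless)?$'
}

# 0 if `pilot-discovery version` output shows a -fips tag and a BoringCrypto Go.
check_fips_version() {
  printf '%s\n' "$1" | grep -q 'Version:"[^"]*-fips"' || return 1
  printf '%s\n' "$1" | grep -q 'GitTag:"[^"]*-fips"'  || return 1
  printf '%s\n' "$1" | grep -q 'GolangVersion:"[^"]*X:boringcrypto'
}

# 0 if the binary at $1 carries BoringCrypto FIPS module strings
# (portable equivalent of `hexdump -C ... | grep -i fips`).
check_fips_binary() {
  [ -r "$1" ] || return 2
  tr -c '[:print:]' '\n' < "$1" | grep -qi 'crypto/fips'
}

# Constructed sample of the output shown in the guide, for the offline self-check.
SAMPLE_VERSION='client version: version.BuildInfo{
Version:"1.29.1-solo-fips",
GitRevision:"e5ace34007bff13f4ed049521d9411a51639b029",
GolangVersion:"go1.22.7 X:boringcrypto",
BuildStatus:"Clean",
GitTag:"1.29.1-solo-fips"
}'

# Live check against a cluster; run as `sh fipscheck.sh --cluster`.
live_check() {
  pod=$(kubectl get pod -n istio-system -l app=istiod -o jsonpath='{.items[0].metadata.name}')
  ver=$(kubectl exec -n istio-system "$pod" -- /usr/local/bin/pilot-discovery version)
  check_fips_version "$ver" || { echo "FAIL: istiod is not a FIPS build" >&2; return 1; }
  # The binary is inspected locally, so this also works for distroless images.
  kubectl cp -n istio-system "$pod:/usr/local/bin/pilot-discovery" ./pilot-discovery
  check_fips_binary ./pilot-discovery || { echo "FAIL: no FIPS module strings" >&2; return 1; }
  echo "OK: istiod is a FIPS build compiled with BoringCrypto"
}

if [ "${1:-}" = "--cluster" ]; then live_check; fi
```

Without --cluster the script only defines the functions, so it can be sourced by a CI job that validates Helm values tags with is_solo_fips_tag before the install runs.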