About Gloo Istio
Install Gloo Istio, a hardened Istio enterprise image, in your workload clusters.
About Gloo Istio
Gloo Istio is a hardened Istio enterprise image to maintain n-4 support for CVEs and other security fixes longer than the community Istio, which provides n-1 support with an additional 6 weeks of extended time to upgrade the n-2 version to n-1. Based on a cadence of 1 release every 3 months, Gloo Mesh's n-4 support provides an extra 9 months to run the hardened Istio version of your choice, compared to an open source strategy that also lacks enterprise support. Note that all backported functionality is available in the upstream community Istio, as there are no proprietary features or forked capabilities from community Istio.
Solo provides two main distributions for Gloo Istio as follows.
- Standard: An enterprise distribution of the community Istio project with additional security patches. Example:
1.16.0 - Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Gateway features. You must use the
soloimage to use these features. Example:1.16.0-solo
Both the standard and solo distributions of Gloo Istio come in the following optional varieties.
- FIPS: An image that is tagged with
fipscomplies with NIST FIPS, for use cases that require federal information processing capabilities. Examples:1.16.0-fips,1.16.0-solo-fips - Distroless: An image that is tagged with
distrolessis a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Note that if your app relies on package management, shell, or other operating system tools such aspip,apt,ls,grep, orbash, you must find another way to install these dependencies. Examples:1.16.0-distroless,1.16.0-solo-distroless - ARM: An image that is tagged with
armis compatible with ARM64 architectures. Support for ARM images varies with your Istio version and distribution.- 1.16.0 and later: Both the standard and Solo distributions of Istio are now multi-architecture Docker images, which work for both AMD and ARM atchitectures. The
-armtag is no longer supported. For example,1.16.0-solo,1.16.0-fips, and1.16.0-solo-fipswork for both AMD and ARM. - 1.15.3 and later 1.15 versions: ARM images (tagged with
-arm) are supported for the standard distibution with FIPS and the Solo distribution without FIPS. For example,1.15.3-fips-armand1.15.3-solo-armare supported, but1.15.3-solo-fips-armand1.15.3-armare not supported. - 1.15.0 - 1.15.2: ARM images are not supported for either distibution of these versions.
- 1.14 and earlier: ARM images (tagged with
-arm) are supported only for the standard distribution without FIPS. Example:1.14.5-arm
- 1.16.0 and later: Both the standard and Solo distributions of Istio are now multi-architecture Docker images, which work for both AMD and ARM atchitectures. The
Starting with Istio version 1.12, you must use a Gloo Istio repo key that you can get by logging in to the Support Center and reviewing the Istio images built by Solo.io support article.
Version support
Solo supports n-3 versions for Gloo Platform. Within each Gloo Platform version, different open source project versions are supported, including Gloo Istio n-4 version support.
Gloo Platform
The following versions of Gloo Platform are supported with the compatible open source project versions of Istio and Kubernetes. Later versions of the open source projects that are released after Gloo Platform might also work, but are not tested as part of the Gloo Platform release.
| Gloo Platform | Release date | Gloo Istio* |
Kubernetes† |
|---|---|---|---|
| 2.3 | TBD | 1.12 - 1.16 | 1.19 - 1.24 |
| 2.2 | 20 Jan 2023 | 1.12 - 1.16 | 1.19 - 1.24 |
| 2.1 | 21 Oct 2022 | 1.11 - 1.15 | 1.18 - 1.23 |
| 2.0 | 13 May 2022 | 1.9 - 1.13 | 1.17 - 1.23 |
| 1.2 | 04 Nov 2021 | 1.9 - 1.12 | 1.17 - 1.23 |
Gloo Istio
Keep in mind that Gloo Platform offers n-4 security patching support only with Gloo Istio versions, not community Istio versions. Gloo Istio versions support the same patch versions as community Istio. You can review community Istio patch versions in the Istio release documentation. You must run the latest Gloo Platform patch version to get the backported Istio support.
Supported Istio versions by Kubernetes or OpenShift version
The supported version of Istio, and Kubernetes or OpenShift are dependent on each other. For example, if you plan to use Gloo Platform with Istio 1.15, you must make sure that you use a Kubernetes or OpenShift version that is compatible with Istio 1.15. The same is true if you decided on a specific Kubernetes or OpenShift version, and you must find an Istio version that is compatible.
To find a list of supported Kubernetes versions in Istio, see the Istio docs. For supported OpenShift, go to the OpenShift knowledgebase (requires login).
Known Istio issues
- Istio versions 1.14.0 - 1.14.3 have a known issue about unused endpoints failing to be deleted. Additionally, version 1.14.4 has a known issue about short hostnames causing Kubernetes service and ServiceEntry conflicts. Both issues are resolved in Istio 1.14.5.
- Istio versions 1.13.0 - 1.13.3 have a known issue about service entry hostname expansion. The issue is resolved in Istio 1.13.4.
Gloo features
Additionally, the following Gloo Platform features require specific versions.
| Gloo Platform feature | Required versions |
|---|---|
| XSLT filter | Istio 1.11 or later |
| Gloo-managed Istio installations | Gloo Platform 2.1.0 or later |
| GraphQL add-on | Gloo Platform version 2.1.0 or later, and Istio version 1.14.5 or later |
AWS Lambda unwrapAsApiGateway setting |
Istio version 1.15.0 or later |
About Gloo Istio FIPS
For use cases that require federal information processing capabilities, install Gloo Istio images that are tagged with fips, which comply with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS).
For example, you might provide a cloud service that runs in a Federal Risk and Authorization Management Program (FedRAMP) regulated environment. In such cases, Gloo Mesh offers FIPS builds of community Istio without the need for any additional tooling or CLIs. You can use the upstream-native Istio tooling, such istioctl or IstioOperator, to install Solo's FIPS builds of Istio.
Standard and Solo FIPS builds
Solo provides two main distributions for Gloo Istio, which both offer FIPS-compliant builds:
- Standard: An enterprise distribution of the community Istio project with additional security patches.
- Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Mesh Enterprise features.
Depending on the distribution, the image tag for installation might look like 1.16.2-solo-fips.
Optional: Distroless FIPS builds
In addition, you can also choose a FIPS build that is distroless. A FIPS image that is tagged with distroless is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Keep in mind that there are some challenges around distroless builds; for example, if your app relies on package management, shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies.
Depending on the distribution, the image tag for a distroless installation might look like 1.16.2-solo-fips-distroless.
More information
See Get the Gloo Istio version that you want to use.
Installing a FIPS build
After you choose your FIPS build, you can follow the steps in Install Istio to install Istio on each workload cluster. In the IstioOperator resource, be sure to specify the FIPS-tagged image that you want to use. For example, your IstioOperator might look like the following:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: gloo-mesh-istio
namespace: istio-system
spec:
# This value is required for Gloo Istio. You get the repo key from your Solo Account Representative. Or, for Istio 1.11 or earlier, use 'gcr.io/istio-enterprise'.
hub: $REPO
# This value can be any Gloo Istio tag
tag: 1.16.2-solo-fips
...Verifying FIPS compliance
For most auditors, both the Istio control plane and the service mesh data plane in each workload cluster must be FIPS compliant. You can verify that your images are a FIPS-compliant version by checking Envoy and istiod on each cluster.
-
To verify the Istio data plane in each workload cluster, check the Envoy proxy version.
kubectl exec -it -n istio-system deploy/istio-ingressgateway -- /usr/local/bin/envoy --versionExample output of FIPS compliance:
/usr/local/bin/envoy version: fa9fd362c488508a661d2ffa66e66976bb9104c3/1.15.1/Clean/RELEASE/BoringSSL-FIPS -
To verify the Istio control plane components in each workload cluster, copy the
pilot-discoverybinary out of the istiod container, and rungoversionagainst the binary.-
Install
goversionto your local machine.go get github.com/rsc/goversion -
Copy the binary out to the local disk.
kubectl cp istio-system/<pod-name>:/usr/local/bin/pilot-discovery /tmp/pilot-discovery && chmod +x /tmp/pilot-discovery -
Run
goversionagainst the binary.goversion -crypto /tmp/pilot-discoveryExample output of FIPS compliance: Note that the type is indicated as boring and the version number includes a b.
/tmp/pilot-discovery go1.14.12b4 (boring crypto)Example output of FIPS non-compliance: Note that the type is indicated as standard, which means that the image in not a FIPS build of Istio.
/tmp/pilot-discovery go1.14.14 (standard crypto)
-