About Gloo Mesh Istio
Install Gloo Mesh Istio, a hardened Istio enterprise image, in your workload clusters.
About Gloo Mesh Istio
Gloo Mesh Istio is a hardened Istio enterprise image that maintains n-4 support for CVEs and other security fixes, longer than community Istio, which provides n-1 support with an additional 6 weeks of extended time to upgrade from the n-2 version to n-1. Based on a cadence of one release every 3 months, Gloo Mesh's n-4 support provides an extra 9 months to run the hardened Istio version of your choice, compared to an open source strategy that also lacks enterprise support. Note that everything backported into Gloo Mesh Istio originates in the upstream community Istio: there are no proprietary features or forked capabilities.
Solo provides two main distributions for Gloo Mesh Istio as follows.
- Standard: An enterprise distribution of the community Istio project with additional security patches.
- Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Mesh Enterprise features. You must use the `solo` image to use these features, such as Gloo Mesh Gateway.
Both the standard and `solo` distributions of Gloo Mesh Istio come in the following optional varieties.
- FIPS: An image that is tagged with `fips` complies with NIST FIPS, for use cases that require federal information processing capabilities.
- Distroless: An image that is tagged with `distroless` is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Note that if your app relies on package management, shell, or other operating system tools such as `pip`, `apt`, `ls`, `grep`, or `bash`, you must find another way to install these dependencies.
Additionally, the standard distribution of Gloo Mesh Istio comes in the following optional variety.
- ARM: In Istio version 1.11.5 and later, an image that is tagged with `arm` is compatible with ARM64 architectures. Note that for AMD64 and ARM64 architectures, you do not need to use the `-arm` tag, because the standard Gloo Mesh Istio images are multi-architecture Docker images.
Besides FIPS and extended support, you also must use the Gloo Mesh Istio image for the following features.
- Gloo Mesh Gateway: You can use a gateway that is based on the community Istio image or on the Solo-provided Istio image. However, to unlock advanced Gloo Mesh Gateway features based on custom Envoy extensions, such as XSLT transformations, you must use the Solo Istio image.
Starting with Istio version 1.12, you must use a Gloo Mesh Istio repo key, which you can get by logging in to the Support Center and reviewing the "Istio images built by Solo.io" support article.
Version support
Review the following tables to determine Gloo Mesh Enterprise version compatibility with Gloo Mesh Istio and Kubernetes.
| Gloo Mesh Enterprise | Release date | Gloo Mesh Istio* | Kubernetes† |
|---|---|---|---|
| 2.0 | 13 May 2022 | 1.9 - 1.13 | 1.17 - 1.23 |
| 1.2 | 4 Nov 2021 | 1.9 - 1.12 | 1.17 - 1.23 |
Additionally, the following Gloo Mesh Enterprise features require specific versions.
| Gloo Mesh feature | Required versions |
|---|---|
| `directResponseAction` in Gloo Mesh Gateway | Gloo Mesh Istio 1.8 `solo` image or later |
| Multicluster subset routing in traffic policies | Istio 1.8 or later |
| Rate limiting for Gloo Mesh Gateway | Gloo Mesh Istio 1.8 `solo` image or later |
| XSLT filter | Istio 1.11 or later |
| Gloo Mesh-managed Istio installations | Istio 1.11 or earlier |
\* Gloo Mesh Enterprise offers n-4 security patching support only with Gloo Mesh Istio versions, not community Istio versions. Gloo Mesh Istio versions support the same patch versions as community Istio. You can review community Istio patch versions in the Istio release documentation. You must run the latest Gloo Mesh Enterprise patch version to get the backported Istio support. For more considerations when installing Gloo Mesh Istio, see Download a specific image.
† Istio and Kubernetes: Supported Kubernetes versions depend on Gloo Mesh API version compatibility and on the version of Istio that is installed. For example, you cannot use Gloo Mesh Enterprise with Istio 1.9 on a Kubernetes 1.22 cluster, because Istio 1.9 does not support Kubernetes 1.22. To review Istio support of Kubernetes versions, see the Istio documentation.
OpenShift and Kubernetes: The Istio and Kubernetes versions also determine which version of OpenShift you can run. For example, with Istio 1.11 you can run OpenShift 4.8, which uses Kubernetes 1.21. To review OpenShift Kubernetes support, see the OpenShift changelog documentation for the version you want to use.
Istio versions 1.13.0, 1.13.1, 1.13.2, and 1.13.3 have a known issue about service entry hostname expansion. The issue is resolved in Istio 1.13.4. Istio versions 1.8.0, 1.8.1, and 1.8.2 have a known issue where sidecar proxies might not start under specific circumstances. This bug might surface in sidecars configured by Failover Services. This issue is resolved in Istio 1.8.3.
About Gloo Mesh Istio FIPS
For use cases that require federal information processing capabilities, install Gloo Mesh Istio images that are tagged with `fips`, which comply with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS).
For example, you might provide a cloud service that runs in a Federal Risk and Authorization Management Program (FedRAMP) regulated environment. In such cases, Gloo Mesh offers FIPS builds of community Istio without the need for any additional tooling or CLIs. You can use the upstream-native Istio tooling, such as `istioctl` or the `IstioOperator` resource, to install Solo's FIPS builds of Istio.
Standard and Solo FIPS builds
Solo provides two main distributions for Gloo Mesh Istio, which both offer FIPS-compliant builds:
- Standard: An enterprise distribution of the community Istio project with additional security patches.
- Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Mesh Enterprise features. You must use the `solo` image to use these features, such as Gloo Mesh Gateway.
Depending on the distribution, the image tag for installation might look like `1.13.4-solo-fips`.
Optional: Distroless FIPS builds
In addition, you can also choose a FIPS build that is distroless. A FIPS image that is tagged with `distroless` is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Keep in mind that there are some challenges around distroless builds; for example, if your app relies on package management, shell, or other operating system tools such as `pip`, `apt`, `ls`, `grep`, or `bash`, you must find another way to install these dependencies.
Depending on the distribution, the image tag for a distroless installation might look like `1.13.4-solo-fips-distroless`.
More information
See Get the Gloo Mesh Istio version that you want to use.
Installing a FIPS build
After you choose your FIPS build, you can follow the steps in Install Gloo Mesh Istio to install Istio on each workload cluster. In the `IstioOperator` resource, be sure to specify the FIPS-tagged image that you want to use. For example, your `IstioOperator` might look like the following:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: gloo-mesh-istio
  namespace: istio-system
spec:
  # This value is required for Gloo Mesh Istio. You get the repo key from your Solo Account Representative. Or, for Istio 1.11 or earlier, use 'gcr.io/istio-enterprise'.
  hub: $REPO
  # This value can be any Gloo Mesh Istio tag
  tag: 1.13.4-solo-fips
  ...
```
Verifying FIPS compliance
For most auditors, both the Istio control plane and the service mesh data plane in each workload cluster must be FIPS compliant. You can verify that your images are a FIPS-compliant version by checking Envoy and istiod on each cluster.
- To verify the Istio data plane in each workload cluster, check the Envoy proxy version. The command below checks the ingress gateway; also check a sidecar in each workload namespace, because pods that were injected before an upgrade keep their old proxy image until they are restarted.

  ```shell
  kubectl exec -it -n istio-system deploy/istio-ingressgateway -- /usr/local/bin/envoy --version
  ```

  Example output of FIPS compliance:

  ```
  /usr/local/bin/envoy version: fa9fd362c488508a661d2ffa66e66976bb9104c3/1.15.1/Clean/RELEASE/BoringSSL-FIPS
  ```

- To verify the Istio control plane components in each workload cluster, copy the `pilot-discovery` binary out of the istiod container, and run `goversion` against the binary.
  - Install `goversion` to your local machine. Note that in Go 1.17 and later, `go get` no longer builds and installs binaries; use the `go install` form with a version suffix such as `@latest` instead.

    ```shell
    go get github.com/rsc/goversion
    ```

  - Copy the binary out to the local disk. Note that `kubectl cp` relies on `tar` inside the container, so it fails against `distroless` images, which ship without it; for those, pull the istiod image locally and extract `/usr/local/bin/pilot-discovery` from it instead (for example, with `docker create` followed by `docker cp`).

    ```shell
    kubectl cp istio-system/<pod-name>:/usr/local/bin/pilot-discovery /tmp/pilot-discovery && chmod +x /tmp/pilot-discovery
    ```

  - Run `goversion` against the binary.

    ```shell
    goversion -crypto /tmp/pilot-discovery
    ```

    Example output of FIPS compliance. Note that the type is indicated as `boring` and the version number includes a `b`.

    ```
    /tmp/pilot-discovery go1.14.12b4 (boring crypto)
    ```

    Example output of FIPS non-compliance. Note that the type is indicated as `standard`, which means that the image is not a FIPS build of Istio.

    ```
    /tmp/pilot-discovery go1.14.14 (standard crypto)
    ```
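The checks above are manual and cover a single gateway pod. The following POSIX shell script is an added example, not code from the Gloo Mesh documentation or from Solo's tooling: it wraps the same three pieces of evidence (Envoy version string, `goversion -crypto` output, and the image tag of every `istio-proxy` and istiod container in the cluster) into functions that can be exercised offline, and extends the data plane check from the ingress gateway to every sidecar. It assumes, as stated in its comments, that FIPS images carry `-fips` in the tag (as in `1.13.4-solo-fips`), that the istiod container is named `discovery` and sidecars and gateways use a container named `istio-proxy`, and that `goversion` is on `PATH` with `pilot-discovery` already copied to `/tmp`. The sample inputs in the comments are constructed from the example outputs shown above.

```shell
#!/bin/sh
# Added example (not from the Gloo Mesh docs): audit a cluster for FIPS build
# evidence. Assumptions: FIPS image tags contain "-fips", the istiod container
# is named "discovery", sidecars and gateways use a container named
# "istio-proxy", and goversion is on PATH.

# Envoy prints ".../<version>/Clean/RELEASE/BoringSSL-FIPS" for FIPS builds,
# e.g. "/usr/local/bin/envoy version: fa9f.../1.15.1/Clean/RELEASE/BoringSSL-FIPS".
# Returns 0 only when that marker is present.
envoy_is_fips() {
  case "$1" in
    *"/BoringSSL-FIPS"*) return 0 ;;
    *) return 1 ;;
  esac
}

# goversion -crypto prints "<path> go1.14.12b4 (boring crypto)" for a
# BoringCrypto toolchain and "<path> go1.14.14 (standard crypto)" otherwise.
goversion_is_boring() {
  case "$1" in
    *"(boring crypto)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify one image reference by its tag. Prints ok, NOT-FIPS, or DIGEST-REF.
# A digest reference carries no tag, so it cannot be classified here and is
# reported for manual inspection (return 2).
classify_image() {
  image=$1
  case "$image" in
    *@sha256:*) echo DIGEST-REF; return 2 ;;
  esac
  # Drop the registry host first: it may carry a :port that looks like a tag.
  last=${image##*/}
  case "$last" in
    *:*-fips*) echo ok; return 0 ;;
    *) echo NOT-FIPS; return 1 ;;
  esac
}

# Read "namespace/pod image" lines on stdin, print one verdict per line, and
# return 1 if any image is not a FIPS-tagged reference (digest refs included).
audit_images() {
  rc=0
  while read -r pod image; do
    [ -z "$pod" ] && continue
    verdict=$(classify_image "$image") || rc=1
    printf '%s %s %s\n' "$pod" "$image" "$verdict"
  done
  return $rc
}

# Live checks against the current kubeconfig context. Lists every istio-proxy
# container (sidecars included), not only istio-ingressgateway, because pods
# injected before an upgrade keep their old proxy image until restarted.
audit_cluster() {
  kubectl get pods -A -o go-template='{{range .items}}{{$ns := .metadata.namespace}}{{$n := .metadata.name}}{{range .spec.containers}}{{if or (eq .name "istio-proxy") (eq .name "discovery")}}{{$ns}}/{{$n}} {{.image}}{{"\n"}}{{end}}{{end}}{{end}}' \
    | audit_images
  rc=$?
  v=$(kubectl exec -n istio-system deploy/istio-ingressgateway -c istio-proxy -- /usr/local/bin/envoy --version)
  if envoy_is_fips "$v"; then echo "ingressgateway envoy: ok"; else echo "ingressgateway envoy: NOT-FIPS"; rc=1; fi
  if [ -x /tmp/pilot-discovery ]; then
    g=$(goversion -crypto /tmp/pilot-discovery)
    if goversion_is_boring "$g"; then echo "istiod pilot-discovery: boring crypto"; else echo "istiod pilot-discovery: standard crypto"; rc=1; fi
  fi
  return $rc
}

# Only touch the cluster when asked, so the parsers can be exercised offline.
if [ "${1:-}" = "--cluster" ]; then
  audit_cluster
fi
```

Run it as `sh audit-fips.sh --cluster` against each workload cluster's context; a non-zero exit means at least one proxy or control plane image could not be shown to be a FIPS build. Image-tag classification is only a first filter: a tag proves what was requested, not what runs, so the Envoy and `goversion` checks remain the evidence an auditor will ask for.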