Install Gloo Mesh Istio FIPS

For use cases that require federal information processing capabilities, install the Gloo Mesh Istio images that are tagged with fips, which comply with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS).

For example, you might provide a cloud service that runs in a Federal Risk and Authorization Management Program (FedRAMP) regulated environment. In such cases, Gloo Mesh offers FIPS builds of community Istio without the need for any additional tooling or CLIs. You can use the upstream-native Istio tooling, such as istioctl or IstioOperator, to install Solo's FIPS builds of Istio.

Choosing a FIPS build

Gloo Mesh Istio is a hardened Istio enterprise image that maintains n-4 support for CVEs and other security fixes, longer than community Istio, which provides n-1 support plus an additional 6 weeks of extended time to upgrade from the n-2 version to n-1.

Standard and Solo FIPS builds

Solo provides two main distributions for Gloo Mesh Istio, which both offer FIPS-compliant builds:

Depending on the distribution, the image tag for installation might look like 1.10.4-solo-fips.

Optional: Distroless FIPS builds

In addition, you can choose a FIPS build that is distroless. A FIPS image that is tagged with distroless is a slimmed-down distribution with the minimum set of binary dependencies needed to run the image, for enhanced performance and security. Keep in mind that there are some challenges around distroless builds; for example, if your app relies on package management, a shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies.

Depending on the distribution, the image tag for a distroless installation might look like 1.10.4-solo-fips-distroless.

More information

For more information:

Installing a FIPS build

After you choose your FIPS build, you can follow the steps in Install Gloo Mesh Istio to install Istio on each remote cluster. In the IstioOperator resource, be sure to specify the FIPS-tagged image that you want to use. For example, your IstioOperator might look like the following:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: gloo-mesh-istio
  namespace: istio-system
spec:
  # This value is required for Gloo Mesh Istio
  hub: gcr.io/istio-enterprise
  # This value can be any Gloo Mesh Istio tag
  tag: 1.10.4-solo-fips
... 

Verifying FIPS compliance

For most auditors, both the Istio control plane and the service mesh data plane in each remote cluster must be FIPS compliant. You can verify that your images are a FIPS-compliant version by checking Envoy and istiod on each cluster.

  1. To verify the Istio data plane in each remote cluster, check the Envoy proxy version.

    kubectl exec -it -n istio-system deploy/istio-ingressgateway -- /usr/local/bin/envoy --version
    

    Example output of FIPS compliance:

    /usr/local/bin/envoy  version: fa9fd362c488508a661d2ffa66e66976bb9104c3/1.15.1/Clean/RELEASE/BoringSSL-FIPS
    
  2. To verify the Istio control plane components in each remote cluster, copy the pilot-discovery binary out of the istiod container, and run goversion against the binary.

    1. Install goversion to your local machine.

      go get github.com/rsc/goversion
      
    2. Copy the binary out to the local disk.

      kubectl cp istio-system/<pod-name>:/usr/local/bin/pilot-discovery /tmp/pilot-discovery && chmod +x /tmp/pilot-discovery
      
    3. Run goversion against the binary.

      goversion -crypto /tmp/pilot-discovery
      

      Example output of FIPS compliance: Note that the type is indicated as boring and the version number includes a b.

      /tmp/pilot-discovery go1.14.12b4 (boring crypto)
      

      Example output of FIPS non-compliance: Note that the type is indicated as standard, which means that the image is not a FIPS build of Istio.

      /tmp/pilot-discovery go1.14.14 (standard crypto)
      

RSA 4096 key sizes

With Gloo Mesh Istio's FIPS builds, you can run the control plane in strict adherence to the original FIPS 140-2 standard, which did not allow RSA 4096 key sizes, or in a mode that supports 4096 key sizes. For strict mode, append -fipsonly to the build tag.

If you run in strict mode (-fipsonly), your output for verifying the Istio control plane looks like the following. This mode does not allow 4096-bit RSA keys.

/tmp/pilot-discovery go1.14.12b4 (boring crypto) +crypto/tls/fipsonly

If your output looks like the following, the mode allows RSA key sizes up to 4096 bits.

/tmp/pilot-discovery go1.14.12b4 (boring crypto)
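The data-plane and control-plane checks above, and the strict-mode distinction in this section, can be scripted so that each remote cluster is classified the same way every time. The following is an added example, not Solo's own tooling; it assumes the kubectl context already points at the remote cluster, that goversion is installed, and that the istiod pod carries the label app=istiod (standard for upstream Istio, but an assumption here). The sample outputs in the test are constructed from the example lines on this page.

```shell
#!/bin/sh
# classify_envoy: inspect one `envoy --version` line.
# Prints "fips" if the build string reports BoringSSL-FIPS, otherwise "non-fips".
classify_envoy() {
  case "$1" in
    *BoringSSL-FIPS*) echo "fips"; return 0 ;;
    *) echo "non-fips"; return 1 ;;
  esac
}

# classify_pilot: inspect one `goversion -crypto` line for pilot-discovery.
# Prints one of:
#   fips-strict  boring crypto + crypto/tls/fipsonly (no RSA 4096 keys)
#   fips         boring crypto, RSA key sizes up to 4096 allowed
#   standard     standard crypto, i.e. not a FIPS build
classify_pilot() {
  case "$1" in
    *"(boring crypto)"*"+crypto/tls/fipsonly"*) echo "fips-strict" ;;
    *"(boring crypto)"*) echo "fips" ;;
    *"(standard crypto)"*) echo "standard" ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# check_cluster: run both checks against the current kubectl context.
# Assumes the istiod pod is labelled app=istiod (assumption, see lead-in).
check_cluster() {
  envoy_out=$(kubectl exec -n istio-system deploy/istio-ingressgateway -- \
    /usr/local/bin/envoy --version)
  pod=$(kubectl get pod -n istio-system -l app=istiod \
    -o jsonpath='{.items[0].metadata.name}')
  kubectl cp "istio-system/$pod:/usr/local/bin/pilot-discovery" /tmp/pilot-discovery
  chmod +x /tmp/pilot-discovery
  pilot_out=$(goversion -crypto /tmp/pilot-discovery)
  echo "data plane:    $(classify_envoy "$envoy_out")"
  echo "control plane: $(classify_pilot "$pilot_out")"
}
```

Run check_cluster once per remote cluster; an auditor typically wants both lines to report a fips value, and the control-plane line tells you whether the -fipsonly build is in use.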

Next steps

Now that Istio service meshes are installed, you can install the Gloo Mesh Enterprise management plane components into a cluster.