FIPS images
Install FIPS-compliant images for Gloo and Istio.
Solo provides enterprise versions of Gloo and Istio images that comply with the National Institute of Standards and Technology’s (NIST) Federal Information Processing Standards (FIPS).
About
FIPS security requirements for cryptographic modules help protect sensitive data. Many internal and external security requirements require FIPS-compliant images, which can be an important step in achieving Federal Risk and Authorization Management Program (FedRAMP) compliance.
Third-party software, such as open source Kubernetes, Istio, or Envoy, does not inherit the cloud provider’s FIPS or FedRAMP compliance. Instead, you can use an enterprise version of the software that the vendor certifies as FIPS compliant.
Gloo images
Solo provides -fips distributions of the following Gloo Mesh Enterprise images:
- ext-auth-service
- gloo-mesh-agent
- gloo-mesh-apiserver
- gloo-mesh-envoy
- gloo-mesh-mgmt-server
- gloo-mesh-spire-controller
- otel-collector
- gloo-mesh-portal-server
- rate-limiter
- rbac-webhook
Note that the gloo-mesh-ui component’s traffic is routed through a FIPS-compliant Envoy proxy, so the image does not have a standalone -fips build.
For more information about these components, review the Architecture page.
Istio images
Solo provides -fips distributions of the following Istio images:
- Standard Istio images: An enterprise distribution of the community Istio project with additional security patches.
- Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Mesh Enterprise features.
- Distroless standard or Solo FIPS images: A slimmed-down distribution with the minimum set of binary dependencies needed to run the image, for enhanced performance and security.
For more information, see Solo distributions of Istio.
Install FIPS-compliant images
Solo offers FIPS builds of select images to help you meet FIPS compliance without any additional tooling or CLIs. You must configure the FIPS distribution of the images when you install Gloo Mesh Enterprise or Istio, such as via Helm charts. These distributions include -fips suffixes in the image names.
Install Gloo FIPS images
You can download a particular image for Gloo Mesh Enterprise, such as for the following use cases.
- To download and transfer these images for an air-gapped installation, if your environment does not have public network access or cannot pull public images.
- To use a custom build that aligns with compliance standards, including FIPS.
Steps to install FIPS-compliant images:
1. Get the version tag that you want to use in the changelog, such as 2.7.0.
export GLOO_VERSION=2.7.0
2. Add and update the gloo-platform Helm repository.
helm repo add gloo-platform https://storage.googleapis.com/gloo-platform/helm-charts
helm repo update
3. Download all the Helm chart values to use when preparing your Helm chart values file for installation.
helm show values gloo-platform/gloo-platform --version $GLOO_VERSION > all-values.yaml
4. Prepare your Helm chart values file for your new or existing Gloo installation. For FIPS-compliant images, open the Helm values file, search for or create the section for the component, and append -fips to the image tag, such as in the following example. You can use the all-values.yaml file to review the available components and their sections.
...
glooMgmtServer:
  image:
    pullPolicy: IfNotPresent
    registry: gcr.io/gloo-mesh
    repository: gloo-mesh-mgmt-server
    tag: 2.7.0-fips
...
glooAgent:
  image:
    pullPolicy: IfNotPresent
    registry: gcr.io/gloo-mesh
    repository: gloo-mesh-agent
    tag: 2.7.0-fips
5. Optional: If you need to pull the images locally, such as for an air-gapped installation, you can use the information you retrieved from the images section in the values.yaml file to pull the image. For example, you might use the following docker pull command for a FIPS image. Repeat this step for each image that you want to build locally and push to a private repository.
docker pull gcr.io/gloo-mesh/gloo-mesh-mgmt-server:2.7.0-fips
6. Use these packages when you install or upgrade Gloo Mesh Enterprise. For example, you might use the following helm upgrade commands.
Install Istio FIPS images
Install Istio with FIPS-compliant images.
To find the FIPS build that you want, see Download a specific Solo distribution of Istio.
Use the -fips image when you install Istio, such as 1.24.2-solo-fips. You can choose from the following installation methods:
- To use the Gloo Operator to deploy and manage the lifecycle of your Istio service meshes, see Install Gloo-managed service meshes. In the environment variables that you set for the Istio image in this guide, make sure to use an image tagged for the Solo FIPS distribution of Istio.
- To manually install Istio, you can use an installation method such as Helm. For example, you can follow the steps in Install Istio with Helm. In the example files that you download in this guide, make sure to replace any images with an image tagged for the Solo FIPS distribution of Istio.
Verify FIPS compliance
For most auditors, both the control plane and the data plane in each cluster must be FIPS compliant. You can verify that your images are a FIPS-compliant version by checking your Gloo and Istio components on each cluster.
Verify Gloo components
To verify the Gloo components, check the image tag of each deployment.
Example command to check the gloo-mesh-agent image tag:
kubectl get pods -n gloo-mesh -l app=gloo-mesh-agent -o jsonpath="{.items[*].spec.containers[?(@.name=='gloo-mesh-agent')].image}"
Example output: Notice the -fips suffix in the image tag.
gcr.io/gloo-mesh/gloo-mesh-agent:2.7.0-fips
Verify Istio components
Verify that the Istio control plane components are FIPS compliant.
kubectl exec -it -n istio-system $(kubectl get pod -n istio-system -l app=istiod -o jsonpath="{.items[0].metadata.name}") -- /usr/local/bin/pilot-discovery version
Example output: Note the -fips suffix in the Version and GitTag fields, and the X:boringcrypto in the GolangVersion field. The GolangVersion field indicates that the Go binary was compiled with BoringCrypto, a FIPS-compliant cryptographic module.
client version: version.BuildInfo{ Version:"1.24.2-solo-fips", GitRevision:"e5ace34007bff13f4ed049521d9411a51639b029", GolangVersion:"go1.22.7 X:boringcrypto", BuildStatus:"Clean", GitTag:"1.24.2-solo-fips" }
Get the hexdump of the pilot-discovery binary file. Hexdump is a command-line utility that displays the contents of a binary file in hexadecimal format. As such, you can verify that the binary file includes FIPS-related cryptographic components.
kubectl exec -it -n istio-system $(kubectl get pod -n istio-system -l app=istiod -o jsonpath="{.items[0].metadata.name}") -- sh -c "hexdump -C /usr/local/bin/pilot-discovery | grep -i fips"
Example output: Verify that the last column, which is the ASCII representation of the hexadecimal columns, includes strings related to FIPS crypto modules.
016f0b50 00 00 00 48 8b 0d 96 f2 c0 03 48 ba 66 69 70 73 |...H......H.fips|
0242f6f0 2f 66 69 70 73 6d 6f 64 75 6c 65 2f 62 6e 2f 61 |/fipsmodule/bn/a|
0242f720 63 00 2e 2e 2f 63 72 79 70 74 6f 2f 66 69 70 73 |c.../crypto/fips|
0242f740 2e 2e 2f 63 72 79 70 74 6f 2f 66 69 70 73 6d 6f |../crypto/fipsmo|
...
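As an added example (not Solo's documentation or tooling), the following POSIX shell script automates the two verification steps above: it flags every Gloo image reference that cannot be confirmed as a -fips build (untagged and digest-pinned references included), and it parses the pilot-discovery BuildInfo output for a -fips Version and an X:boringcrypto GolangVersion. The image list and BuildInfo string at the bottom are constructed samples, not output captured from a real cluster.

```shell
#!/bin/sh
# Added example, not Solo's docs or tooling: offline checks for the two
# verification steps above. Samples below are constructed; pipe in real
# kubectl output instead (one image reference per line).

# Prints every image that cannot be confirmed as a FIPS build; returns 1 if any.
check_fips_images() {
  local img name tag bad=0
  while IFS= read -r img; do
    [ -n "$img" ] || continue
    name="${img##*/}"                 # last path component: repo[:tag][@digest]
    case "$name" in
      *@sha256:*) echo "NO TAG (digest-pinned, check the registry): $img"; bad=1; continue ;;
      *:*)        tag="${name##*:}" ;;
      *)          echo "NO TAG (implicit latest): $img"; bad=1; continue ;;
    esac
    case "$tag" in
      *-fips) ;;
      *)      echo "NOT FIPS: $img"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Checks the Version and GolangVersion fields of "pilot-discovery version" ($1).
check_istiod_buildinfo() {
  local version golang
  # the leading [{ ,] keeps the pattern from matching GolangVersion
  version=$(printf '%s\n' "$1" | sed -n 's/.*[{ ,]Version:"\([^"]*\)".*/\1/p')
  golang=$(printf '%s\n' "$1" | sed -n 's/.*GolangVersion:"\([^"]*\)".*/\1/p')
  case "$version" in
    *-fips) ;;
    *) echo "istiod Version is not a -fips build: ${version:-missing}"; return 1 ;;
  esac
  case "$golang" in
    *X:boringcrypto*) ;;
    *) echo "istiod Go toolchain lacks X:boringcrypto: ${golang:-missing}"; return 1 ;;
  esac
  echo "istiod OK: $version ($golang)"
}

# Constructed sample input; the digest is a placeholder, not a real image.
SAMPLE_IMAGES='gcr.io/gloo-mesh/gloo-mesh-agent:2.7.0-fips
gcr.io/gloo-mesh/gloo-mesh-mgmt-server:2.7.0
gcr.io/gloo-mesh/rate-limiter
gcr.io/gloo-mesh/ext-auth-service@sha256:PLACEHOLDER'
SAMPLE_BUILDINFO='version.BuildInfo{ Version:"1.24.2-solo-fips", GolangVersion:"go1.22.7 X:boringcrypto", GitTag:"1.24.2-solo-fips" }'
printf '%s\n' "$SAMPLE_IMAGES" | check_fips_images || echo "Gloo: some images are not FIPS builds"
check_istiod_buildinfo "$SAMPLE_BUILDINFO"
```

The jsonpath query above prints image references separated by spaces, so pipe it through tr ' ' '\n' before check_fips_images; a digest-pinned reference can only be confirmed by resolving the digest against the registry.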