Solo Istio

Learn about using Solo Istio, a hardened Istio enterprise image, in your workload clusters.

About Solo Istio

Solo Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. The image support timeline is longer than the community Istio support timeline, which provides n-1 support with an additional 6 weeks of extended time to upgrade the n-2 version to n-1. Based on a cadence of 1 release every 3 months, Gloo Mesh's n-4 support provides an extra 9 months to run the hardened Istio version of your choice, compared to an open source strategy that also lacks enterprise support. Note that all backported functionality is available in the upstream community Istio, as there are no proprietary features or forked capabilities from community Istio.

The following image provides an overview of how Solo engineers harden the base Istio image release.

Solo image hardening overview

To use a version of Istio that is no longer supported by the community with Gloo Platform, you must install the Solo Istio version. If the Istio version that you want to use is currently supported by the community, you can use either the community Istio or the Solo Istio version. To review supported community versions, see the Istio documentation.

Distributions

Solo provides two main distributions for Solo Istio as follows.

Both the standard and solo distributions of Solo Istio come in the following optional varieties.

An image might be tagged to meet multiple use cases, such as 1.19.3-solo-fips-distroless.

To use Solo Istio images, you must use a Solo Istio repo key that you can get by logging in to the Support Center and reviewing the Istio images built by Solo.io support article.

Version support

Solo supports n-3 versions for Gloo Platform. Within each Gloo Platform version, different open source project versions are supported, including Solo Istio n-4 version support.

Gloo Platform

The following versions of Gloo Platform are supported with the compatible open source project versions of Istio and Kubernetes. Later versions of the open source projects that are released after Gloo Platform might also work, but are not tested as part of the Gloo Platform release.

Gloo Platform Release date Supported Solo Istio versions and related Kubernetes versions tested by Solo
2.5 TBD
  • Istio 1.20 on Kubernetes 1.25 - 1.28
  • Istio 1.19 on Kubernetes 1.25 - 1.28
  • Istio 1.18 on Kubernetes 1.24 - 1.27
  • Istio 1.17 on Kubernetes 1.23 - 1.26
  • Istio 1.16 on Kubernetes 1.22 - 1.25
2.4 28 Aug 2023
  • Istio 1.18 on Kubernetes 1.24 - 1.27
  • Istio 1.17 on Kubernetes 1.23 - 1.26
  • Istio 1.16 on Kubernetes 1.22 - 1.25
  • Istio 1.15 on Kubernetes 1.22 - 1.25
  • Istio 1.14 on Kubernetes 1.21 - 1.24
2.3 17 Apr 2023
  • Istio 1.18 on Kubernetes 1.24 - 1.25
  • Istio 1.17 on Kubernetes 1.23 - 1.25
  • Istio 1.16 on Kubernetes 1.22 - 1.25
  • Istio 1.15 on Kubernetes 1.22 - 1.25
  • Istio 1.14 on Kubernetes 1.21 - 1.24
2.2 20 Jan 2023
  • Istio 1.18 on Kubernetes 1.24
  • Istio 1.17 on Kubernetes 1.23 - 1.24
  • Istio 1.16 on Kubernetes 1.22 - 1.24
  • Istio 1.15 on Kubernetes 1.22 - 1.24
  • Istio 1.14 on Kubernetes 1.21 - 1.24

Solo Istio

Keep in mind that Gloo Platform offers n-4 security patching support only with Solo Istio versions, not community Istio versions. Solo Istio versions support the same patch versions as community Istio. You can review community Istio patch versions in the Istio release documentation. You must run the latest Gloo Platform patch version to get the backported Istio support.

Supported Istio versions by Kubernetes or OpenShift version

The supported version of Istio, and Kubernetes or OpenShift are dependent on each other. For example, if you plan to use Gloo Platform with Istio 1.18, you must make sure that you use a Kubernetes or OpenShift version that is compatible with Istio 1.18. The same is true if you decided on a specific Kubernetes or OpenShift version, and you must find an Istio version that is compatible.

To find a list of supported Kubernetes versions in Istio, see the Istio docs. For supported OpenShift, go to the OpenShift knowledgebase (requires login).

Known Istio issues

Feature gates

To review the required Gloo Mesh versions for specific features that you can optionally enable, see Feature gates.

About Solo Istio FIPS

For use cases that require federal information processing capabilities, install Solo Istio images that are tagged with fips, which comply with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS).

For example, you might provide a cloud service that runs in a Federal Risk and Authorization Management Program (FedRAMP) regulated environment. In such cases, Gloo Mesh offers FIPS builds of community Istio without the need for any additional tooling or CLIs. You can use the upstream-native Istio tooling, such istioctl or Istio Helm charts, to install Solo's FIPS builds of Istio.

Standard and Solo FIPS builds

Solo provides two main distributions for Solo Istio, which both offer FIPS-compliant builds:

Depending on the distribution, the image tag for installation might look like 1.19.3-solo-fips.

For FIPS-compliant builds of Istio 1.17.2 and 1.16.4, you must use the -patch1 versions of the latest Istio builds published by Solo, such as 1.17.2-patch1-solo-fips for Solo Istio version 1.17. These patch versions fix a FIPS-related issue introduced in the upstream Envoy code. In 1.17.3 and later, FIPS compliance is available in the -fips tags of regular Solo Istio builds, such as 1.17.3-solo-fips.

Optional: Distroless FIPS builds

In addition, you can also choose a FIPS build that is distroless. A FIPS image that is tagged with distroless is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Keep in mind that there are some challenges around distroless builds; for example, if your app relies on package management, shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies.

Depending on the distribution, the image tag for a distroless installation might look like 1.19.3-solo-fips-distroless.

More information

See Get the Solo Istio version that you want to use.

Installing a FIPS build

When you install Gloo Mesh, you can specify the FIPS-tagged image that you want to use for Istio as an installation Helm chart value. For more information, see the getting started or setup guides.

Verifying FIPS compliance

For most auditors, both the Istio control plane and the service mesh data plane in each workload cluster must be FIPS compliant. You can verify that your images are a FIPS-compliant version by checking Envoy and istiod on each cluster.

  1. To verify the Istio data plane in each workload cluster, check the Envoy proxy version.

    kubectl exec -it -n istio-system deploy/istio-ingressgateway -- /usr/local/bin/envoy --version
    

    Example output of FIPS compliance:

    /usr/local/bin/envoy  version: fa9fd362c488508a661d2ffa66e66976bb9104c3/1.15.1/Clean/RELEASE/BoringSSL-FIPS
    
  2. To verify the Istio control plane components in each workload cluster, copy the pilot-discovery binary out of the istiod container, and run goversion against the binary.

    1. Install goversion to your local machine.

      go get github.com/rsc/goversion
      
    2. Copy the binary out to the local disk.

      kubectl cp istio-system/<pod-name>:/usr/local/bin/pilot-discovery /tmp/pilot-discovery && chmod +x /tmp/pilot-discovery
      
    3. Run goversion against the binary.

      goversion -crypto /tmp/pilot-discovery
      

      Example output of FIPS compliance: Note that the type is indicated as boring and the version number includes a b.

      /tmp/pilot-discovery go1.14.12b4 (boring crypto)
      

      Example output of FIPS non-compliance: Note that the type is indicated as standard, which means that the image in not a FIPS build of Istio.

      /tmp/pilot-discovery go1.14.14 (standard crypto)