About Solo distributions of Istio

The Solo distribution of Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. The image support timeline is longer than the community Istio support timeline, which provides n-1 support with an additional 6 weeks of extended time to upgrade the n-2 version to n-1. Based on a cadence of 1 release every 3 months, Solo Enterprise for Istio’s n-4 support provides an extra 9 months to run the hardened Istio version of your choice, compared to an open source strategy that also lacks enterprise support. Note that all backported functionality is available in the upstream community Istio, as there are no forked capabilities from community Istio.

The following image provides an overview of how Solo engineers harden the base Istio image release.

Figure: Solo image hardening overview

To use a version of Istio that is no longer supported by the community with Solo Enterprise for Istio, you must install the Solo distribution of Istio. If the Istio version that you want to use is currently supported by the community, you can use either the community Istio or the Solo distribution of Istio. To review supported Solo distributions of Istio, see the versions table. To review supported community versions, see the Istio documentation.

Distributions

Solo provides two main distributions of Istio as follows.

  • Standard: A copy of the community Istio distribution. This distribution does not contain Solo.io’s enterprise features or extended Istio support. Example: 1.26.7
  • Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Solo Enterprise for Istio features, such as support for deploying Istio service meshes in ambient mode. You must use the solo image to use these features. Example: 1.26.7-solo

Both Solo’s standard and solo distributions of Istio come in the following optional varieties.

  • FIPS: An image that is tagged with fips complies with NIST FIPS, for use cases that require federal information processing capabilities. For more information, see About Solo FIPS distribution of Istio. Examples: 1.26.7-fips, 1.26.7-solo-fips
  • Distroless: An image that is tagged with distroless is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Note that if your app relies on package management, shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies. Examples: 1.26.7-distroless, 1.26.7-solo-distroless

An image might be tagged to meet multiple use cases, such as 1.26.7-solo-fips-distroless.

About Solo FIPS distribution of Istio

For use cases that require federal information processing capabilities, install Solo distributions of Istio that are tagged with fips, which comply with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS). Keep in mind that a Solo license key is required to use the Solo FIPS distribution of Istio.

If you also want to install the Solo Enterprise for Istio management plane, FIPS images are available for all management plane components as well. Refer to the Install FIPS-compliant images guide.

Standard and Solo FIPS builds

Solo provides two main distributions of Istio, which both offer FIPS-compliant builds:

  • Standard: An enterprise distribution of the community Istio project with additional security patches.
  • Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Solo Enterprise for Istio features.

Depending on the distribution, the image tag for installation might look like 1.26.7-solo-fips.

Optional: Distroless FIPS builds

In addition, you can also choose a FIPS build that is distroless. A FIPS image that is tagged with distroless is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Keep in mind that there are some challenges around distroless builds. For example, if your app relies on package management, shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies.

Depending on the distribution, the image tag for a distroless installation might look like 1.26.7-solo-fips-distroless.

Installing and verifying FIPS-compliant Istio images

Install Istio with FIPS-compliant images. If you also want to install the Solo Enterprise for Istio management plane, FIPS images are available for all management plane components as well. Refer to the Install FIPS-compliant images guide.

  1. To find the FIPS build that you want, see Download a specific image.

  2. Use the -fips image when you install Istio, such as 1.26.7-solo-fips. You can choose from the following installation methods:

    • To use the Gloo Operator to deploy and manage the lifecycle of your Istio service meshes, see the Gloo Operator ambient mesh guide.
    • To manually install Istio, you can use Helm. For example, you can follow the steps in the Helm ambient mesh guide. In the example files that you download in this guide, make sure to replace any images with an image that is tagged for the Solo FIPS distribution of Istio.

  3. Verify that the Istio control plane components are FIPS compliant.

      kubectl exec -it -n istio-system $(kubectl get pod -n istio-system -l app=istiod -o jsonpath="{.items[0].metadata.name}") -- /usr/local/bin/pilot-discovery version
      

    Example output: Note the -fips suffix in the Version and GitTag fields, and the X:boringcrypto in the GolangVersion field. The GolangVersion field indicates that the Go binary was compiled with BoringCrypto, a FIPS-compliant cryptographic module.

      client version: version.BuildInfo{
      Version:"1.26.7-solo-fips",
      GitRevision:"e5ace34007bff13f4ed049521d9411a51639b029",
      GolangVersion:"go1.22.7 X:boringcrypto",
      BuildStatus:"Clean",
      GitTag:"1.26.7-solo-fips"
      }
      
  4. Get the hexdump of the pilot-discovery binary file. Hexdump is a command-line utility that displays the contents of a binary file in a hexadecimal format. As such, you can verify that the binary file includes FIPS-related cryptographic components.

      kubectl exec -it -n istio-system $(kubectl get pod -n istio-system -l app=istiod -o jsonpath="{.items[0].metadata.name}") -- sh -c "hexdump -C /usr/local/bin/pilot-discovery | grep -i fips"
      

    Example output: Verify that the last column, which is the ASCII representation of the hexadecimal byte columns, includes strings related to FIPS crypto modules.

      016f0b50  00 00 00 48 8b 0d 96 f2  c0 03 48 ba 66 69 70 73  |...H......H.fips|
      0242f6f0  2f 66 69 70 73 6d 6f 64  75 6c 65 2f 62 6e 2f 61  |/fipsmodule/bn/a|
      0242f720  63 00 2e 2e 2f 63 72 79  70 74 6f 2f 66 69 70 73  |c.../crypto/fips|
      0242f740  2e 2e 2f 63 72 79 70 74  6f 2f 66 69 70 73 6d 6f  |../crypto/fipsmo|
      ...
      
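
The check from step 3 can be scripted so that it fails a pipeline instead of relying on a visual read; the following is an added example, not part of the original page or Solo's tooling, that parses the pilot-discovery version output and passes only if Version and GitTag carry a fips component and GolangVersion contains X:boringcrypto. The function names and the non-FIPS sample are constructed for illustration, and POD in the final comment is a placeholder.

```shell
#!/bin/sh
# Added example (not Solo's code): validate pilot-discovery BuildInfo text for FIPS markers.

# Sample copied from the example output on this page.
FIPS_SAMPLE='client version: version.BuildInfo{
Version:"1.26.7-solo-fips",
GitRevision:"e5ace34007bff13f4ed049521d9411a51639b029",
GolangVersion:"go1.22.7 X:boringcrypto",
BuildStatus:"Clean",
GitTag:"1.26.7-solo-fips"
}'
# Constructed negative sample: a non-FIPS build, printed on one line.
NONFIPS_SAMPLE='client version: version.BuildInfo{Version:"1.26.7-solo", GolangVersion:"go1.22.7", BuildStatus:"Clean", GitTag:"1.26.7-solo"}'

# buildinfo_field FIELD TEXT: print the quoted value of one BuildInfo field.
# Splitting on , { } first keeps "Version" from matching inside "GolangVersion".
buildinfo_field() {
  printf '%s\n' "$2" | tr ',{}' '\n\n\n' |
    sed -n "s/^[[:space:]]*$1:\"\(.*\)\"[[:space:]]*\$/\1/p"
}

# has_fips_tag TAG: true if "fips" is a whole dash-separated component of TAG.
has_fips_tag() {
  case "-$1-" in *-fips-*) return 0 ;; *) return 1 ;; esac
}

# check_fips_buildinfo TEXT: report each marker; return 0 only if all are present.
check_fips_buildinfo() {
  rc=0
  for field in Version GitTag; do
    value=$(buildinfo_field "$field" "$1")
    if has_fips_tag "$value"; then echo "ok   $field=$value"
    else echo "FAIL $field='$value' has no fips component"; rc=1; fi
  done
  golang=$(buildinfo_field GolangVersion "$1")
  case "$golang" in
    *X:boringcrypto*) echo "ok   GolangVersion=$golang" ;;
    *) echo "FAIL GolangVersion='$golang' lacks X:boringcrypto"; rc=1 ;;
  esac
  return "$rc"
}

check_fips_buildinfo "$FIPS_SAMPLE"
check_fips_buildinfo "$NONFIPS_SAMPLE" || echo "non-FIPS sample rejected"
# Live use (assumes cluster access), same command as step 3 without -it:
#   check_fips_buildinfo "$(kubectl exec -n istio-system POD -- /usr/local/bin/pilot-discovery version)"
```

Because this check only executes the pilot-discovery binary, it does not depend on a shell or grep inside the container, which this page notes are not included in distroless images.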

Features by license level

The Solo distribution of Istio includes numerous features that you can unlock with three levels of Solo licenses. If you provide a -solo tagged image of Istio version 1.25 or later and your Solo license in your Istio installation values, your Istio installation is automatically enabled with the features provided by your license.

  • Basic features are unlocked with a Basic license. These standard features provide you with long-term and FIPS support for Istio on top of the open source offerings of Istio.
  • Premium features are unlocked with a Premium license (sometimes called a Solo Enterprise for Istio license). In addition to all Basic features, a Premium license unlocks better environment visibility and analysis with the Gloo management plane, and increased Solo support.
  • Enterprise features are unlocked with an Enterprise license (sometimes called a Solo Enterprise for Istio Enterprise license). In addition to all Basic and Premium features, an Enterprise license unlocks the most comprehensive enterprise-level features to help you build out your ideal, customized mesh setup.

If you do not already have a Basic, Premium, or Enterprise license, you can contact an account representative to obtain one. Note that if you use a Premium or Enterprise license to install Istio, you can also use the same license to install the Gloo management plane for better visibility and insights into your environment.

To review the features that each license level supports, see the Istio support plans comparison on Solo.io. To learn more about select features that are enabled by an Enterprise license, see Enterprise features.

Providing repo key, image tag, and license installation values

When you install Istio, you can provide your Solo distribution of Istio details by following one of the Istio installation guides in this documentation set. These guides include steps for how to provide your repo key, image tag, and license installation values, depending on the method of installation.

Ambient mesh

Sidecar mesh

Gloo management plane

Note that if you also install the Gloo management plane for better visibility and insights into your environment, you specify your same license in your Solo Enterprise for Istio installation too. Check out one of the following guides to get started.