About Solo distributions of Istio

The Solo distribution of Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. The image support timeline is longer than the community Istio support timeline, which provides n-1 support with an additional 6 weeks of extended time to upgrade the n-2 version to n-1. Based on a cadence of 1 release every 3 months, Gloo Mesh’s n-4 support provides an extra 9 months to run the hardened Istio version of your choice, compared to an open source strategy that also lacks enterprise support. Note that all backported functionality is available in the upstream community Istio, as there are no forked capabilities from community Istio.

The following image provides an overview of how Solo engineers harden the base Istio image release.

Solo image hardening overview
Figure: Solo image hardening overview
Solo image hardening overview
Figure: Solo image hardening overview

To use a version of Istio that is no longer supported by the community with Gloo Mesh, you must install the Solo distribution of Istio. If the Istio version that you want to use is currently supported by the community, you can use either the community Istio or the Solo distribution of Istio. To review supported Solo distributions of Istio, see the versions table. To review supported community versions, see the Istio documentation.

Distributions

Solo provides two main distributions of Istio as follows.

  • Standard: A copy of the community Istio distribution. This distribution does not contain Solo.io’s enterprise features or extended Istio support. Example: 1.25.2
  • Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Mesh features, such as support for deploying Istio service meshes in ambient mode. You must use the solo image to use these features. Example: 1.25.2-solo

Both Solo’s standard and solo distributions of Istio come in the following optional varieties.

  • FIPS: An image that is tagged with fips complies with NIST FIPS, for use cases that require federal information processing capabilities. For more information, see About Solo FIPS distribution of Istio. Examples: 1.25.2-fips, 1.25.2-solo-fips
  • Distroless: An image that is tagged with distroless is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Note that if your app relies on package management, shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies. Examples: 1.25.2-distroless, 1.25.2-solo-distroless

An image might be tagged to meet multiple use cases, such as 1.25.2-solo-fips-distroless.

About Solo FIPS distribution of Istio

For use cases that require federal information processing capabilities, install Solo distributions of Istio that are tagged with fips, which comply with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS). For more information, see the FIPS setup guide.

Standard and Solo FIPS builds

Solo provides two main distributions of Istio, which both offer FIPS-compliant builds:

  • Standard: An enterprise distribution of the community Istio project with additional security patches.
  • Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Mesh features.

Depending on the distribution, the image tag for installation might look like 1.25.2-solo-fips.

Optional: Distroless FIPS builds

In addition, you can also choose a FIPS build that is distroless. A FIPS image that is tagged with distroless is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Keep in mind that there are some challenges around distroless builds. For example, if your app relies on package management, shell, or other operating system tools such as pip, apt, ls, grep, or bash, you must find another way to install these dependencies.

Depending on the distribution, the image tag for a distroless installation might look like 1.25.2-solo-fips-distroless.

Installing and verifying FIPS-compliant Istio images

Refer to the Install FIPS-compliant images guide.

Features by license level

The Solo distribution of Istio includes standard built-in features by default, and numerous other features that you can unlock with two levels of Solo licenses. When you provide your license in your Istio installation values, your Istio installation is automatically enabled with the features provided by your license.

  • Standard features are included by default in the Solo distribution of Istio version 1.25 and later. If you provide a -solo tagged Istio version in your Istio installation values, your Istio installation is enabled with these standard features.
  • Premium features are unlocked with a Premium license (sometimes called a Gloo Mesh license). In addition to all Standard features, a Premium license unlocks better environment visibility and analysis with the Gloo Mesh management plane, and increased Solo support.
  • Enterprise features are unlocked with an Enterprise license (sometimes called a Gloo Mesh Enterprise license). In addition to all Standard and Premium features, a Premium license unlocks the most comprehensive enterprise-level features to help you build out your ideal, customized mesh setup.

If you do not already have a Premium or Enterprise license for Gloo Mesh, you can contact an account representative to obtain one. Note that if you also install the Gloo Mesh management plane for better visibility and insights into your environment, you specify your same license in your Gloo Mesh installation too.

Review the following features and the levels that each feature is supported in. Note that these lists provide a general overview of major features, and are not exhaustive.

✅ Supported
🟡 Limited support
❌ Unsupported
* Additional fees apply
† Multicluster mesh support requires an Enteprise level license for both Gloo Gateway and Gloo Mesh.

Providing repo key, image tag, and license installation values

When you install Istio, you can provide your Solo distribution of Istio details by following one of the Istio installation guides in this documentation set. These guides include steps for how to provide your repo key, image tag, and license installation values, depending on the method of installation.

Ambient mesh

Sidecar mesh

Gloo Mesh management plane

Note that if you also install the Gloo Mesh management plane for better visibility and insights into your environment, you specify your same license in your Gloo Mesh installation too. Check out one of the following guides to get started.