Distroless FIPS-compliant Istio

At Solo.io, we work with many customers, and with software providers whose own customers, that have compliance obligations around FIPS (Federal Information Processing Standards). These are typically customers in the US Government, but not exclusively. FIPS is a set of rules about how cryptographic modules are implemented, and it applies to any part of a system that uses cryptographic functions. FIPS 140-2 Security Level 1 validation can be achieved by submitting a cryptographic module for review and testing to a CMVP lab.

We provide enterprise distributions of Istio through our Gloo Mesh product. This comes with enterprise SLAs, long-term support (LTS for 1 year of an Istio release), and expert guidance and architecture reviews. Some of our customers require a hardened, FIPS 140-2 compliant version of the Istio service mesh to run in their environments. At Solo.io, we provide FIPS 140-2 compliant builds of both Istio’s control plane and data plane (Envoy Proxy). We take security very seriously here at Solo.io and that shows in the way we build our products. While others take shortcuts and/or don’t fully understand the security implications of their choices, our ethos at Solo.io is security first.

Using and verifying FIPS Istio

We use Google’s BoringCrypto module as the foundation of our FIPS 140-2 Level 1 compliant builds of Istio. BoringCrypto is the core cryptographic module of the BoringSSL library and has been tested and FIPS validated under the CMVP. Both the control plane and the data plane of Istio are built with this module. The control plane requires a version of Go that links against BoringCrypto, so we leverage go-fips, which assembles the correct builds of Go with BoringCrypto. Our distribution of Istio is almost identical to upstream Istio, but these FIPS builds require some modifications to the code.

The quickest way to get started with FIPS Istio is to use one of our supported builds. You don’t need any special tools or additional CLI wrappers to use FIPS Istio. Just run the following command:

istioctl install --set hub=gcr.io/istio-enterprise --set tag=1.7.5-fips2

Once installed, you should see the Istio components come up successfully:

NAME                                   READY   STATUS    RESTARTS   AGE
istio-ingressgateway-d487ffdd9-5vsnd   1/1     Running   0          67s
istiod-944958c47-9wvjl                 1/1     Running   0          91s

For most auditors, both the control plane AND the data plane must be in FIPS compliant mode. We can verify that by checking the versions of Envoy and istiod. To verify the data plane, run the following command, which prints the Envoy Proxy version:

kubectl exec -it -n istio-system deploy/istio-ingressgateway -- /usr/local/bin/envoy --version

A response should look similar to this:

/usr/local/bin/envoy  version: fa9fd362c488508a661d2ffa66e66976bb9104c3/1.15.1/Clean/RELEASE/BoringSSL-FIPS

To verify the control plane components, we will copy the pilot-discovery binary out of the istiod container and run goversion against it.

First, copy the binary out to local disk:

kubectl cp istio-system/istiod-944958c47-h7fsk:/usr/local/bin/pilot-discovery /tmp/pilot-discovery && chmod +x /tmp/pilot-discovery

Next check the version of Go with the goversion tool passing the -crypto flag:

goversion -crypto /tmp/pilot-discovery

You SHOULD see something like the following if you have a FIPS certified build of Istio:

/tmp/pilot-discovery go1.14.12b4 (boring crypto) +crypto/tls/fipsonly

IF you see something more like this:

/tmp/pilot-discovery go1.14.14 (standard crypto)

THEN your Istio distribution is NOT in FIPS compliant mode. This will not pass an audit. We’ve worked with customers that didn’t validate this, and it came back to bite them. Always do some sanity checking!

NOTE: In more recent versions of Go, i.e. 1.16, goversion will not work correctly. You can work around this with something like this.

NOTE: FIPS 140-2 will reject RSA 4096-bit keys and certificates. If you are running into some certificate issues regarding FIPS, please reach out to us.
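The two checks above are easy to skip under time pressure, so here is the procedure folded into a small POSIX shell script that audits both halves of an install and gives a single pass/fail verdict. This is an added example, not a script from the original post or from the Gloo Mesh distribution. It assumes the markers shown in the sample output above identify FIPS builds ("BoringSSL-FIPS" in the Envoy version string, and both "(boring crypto)" and "+crypto/tls/fipsonly" in the goversion output), that istiod pods carry the label app=istiod, and that the namespace, deployment name and binary paths are the ones used in the post; adjust those for your cluster. Without arguments it only evaluates the sample lines from the post; with --live it runs the same kubectl and goversion commands the post describes.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an Istio install for FIPS
# mode using the markers the post shows in its sample output.
# Assumptions: "BoringSSL-FIPS" marks a FIPS Envoy; "(boring crypto)" together
# with "+crypto/tls/fipsonly" marks a FIPS Go binary; istiod pods are labelled
# app=istiod; namespace, deployment and binary paths are the post's.

# Return 0 when an `envoy --version` line reports a BoringSSL-FIPS build.
envoy_is_fips() {
    case "$1" in
        *BoringSSL-FIPS*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a `goversion -crypto` line reports a BoringCrypto toolchain
# with the fipsonly TLS restriction compiled in. Both markers are required:
# the "(boring crypto)" part says which crypto the binary links, and
# "+crypto/tls/fipsonly" says TLS is pinned to FIPS-approved settings.
go_binary_is_fips() {
    case "$1" in
        *"(boring crypto)"*"+crypto/tls/fipsonly"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict line for one component and return 0 (FIPS) or 1 (not FIPS).
report() {
    name="$1"; line="$2"; checker="$3"
    if "$checker" "$line"; then
        printf '%-16s FIPS      %s\n' "$name" "$line"
        return 0
    fi
    printf '%-16s NOT FIPS  %s\n' "$name" "$line"
    return 1
}

# Live audit: the same commands as the post, run against the current kube context.
# Returns non-zero if either component fails, so it can gate a CI job.
audit_cluster() {
    ns="${ISTIO_NS:-istio-system}"
    envoy_line=$(kubectl exec -n "$ns" deploy/istio-ingressgateway -- /usr/local/bin/envoy --version)
    pod=$(kubectl get pod -n "$ns" -l app=istiod -o jsonpath='{.items[0].metadata.name}')
    kubectl cp "$ns/$pod:/usr/local/bin/pilot-discovery" /tmp/pilot-discovery
    chmod +x /tmp/pilot-discovery
    go_line=$(goversion -crypto /tmp/pilot-discovery)
    rc=0
    report "envoy" "$envoy_line" envoy_is_fips || rc=1
    report "pilot-discovery" "$go_line" go_binary_is_fips || rc=1
    return $rc
}

# Default run: evaluate the sample lines from the post (no cluster needed).
if [ "${1:-}" = "--live" ]; then
    audit_cluster
else
    report "envoy" "/usr/local/bin/envoy  version: fa9fd362c488508a661d2ffa66e66976bb9104c3/1.15.1/Clean/RELEASE/BoringSSL-FIPS" envoy_is_fips || true
    report "pilot-discovery" "/tmp/pilot-discovery go1.14.12b4 (boring crypto) +crypto/tls/fipsonly" go_binary_is_fips || true
    report "pilot-discovery" "/tmp/pilot-discovery go1.14.14 (standard crypto)" go_binary_is_fips || true
fi
```

Run it as `sh fips-audit.sh --live` with a kube context pointing at the mesh; a non-zero exit means at least one component is not a FIPS build, which is exactly the case the post warns will fail an audit.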

Distroless builds

Typically a container should contain just the application and its required dependencies, but in reality it contains a lot of other things (shell, package manager, build tools, OS utilities, etc.). Every additional component in the container image increases your exposure to CVEs and other vulnerabilities. Google open-sourced an approach called distroless that strips everything out of your images except the application itself and its immediate dependencies.

Upstream Istio builds distroless versions of its releases. Solo.io provides distroless builds of FIPS Istio through our Gloo Mesh product. For example, to install the distroless version of FIPS Istio:

istioctl install --set hub=gcr.io/istio-enterprise --set tag=1.7.5-fips2-distroless

Wrap up

FIPS Istio is a common use case we support for our customers. When you need FIPS compliant versions of Istio supported in production with enterprise SLAs, long-term support, and expert guidance, reach out to Solo.io. We provide these builds for all recent versions of Istio, including older ones where applicable.