FIPS 140-2 encryption using Istio #11723
Comments
|
cc @johnma14 |
|
@gyliu513 I haven't gotten a chance so far to look at this in detail since I have been trying to complete some PR's for the 1.1 release. I hope to start work on this next week onwards if that is ok. |
|
Target this for post 1.2 given it is not in 1.2 roadmap and requires a need and socialize with security WG. |
|
@linsun Thanks for the heads up ... I know that dates are irrelevant in what we do, but I'm curious when you think FIPS 140-2 will make it into an RC? |
|
Guidance about how to enable FIPS support for power - envoyproxy/envoy#7221 |
|
chatted with @PiotrSikora offline and he has done some investigation on this, looking forward to seeing those. Also, added this topic to the security WG agenda tmr for folks who are interested in it. |
|
Any movement on this being added to the Istio roadmap? |
|
A quick update on this topic: A couple of us have discussed this topic at an Istio security WG mtg few weeks back:
(An alternative being discussed: Redhat has an open source github repository that is a fork of envoy proxy and replaced boringSSL with openSSL for FIPS 140-2 compliance. And in this mode, no sidecar config is needed thus no pilot code change is needed.)
|
|
Thank you so much for the update, @linsun! |
|
This issue has been automatically marked as stale because it has not had activity in the last 90 days. It will be closed in the next 30 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions. |
istio-policy-bot
added
the
lifecycle/stale
linsun
added
lifecycle/staleproof
|
Marking as staleproof as this issue still exists. |
|
@linsun - I would love to help drive this forward, as FIPS 140-2 compliance is becoming increasingly more important for industry-wide adoption. Is the Security WG owning this? |
This isn't a true dependency. For audit purposes if you care about istio using a FIPS 140-2 crypto module you probably also care about apiserver/kubelet/etc. using a FIPS module, but istio itself doesn't need to be concerned with whether the endpoint it connects to is itself FIPS. Which is convenient because there's not really a way to ensure that an endpoint a FIPS module client connects to is using a FIPS module server. |
|
Azure Kubernetes Service is now FedRAMP moderate and high authorized. I agree with @jeffb4 that FIPS 140-2 certification of the k8s API server should not be a concern for Istio. |
|
Is there more progress and update on Istio support for FIPS 140-2? What are the steps to build and enable it via Istio? |
|
I'll be making rounds and communicating with all of the Security WG and Networking WG leaders to help provide an update on this. |
|
Any news to share ? |
|
I would also be very interested in hearing updates on the status of this! |
|
I second @jennbergs. FIPS compliance is becoming important as we move critical and sensitive workloads to our applications running on K8S. I am wondering if K8S itself is FIPS compliant, meaning is K8S using only BoringCrypto algorithms for key/token/secret management and API authentication ? |
|
Any update on this ? |
@linsun would be very grateful for a link to that github repo. Couldn't find it myself. |
|
Banzai Cloud have FIPS 140-2 working in the latest version of Istio.. https://banzaicloud.com/blog/istio-fips/ Unfortunately it doesn't seem like they will be offering this open source.. |
|
I see that this was prioritized as a P1, any idea, on relative timeframe when this would be supported? |
|
Circling back to this one once again. We need to get this item prioritized for an upcoming release. |
|
Ensuring the proper fips library is in the container built properly is another challenge. |
|
Any tentative plan to incorporate this in upcoming release? |
@antweiss while this might not be a RedHat repo, I think this is what you might be looking for: https://github.com/envoyproxy/envoy-openssl I haven't really checked if the referenced OpenSSL is FIPS 140-2 compliant but that should be relatively easy to do. Also, if you don't care about QUIC, Envoy can now be build with a FIPS 140-2 compliant BoringSSL version as described here: https://www.envoyproxy.io/docs/envoy/v1.16.0/intro/arch_overview/security/ssl.html?highlight=fips#fips-140-2 |
|
Hi, instead of recompiling Istio linking against a FIPS mode version of BoringSSL, would it not be possible to simply, restrict the crypto used by Istio to FIPs primitives.. i.e. (AES, ECDSA, RSA, SHA2), for example by changing ciphersuites... or indeed, is Istio using non-compliant crypto elsewhere that is non-configurable? |
No. It is not sufficient to limit algorithms and cipher suites. You must use a library that has been certified by NIST's Cryptographic Module Validation Program. See below link. Note that there are both BoringSSL and OpenSSL modules which have been validated. https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search |
|
Thanks @ntap-joshuap . |
UP. Same question, anybody knows when boringssl will be provided as an option in upstream? |
|
Tetrate offers open source FIPS compliant istio and supported much longer. For details please take a look at - https://getistio.io/getistio-cli |
|
They also have distroless fips enabled version if someone is looking for distroless. Just need to use tag 1.9.0-tetratefips-v1-distroless |
|
Is there any update on official istio FIPS images as of yet? I see there are 3rd-party offerings and such |
|
If you are looking to build one from source: #37118 (comment) |
and others
Describe the feature request
Some discussion here https://groups.google.com/forum/#!topic/istio-users/Zk82Wxu4Zrc
Describe alternatives you've considered
Envoy already support FIPS with x86, we should enable Istio use the latest envoy to support FIPS encryption. Checkout here https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/ssl#fips-140-2 for detail.
FYI @morvencao @clyang82 @linsun
The text was updated successfully, but these errors were encountered: