Verify FIPS Image
Tetrate Istio Subscription (TIS) includes FIPS-validated Tetrate Istio distribution builds. This guide explains how to verify the FIPS compliance of the installed artifacts.
Pilot Agent
Once you have installed a FIPS package, you can quickly check whether the installed artifacts were compiled as FIPS-compliant binaries.
For pilot-agent, confirm that the version command output contains GolangVersion:"go1.21.8 X:boringcrypto". The X:boringcrypto suffix shows that the binary was built with Go's BoringCrypto experiment.
kubectl exec -it -n istio-ingress deployment/istio-ingressgateway -- /usr/local/bin/pilot-agent version
Output:
version.BuildInfo{Version:"1.20.3-tetratefips5", GitRevision:"649ec053d888f210cf9175010c300b8b7d0ace8c", GolangVersion:"go1.21.8 X:boringcrypto", BuildStatus:"Clean", GitTag:"1.20.3-tetratefips5"}
Envoy Proxy
For the envoy binary, verify the FIPS build by checking for BoringSSL-FIPS in the --version output.
kubectl exec -it -n istio-ingress deployment/istio-ingressgateway -- /usr/local/bin/envoy --version
Output:
/usr/local/bin/envoy version: 30e213147c5e54158b6176417c39c46eca60c580/1.28.1-dev/Distribution/istio/proxy/RELEASE/BoringSSL-FIPS
Istiod Control Plane
For the istiod control plane, verify FIPS compliance by checking for GolangVersion:"go1.21.8 X:boringcrypto" in the version command output.
kubectl exec -it -n istio-system deployment/istiod -- /usr/local/bin/pilot-discovery version
Output:
version.BuildInfo{Version:"1.20.3-tetratefips4", GitRevision:"649ec053d888f210cf9175010c300b8b7d0ace8c", GolangVersion:"go1.21.8 X:boringcrypto", BuildStatus:"Clean", GitTag:"1.20.3-tetratefips4"}
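The three checks above can be scripted so that a non-FIPS image fails a pipeline instead of relying on someone reading the output. The following is an added example, not part of Tetrate's tooling: the function names are hypothetical, the non-FIPS sample lines are constructed, and check_workload omits -it so that it runs without a terminal.

```shell
#!/bin/sh
# Added example (not Tetrate tooling): classify version output using this guide's FIPS markers.

# pilot-agent / pilot-discovery: GolangVersion must carry the X:boringcrypto marker.
is_fips_go_build() {
    printf '%s\n' "$1" | grep -Eq 'GolangVersion:"go[0-9][^"]* X:boringcrypto"'
}

# envoy: the last "/"-separated field of the version line must be exactly BoringSSL-FIPS.
is_fips_envoy_build() {
    ssl=$(printf '%s\n' "$1" |
        sed -n 's|.*version: .*/\([^/[:space:]]*\)[[:space:]]*$|\1|p' | head -n 1)
    [ "$ssl" = "BoringSSL-FIPS" ]
}

# Check a live workload. Returns 0 = FIPS, 1 = marker missing, 2 = command could not be run.
# Usage: check_workload <namespace> <deployment> <binary-path> <go|envoy>
check_workload() {
    case "$4" in
        go)    out=$(kubectl exec -n "$1" "deployment/$2" -- "$3" version) || return 2
               is_fips_go_build "$out" ;;
        envoy) out=$(kubectl exec -n "$1" "deployment/$2" -- "$3" --version) || return 2
               is_fips_envoy_build "$out" ;;
        *)     return 2 ;;
    esac
}

# Sample outputs: GO_FIPS and ENVOY_FIPS are copied from this guide; GO_PLAIN and
# ENVOY_PLAIN are constructed to show what these checks reject.
GO_FIPS='version.BuildInfo{Version:"1.20.3-tetratefips5", GitRevision:"649ec053d888f210cf9175010c300b8b7d0ace8c", GolangVersion:"go1.21.8 X:boringcrypto", BuildStatus:"Clean", GitTag:"1.20.3-tetratefips5"}'
GO_PLAIN='version.BuildInfo{Version:"0.0.0-sample", GitRevision:"sample", GolangVersion:"go1.21.8", BuildStatus:"Clean", GitTag:"0.0.0-sample"}'
ENVOY_FIPS='/usr/local/bin/envoy version: 30e213147c5e54158b6176417c39c46eca60c580/1.28.1-dev/Distribution/istio/proxy/RELEASE/BoringSSL-FIPS'
ENVOY_PLAIN='/usr/local/bin/envoy version: 0000000000000000000000000000000000000000/1.28.1-dev/Clean/RELEASE/BoringSSL'

for s in "$GO_FIPS" "$GO_PLAIN"; do
    if is_fips_go_build "$s"; then echo "FIPS     ${s%%,*}"; else echo "NOT FIPS ${s%%,*}"; fi
done
for s in "$ENVOY_FIPS" "$ENVOY_PLAIN"; do
    if is_fips_envoy_build "$s"; then echo "FIPS     ${s##*/}"; else echo "NOT FIPS ${s##*/}"; fi
done
```

Against a cluster, call for example check_workload istio-system istiod /usr/local/bin/pilot-discovery go and treat any non-zero return as a failed verification.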