Tetrate Istio Subscription, Version: Next

TIS1701 - Compliance Policy Is Missing, Invalid, or Not Set to Enforce FIPS 140-2 Requirements

The COMPLIANCE_POLICY environment variable is missing, invalid, or not configured to enforce FIPS 140-2 requirements. When COMPLIANCE_POLICY=fips-140-2 is correctly set (e.g., on the istiod deployment), Istio restricts TLS to version 1.2 and limits the cipher suites to FIPS-approved algorithms, ensuring strict FIPS mode.

Recommendation: Set COMPLIANCE_POLICY=fips-140-2

By setting the COMPLIANCE_POLICY environment variable to fips-140-2, Istio ensures TLS 1.2 is used exclusively, with FIPS-approved ciphers. This enforces strict FIPS compliance across both inbound and outbound traffic. For more information, refer to the Configure TID in Strict FIPS Mode.

Examples

  1. istiod Deployment Missing COMPLIANCE_POLICY

    # Excerpt from the rendered istiod Deployment manifest
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: istiod
      namespace: istio-system
    spec:
      template:
        spec:
          containers:
          - name: discovery
            env:
            # Missing COMPLIANCE_POLICY environment variable
            # ...

    Explanation: Without COMPLIANCE_POLICY=fips-140-2, istiod leaves the TLS version range and cipher suite list at Istio's defaults, which permit TLS 1.3 and include cipher suites that are not on the FIPS-approved list (Envoy's default cipher list, for instance, includes ChaCha20-Poly1305 suites). Connections in the mesh can therefore negotiate non-FIPS-approved parameters, and the deployment does not meet FIPS 140-2 requirements.

  2. COMPLIANCE_POLICY Set Incorrectly

    helm upgrade --install istiod tetratelabs/istiod -n istio-system \
    --set global.tag=${TAG} \
    --set "pilot.env.COMPLIANCE_POLICY=some-other-value" \
    --version ${VERSION} \
    --wait

    Explanation: Here, pilot.env.COMPLIANCE_POLICY is set to something other than fips-140-2. The strict FIPS mode is not enabled, so the cluster may still allow TLS versions or ciphers that are non-FIPS-compliant.

Recommendation

  1. Set the COMPLIANCE_POLICY Environment Variable to fips-140-2

    Ensure the istiod deployment (pilot) is properly configured:

    helm upgrade --install istiod tetratelabs/istiod -n istio-system \
    --set global.tag=${TAG} \
    --set "pilot.env.COMPLIANCE_POLICY=fips-140-2" \
    --version ${VERSION} \
    --wait

    This restricts TLS to version 1.2 and enforces only FIPS-approved cipher suites within Istio.
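The following shell script is an added example and is not part of the TIS documentation or of the TIS1701 check's own implementation. It reproduces the three situations shown on this page (variable missing, variable set to another value, variable set to fips-140-2) against constructed istiod Deployment manifests and reports each one the way the check does. The manifests, the helper names istiod_manifest and check_compliance_policy, and the PASS/FAIL output format are assumptions made for this example. It only recognises a plain value: entry under the env list (a valueFrom entry is reported as an empty, hence invalid, value) and it does not restrict the search to the discovery container.

```shell
#!/bin/sh
# Added example: a TIS1701-style check over a rendered istiod Deployment.
# Not the TIS implementation; helper names and the PASS/FAIL output format
# are assumptions made for this example.

# check_compliance_policy: read a Deployment manifest on stdin and report the
# state of the COMPLIANCE_POLICY env var. Prints PASS, FAIL:missing or
# FAIL:invalid:<value>; exit status is 0 only on PASS.
# Assumption: the variable is set with a plain "value:" entry (valueFrom shows
# up as an empty, hence invalid, value) and the search is not scoped to the
# discovery container.
check_compliance_policy() {
  value=$(awk '
    # The list item "- name: COMPLIANCE_POLICY" marks the entry we care about.
    /^[ \t]*-[ \t]*name:[ \t]*COMPLIANCE_POLICY[ \t]*$/ { seen = 1; want = 1; next }
    # The first "value:" line after it is the setting; strip the key and quotes.
    want && /^[ \t]*value:/ {
      sub(/^[ \t]*value:[ \t]*/, ""); gsub(/["\047]/, ""); print; exit
    }
    # Another list item starts before a value was found: the entry has none.
    want && /^[ \t]*-/ { want = 0 }
    END { if (!seen) print "__MISSING__" }
  ')
  case "$value" in
    __MISSING__) echo "FAIL:missing";          return 1 ;;
    fips-140-2)  echo "PASS";                  return 0 ;;
    *)           echo "FAIL:invalid:${value}"; return 1 ;;
  esac
}

# istiod_manifest ENV_LINES: emit a minimal, constructed istiod Deployment
# (not a real chart rendering) whose discovery container carries the given
# extra env entries, already indented to sit under "env:".
istiod_manifest() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istiod
  namespace: istio-system
spec:
  template:
    spec:
      containers:
      - name: discovery
        env:
        - name: REVISION
          value: default
$1
EOF
}

# The three situations from the page, as constructed env fragments.
ENV_MISSING=''
ENV_WRONG='        - name: COMPLIANCE_POLICY
          value: "some-other-value"'
ENV_OK='        - name: COMPLIANCE_POLICY
          value: fips-140-2'

# Demo over the constructed manifests. Against a live cluster, pipe the real
# object in instead:
#   kubectl -n istio-system get deploy istiod -o yaml | check_compliance_policy
printf 'missing:  %s\n' "$(istiod_manifest "$ENV_MISSING" | check_compliance_policy)"
printf 'wrong:    %s\n' "$(istiod_manifest "$ENV_WRONG"   | check_compliance_policy)"
printf 'correct:  %s\n' "$(istiod_manifest "$ENV_OK"      | check_compliance_policy)"
```

Because check_compliance_policy exits non-zero on anything but PASS, it can gate a CI step that runs after the helm upgrade above; the --set "pilot.env.COMPLIANCE_POLICY=fips-140-2" flag renders into exactly the kind of name/value env entry the function looks for.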