Tetrate Istio Subscription (Version: Next)

TIS1703 - The Image Is Not FIPS Compliant

The Istio or Envoy proxy image in use is not FIPS 140-2 validated, meaning it does not meet the cryptographic requirements for organizations or environments that require strict FIPS compliance.

Recommendation: Use a FIPS-Validated Image

Obtain and deploy Tetrate’s FIPS-validated Istio builds from the Tetrate FIPS registry. By doing so, you ensure that your image is backed by a FIPS 140-2 validated cryptographic module and meets the compliance needs of regulated environments.

Examples

  1. Non-FIPS Docker Hub Image

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: non-fips-deployment
      namespace: default
    spec:
      template:
        spec:
          containers:
            - name: app-container
              # Example: Using the standard Docker Hub image, not Tetrate’s FIPS registry
              image: docker.io/istio/proxyv2:1.20.0

    Explanation: This container is pulled from a non-FIPS repository (docker.io/istio). It is not validated for FIPS 140-2 compliance, potentially failing security audits or regulations that mandate FIPS usage.

  2. FIPS-Validated Image Reference Missing

    # The docker.io/istio hub does not contain FIPS images
    helm install istiod tetratelabs/istiod -n istio-system \
      --set global.tag=1.20.0-tetrate0 \
      --set global.hub="docker.io/istio"

    Explanation: Even if you specify a tag resembling a Tetrate version, pointing global.hub to docker.io/istio means the pulled images will not be from Tetrate’s FIPS repository.

Recommendation

  1. Use Tetrate FIPS Images

    Tetrate provides FIPS-validated Istio builds hosted in Tetrate's dedicated FIPS registry (fips-containers.istio.tetratelabs.com). These images are cryptographically validated under FIPS 140-2.

  2. Obtain Credentials from Tetrate

    Access to Tetrate’s FIPS registry requires credentials. Set them as environment variables:

    export TIS_USER="<tis-username>"
    export TIS_PASS="<tis-password>"

  3. Install FIPS-Validated Istio

    Refer to Install FIPS-Validated Istio for detailed instructions using Helm or istioctl. For example, with Helm:

    helm install istiod tetratelabs/istiod -n istio-system \
    --set global.tag=1.20.0-tetratefips0 \
    --set global.hub="fips-containers.istio.tetratelabs.com" \
    --set "global.imagePullSecrets[0]=tetrate-fips-creds" \
    --version 1.20.0+tetrate0
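
To confirm after installation that no workload still runs an Istio image from outside the FIPS registry, the pod list can be scanned for the condition this check describes. The script below is an added example, not Tetrate's implementation of TIS1703; the set of Istio image names and the sample pod list are assumptions, and a registry match shows only where an image was pulled from.

```python
import json
import sys

FIPS_REGISTRY = "fips-containers.istio.tetratelabs.com"  # registry named on this page
# Assumption: repository names treated as Istio components for this check.
ISTIO_IMAGE_NAMES = {"proxyv2", "pilot", "install-cni", "ztunnel"}
# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "app-1"},
     "spec": {"initContainers": [{"name": "istio-init", "image": "docker.io/istio/proxyv2:1.20.0"}],
              "containers": [{"name": "app", "image": "nginx:1.25"},
                             {"name": "istio-proxy", "image": "docker.io/istio/proxyv2:1.20.0"}]}},
    {"metadata": {"namespace": "istio-system", "name": "istiod-0"},
     "spec": {"containers": [{"name": "discovery", "image": FIPS_REGISTRY + "/pilot:1.20.0-tetratefips0"}]}},
    {"metadata": {"namespace": "default", "name": "app-2"},
     "spec": {"containers": [{"name": "istio-proxy", "image": "istio/proxyv2:1.20.0-tetrate0"}]}},
]}


def split_image(ref):
    """Split an image reference into (registry, repository name without tag)."""
    ref = ref.split("@", 1)[0]  # drop a digest if present
    first, _, rest = ref.partition("/")
    # The first component is a registry only if it looks like a host name.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref  # implicit default registry
    return registry.lower(), path.rsplit("/", 1)[-1].split(":", 1)[0]


def non_fips_istio_images(pod_list):
    """Return (namespace, pod, container, image) for Istio images outside the FIPS registry."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        # Sidecar injection can add an init container too, so scan both lists.
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            registry, name = split_image(c["image"])
            if name in ISTIO_IMAGE_NAMES and registry != FIPS_REGISTRY:
                findings.append((meta["namespace"], meta["name"], c["name"], c["image"]))
    return findings


if __name__ == "__main__":
    # Pass "-" to read `kubectl get pods -A -o json` from stdin; otherwise use SAMPLE.
    data = json.load(sys.stdin) if "-" in sys.argv[1:] else SAMPLE
    for finding in non_fips_istio_images(data):
        print("non-FIPS Istio image:", *finding)
```

Pods injected before the switch to the FIPS hub keep their old sidecar image until they are restarted, so run the scan again after rolling the workloads.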