istio.io/istio@v0.0.0-20240520182934-d79c90f27776/releasenotes/notes/fips.yaml (about)

apiVersion: release-notes/v2
kind: bug-fix
area: security
issue:
- 49081

releaseNotes:
- |
  **Added** an environment variable `COMPLIANCE_POLICY` to Istio components for
  enforcing TLS restrictions for compliance with FIPS. When set to `fips-140-2`
  on the Istiod container, the Istio Proxy container, and all other Istio
  components, the TLS version is restricted to v1.2, the cipher suites to
  `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES128-GCM-SHA256`,
  `ECDHE-ECDSA-AES256-GCM-SHA384` and `ECDHE-RSA-AES256-GCM-SHA384`, and the
  ECDH curves to `P-256`. These restrictions apply on the following data paths:

  * mTLS communication between Envoy proxies;
  * regular TLS on the downstream and the upstream of Envoy proxies (e.g. gateway);
  * Google gRPC side requests from Envoy proxies (e.g. Stackdriver extensions);
  * Istiod xDS server;
  * Istiod injection and validation webhook servers.

  The restrictions are not applied on the following data paths:

  * Istiod to Kubernetes API server;
  * JWK fetch from Istiod;
  * Wasm image and URL fetch from Istio Proxy containers;
  * ztunnel.

  Note that the Istio injector will propagate the value of `COMPLIANCE_POLICY` to the
  injected proxy container, when set.
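The restriction set above (TLS 1.2 only, four ECDHE AES-GCM suites, P-256 only) is easy to misread as "FIPS mode is on"; what it actually means is that a peer offering only TLS 1.3, only a non-listed suite such as ChaCha20-Poly1305, or only an X25519 key share will fail the handshake. The following Go program is an added example, not Istio's or Envoy's code: it renders the same restriction set as a `crypto/tls` server config (mapping Envoy's `ECDHE-ECDSA-AES128-GCM-SHA256` etc. onto Go's `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` constants), then runs loopback handshakes with a compliant client and three non-compliant ones to show which are accepted. The self-signed P-256 certificate is a constructed test fixture, and `InsecureSkipVerify` is set only because of it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// fipsCipherSuites is the release note's suite list in crypto/tls naming.
// Envoy's ECDHE-ECDSA-AES128-GCM-SHA256 is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, etc.
var fipsCipherSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// FIPSAllowed reports whether a negotiated suite is one of the four listed suites.
func FIPSAllowed(suite uint16) bool {
	for _, s := range fipsCipherSuites {
		if s == suite {
			return true
		}
	}
	return false
}

// FIPSServerConfig expresses the note's restriction set as a Go tls.Config:
// TLS 1.2 only, the four ECDHE AES-GCM suites, and P-256 as the only ECDH curve.
// Illustrative rendering only; Istio enforces the policy inside Envoy and Istiod.
func FIPSServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       tls.VersionTLS12,
		CipherSuites:     fipsCipherSuites,
		CurvePreferences: []tls.CurveID{tls.CurveP256},
	}
}

// SelfSignedP256 builds a throwaway ECDSA P-256 certificate for 127.0.0.1 (test fixture).
func SelfSignedP256() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "fips-policy-check"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one client handshake against a loopback server using srvCfg and
// returns the negotiated connection state, or the handshake error the client saw.
func Handshake(srvCfg, cliCfg *tls.Config) (tls.ConnectionState, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		// Drive the server side; a failure here reaches the client as a TLS alert.
		_ = c.(*tls.Conn).Handshake()
		c.Close()
	}()
	cfg := cliCfg.Clone()
	cfg.InsecureSkipVerify = true // self-signed fixture only; never do this in production
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), nil
}

func main() {
	cert, err := SelfSignedP256()
	if err != nil {
		panic(err)
	}
	srv := FIPSServerConfig(cert)
	probes := map[string]*tls.Config{
		"compliant TLS 1.2 client": {MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12},
		"TLS 1.3-only client":      {MinVersion: tls.VersionTLS13},
		"ChaCha20 suite only":      {MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256}},
		"X25519 curve only":        {MaxVersion: tls.VersionTLS12, CurvePreferences: []tls.CurveID{tls.X25519}},
	}
	for name, cli := range probes {
		st, err := Handshake(srv, cli)
		if err != nil {
			fmt.Printf("%-26s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-26s accepted: TLS 0x%04x %s\n", name, st.Version, tls.CipherSuiteName(st.CipherSuite))
	}
}
```

Only the first probe completes; the other three fail with a protocol-version or handshake-failure alert, which is the behaviour to expect from a peer that cannot meet the policy. Against a live mesh the equivalent check is a client that offers only TLS 1.3 (for example `openssl s_client -tls1_3`) or only a non-listed suite and confirming that the gateway or Istiod webhook refuses it; note that the data paths the note lists as exempt (API server, JWK and Wasm fetches, ztunnel) will not show this behaviour.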