istio-proxy-fips

Packages the Istio sidecar proxy (Envoy) built with FIPS 140-2 validated cryptographic modules for use in regulated and compliance-sensitive environments.

envoy, linkerd-proxy, nginx, haproxy

What is istio-proxy-fips?

The istio-proxy-fips image is a variant of the standard Istio proxy (based on Envoy) compiled with FIPS 140-2 validated cryptographic libraries. It is used as a drop-in replacement for the default istio/proxyv2 image in environments where federal, financial, healthcare, or other compliance frameworks require the use of FIPS-validated cryptography for data in transit.

It is injected as a sidecar container into application pods by Istio's mutating admission webhook, intercepting all inbound and outbound traffic to enforce mTLS, traffic policy, observability, and routing rules. The FIPS variant is configured at the Istio control plane level, typically by pointing the global.proxy.image Helm value to the FIPS image.

How to use this image

Configure Istio to use the FIPS proxy image via Helm:

helm install istio-base istio/base -n istio-system

helm install istiod istio/istiod -n istio-system \
  --set global.proxy.image=gcr.io/istio-release/proxyv2-fips \
  --set global.proxy_init.image=gcr.io/istio-release/proxyv2-fips

Verify the FIPS image is in use on an injected pod:

kubectl get pod <pod-name> \
  -o jsonpath='{.spec.containers[?(@.name=="istio-proxy")].image}'

Override the proxy image for a single namespace:

kubectl annotate namespace my-namespace \
  istio.io/rev=default \
  sidecar.istio.io/proxyImage=gcr.io/istio-release/proxyv2-fips

Check proxy FIPS mode in the Envoy admin interface:

kubectl exec <pod-name> -c istio-proxy -- \
  pilot-agent request GET server_info | grep -i fips

Image variants

gcr.io/istio-release/proxyv2-fips:<version>

Versioned FIPS proxy images tied to a specific Istio release (e.g. 1.20.0). The proxy image version must match the Istiod control plane version exactly. There is no latest tag; always pin to a specific Istio release version.
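
The pinning rule above can be checked across a cluster. The following is an added example, not part of the original page or of the Istio project: a shell audit that flags sidecars that are not on the FIPS repository, carry no version tag or the latest tag, or do not match the istiod version exactly. The function names (classify_image, audit, sample), the input line format and the sample pod names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit istio-proxy sidecar images against the pinning rule.
# Assumed input on stdin, one pod per line: "<namespace>/<pod> <image>", e.g. from
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[?(@.name=="istio-proxy")].image}{"\n"}{end}'
FIPS_REPO="gcr.io/istio-release/proxyv2-fips"   # repository named on this page

# classify_image IMAGE ISTIOD_VERSION: print one verdict word for IMAGE.
classify_image() {
  _ref=${1%%@*}        # drop any @sha256 digest suffix
  _last=${_ref##*/}    # final path component; only this part can hold a tag
  case $_last in
    *:*) _tag=${_last##*:}; _repo=${_ref%:*} ;;
    *)   _tag=""; _repo=$_ref ;;
  esac
  if [ -z "$1" ]; then echo no-sidecar
  elif [ "$_repo" != "$FIPS_REPO" ]; then echo not-fips
  # A digest-only reference has no version to compare, so it is reported too.
  elif [ -z "$_tag" ] || [ "$_tag" = latest ]; then echo unpinned
  elif [ "$_tag" != "$2" ]; then echo version-mismatch
  else echo ok
  fi
}

# audit ISTIOD_VERSION: read pod lines on stdin, print findings, return 1 if any.
audit() {
  _want=$1 _rc=0
  while read -r _pod _image; do
    [ -n "$_pod" ] || continue
    _verdict=$(classify_image "$_image" "$_want")
    case $_verdict in
      ok|no-sidecar) ;;
      *) echo "$_verdict $_pod $_image"; _rc=1 ;;
    esac
  done
  return $_rc
}

# Constructed sample input (not real cluster output).
sample() { cat <<'EOF'
payments/api-7d9f gcr.io/istio-release/proxyv2-fips:1.20.0
payments/worker-5c2a gcr.io/istio-release/proxyv2-fips:1.19.3
web/front-66b1 istio/proxyv2:1.20.0
web/cache-0a1b gcr.io/istio-release/proxyv2-fips:latest
batch/job-x1
EOF
}
sample | audit 1.20.0 || echo "audit failed: fix the pods listed above"
```

Pods without an istio-proxy container are skipped rather than reported, since the audit only covers injected workloads.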
