// Copyright Istio Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
"istio.io/istio/pkg/env"
// FIPS_140_2 compliance policy.
// nolint: revive, stylecheck
FIPS_140_2 = "fips-140-2" // same string the COMPLIANCE_POLICY description lists as the FIPS 140-2 policy value
// Define common security feature flags shared among the Istio components.
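// CompliancePolicy is the value obtained from the COMPLIANCE_POLICY
// environment variable registration. The registered default is the empty
// string, which the description below documents as placing no additional
// restrictions on TLS settings.
//
// NOTE(review): nothing in this declaration validates the value against the
// documented set ('' or 'fips-140-2'). Confirm that consumers reject or log an
// unrecognised value rather than treating it as unset; otherwise a misspelled
// policy would leave TLS settings unrestricted while operators assume the
// policy is in force.
CompliancePolicy = env.Register("COMPLIANCE_POLICY", "",
	`If set, applies policy-specific restrictions over all existing TLS
settings, including in-mesh mTLS and external TLS. Valid values are:

* '' or unset places no additional restrictions.
* 'fips-140-2' which enforces a version of the TLS protocol and a subset
of cipher suites overriding any user preferences or defaults for all runtime
components, including Envoy, gRPC Go SDK, and gRPC C++ SDK.

WARNING: Setting compliance policy in the control plane is a necessary but
not a sufficient requirement to achieve compliance. There are additional
steps necessary to claim compliance, including using the validated
cryptographic modules (please consult
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2).`).Get()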