You can use the FIPS validation tool to verify that specific components and services are FIPS-compliant by checking the signatures of the files against a signed signature file, and by checking that services are using the certified algorithms.

Download Signature Files

You need to download an appropriate, signed signature file before you run validation. Check which version of DKP you are running so that you download the manifest that matches the DKP release on your system. Use the links in the table that follows to obtain a valid file:

DKP version 2.3

Operating System version | Kubernetes version | containerd version | Manifest URL
-------------------------|--------------------|--------------------|-----------------------------
CentOS 7.9               | v1.23.7            | 1.14.13            | v1.23.7 CentOS 7.9 Manifest
Oracle 7.9               | v1.23.7            | 1.14.13            | v1.23.7 OL 7.9 Manifest
RHEL 7.9                 | v1.23.7            | 1.14.13            | v1.23.7 EL 7.9 Manifest
RHEL 8.2                 | v1.23.7            | 1.14.13            | v1.23.7 EL 8.2 Manifest
RHEL 8.4                 | v1.23.7            | 1.14.13            | v1.23.7 EL 8.4 Manifest

Run FIPS validation

To verify that the cluster is FIPS compliant, run the dkp check cluster fips command. It reads the signed manifest you downloaded from the table above and uses it to validate that specific components and services are FIPS-compliant. Run the command:

dkp check cluster fips --signature-file=manifest.asc --signature-configmap=signatures --output-configmap=output

The full command usage and flags include:

dkp check cluster fips [flags]

Flags:

  -h, --help                     help for fips
  -n, --namespace string         If present, the namespace scope for this CLI request. (default "default")
  --output-configmap string      ConfigMap with fips signature data to verify. [required]
  --signature-configmap string   ConfigMap with fips signature data to verify. [required]
  --signature-file string        File containing fips signature data.

Validation command example

Upon successful completion, the command’s output displays details about the deployment in JSON format. If validation fails, the command returns a non-zero status.

For example, to validate FIPS-mode operation with the signature file, manifest-rhel8.json.asc, you would run the following command:

dkp check cluster fips \
 --signature-file manifest-rhel8.json.asc \
 --signature-configmap prod-rhel8-fips-signatures \
 --output-configmap prod-rhel8-fips-validation

Run FIPS validation with existing ConfigMap

If you already have a signature ConfigMap, you can omit the --signature-file flag, as in the following sample command:

dkp check cluster fips \
 --signature-configmap prod-rhel8-fips-signatures \
 --output-configmap prod-rhel8-fips-validation

In this case, the validation tool checks the cluster using the existing signature data and returns deployment details in JSON format.
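The two validation procedures above (with a signature file, and reusing an existing signature ConfigMap) can be wrapped in a small shell script so that the prerequisites are checked before the cluster is touched, the JSON report is kept, and the exit status is not lost. The following is an added example, not part of the DKP documentation or the dkp tool: the DKP_BIN variable, the function names and the report-file argument are this example's own conventions; the flags are the ones listed on this page.

```shell
#!/bin/sh
# Added example (not part of the DKP documentation): a wrapper around
# `dkp check cluster fips` that enforces the prerequisites described above
# before running it, keeps the JSON report, and surfaces the exit status.
# DKP_BIN, the function names and the report-file argument are this example's
# own conventions; the flags themselves are the ones documented for the command.
set -e

# Path to the dkp binary; override to point at a different build.
DKP_BIN="${DKP_BIN:-dkp}"

# Check the inputs before touching the cluster. Both ConfigMap names are
# required by the command; the signature file is optional (an existing
# signature ConfigMap can be reused) but, when given, must exist and be
# non-empty, which catches a manifest download that silently failed.
# Usage: fips_preflight SIGNATURE_CONFIGMAP OUTPUT_CONFIGMAP [SIGNATURE_FILE]
fips_preflight() {
    sig_cm="$1"; out_cm="$2"; sig_file="${3:-}"
    if [ -z "$sig_cm" ] || [ -z "$out_cm" ]; then
        echo "error: --signature-configmap and --output-configmap are both required" >&2
        return 1
    fi
    if [ -n "$sig_file" ] && [ ! -s "$sig_file" ]; then
        echo "error: signature file missing or empty: $sig_file" >&2
        return 1
    fi
    return 0
}

# Render the exact command line that run_fips_check will execute, so it can be
# recorded in a change ticket or audit log alongside the JSON report.
# Usage: fips_cmdline NAMESPACE SIGNATURE_CONFIGMAP OUTPUT_CONFIGMAP [SIGNATURE_FILE]
fips_cmdline() {
    ns="$1"; sig_cm="$2"; out_cm="$3"; sig_file="${4:-}"
    line="$DKP_BIN check cluster fips --namespace $ns --signature-configmap $sig_cm --output-configmap $out_cm"
    if [ -n "$sig_file" ]; then
        line="$line --signature-file $sig_file"
    fi
    echo "$line"
}

# Run the validation. Stdout (the JSON deployment details) is saved to
# REPORT_FILE whether or not the check passes, and the dkp exit status is
# returned unchanged so callers can tell a failed validation from a passed one
# without parsing the report.
# Usage: run_fips_check NAMESPACE SIGNATURE_CONFIGMAP OUTPUT_CONFIGMAP REPORT_FILE [SIGNATURE_FILE]
run_fips_check() {
    ns="$1"; sig_cm="$2"; out_cm="$3"; report="$4"; sig_file="${5:-}"
    fips_preflight "$sig_cm" "$out_cm" "$sig_file" || return 1
    set -- check cluster fips --namespace "$ns" \
        --signature-configmap "$sig_cm" --output-configmap "$out_cm"
    if [ -n "$sig_file" ]; then
        set -- "$@" --signature-file "$sig_file"
    fi
    if "$DKP_BIN" "$@" > "$report"; then
        echo "FIPS validation passed; report written to $report"
        return 0
    else
        status=$?
        echo "FIPS validation FAILED (dkp exit status $status); see $report" >&2
        return "$status"
    fi
}

# Stand-alone use:
#   ./fips-check.sh NAMESPACE SIGNATURE_CONFIGMAP OUTPUT_CONFIGMAP REPORT_FILE [SIGNATURE_FILE]
if [ "$#" -ge 4 ]; then
    fips_cmdline "$1" "$2" "$3" "${5:-}"
    run_fips_check "$@"
fi
```

Run it once with the signature file to populate the signature ConfigMap, and on later checks omit the fifth argument to reuse that ConfigMap, exactly as the two command forms above do; the saved report and the non-zero exit status are what a pipeline or audit job should act on.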