Skip to main content
Skip table of contents

FIPS 140-2 Compliance

Understand FIPS-140 Operating Mode and Requirements

Developed by a working group of government, industry operators, and vendors, the Federal Information Processing Standard (FIPS), FIPS-140 defines security requirements for cryptographic modules. FIPS defines what cryptographic cyphers can be used.   Kubernetes uses encryption by default between various components and FIPS support ensures that the ciphers used for those communications meet those standards. The standard provides for a wide spectrum of data sensitivity, transaction values, and a diversity of application environment security situations. The standard specifies four security levels for each of eleven requirement areas. Each successive level offers increased security.

NIST introduced FIPS 140-2 validation, by accredited third party laboratories, as a formal, rigorous process to protect sensitive digitally-stored information not under Federal security classifications.

FIPS Support in DKP

DKP supports provisioning a FIPS-enabled Kubernetes control plane. Core Kubernetes components are compiled using a version of Go, called goboring, which uses a FIPS-certified cryptographic module for all cryptographic functions.

Before provisioning DKP, you will need to follow your OS vendor’s instructions to ensure that your OS, or OS images, are prepared for operating in FIPS mode.

You cannot apply FIPS-mode to an existing cluster, you must create a new cluster with FIPS enabled. Similarly, a FIPS-mode cluster must remain a FIPS-mode cluster; you cannot change the cluster's FIPS status after you create it.

Infrastructure Requirements for FIPS-140-2 Mode

To ensure proper operations in FIPS mode, be sure that your environment meets these requirements:

FIPS 140 Mode Performance Impact

Supported Operating Systems

Supported Operating Systems for FIPS mode are Red Hat Enterprise Linux and CentOS. See the Supported Operating Systems for details on the tested and supported versions.

Deploying a Cluster in FIPS mode

In order to create a cluster in FIPS mode, we must inform the bootstrap controllers of the appropriate image repository and version tags of the official D2iQ FIPS builds of Kubernetes.

Supported FIPS Builds

Component

Repository

Version

Kubernetes

docker.io/mesosphere

v1.26.14+fips.0

etcd

docker.io/mesosphere

3.5.10+fips.0

AWS Example:

When creating a cluster, use the following command line options:

  • --ami <fips enabled AMI created in the previous step> (AWS only)

  • --kubernetes-version <version>+fips.<build>

  • --etcd-version <version>+fips.<build>

  • --kubernetes-image-repository docker.io/mesosphere

  • --etcd-image-repository docker.io/mesosphere

For example:

CODE
dkp create cluster aws --cluster-name myFipsCluster \
--ami=ami-03dcaa75d45aca36f \
--kubernetes-version=v1.26.6+fips.0 \
--kubernetes-image-repository=docker.io/mesosphere \
--etcd-image-repository=docker.io/mesosphere \
--etcd-version=3.5.6+fips.0

vSphere Example:

CODE
dkp create cluster vsphere \
  --cluster-name ${CLUSTER_NAME} \
  --network <NETWORK_NAME> \
  --control-plane-endpoint-host <xxx.yyy.zzz.000> \
  --data-center <DATACENTER_NAME> \
  --data-store <DATASTORE_NAME> \
  --folder <FOLDER_NAME> \
  --server <VCENTER_API_SERVER_URL> \
  --ssh-public-key-file <SSH_PUBLIC_KEY_FILE> \
  --resource-pool <RESOURE_POOL_NAME> \
  --vm-template <TEMPLATE_NAME> \
  --self-managed \
  --kubernetes-version=v1.26.6+fips.0 \
  --kubernetes-image-repository=docker.io/mesosphere \
  --etcd-image-repository=docker.io/mesosphere --etcd-version=3.5.6+fips.0
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.