Skip to main content
Skip table of contents

Validate FIPS in Cluster

You can use the FIPS validation tool to verify that specific components and services are FIPS-compliant. The tool checks the components by comparing their file signatures against ones stored in a signed signature file, and by checking that services are using the certified algorithms.

Run FIPS validation

To verify the cluster is FIPS compliant, run dkp check cluster fips. This command reads from the signature files embedded in the dkp executable in order to validate that specific components and services are FIPS-compliant. Run the command:

CODE
dkp check cluster fips

Upon successful completion, the command’s output displays details about the deployment in JSON format. If validation fails, the output will say which components fail and a list of the nodes that failed validation will return.

The full command usage and flags include:

CODE
dkp check cluster fips [flags]

Flags:

CODE
  -h, --help                         Help for fips
      --kubeconfig string            Path to the kubeconfig file for the fips cluster. If unspecified, default discovery rules apply.
  -n, --namespace string             If present, the namespace scope for this CLI request. (default "default")
      --output-configmap string      ConfigMap to store result of the fips check. (default "check-cluster-fips-output") (DEPRECATED: This flag will be removed in a future release.)
      --signature-configmap string   ConfigMap with fips signature data to verify.
      --signature-file string        File containing fips signature data.
      --timeout duration             The length of time to wait before giving up. Zero means wait forever (e.g. 1s, 2m, 3h). (default 10m0s)

Run FIPS validation with custom signature file

To validate FIPS-mode operation with the a custom signature file, you can use the signature-file flag, as in the following command. You also need to use the signature-configmap flag to set the name of the ConfigMap used to store your custom signature file.

CODE
dkp check cluster fips \
 --signature-file custom.json.asc \
 --signature-configmap custom-signature-file

Run FIPS validation with existing ConfigMap

If you already have a signature file stored in a ConfigMap, you can omit the signature-file flag, as in the following command:

CODE
dkp check cluster fips \
 --signature-configmap prod-rhel8-fips-signatures

Signature Files

The following signature files are already embedded in the dkp executable. They are provided for reference. You do not need to download them to run the FIPS check.

DKP Version 2.6.0

Operating System version

Kubernetes version

containerd version

Signature File URL

CentOS 7.9

v1.26.14

1.6.28

CentOS 7.9

Oracle 7.9

v1.26.14

1.6.28

Oracle 7.9

RHEL 7.9

v1.26.14

1.6.28

RHEL 7.9

RHEL 8.4

v1.26.14

1.6.28

RHEL 8.4

RHEL 8.6

v1.26.14

1.6.28

RHEL 8.6

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.