You can use the FIPS validation tool to verify that specific components and services are FIPS-compliant. The tool checks the components by comparing their file signatures against ones stored in a signed signature file, and by checking that services are using the certified algorithms.
Run FIPS validation
To verify the cluster is FIPS compliant, run
dkp check cluster fips. This command reads from the signature files embedded in the
dkp executable in order to validate that specific components and services are FIPS-compliant. Run the command:
dkp check cluster fips
Upon successful completion, the command’s output displays details about the deployment in JSON format. If validation fails, the output will say which components fail and a list of the nodes that failed validation will return.
The full command usage and flags include:
dkp check cluster fips [flags]
-h, --help Help for fips --kubeconfig string Path to the kubeconfig file for the fips cluster. If unspecified, default discovery rules apply. -n, --namespace string If present, the namespace scope for this CLI request. (default "default") --output-configmap string ConfigMap to store result of the fips check. (default "check-cluster-fips-output") (DEPRECATED: This flag will be removed in a future release.) --signature-configmap string ConfigMap with fips signature data to verify. --signature-file string File containing fips signature data. --timeout duration The length of time to wait before giving up. Zero means wait forever (e.g. 1s, 2m, 3h). (default 10m0s)
Run FIPS validation with custom signature file
To validate FIPS-mode operation with the a custom signature file, you can use the
signature-file flag, as in the following command. You also need to use the
signature-configmap flag to set the name of the ConfigMap used to store your custom signature file.
dkp check cluster fips \ --signature-file custom.json.asc \ --signature-configmap custom-signature-file
Run FIPS validation with existing ConfigMap
If you already have a signature file stored in a ConfigMap, you can omit the
signature-file flag, as in the following command:
dkp check cluster fips \ --signature-configmap prod-rhel8-fips-signatures
The following signature files are already embedded in the
dkp executable. They are provided for reference. You do not need to download them to run the FIPS check.