FIPS 140-2 Compliance
Understand FIPS-140 Operating Mode and Requirements
Developed by a working group of government agencies, industry operators, and vendors, Federal Information Processing Standard (FIPS) 140 defines security requirements for cryptographic modules, including which cryptographic ciphers may be used. Kubernetes encrypts traffic between its components by default, and FIPS support ensures that the ciphers used for those communications meet the standard. The standard covers a wide spectrum of data sensitivity, transaction values, and application environment security situations. It specifies four security levels for each of eleven requirement areas; each successive level offers increased security.
NIST introduced FIPS 140-2 validation, by accredited third party laboratories, as a formal, rigorous process to protect sensitive digitally-stored information not under Federal security classifications.
FIPS Support in DKP
DKP supports provisioning a FIPS-enabled Kubernetes control plane. Core Kubernetes components are compiled using a version of Go, called goboring, which uses a FIPS-certified cryptographic module for all cryptographic functions.
Before provisioning DKP, follow your OS vendor's instructions to ensure that your OS, or OS images, are prepared for operating in FIPS mode. For RHEL, see the Red Hat documentation section titled Enabling FIPS mode.
You cannot enable FIPS mode on an existing cluster; you must create a new cluster with FIPS enabled. Similarly, a FIPS-mode cluster must remain a FIPS-mode cluster: you cannot change the cluster's FIPS status after you create it.
Infrastructure Requirements for FIPS-140-2 Mode
To ensure proper operations in FIPS mode, be sure that your environment meets these requirements:
FIPS 140 Mode Performance Impact
Supported Operating Systems
Supported Operating Systems for FIPS mode are Red Hat Enterprise Linux and CentOS. See the Supported Operating Systems for details on the tested and supported versions.
Deploying a Cluster in FIPS mode
To create a cluster in FIPS mode, you must tell the bootstrap controllers which image repository and version tags to use for the official D2iQ FIPS builds of Kubernetes and etcd.
Supported FIPS Builds
Component | Repository | Version
---|---|---
Kubernetes | docker.io/mesosphere | v1.27.11+fips.0
etcd | docker.io/mesosphere | 3.5.10+fips.0
When creating a cluster, use the following command line options:
--ami <fips enabled AMI> (AWS only)
--kubernetes-version <version>+fips.<build>
--etcd-version <version>+fips.<build>
--kubernetes-image-repository docker.io/mesosphere
--etcd-image-repository docker.io/mesosphere
For example (AWS):

```shell
dkp create cluster aws --cluster-name myFipsCluster \
  --ami=ami-03dcaa75d45aca36f \
  --kubernetes-version=v1.27.11+fips.0 \
  --kubernetes-image-repository=docker.io/mesosphere \
  --etcd-image-repository=docker.io/mesosphere \
  --etcd-version=3.5.10+fips.0
```
vSphere example:

```shell
dkp create cluster vsphere \
  --cluster-name ${CLUSTER_NAME} \
  --network <NETWORK_NAME> \
  --control-plane-endpoint-host <xxx.yyy.zzz.000> \
  --data-center <DATACENTER_NAME> \
  --data-store <DATASTORE_NAME> \
  --folder <FOLDER_NAME> \
  --server <VCENTER_API_SERVER_URL> \
  --ssh-public-key-file <SSH_PUBLIC_KEY_FILE> \
  --resource-pool <RESOURCE_POOL_NAME> \
  --vm-template <TEMPLATE_NAME> \
  --self-managed \
  --kubernetes-version=v1.27.11+fips.0 \
  --kubernetes-image-repository=docker.io/mesosphere \
  --etcd-image-repository=docker.io/mesosphere \
  --etcd-version=3.5.10+fips.0
```
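As an added example (not part of the DKP documentation or the dkp tool), the following POSIX shell preflight script checks, before you run the create-cluster commands above, the three things this page requires: that the host reports FIPS mode through the kernel flag (/proc/sys/crypto/fips_enabled is the RHEL/CentOS location and is assumed here), that the Kubernetes and etcd version tags carry the +fips.<build> suffix, and that a Kubernetes binary was built with the goboring toolchain (the _goboringcrypto_ symbol prefix is an assumption about goboring builds, not something this page states). File paths are parameters so the checks can be exercised against constructed sample files.

```shell
#!/bin/sh
# Preflight checks for a FIPS-mode DKP cluster (example code, not DKP's own).
# Assumptions: the kernel exposes FIPS mode at /proc/sys/crypto/fips_enabled
# (value "1" when enabled), and goboring-built Go binaries contain symbol
# names prefixed "_goboringcrypto_". Paths are parameters for testability.

# Returns 0 when the flag file reads "1" (FIPS mode enabled), 1 otherwise.
fips_kernel_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || return 1
    [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# Returns 0 when the binary references goboring crypto symbols.
binary_is_goboring() {
    bin="$1"
    [ -r "$bin" ] || return 1
    grep -q -a '_goboringcrypto_' "$bin"
}

# Returns 0 when a version tag ends in the "+fips.<build>" suffix DKP expects.
version_is_fips_tag() {
    case "$1" in
        *+fips.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs every check for a planned cluster, prints one line per check,
# and returns 0 only if all of them pass.
preflight() {
    k8s_ver="$1"; etcd_ver="$2"; flag_file="$3"; bin="$4"
    rc=0
    if fips_kernel_enabled "$flag_file"; then
        echo "ok   kernel FIPS mode is enabled"
    else
        echo "FAIL kernel FIPS mode is not enabled (read $flag_file)"; rc=1
    fi
    for tag in "$k8s_ver" "$etcd_ver"; do
        if version_is_fips_tag "$tag"; then
            echo "ok   $tag is a FIPS build tag"
        else
            echo "FAIL $tag lacks the +fips.<build> suffix"; rc=1
        fi
    done
    if binary_is_goboring "$bin"; then
        echo "ok   $bin references goboring crypto"
    else
        echo "FAIL $bin does not reference goboring crypto"; rc=1
    fi
    return $rc
}

# Stand-alone usage:
#   preflight.sh <k8s-version> <etcd-version> [flag-file] [kubelet-binary]
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2" "${3:-/proc/sys/crypto/fips_enabled}" "${4:-/usr/bin/kubelet}"
fi
```

Run it on a prepared node (or against a kubelet extracted from the FIPS image) with the same version tags you intend to pass to dkp; a FAIL line on the kernel check means the OS preparation step above was skipped, and a FAIL on a tag means a non-FIPS build would be provisioned, which cannot be corrected after the cluster exists.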