Create FIPS 140 Images: Air-gapped Environment
KIB can produce images containing FIPS-140 compliant binaries. Use the fips.yaml override file provided with the image bundles.
You can also find these override files in the Konvoy Image Builder repo.
Examples:
The snippets below create images with FIPS-compliant Kubernetes components. If you need the underlying OS to be FIPS-compliant, you must provide the specific FIPS-compliant OS image, using the --source-ami flag for AWS.
In an air-gapped environment, the following command uses the override files to produce an AWS FIPS-compliant image on RHEL 8.4:
konvoy-image build --overrides offline-fips.yaml --overrides overrides/fips.yaml images/ami/rhel-84.yaml
vSphere FIPS-compliant air-gapped environment example:
konvoy-image build --overrides offline-fips.yaml --overrides overrides/fips.yaml images/ova/<image.yaml>
Pre-provisioned FIPS Infrastructure
If you are targeting Pre-provisioned Installs, you can create a FIPS-compliant cluster by doing the following:
Create a Pre-provisioned: Bootstrap Cluster
Create a secret on the bootstrap cluster with the contents of the fips.yaml override file and any other user overrides you wish to provide:
kubectl create secret generic $CLUSTER_NAME-fips-overrides --from-file=overrides.yaml=overrides.yaml
kubectl label secret $CLUSTER_NAME-fips-overrides clusterctl.cluster.x-k8s.io/move=
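As a declarative alternative to the two kubectl commands above, this added example (not part of the KIB documentation) renders the same Secret, with the move label already set, as a manifest that can be reviewed before it is applied. The function name render_fips_secret is hypothetical; it also rejects an empty or invalid CLUSTER_NAME and a missing overrides file.

```shell
# Added example: render the FIPS overrides Secret as a manifest.
# Usage: render_fips_secret "$CLUSTER_NAME" overrides.yaml | kubectl apply -f -

render_fips_secret() {
  local cluster="$1" file="$2" name
  local LC_ALL=C   # make the a-z ranges below byte-exact

  # An empty CLUSTER_NAME would turn the name into "-fips-overrides",
  # which kubectl would parse as a flag rather than a secret name.
  if [ -z "$cluster" ]; then
    echo "CLUSTER_NAME is empty" >&2
    return 1
  fi
  name="${cluster}-fips-overrides"

  # Secret names must be lowercase RFC 1123 subdomains of at most 253 chars.
  case "$name" in
    [!a-z0-9]*|*[!a-z0-9.-]*)
      echo "invalid secret name: $name" >&2
      return 1 ;;
  esac
  if [ "${#name}" -gt 253 ]; then
    echo "secret name too long: ${#name} chars" >&2
    return 1
  fi

  # --from-file would fail on a missing file; catch an empty one as well.
  if [ ! -s "$file" ]; then
    echo "overrides file missing or empty: $file" >&2
    return 1
  fi

  # Same object that 'kubectl create secret generic' plus 'kubectl label'
  # produce: an Opaque secret with one key and an empty-valued move label.
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  labels:
    clusterctl.cluster.x-k8s.io/move: ""
type: Opaque
data:
  overrides.yaml: $(base64 < "$file" | tr -d '\n')
EOF
}
```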
Here is a list of FIPS Override Files.