FIPS 140-2 Compliance

Provision a Cluster in FIPS-140 Operating Mode

Developed by a working group of government, industry operators, and vendors, the Federal Information Processing Standard (FIPS), FIPS-140 defines security requirements for cryptographic modules. The standard provides for a wide spectrum of data sensitivity, transaction values, and a diversity of application environment security situations. The standard specifies four security levels for each eleven requirement areas. Each successive level offers increased security.

NIST introduced FIPS 140-2 validation, by accredited third party laboratories, as a formal, rigorous process to protect sensitive digitally-stored information not under Federal security classifications.

FIPS support in Konvoy

Konvoy supports provisioning a FIPS-enabled Kubernetes control plane. Core Kubernetes components are compiled using a version of Go (goboring) which is modified to use a FIPS certified cryptographic module for all cryptographic functions.

Infrastructure requirements for FIPS-140-2 mode

To ensure proper operations in FIPS mode, be sure that your environment meets these requirements.

Supported operating systems

OS Version
Red Hat Enterprise Linux / CentOS 7
Red Hat Enterprise Linux / CentOS 8

Before provisioning Konvoy, ensure that your OS or OS Images are prepared for operating in FIPS mode.

Creating FIPS-140 images

Konvoy image builder can produce images containing FIPS-140 compliant binaries. To do so, use the fips.yaml override file provided with the konvoy-image bundle. For example:

konvoy-image build --overrides overrides/fips.yaml images/ami/centos-8.yaml

Pre-provisioned infrastructure

If you are targeting pre-provisioned infrastructure, use konvoy-image builder to install the FIPS binaries for you. For example:

konvoy-image provision --overrides overrides/fips.yaml images/generic/centos-8.yaml

Validating infrastructure

After deployment use the the dkp-fips-tool to validated your nodes are running D2IQs FIPS-140 compliant builds. To do so, download the following fips tool and appropriate signed manifest file to the nodes you wish to verify:

dkp-fips-tool

The SHA-256 of the file can be found here:

dkp-fips-tool.sha256

Manifests

EL version Kubernetes version Manifest URL
7 v1.21.3 EL 7 Manifest
8 v1.21.3 EL 8 Manifest

Running the FIPS tool

Once downloaded, run the tool with the following arguments

./dkp-fips-tool --json /path/to/manifest.asc

The command outputs details about the deployment in JSON format. If validation fails, the command returns a non-zero status.

Performance impacts of running in FIPS-140 mode

Goboring relies on CGO’s foreign function interface in order to call C language functions exposed by the cryptographic module. Each call into the C library starts with a base overhead of 200ns. One benchmark finds that the time to encrypt a single AES-128 block increased from 13ns to 209ns over the internal golang implementation. The preferred mode of our FIPS module is (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384). The aggregate impact on stable control plane seems to be an increase of around ~10% CPU utilization over default operation. Workloads that do not directly interact with the control plane are not affected.