Skip to content

Latest commit

 

History

History
115 lines (78 loc) · 8.68 KB

installing-fips.adoc

File metadata and controls

115 lines (78 loc) · 8.68 KB

Support for FIPS cryptography

You can install an {product-title} cluster in FIPS mode.

{product-title} is designed for FIPS. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.

For more information about the NIST validation program, see Cryptographic Module Validation Program. For the latest NIST status for the individual versions of {op-system-base} cryptographic libraries that have been submitted for validation, see Compliance Activities and Government Standards.

Important

To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base} 9 computer that is configured to operate in FIPS mode, and you must use a FIPS-capable version of the installation program. See the section titled Obtaining a FIPS-capable installation program using `oc adm extract`.

For more information about configuring FIPS mode on {op-system-base}, see Installing the system in FIPS mode.

For the {op-system-first} machines in your cluster, this change is applied when the machines are deployed based on the status of an option in the install-config.yaml file, which governs the cluster options that a user can change during cluster deployment. With {op-system-base-full} machines, you must enable FIPS mode when you install the operating system on the machines that you plan to use as worker machines.

Because FIPS must be enabled before the operating system that your cluster uses boots for the first time, you cannot enable FIPS after you deploy a cluster.

FIPS validation in {product-title}

{product-title} uses certain FIPS validated or Modules In Process modules within {op-system-base} and {op-system} for the operating system components that it uses. See RHEL core crypto components. For example, when users use SSH to connect to {product-title} clusters and containers, those connections are properly encrypted.

{product-title} components are written in Go and built with Red Hat’s golang compiler. When you enable FIPS mode for your cluster, all {product-title} components that require cryptographic signing call {op-system-base} and {op-system} cryptographic libraries.

Table 1. FIPS mode attributes and limitations in {product-title} {product-version}
Attributes Limitations

FIPS support in {op-system-base} 9 and {op-system} operating systems.

The FIPS implementation does not use a function that performs hash computation and signature generation or validation in a single step. This limitation will continue to be evaluated and improved in future {product-title} releases.

FIPS support in CRI-O runtimes.

FIPS support in {product-title} services.

FIPS validated or Modules In Process cryptographic module and algorithms that are obtained from {op-system-base} 9 and {op-system} binaries and images.

Use of FIPS compatible golang compiler.

TLS FIPS support is not complete but is planned for future {product-title} releases.

FIPS support across multiple architectures.

FIPS is currently only supported on {product-title} deployments using x86_64, ppc64le, and s390x architectures.

FIPS support in components that the cluster uses

Although the {product-title} cluster itself uses FIPS validated or Modules In Process modules, ensure that the systems that support your {product-title} cluster use FIPS validated or Modules In Process modules for cryptography.

etcd

To ensure that the secrets that are stored in etcd use FIPS validated or Modules In Process encryption, boot the node in FIPS mode. After you install the cluster in FIPS mode, you can encrypt the etcd data by using the FIPS-approved aes cbc cryptographic algorithm.

Storage

For local storage, use {op-system-base}-provided disk encryption or Container Native Storage that uses {op-system-base}-provided disk encryption. By storing all data in volumes that use {op-system-base}-provided disk encryption and enabling FIPS mode for your cluster, both data at rest and data in motion, or network data, are protected by FIPS validated or Modules In Process encryption. You can configure your cluster to encrypt the root filesystem of each node, as described in Customizing nodes.

Runtimes

To ensure that containers know that they are running on a host that is using FIPS validated or Modules In Process cryptography modules, use CRI-O to manage your runtimes.

Installing a cluster in FIPS mode

To install a cluster in FIPS mode, follow the instructions to install a customized cluster on your preferred infrastructure. Ensure that you set fips: true in the install-config.yaml file before you deploy your cluster.

Important

To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Installing the system in FIPS mode.
Note

If you are using Azure File storage, you cannot enable FIPS mode.

To apply AES CBC encryption to your etcd data store, follow the Encrypting etcd data process after you install your cluster.

If you add {op-system-base} nodes to your cluster, ensure that you enable FIPS mode on the machines before their initial boot. See Adding RHEL compute machines to an {product-title} cluster and Installing the system in FIPS mode.