FIPS ready operation

The Federal Information Processing Standard Publication 140, is a U.S. government computer security standard used to approve cryptographic modules. As such it is required primarily in the US public sector. Canonical provides FIPS140 certified Kernel and OpenSSL packages via Ubuntu Advantage.

FIPS ready software including Kubernetes is required to use certified OpenSSL packages that normally are installed in a certified host. MicroK8s, even though it is not fully FIPS compliant, compiles its components in a FIPS compatible way allowing for their FIPS operation through configuration flags. The go based FIPS ready components are compiled with Microsoft’s Go fork.

  • On a FIPS compliant node running a FIPS certified kernel (/proc/sys/crypto/fips_enabled is set to 1) calls to crypto libraries will be served from the OpenSSL packages on the host. This assumes that certified OpenSSL packages are installed.
  • If the environment variable GOFIPS is set to 0 the non-FIPS crypto libraries are used effectively rendering FIPS inactive.

The FIPS ready MicroK8s components are:

  • Kubernetes binaries included in the kubelite binary:
    • the API server
    • the controller manager
    • the scheduler
    • the kube-proxy
    • the kubelet
  • Cluster agent, that takes care of node orchestration, eg cluster formation
  • Dqlite datastore, use by kubernetes to store the cluster’s state
  • etcd and flannel used in non-HA setups

The process of setting up a FIPS certified cluster involves enabling FIPS on the host, installing MicroK8s and editing /var/snap/microk8s/current/args/fips-env to turn on FIPS mode. The latter requires, setting up the PATH to openssl binary on the host so that MicroK8s uses that one instead of the one it ships with, setting up the GOFIPS flag, and finally set the LD_LABRARY_PATH so that it includes the certifies libcrypto libraries. Please, follow the HowTo enable FIPS mode operation guide for more details.