This guide describes how to build and run a MicroK8s node in FIPS mode.
NOTE: FIPS support in MicroK8s is currently in tech preview, and requires building the distribution from source.
Prerequisites
- A server running Ubuntu with FIPS-enabled kernel and libraries. Please refer to the Ubuntu 20.04 FIPS enablement instructions for more details.
- A development machine running Ubuntu 20.04, to build the FIPS-enabled MicroK8s snap.
Overview
The process to run a FIPS-ready MicroK8s on a FIPS-enabled host is as follows:
- We will build a custom MicroK8s snap for the target Kubernetes version so that all Go binaries can use the FIPS-certified crypto libraries from the host.
- We will create a launch configuration file so that MicroK8s enables FIPS mode for all Go binaries and uses the FIPS-certified libraries from the host.
- We will install MicroK8s from our custom snap and verify that it is using the FIPS libraries.
Build FIPS-ready MicroK8s snap
- Install snapcraft:
    sudo snap install snapcraft --classic
- Clone the MicroK8s repository and check out the fips branch:
    git clone https://github.com/canonical/microk8s -b fips
    cd microk8s
- (Optional) Specify the Kubernetes version to use. If you skip this step, the latest stable release is used. To build a specific Kubernetes version, e.g. v1.28.3, use the following command:
    sed -i 's/^KUBE_VERSION=.*/KUBE_VERSION=v1.28.3/' ./build-scripts/components/kubernetes/version.sh
- (Optional) Bake the FIPS-related configuration into the snap. If you skip this step, you will need to create a launch configuration file before installing MicroK8s (shown in the Installation section below):
    echo '
    # For FIPS-enabled hosts, i.e. when /proc/sys/crypto/fips_enabled is 1,
    # the following configuration is required to use the fips enabled crypto
    # libraries from the host.
    #
    # The paths below are for FIPS enabled Ubuntu 20.04, make sure to adjust
    # accordingly for other distributions.

    # Uncomment and specify the binary path and config file for openssl.
    OPENSSL_EXECUTABLE="/usr/bin/openssl"
    OPENSSL_CONF="/etc/ssl/openssl.cnf"

    # Uncomment and prepend the FIPS libcrypto location to the LD_LIBRARY_PATH
    LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH"

    # Set GOFIPS=1 so that Go binaries use the FIPS-enabled libcrypto
    GOFIPS=1
    ' > microk8s-resources/default-args/fips-env
- Build microk8s-fips.snap:
    sudo apt update
    sudo SNAPCRAFT_BUILD_ENVIRONMENT=host snapcraft
    sudo mv microk8s_*.snap microk8s-fips.snap

You can now use the built microk8s-fips.snap to run MicroK8s in FIPS mode.
Install on a FIPS-enabled host
- Verify the host is running in FIPS mode (the kernel exposes this as /proc/sys/crypto/fips_enabled, which reads 1 when FIPS mode is on):
    if grep -q 1 /proc/sys/crypto/fips_enabled; then
        echo "FIPS is enabled!"
    else
        echo "FIPS is not enabled!"
    fi
- Transfer the previously built microk8s-fips.snap to the server via scp or any other way you prefer.
- Create a launch configuration to specify the location of the openssl binary and libraries and set GOFIPS=1, so that all Go binaries run in FIPS mode. You can skip this step if you already configured fips-env before building the snap.
    echo '
    ---
    version: 0.2.0
    addons:
      - name: dns
    extraFIPSEnv:
      GOFIPS: 1
      LD_LIBRARY_PATH: /usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
      OPENSSL_EXECUTABLE: /usr/bin/openssl
      OPENSSL_CONF: /etc/ssl/openssl.cnf
    ' | sudo tee /etc/microk8s.yaml
- Install MicroK8s using the microk8s-fips.snap we built earlier:
    sudo snap install microk8s --classic --dangerous ./microk8s-fips.snap
Note that if you have set GOFIPS=1 and the FIPS library locations are invalid, the installation step will fail rather than silently falling back to Go's built-in crypto. This is an easy way to verify that the MicroK8s components are actually running in FIPS mode: a successful install with GOFIPS=1 means every Go binary was able to load the host's FIPS libcrypto.