HowTo enable FIPS mode operation

MicroK8s can be compiled so that its main components operate in a FIPS compliant way. Here we show how to enable FIPS mode on them.

Prerequisites

  • A host with FIPS enabled. The host should include both a FIPS kernel and FIPS certified libraries. Please see the FIPS enablement instructions on how this is achieved on Ubuntu.
  • A MicroK8s build from the fips branch.

Service configuration

The MicroK8s services need to be configured to point to the FIPS certified libraries and their mode set to FIPS. This is achieved through a few environment variables under /var/snap/microk8s/current/args/fips-env that need to be properly set.

In a FIPS certified environment the correct openssl binary (along with its libraries) must be the one that gets called. To point MicroK8s to the right openssl:

  • edit the file: /var/snap/microk8s/current/args/fips-env
    • Set OPENSSL_EXECUTABLE to the full path of the openssl binary
    • Set OPENSSL_CONF to point to the desired openssl configuration

To enable FIPS operation in binaries compiled with go:

  • edit the file: /var/snap/microk8s/current/args/fips-env
    • Set GOFIPS to 1
    • Set LD_LIBRARY_PATH to point to a directory with the libcrypto FIPS certified libraries. Typically these libraries are under /usr/lib/x86_64-linux-gnu/.
    • Comment in IN_SNAP_LD_LIBRARY_PATH

After editing you need to restart the services with:

microk8s stop
microk8s start

If, instead of editing the fips-env file, you prefer to have FIPS enabled through launch configurations you can use the following on Ubuntu:

---
version: 0.2.0
extraFIPSEnv:
  GOFIPS: 1
  LD_LIBRARY_PATH: /usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
  OPENSSL_EXECUTABLE: /usr/bin/openssl
  OPENSSL_CONF: /etc/ssl/openssl.cnf

Note that the paths above may vary depending on the distribution you are on.

Verify FIPS is configured correctly

Check that the kernel is FIPS enabled with:

cat /proc/sys/crypto/fips_enabled

The result should be 1.

We can indirectly check whether the Kubernetes services are using the FIPS libraries from the host: edit /var/snap/microk8s/current/args/fips-env, comment out LD_LIBRARY_PATH, and restart MicroK8s with:

microk8s stop
microk8s start

MicroK8s should fail to start, and you should see errors reported in the kubelite logs:

journalctl -fu snap.microk8s.daemon-kubelite
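The service configuration steps above and this verification section both hinge on the same four variables in fips-env plus the kernel flag. The script below is an added example, not part of MicroK8s or its documentation: it reads a fips-env style file, reports any of GOFIPS, OPENSSL_EXECUTABLE, OPENSSL_CONF or LD_LIBRARY_PATH that is unset or commented out, confirms a libcrypto.so* actually exists under the configured LD_LIBRARY_PATH, and checks the kernel flag file. The sample directory, the stand-in fips-env files and the empty libcrypto.so.3 file it creates are constructed for the demonstration; the real paths are the ones given earlier on this page.

```shell
#!/bin/sh
# Added example (not MicroK8s code): sanity-check a fips-env file and the kernel
# FIPS flag before restarting the services. The variable names are the ones
# documented on this page; the sample files created below are constructed.

# kernel_fips_enabled FILE
# Returns 0 when FILE (normally /proc/sys/crypto/fips_enabled) contains exactly "1".
kernel_fips_enabled() {
    [ -r "$1" ] || return 1
    [ "$(cat "$1")" = "1" ]
}

# env_value FILE VAR
# Prints the value assigned to VAR in a shell-style KEY=VALUE file.
# Commented-out lines are skipped, so a commented LD_LIBRARY_PATH yields nothing.
env_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]*(export[[:space:]]+)?/, "", line)
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == key) {
                val = substr(line, n + 1)
                gsub(/^"|"$/, "", val)
                print val
            }
        }' "$1" | tail -n 1
}

# libcrypto_in_path DIRLIST
# Returns 0 if any directory in the colon-separated DIRLIST holds a libcrypto.so*.
libcrypto_in_path() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        for lib in "$dir"/libcrypto.so*; do
            [ -e "$lib" ] && return 0
        done
    done
    IFS=$old_ifs
    return 1
}

# check_fips_env FILE
# Reports each documented variable that is missing, commented out or wrong,
# and returns non-zero if anything needs fixing.
check_fips_env() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    if [ "$(env_value "$file" GOFIPS)" != "1" ]; then
        echo "GOFIPS is not set to 1"; rc=1
    fi
    for var in OPENSSL_EXECUTABLE OPENSSL_CONF LD_LIBRARY_PATH; do
        if [ -z "$(env_value "$file" "$var")" ]; then
            echo "$var is unset or commented out"; rc=1
        fi
    done
    ldpath=$(env_value "$file" LD_LIBRARY_PATH)
    if [ -n "$ldpath" ] && ! libcrypto_in_path "$ldpath"; then
        echo "no libcrypto.so* found under LD_LIBRARY_PATH=$ldpath"; rc=1
    fi
    return $rc
}

# --- constructed sample data (stand-ins for the real host files) ---------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/lib"
: > "$SAMPLE_DIR/lib/libcrypto.so.3"   # empty stand-in for the FIPS libcrypto
echo 1 > "$SAMPLE_DIR/fips_on"         # what /proc/sys/crypto/fips_enabled should read
echo 0 > "$SAMPLE_DIR/fips_off"

GOOD_ENV=$SAMPLE_DIR/fips-env.good
cat > "$GOOD_ENV" <<EOF
# constructed stand-in for /var/snap/microk8s/current/args/fips-env
GOFIPS=1
LD_LIBRARY_PATH=$SAMPLE_DIR/lib
OPENSSL_EXECUTABLE=/usr/bin/openssl
OPENSSL_CONF=/etc/ssl/openssl.cnf
EOF

# The same file with LD_LIBRARY_PATH commented out, as in the verification step.
BAD_ENV=$SAMPLE_DIR/fips-env.bad
sed 's/^LD_LIBRARY_PATH=/#LD_LIBRARY_PATH=/' "$GOOD_ENV" > "$BAD_ENV"

if kernel_fips_enabled "$SAMPLE_DIR/fips_on"; then echo "kernel FIPS flag: on"; fi
check_fips_env "$GOOD_ENV" && echo "$GOOD_ENV: ok"
check_fips_env "$BAD_ENV" || echo "$BAD_ENV: not FIPS-ready"
```

On a real host you would call check_fips_env against /var/snap/microk8s/current/args/fips-env and kernel_fips_enabled against /proc/sys/crypto/fips_enabled before running microk8s stop and microk8s start; a non-zero exit from either is a reason not to restart yet.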
