HowTo enable FIPS mode operation

This guide describes how to build and run a MicroK8s node in FIPS mode.

NOTE: FIPS support in MicroK8s is currently in tech preview, and requires building the distribution from source.

Prerequisites

  • A server running Ubuntu with FIPS-enabled kernel and libraries. Please refer to the Ubuntu 20.04 FIPS enablement instructions for more details.
  • A development machine running Ubuntu 20.04, to build the FIPS-enabled MicroK8s snap.

Overview

The process to run a FIPS-ready MicroK8s on a FIPS-enabled host is as follows:

  1. We will build a custom MicroK8s snap for the target Kubernetes version so that all Go binaries can use the FIPS-certified crypto libraries from the host.
  2. We will create a launch configuration file so that MicroK8s enables FIPS mode for all Go binaries and uses the FIPS-certified libraries from the host.
  3. We will install MicroK8s from our custom snap and verify that it is using the FIPS libraries.

Build FIPS-ready MicroK8s snap

  1. Install snapcraft:

    sudo snap install snapcraft --classic
    
  2. Clone the MicroK8s repository and checkout the fips branch:

    git clone https://github.com/canonical/microk8s -b fips
    cd microk8s
    
  3. (Optional) Specify the Kubernetes version to use. If you skip this step, the latest stable release is used. To build a specific Kubernetes version, e.g. v1.28.3, use the following command:

    sed -i 's/^KUBE_VERSION=.*/KUBE_VERSION=v1.28.3/' ./build-scripts/components/kubernetes/version.sh
    
  4. (Optional) Bake the FIPS-related configuration into the snap. If you skip this step, you will need to create a launch configuration file before installing MicroK8s (shown in the Installation section below):

    echo '
    # For FIPS-enabled hosts, i.e. when /proc/sys/crypto/fips_enabled is 1,
    # the following configuration is required to use the fips enabled crypto
    # libraries from the host.
    #
    # The paths below are for FIPS enabled Ubuntu 20.04, make sure to adjust
    # accordingly for other distributions.
    
    # Uncomment and specify the binary path and config file for openssl.
    OPENSSL_EXECUTABLE="/usr/bin/openssl"
    OPENSSL_CONF="/etc/ssl/openssl.cnf"
    
    # Uncomment and prepend the FIPS libcrypto location to the LD_LIBRARY_PATH
    LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH"
    
    # Set GOFIPS=1 so that Go binaries use the FIPS-enabled libcrypto
    GOFIPS=1
    ' > microk8s-resources/default-args/fips-env
    
  5. Build microk8s-fips.snap:

    sudo apt update
    sudo SNAPCRAFT_BUILD_ENVIRONMENT=host snapcraft
    sudo mv microk8s_*.snap microk8s-fips.snap
    

    You can now use the built microk8s-fips.snap to run MicroK8s in FIPS mode.

Install on a FIPS-enabled host

  1. Verify the host is running in FIPS mode:

    if cat /proc/sys/crypto/fips_enabled | grep -q 1; then
      echo "FIPS is enabled!"
    else
      echo "FIPS is not enabled!"
    fi
    
  2. Transfer the previously built microk8s-fips.snap to the server via scp or any other way you prefer.

  3. Create a launch configuration to specify the location of the openssl binary, libraries and set GOFIPS=1, so that all Go binaries run in FIPS mode. You can skip this step if you already configured fips-env before building the snap.

    echo '
    ---
    version: 0.2.0
    addons:
      - name: dns
    extraFIPSEnv:
      GOFIPS: 1
      LD_LIBRARY_PATH: /usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
      OPENSSL_EXECUTABLE: /usr/bin/openssl
      OPENSSL_CONF: /etc/ssl/openssl.cnf
    ' | sudo tee /etc/microk8s.yaml
    
  4. Install MicroK8s using the microk8s-fips.snap we built earlier:

    sudo snap install microk8s --classic --dangerous ./microk8s-fips.snap
    

    Note that if you have set GOFIPS=1 and the FIPS library locations are invalid, the installation step will fail. This is an easy way to verify that the MicroK8s components are running in FIPS mode.
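The check in step 1 and the note under step 4 together suggest validating the whole launch configuration up front: the host is really in FIPS mode, the openssl binary and config exist, and a libcrypto is actually present on the LD_LIBRARY_PATH you are about to set. The following pre-flight script is an added example and not code from the MicroK8s project; the function names are hypothetical, and the default paths are the FIPS-enabled Ubuntu 20.04 x86_64 values used in this guide.

```shell
#!/bin/sh
# Added pre-flight check (example code, not part of the MicroK8s project).
# Validates the values that go into /etc/microk8s.yaml (extraFIPSEnv) or
# fips-env before `snap install`, so a bad path is caught here rather than
# as a failed installation. Function names are hypothetical.

# fips_enabled FILE
# Returns 0 only when FILE (normally /proc/sys/crypto/fips_enabled) holds
# exactly "1"; stricter than `grep -q 1`, which would also accept "10".
fips_enabled() {
  [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# has_libcrypto DIR_LIST
# Returns 0 when at least one directory in the colon-separated DIR_LIST
# (the LD_LIBRARY_PATH value) contains a libcrypto shared object.
has_libcrypto() {
  _saved_ifs=$IFS
  IFS=:
  set -- $1                               # split DIR_LIST into positional parameters
  IFS=$_saved_ifs
  for _dir in "$@"; do
    [ -n "$_dir" ] || continue            # skip empty entries such as a trailing ":"
    for _lib in "$_dir"/libcrypto.so*; do
      [ -e "$_lib" ] && return 0          # an unmatched glob stays literal, so -e fails
    done
  done
  return 1
}

# check_fips_env FIPS_FILE OPENSSL_EXECUTABLE OPENSSL_CONF LD_LIBRARY_PATH
# Prints one line per check; the return value is the number of failed checks
# (0 means the launch configuration is safe to install with GOFIPS=1).
check_fips_env() {
  _fails=0
  if fips_enabled "$1"; then
    echo "ok   host kernel is in FIPS mode"
  else
    echo "FAIL host kernel is not in FIPS mode ($1)"; _fails=$((_fails + 1))
  fi
  if [ -x "$2" ]; then
    echo "ok   OPENSSL_EXECUTABLE=$2"
  else
    echo "FAIL OPENSSL_EXECUTABLE=$2 is missing or not executable"; _fails=$((_fails + 1))
  fi
  if [ -r "$3" ]; then
    echo "ok   OPENSSL_CONF=$3"
  else
    echo "FAIL OPENSSL_CONF=$3 is missing or unreadable"; _fails=$((_fails + 1))
  fi
  if has_libcrypto "$4"; then
    echo "ok   libcrypto found on LD_LIBRARY_PATH=$4"
  else
    echo "FAIL no libcrypto on LD_LIBRARY_PATH=$4"; _fails=$((_fails + 1))
  fi
  return "$_fails"
}

# Run against the values used in this guide (FIPS-enabled Ubuntu 20.04, x86_64).
check_fips_env /proc/sys/crypto/fips_enabled /usr/bin/openssl /etc/ssl/openssl.cnf \
  "/usr/lib/x86_64-linux-gnu:${LD_LIBRARY_PATH:-}" \
  || echo "$? check(s) failed; fix the launch configuration before 'snap install'"
```

Run it on the target host before step 4; a non-zero exit tells you which value in extraFIPSEnv (or fips-env) to correct, instead of discovering the problem as a failed snap installation.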

Is there an update for the Ubuntu 22.04 release? Specifically, I’m running into this error during the build process.

    /root/go/pkg/mod/go.opentelemetry.io/otel@v1.28.0/attribute/set.go:7:2: package cmp is not in GOROOT (/snap/go/current/src/cmp)
    note: imported by a module that requires go 1.21
    /root/go/pkg/mod/go.opentelemetry.io/otel@v1.28.0/attribute/set.go:10:2: package slices is not in GOROOT (/snap/go/current/src/slices)
    note: imported by a module that requires go 1.21
    make: *** [Makefile:43: bin/dynamic/k8s-dqlite] Error 1

Thanks in advance.

Hi @kjackal,

Is this still relevant? The branch seems outdated; its last update was over a year ago.
I tried merging this branch with the latest code but started getting a segmentation error when I tried to deploy.

Thanks,
Sudeep

Hi @Sudeep_Dhonde, sorry I missed this message. We updated the fips branch a month ago. Have a look.