HowTo enable FIPS mode operation

This guide describes how to build and run a MicroK8s node in FIPS mode.

NOTE: FIPS support in MicroK8s is currently in tech preview, and requires building the distribution from source.

Prerequisites

  • A server running Ubuntu with FIPS-enabled kernel and libraries. Please refer to the Ubuntu 20.04 FIPS enablement instructions for more details.
  • A development machine running Ubuntu 20.04, to build the FIPS-enabled MicroK8s snap.

Overview

The process to run a FIPS-ready MicroK8s on a FIPS-enabled host is as follows:

  1. We will build a custom MicroK8s snap for the target Kubernetes version so that all Go binaries can use the FIPS-certified crypto libraries from the host.
  2. We will create a launch configuration file so that MicroK8s enables FIPS mode for all Go binaries and uses the FIPS-certified libraries from the host.
  3. We will install MicroK8s from our custom snap and verify that it is using the FIPS libraries.

Build FIPS-ready MicroK8s snap

  1. Install snapcraft:

    sudo snap install snapcraft --classic
    
  2. Clone the MicroK8s repository and checkout the fips branch:

    git clone https://github.com/canonical/microk8s -b fips
    cd microk8s
    
  3. (Optional) Specify the Kubernetes version to use. If you skip this step, the latest stable release is used. To build a specific Kubernetes version, e.g. v1.28.3, use the following command:

    sed -i 's/^KUBE_VERSION=.*/KUBE_VERSION=v1.28.3/' ./build-scripts/components/kubernetes/version.sh
    
  4. (Optional) Bake FIPS-related configuration in the snap. If you skip this step, you will need to create a launch configuration file before installing MicroK8s (shown in the Installation section below):

    echo '
    # For FIPS-enabled hosts, i.e. when /proc/sys/crypto/fips_enabled is 1,
    # the following configuration is required to use the fips enabled crypto
    # libraries from the host.
    #
    # The paths below are for FIPS enabled Ubuntu 20.04, make sure to adjust
    # accordingly for other distributions.
    
    # Binary path and config file for openssl.
    OPENSSL_EXECUTABLE="/usr/bin/openssl"
    OPENSSL_CONF="/etc/ssl/openssl.cnf"
    
    # Prepend the FIPS libcrypto location to the LD_LIBRARY_PATH
    LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH"
    
    # Set GOFIPS=1 so that Go binaries use the FIPS-enabled libcrypto
    GOFIPS=1
    ' > microk8s-resources/default-args/fips-env
    
  5. Build microk8s-fips.snap:

    sudo apt update
    sudo SNAPCRAFT_BUILD_ENVIRONMENT=host snapcraft
    sudo mv microk8s_*.snap microk8s-fips.snap
    

    You can now use the built microk8s-fips.snap to run MicroK8s in FIPS mode.

Install on a FIPS-enabled host

  1. Verify the host is running in FIPS mode. The kernel flag must read exactly 1; checking the file contents directly avoids matching any other value that happens to contain a "1":

    if [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]; then
      echo "FIPS is enabled!"
    else
      echo "FIPS is not enabled!"
    fi
    
  2. Transfer the previously built microk8s-fips.snap to the server via scp or any other way you prefer.

  3. Create a launch configuration that specifies the location of the openssl binary and libraries and sets GOFIPS=1, so that all Go binaries run in FIPS mode. You can skip this step if you already configured fips-env before building the snap.

    echo '
    ---
    version: 0.2.0
    addons:
      - name: dns
    extraFIPSEnv:
      GOFIPS: 1
      LD_LIBRARY_PATH: /usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
      OPENSSL_EXECUTABLE: /usr/bin/openssl
      OPENSSL_CONF: /etc/ssl/openssl.cnf
    ' | sudo tee /etc/microk8s.yaml
    
  4. Install MicroK8s using the microk8s-fips.snap we built earlier:

    sudo snap install microk8s --classic --dangerous ./microk8s-fips.snap
    

    Note that with GOFIPS=1 a Go binary refuses to start if it cannot load the FIPS-enabled libcrypto, so if the library locations are invalid the installation step fails rather than silently falling back to non-FIPS crypto. A successful installation is therefore a first check that the MicroK8s components are running in FIPS mode.
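    The values baked into fips-env at build time and those written to /etc/microk8s.yaml at install time both point at host paths, and a wrong path only surfaces as a failed snap install. The following preflight script is an added example, not part of MicroK8s: it checks, before you run snap install, that the kernel FIPS flag is exactly 1, that OPENSSL_EXECUTABLE and OPENSSL_CONF exist, and that the directory prepended to LD_LIBRARY_PATH actually contains a libcrypto. The defaults are the FIPS-enabled Ubuntu 20.04 paths used in this guide; every argument is overridable for other distributions. The second function reads an environ-format file (such as /proc/<pid>/environ of a running MicroK8s service) and reports whether GOFIPS=1 reached that process; the function names and the argument layout are this example's own choices.

```shell
#!/bin/sh
# Added example: FIPS preflight for a MicroK8s host. Not part of the MicroK8s project.
# Defaults are the FIPS-enabled Ubuntu 20.04 paths from the guide; pass arguments
# to check other locations (or a fake tree when testing).

# fips_preflight [fips_enabled_file] [openssl_bin] [openssl_conf] [libdir]
# Prints one line per check and returns 0 only if every check passes.
fips_preflight() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"
    openssl_bin="${2:-/usr/bin/openssl}"
    openssl_conf="${3:-/etc/ssl/openssl.cnf}"
    libdir="${4:-/usr/lib/x86_64-linux-gnu}"
    rc=0

    # 1. The kernel flag must be exactly "1"; a present-but-zero file is not FIPS mode.
    if [ -r "$fips_file" ] && [ "$(cat "$fips_file")" = "1" ]; then
        echo "ok   kernel fips_enabled=1 ($fips_file)"
    else
        echo "FAIL kernel FIPS mode not enabled ($fips_file)"
        rc=1
    fi

    # 2. OPENSSL_EXECUTABLE must be an executable file.
    if [ -x "$openssl_bin" ]; then
        echo "ok   openssl executable: $openssl_bin"
    else
        echo "FAIL openssl executable missing or not executable: $openssl_bin"
        rc=1
    fi

    # 3. OPENSSL_CONF must be readable.
    if [ -r "$openssl_conf" ]; then
        echo "ok   openssl config: $openssl_conf"
    else
        echo "FAIL openssl config missing: $openssl_conf"
        rc=1
    fi

    # 4. The LD_LIBRARY_PATH entry must hold a libcrypto; with GOFIPS=1 the Go
    #    binaries abort at startup if they cannot load one.
    if ls "$libdir"/libcrypto.so* >/dev/null 2>&1; then
        echo "ok   libcrypto found in $libdir"
    else
        echo "FAIL no libcrypto.so* in $libdir"
        rc=1
    fi

    return "$rc"
}

# environ_has_gofips <environ_file>
# Reads a NUL-separated environment block (the format of /proc/<pid>/environ)
# and returns 0 if it contains exactly GOFIPS=1. Use it after installation, e.g.
#   environ_has_gofips "/proc/$(pgrep -f kubelite | head -n1)/environ"
# (that invocation is an assumption about the service's process name, not a
# MicroK8s-documented check).
environ_has_gofips() {
    tr '\0' '\n' < "$1" | grep -qx 'GOFIPS=1'
}

# Run the host preflight only when invoked with "run", so the file can also be
# sourced for its functions without side effects.
if [ "${1:-}" = "run" ]; then
    fips_preflight
    exit $?
fi
```

Run it as `sh fips_preflight.sh run` on the target host before `snap install`; a FAIL line tells you which of the four values in fips-env or extraFIPSEnv to fix. The environ check is deliberately exact-match (`grep -x`) so that GOFIPS=10 or an unrelated variable containing the string does not count as a pass.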

Links