Microk8s 1.21 and FIPS

On RHEL, using microk8s version 1.21.1 on a FIPS enabled offline system, we are seeing the following error when enabling add-ons (this did not occur with 1.19).

For example, when enabling dns:

fips.c(145): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
/snap/microk8s/2210/actions/common/utils.sh: line 70: 26240 Aborted sudo -E LD_LIBRARY_PATH=”$GLOBAL_LD_LIBRARY_PATH” “$@”

We believe it might have to do with the version of python being in microk8s does not have FIPS support for OpenSSL. It appears python was updated sometime from 3.5 in 1.19 to 3.6 in 1.21. Did microk8s package a FIPS enabled python 3.5 in 1.19? Does you have any suggested workarounds? Am I going down the wrong path?

Thanks for any help.

We are experiencing the same issue in a FIPS environment with 1.21. It seems the issue occurs anytime the utils.sh run_with_sudo() is hit with python3.6 calls.

e.g.
utils.sh → run_with_sudo()
/snap/microk8s/2210/usr/bin/python3 /snap/microk8s/2210/scripts/cluster/distributed_op.py update_argument kubelet --authentication-token-webhook true

Throws:
fips.c(145): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE

This worked fine in 1.19 and the only solution we have had is to revert back to the older version.

Can microk8s dev team patch python 3.6? ( how to: Add support for FIPS_mode() and FIPS_mode_set() in Python 3.6.0 - Hussain Ali Akbar ) . I have a feeling 3.5 was patched, since FIPS works with it. This is a showstopper for using 1.21