
FIPS 140-2 Enablement


Pro Feature

This feature is available in the vCluster Pro tier. Contact us for more details and to start a trial.

The National Institute of Standards and Technology (NIST) develops Federal Information Processing Standards (FIPS) to ensure the security and interoperability of computer systems used by the U.S. government.

FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. This document explains how vCluster Pro and all its components are built with FIPS-validated cryptographic libraries.

Use of a FIPS-compatible Go toolchain

vCluster Pro is written in Go, and its FIPS-compliant builds are compiled with the GOEXPERIMENT=boringcrypto environment variable set.

This directs the Go compiler to replace the standard Go crypto libraries with Google's FIPS-validated BoringCrypto module. See GoBoring's readme for more details. NIST validates Google's BoringCrypto modules on a wide range of systems.

FIPS Support in vCluster Components

Most of the components used in vCluster are statically compiled with the boringcrypto-enabled Go toolchain. From a components perspective, vCluster depends on multiple sub-components.

The list below contains components built in a FIPS-compliant manner:


caution

vCluster Pro currently does not provide FIPS-compliant builds of CoreDNS or Helm. One will have to use the integrated (embedded) CoreDNS feature of vCluster Pro instead.

FIPS vCluster Pro Images

The vCluster Pro FIPS-compliant images can be found in our GitHub Container Registry.

Running vCluster FIPS-compliant

To run vCluster in a FIPS environment, one will have to reconfigure the image repositories to reference the FIPS images and enable the embedded CoreDNS.

The following is an example vcluster.yaml file that one can use to create a FIPS-compliant vCluster Pro instance.

```yaml
controlPlane:
  statefulSet:
    image:
      repo: vcluster-pro-fips
  distro:
    k8s:
      apiServer:
        image:
          repository: loft-sh/kubernetes-fips
      controllerManager:
        image:
          repository: loft-sh/kubernetes-fips
      scheduler:
        image:
          repository: loft-sh/kubernetes-fips
  coredns:
    embedded: true
  backingStore:
    etcd:
      embedded:
        enabled: true # The use of embedded etcd is recommended, yet optional
```

And run:

```bash
vcluster create my-fips-vcluster -f vcluster.yaml
```