FIPS Compliance
Background
All the TLS Protect for Kubernetes components are standard Go binaries which use Go’s standard crypto library by default. The Go standard crypto library is not FIPS-validated.
We therefore also build FIPS-compliant Go binaries in which the standard crypto library is swapped for Google’s FIPS-validated BoringCrypto library, built using the Go SDK from the dev.boringcrypto branch of the Go source code repository. BoringCrypto is considered a ‘crypto module’ in FIPS parlance.
ℹ️ Read BoringCrypto’s FIPS certification.
The FIPS-compliant binaries enforce FIPS-compliant TLS at runtime using a 'fips only' mode provided by BoringCrypto.
Specifically:
- Only TLS 1.2 is allowed
- Only a small number of FIPS-compliant cipher suites are allowed
- Only a small number of FIPS-compliant signature algorithms are allowed
- Only certificates with 2048- or 3072-bit RSA keys, or ECDSA keys on the P-256 or P-384 curves, are allowed
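The list above has a practical consequence: a certificate issued with an RSA-4096 or P-521 key, which a standard build accepts without complaint, will be rejected by the FIPS-compliant binaries at runtime. The following program, an added example that is not part of this page or of the TLS Protect for Kubernetes code base, expresses the same constraints in a plain `tls.Config` and checks a certificate's key against the RSA-2048/3072 and P-256/P-384 rule so that certificates can be screened before they reach a FIPS-only component. The cipher-suite allow-list is an assumption drawn from Go's standard `crypto/tls` constants, since the page does not enumerate the exact suites; the BoringCrypto build enforces these rules itself, and this code only mirrors them in a standard Go build.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// fipsCipherSuites is an assumed TLS 1.2 allow-list built from Go's standard
// crypto/tls constants; the page itself does not enumerate the exact suites.
var fipsCipherSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// FIPSOnlyTLSConfig expresses the runtime constraints in a plain tls.Config:
// TLS 1.2 only, a short suite list, and only the P-256 and P-384 curves.
func FIPSOnlyTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       tls.VersionTLS12,
		CipherSuites:     fipsCipherSuites,
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384},
	}
}

// CheckFIPSPublicKey reports whether a certificate carries a key that the
// FIPS-only mode accepts: RSA with a 2048- or 3072-bit modulus, or ECDSA on
// P-256 or P-384. Anything else (RSA-4096, P-521, Ed25519, ...) is rejected.
func CheckFIPSPublicKey(cert *x509.Certificate) error {
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := k.N.BitLen(); bits != 2048 && bits != 3072 {
			return fmt.Errorf("RSA key is %d bits; FIPS-only mode accepts 2048 or 3072", bits)
		}
	case *ecdsa.PublicKey:
		if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() {
			return fmt.Errorf("ECDSA curve %s; FIPS-only mode accepts P-256 or P-384", k.Curve.Params().Name)
		}
	default:
		return fmt.Errorf("key type %T is not accepted in FIPS-only mode", cert.PublicKey)
	}
	return nil
}

// SelfSignedCert builds a throwaway self-signed certificate for the given key
// so the check can be exercised without an external CA (constructed test data).
func SelfSignedCert(key crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "fips-key-check.example"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	rsa2048, _ := rsa.GenerateKey(rand.Reader, 2048)
	rsa4096, _ := rsa.GenerateKey(rand.Reader, 4096)
	p256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p521, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	keys := map[string]crypto.Signer{"RSA-2048": rsa2048, "RSA-4096": rsa4096, "P-256": p256, "P-521": p521}
	for name, key := range keys {
		cert, err := SelfSignedCert(key)
		if err != nil {
			fmt.Println(name, "certificate error:", err)
			continue
		}
		if err := CheckFIPSPublicKey(cert); err != nil {
			fmt.Println(name, "rejected:", err)
		} else {
			fmt.Println(name, "accepted")
		}
	}
	cfg := FIPSOnlyTLSConfig()
	fmt.Printf("TLS config: versions %#x-%#x, %d cipher suites\n", cfg.MinVersion, cfg.MaxVersion, len(cfg.CipherSuites))
}
```

Running it prints that RSA-2048 and P-256 are accepted while RSA-4096 and P-521 are rejected. The same check is a useful pre-flight for issuer and CA certificates that will be presented to, or served by, the FIPS-compliant components, because the failure otherwise surfaces only as a TLS handshake error at runtime.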
Docker Images
FIPS compliant binaries for all the components of TLS Protect for Kubernetes are packaged as Docker images.
⚠️ The FIPS compliant Docker images are not multi-arch images. They are only suitable for linux/amd64 platforms.
Image | Tag |
---|---|
eu.gcr.io/jetstack-secure-enterprise/approver-policy-enterprise-fips | v0.13.0 |
eu.gcr.io/jetstack-secure-enterprise/cert-discovery-venafi-fips | v0.2.0 |
eu.gcr.io/jetstack-secure-enterprise/cert-manager-acmesolver-fips | v1.13.2 |
eu.gcr.io/jetstack-secure-enterprise/cert-manager-cainjector-fips | v1.13.2 |
eu.gcr.io/jetstack-secure-enterprise/cert-manager-controller-fips | v1.13.2 |
eu.gcr.io/jetstack-secure-enterprise/cert-manager-ctl-fips | v1.13.2 |
eu.gcr.io/jetstack-secure-enterprise/cert-manager-webhook-fips | v1.13.2 |
eu.gcr.io/jetstack-secure-enterprise/csi-driver-fips | v0.6.0 |
eu.gcr.io/jetstack-secure-enterprise/csi-driver-spiffe-approver-fips | v0.4.1 |
eu.gcr.io/jetstack-secure-enterprise/csi-driver-spiffe-fips | v0.4.1 |
eu.gcr.io/jetstack-secure-enterprise/csi-node-driver-registrar-fips | v2.9.1 |
eu.gcr.io/jetstack-secure-enterprise/google-cas-issuer-fips | v0.7.1 |
eu.gcr.io/jetstack-secure-enterprise/istio-csr-fips | v0.7.1 |
eu.gcr.io/jetstack-secure-enterprise/kube-rbac-proxy-fips | v0.15.0 |
eu.gcr.io/jetstack-secure-enterprise/livenessprobe-fips | v2.11.0 |
eu.gcr.io/jetstack-secure-enterprise/trust-manager-fips | v0.7.0 |
eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer-fips | v0.11.0 |
eu.gcr.io/jetstack-secure-enterprise/venafi-oauth-helper-fips | v0.4.0 |
The FIPS compliant image names all have the suffix -fips. You can list them using the following command:
$ gcloud container images list --repository eu.gcr.io/jetstack-secure-enterprise --filter name~-fips
The tags for the FIPS compliant images are identical to those of the standard images. For example:
$ docker pull eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer-fips:v0.8.0
v0.8.0: Pulling from jetstack-secure-enterprise/venafi-enhanced-issuer-fips
b9f88661235d: Pull complete
d7fbeaa2da3f: Pull complete
1d364324868d: Pull complete
Digest: sha256:e95b09336b06e560ca049aaf37e392624a6ff0ef59eb069239a2b63e2655bb86
Status: Downloaded newer image for eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer-fips:v0.8.0
eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer-fips:v0.8.0
And like the standard images, the FIPS images are signed using the TLS Protect for Kubernetes public key:
$ cosign verify eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer-fips:v0.8.0 --key https://platform.jetstack.io/documentation/jetstack-secure-enterprise-pubkey-2022-06-24.pem

Verification for eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer-fips:v0.8.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer-fips"},"image":{"docker-manifest-digest":"sha256:e95b09336b06e560ca049aaf37e392624a6ff0ef59eb069239a2b63e2655bb86"},"type":"cosign container image signature"},"optional":null}]
ℹ️ If you use cosign v2 you should pass the --insecure-ignore-tlog flag to the cosign command, because the signatures are not currently uploaded to the public transaction log.
Configure access to the enterprise registry
🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.
Use FIPS compliant Docker images
You can use the FIPS compliant Docker images by overriding the default image values, either by setting values of the Helm chart or by modifying the installation manifests.
The method for doing this will depend on the component and on your preferred deployment method, so refer to the documentation and Helm chart values of each component.
For example, to install venafi-enhanced-issuer with the FIPS compliant images using Helm:
VERSION=v0.8.0
helm upgrade demo oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-enhanced-issuer \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --wait \
  --install \
  --create-namespace \
  --namespace jetstack-secure \
  --set global.imagePullSecret[0].name="jss-pull-secret" \
  --version $VERSION \
  --set venafiEnhancedIssuer.manager.image.repository=eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer-fips \
  --set venafiEnhancedIssuer.manager.image.tag=$VERSION
⚠ The Chart --version flag must match the image tag version.
To verify, check that the container image of the venafi-enhanced-issuer pod has the -fips suffix.
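Checking one pod by eye is fine for a demo install, but a release can carry more than one container (a sidecar such as kube-rbac-proxy also ships in a -fips variant), and the chart version must match the image tag. The following program, an added example that is not part of this page or of the project's own tooling, applies both checks to a pod listing: every image repository must end in -fips, and every tag must equal the chart version that was installed. The sample listing is constructed data in the shape that `kubectl get pods -o custom-columns=NAME:.metadata.name,IMAGES:.spec.containers[*].image` is assumed to produce (pod name, then the container images joined by commas); the pod names and the stale v0.7.0 tag are invented to show the two failure modes.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding describes one container image that fails the check.
type Finding struct {
	Pod, Image, Reason string
}

// splitImage separates an image reference into repository and tag. A digest
// suffix (@sha256:...) is dropped first so the tag comparison still works, and
// a registry port (host:5000/repo) is not mistaken for a tag.
func splitImage(ref string) (repo, tag string) {
	if at := strings.Index(ref, "@"); at >= 0 {
		ref = ref[:at]
	}
	slash := strings.LastIndex(ref, "/")
	colon := strings.LastIndex(ref, ":")
	if colon > slash {
		return ref[:colon], ref[colon+1:]
	}
	return ref, ""
}

// CheckFIPSImages scans "pod image[,image...]" lines and reports every image
// whose repository lacks the -fips suffix or whose tag differs from the chart
// version that was installed. A header line starting with NAME is skipped.
func CheckFIPSImages(listing, chartVersion string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(listing), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] == "NAME" {
			continue
		}
		for _, ref := range strings.Split(fields[1], ",") {
			repo, tag := splitImage(ref)
			switch {
			case !strings.HasSuffix(repo, "-fips"):
				findings = append(findings, Finding{fields[0], ref, "repository has no -fips suffix"})
			case tag != chartVersion:
				findings = append(findings, Finding{fields[0], ref,
					fmt.Sprintf("tag %q does not match chart version %q", tag, chartVersion)})
			}
		}
	}
	return findings
}

// sampleListing is constructed data: two pods of a venafi-enhanced-issuer
// release, one with a non-FIPS sidecar and one running an older image tag.
const sampleListing = `NAME IMAGES
venafi-enhanced-issuer-7d4b9-abcde eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer-fips:v0.8.0,eu.gcr.io/jetstack-secure-enterprise/kube-rbac-proxy:v0.15.0
venafi-enhanced-issuer-5c2f1-xyz12 eu.gcr.io/jetstack-secure-enterprise/venafi-enhanced-issuer-fips:v0.7.0
`

func main() {
	findings := CheckFIPSImages(sampleListing, "v0.8.0")
	if len(findings) == 0 {
		fmt.Println("all container images are -fips and match the chart version")
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s: %s\n", f.Pod, f.Image, f.Reason)
	}
}
```

On the constructed listing the program reports the kube-rbac-proxy sidecar (no -fips suffix) and the v0.7.0 manager image (tag does not match the chart version); a clean installation produces no findings. Feeding it the real listing from your cluster, piped in on stdin or read from a file, turns the manual check into something that can run in CI after each Helm upgrade.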