Skip to main content
Version: v0.25 Stable

FIPS 140-2 enablement

Enterprise-Only Feature

This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

The National Institute of Standards and Technology (NIST) develops Federal Information Processing Standards (FIPS) to ensure the security and interoperability of computer systems used by the U.S. government.

FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. This document explains how vCluster and all its components are built with FIPS-validated cryptographic libraries.

Use of FIPS compatible Go toolchain​

vCluster is written in Go, and the FIPS-compliant builds are compiled using the GOEXPERIMENT=boringcrypto environment variable.

This directs the Go compiler to replace the standard Go crypto libraries with the FIPS-validated BoringCrypto module by Google. For more details, see the GoBoring README. NIST validates Google's BoringCrypto modules on a wide range of systems.

FIPS support in vCluster components​

Most components used in vCluster are statically compiled with the BoringCrypto-enabled Go compiler.
From a component perspective, vCluster includes multiple sub-components it depends on.

The list below contains components built in a FIPS-compliant manner:


caution

vCluster currently does not provide FIPS-compliant builds of CoreDNS or Helm. One must use the integrated CoreDNS feature of vCluster.

FIPS vCluster Images​

The vCluster FIPS-compliant images can be found in the vCluster GitHub Container Registry.

Run a FIPS-compliant vCluster​

To run vCluster in a FIPS environment, you must reconfigure the repositories used to reference the FIPS images and enable CoreDNS.

The following is an example of a vcluster.yaml file that one can use to create a FIPS-compliant vCluster instance:

controlPlane:
  advanced:
    defaultImageRegistry: ghcr.io
    # Uncomment to use virtual scheduler within vCluster
    # virtualScheduler:
    #   enabled: true
  statefulSet:
    image:
      repository: loft-sh/vcluster-pro-fips
  distro:
    k8s:
      apiServer:
        image:
          repository: loft-sh/kubernetes-fips
      controllerManager:
        image:
          repository: loft-sh/kubernetes-fips
      # Uncomment to use FIPS compliant virtual scheduler within vCluster
      # scheduler:
      #   image:
      #     repository: loft-sh/kubernetes-fips
  coredns:
    embedded: true
  backingStore:
    etcd:
      embedded:
        enabled: true # The use of embedded etcd is recommended, yet optional
# Uncomment to use virtual scheduler within vCluster
# sync:
#   fromHost:
#     nodes:
#       enabled: true

To create the FIPS-compliant vCluster instance, run:

vcluster create my-fips-vcluster -f vcluster.yaml
info

To use a different Kubernetes version in your virtual cluster than the host cluster, set the controlPlane.distro.k8s.version field in your configuration:

controlPlane:
  distro:
    k8s:
      image:
        tag: v1.31.1 # or v1.28.14