
FIPS 140-2 Enablement


Pro Feature

This feature is available in the vCluster Pro tier. Contact us for more details and to start a trial.

The National Institute of Standards and Technology (NIST) develops Federal Information Processing Standards (FIPS) to ensure the security and interoperability of computer systems used by the U.S. government.

FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. This document explains how vCluster Pro and all its components are built with FIPS-validated cryptographic libraries.

Use of FIPS compatible Go toolchain

vCluster Pro is written in Go, and the FIPS-compliant builds are compiled using the GOEXPERIMENT=boringcrypto environment variable.

This directs the Go compiler to replace the standard Go crypto libraries with the FIPS-validated BoringCrypto module by Google. See GoBoring's readme for more details. NIST validates Google's BoringCrypto modules on a wide range of systems.

FIPS support in vCluster components

Most of the components used in vCluster are statically compiled with the boringcrypto Go compiler. vCluster itself is made up of several sub-components that it depends on.

The list below contains components built in a FIPS-compliant manner:


caution

vCluster Pro currently does not provide FIPS-compliant builds of CoreDNS or Helm. One must use the integrated (embedded) CoreDNS feature of vCluster Pro instead.

FIPS vCluster Pro Images

The vCluster Pro FIPS-compliant images can be found in our GitHub Container Registry.

Running vCluster FIPS-compliant

To run vCluster in a FIPS environment, one has to reconfigure the image repositories so that they reference the FIPS images, and enable the embedded CoreDNS.

The following is an example of a vcluster.yaml file that one can use to create a FIPS-compliant vCluster Pro instance.

controlPlane:
  advanced:
    defaultImageRegistry: ghcr.io
    # uncomment to use virtual scheduler within vCluster
    # virtualScheduler:
    #   enabled: true
  statefulSet:
    image:
      repository: loft-sh/vcluster-pro-fips
  distro:
    k8s:
      apiServer:
        image:
          repository: loft-sh/kubernetes-fips
      controllerManager:
        image:
          repository: loft-sh/kubernetes-fips
      # uncomment to use FIPS compliant virtual scheduler within vCluster
      # scheduler:
      #   image:
      #     repository: loft-sh/kubernetes-fips
  coredns:
    embedded: true
  backingStore:
    etcd:
      embedded:
        enabled: true # The use of embedded etcd is recommended, yet optional
# uncomment to use virtual scheduler within vCluster
# sync:
#   fromHost:
#     nodes:
#       enabled: true

And run:

vcluster create my-fips-vcluster -f vcluster.yaml

info

If you wish to run a different Kubernetes version in your virtual cluster than the current host cluster version, you can do so by setting controlPlane.distro.k8s.version:

controlPlane:
  distro:
    k8s:
      version: v1.31.1 # or v1.28.14
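Once the virtual cluster from the "Running vCluster FIPS-compliant" section is up, the remaining risk is that some pod still runs an image from a non-FIPS repository (for example because a repository override was missed, or because CoreDNS was pulled separately instead of being embedded). The following Go program is an added example, not vCluster code: it parses container image references according to the Docker reference grammar (registry, repository, tag, digest) and flags any image whose registry/repository is not one of the two FIPS repositories named in the vcluster.yaml above. The sample image list stands in for the output of `kubectl get pods -n <namespace> -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}'`; its tags are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// FIPSRepositories is the allowlist of registry/repository pairs from the
// FIPS vcluster.yaml above (ghcr.io is the defaultImageRegistry there).
var FIPSRepositories = map[string]bool{
	"ghcr.io/loft-sh/vcluster-pro-fips": true,
	"ghcr.io/loft-sh/kubernetes-fips":   true,
}

// ImageRef is a container image reference split into its parts.
type ImageRef struct {
	Registry   string
	Repository string
	Tag        string
	Digest     string
}

// ParseImageRef splits "[registry/]repo[:tag][@digest]". Following the Docker
// reference rules, the first path component is a registry only if it contains
// a "." or ":" or equals "localhost"; otherwise docker.io is assumed.
func ParseImageRef(ref string) ImageRef {
	var r ImageRef
	if name, digest, ok := strings.Cut(ref, "@"); ok {
		r.Digest = digest
		ref = name
	}
	// A ":" after the last "/" introduces a tag; one before it is a registry port.
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		r.Tag = ref[i+1:]
		ref = ref[:i]
	}
	first, rest, ok := strings.Cut(ref, "/")
	if ok && (strings.ContainsAny(first, ".:") || first == "localhost") {
		r.Registry, r.Repository = first, rest
	} else {
		r.Registry, r.Repository = "docker.io", ref
	}
	return r
}

// NonFIPSImages returns every reference whose registry/repository is not in
// the FIPS allowlist, preserving input order so findings map back to pods.
func NonFIPSImages(refs []string) []string {
	var findings []string
	for _, ref := range refs {
		p := ParseImageRef(ref)
		if !FIPSRepositories[p.Registry+"/"+p.Repository] {
			findings = append(findings, ref)
		}
	}
	return findings
}

// Constructed sample of images reported for a virtual cluster's control-plane
// pods (tags are placeholders, not real release versions).
var samplePodImages = []string{
	"ghcr.io/loft-sh/vcluster-pro-fips:0.0.0-sample",
	"ghcr.io/loft-sh/kubernetes-fips:v1.31.1",
	"ghcr.io/loft-sh/kubernetes-fips:v1.31.1",
	"ghcr.io/loft-sh/vcluster-pro:0.0.0-sample", // repository override missed: non-FIPS build
	"coredns/coredns:sample-tag",                // CoreDNS not embedded: pulled from docker.io
}

func main() {
	for _, ref := range NonFIPSImages(samplePodImages) {
		p := ParseImageRef(ref)
		fmt.Printf("non-FIPS image %s (registry=%s repository=%s tag=%q)\n",
			ref, p.Registry, p.Repository, p.Tag)
	}
}
```

Running this against the real pod list after `vcluster create` turns the repository settings in vcluster.yaml into a verifiable post-deployment check rather than an assumption; any finding points at a field that still has to be overridden.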