Skip to main content
Version: v0.24 Stable

FIPS 140-2 Enablement

Enterprise-Only Feature

This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

The National Institute of Standards and Technology (NIST) develops Federal Information Processing Standards (FIPS) to ensure the security and interoperability of computer systems used by the U.S. government.

FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. This document explains how vCluster Pro and all its components are built with FIPS-validated cryptographic libraries.

Use of FIPS compatible Go toolchain​

vCluster Pro is written in Go, and the FIPS-compliant builds are compiled using the GOEXPERIMENT=boringcrypto environment variable.

This directs the Go compiler to replace the standard Go crypto libraries with the FIPS-validated BoringCrypto module by Google. See GoBoring's readme for more details. NIST validates Google's BoringCrypto modules on a wide range of systems.

FIPS support in vCluster components​

Most of the components used in vCluster are statically compiled with the boringcrypto Go compiler. vCluster, from a components perspective, contains multiple sub-components it depends on.

The list below contains components built in a FIPS-compliant manner:


caution

vCluster Pro currently does not provide FIPS-compliant builds of CoreDNS or Helm. One must use the integrated CoreDNS feature of vCluster Pro.

FIPS vCluster Pro Images​

The vCluster Pro FIPS-compliant images can be found in our GitHub Container Registry.

Running vCluster FIPS-compliant​

To run vCluster in a FIPS environment, one has to reconfigure the repositories used to reference the FIPS images and enable CoreDNS.

The following is an example of a vcluster.yaml file that one can use to create a FIPS-compliant vCluster Pro instance.

controlPlane:
  advanced:
    defaultImageRegistry: ghcr.io
    # uncomment to use virtual scheduler within vCluster
    # virtualScheduler:
    #   enabled: true
  statefulSet:
    image:
      repository: loft-sh/vcluster-pro-fips
  distro:
    k8s:
      apiServer:
        image:
          repository: loft-sh/kubernetes-fips
      controllerManager:
        image:
          repository: loft-sh/kubernetes-fips
      # uncomment to use FIPS compliant virtual scheduler within vCluster
      # scheduler:
      #   image:
      #     repository: loft-sh/kubernetes-fips
  coredns:
    embedded: true
  backingStore:
    etcd:
      embedded:
        enabled: true # The use of embedded etcd is recommended, yet optional
# uncomment to use virtual scheduler within vCluster
# sync:
#   fromHost:
#     nodes:
#       enabled: true

And run:

vcluster create my-fips-vcluster -f vcluster.yaml
info

If you wish to configure a different Kubernetes version in your virtual cluster than the current host cluster version, you can do so by setting the controlPlane.distro.k8s.version.

controlPlane:
  distro:
    k8s:
      version: v1.31.1 # or v1.28.14