FIPS 140-2 enablement
This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.
The National Institute of Standards and Technology (NIST) develops Federal Information Processing Standards (FIPS) to ensure the security and interoperability of computer systems used by the U.S. government.
FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. This document explains how vCluster Standalone and all its components are built with FIPS-validated cryptographic libraries.
Use of a FIPS-compatible Go toolchain
vCluster is written in Go, and the FIPS-compliant builds are compiled with the GOFIPS140=v1.0.0 environment variable set.
The FIPS 140-3 validated Go Cryptographic Module now underlies Go’s built-in crypto libraries, starting with the Go Cryptographic Module v1.0.0 that is included in Go 1.24.
FIPS support in vCluster components
Most components used in vCluster are statically compiled by a Go toolchain with GOFIPS140=v1.0.0 set. vCluster also depends on multiple sub-components.
The list below contains components built in a FIPS-compliant manner:
vCluster currently does not provide FIPS-compliant builds of CoreDNS or Helm. One must use the integrated CoreDNS feature of vCluster.
FIPS vCluster Images
The vCluster FIPS-compliant images can be found in the vCluster GitHub Container Registry.
Run a FIPS-compliant vCluster
To run vCluster in a FIPS environment, you must reconfigure the repositories used to reference the FIPS images and enable CoreDNS.
The following is an example of a vcluster.yaml file that one can use to create
a FIPS-compliant vCluster instance:
controlPlane:
  statefulSet:
    image:
      repository: loft-sh/vcluster-pro-fips
  distro:
    k8s:
      image:
        registry: ghcr.io
        repository: loft-sh/kubernetes
        tag: v1.33.5-fips # specify Kubernetes version here with -fips suffix
  coredns:
    embedded: true
  backingStore:
    etcd:
      embedded: # The use of embedded etcd is recommended, yet optional
        enabled: true
To create the FIPS-compliant vCluster instance, run:
vcluster create my-fips-vcluster -f vcluster.yaml
To use a different Kubernetes version in your virtual cluster than the host cluster, set the controlPlane.distro.k8s.image.tag field in your configuration:
controlPlane:
  distro:
    k8s:
      image:
        tag: v1.34.2-fips
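A pre-flight check for the settings described above, written as an added example that is not part of vCluster or its documentation. It reports any vcluster.yaml value that differs from the page's FIPS example before `vcluster create` is run. The function names `flatten` and `fips_findings` are hypothetical, the sample is constructed from the page's example, and the minimal parser assumes the file contains only nested mappings of plain scalars.

```python
import re
# Constructed sample: settings from the page's FIPS vcluster.yaml example.
SAMPLE = """\
controlPlane:
  statefulSet:
    image:
      repository: loft-sh/vcluster-pro-fips
  distro:
    k8s:
      image:
        registry: ghcr.io
        repository: loft-sh/kubernetes
        tag: v1.33.5-fips # specify Kubernetes version here with -fips suffix
  coredns:
    embedded: true
"""

def flatten(text):
    """Flatten nested block mappings of plain scalars into {dotted.path: value}."""
    out, stack = {}, []  # stack holds (indent, key) for the current path
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling scopes
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return out

def fips_findings(text):
    """Return a list of settings that differ from the page's FIPS example."""
    cfg, findings = flatten(text), []
    repo = cfg.get("controlPlane.statefulSet.image.repository", "")
    if not repo.endswith("vcluster-pro-fips"):
        findings.append(f"control plane image is not vcluster-pro-fips: {repo!r}")
    tag = cfg.get("controlPlane.distro.k8s.image.tag", "")
    if not tag.endswith("-fips"):
        findings.append(f"Kubernetes image tag lacks -fips suffix: {tag!r}")
    if cfg.get("controlPlane.coredns.embedded", "").lower() != "true":
        findings.append("embedded CoreDNS is not enabled (no FIPS CoreDNS build)")
    return findings

if __name__ == "__main__":
    for finding in fips_findings(SAMPLE) or ["no findings"]:
        print(finding)
```

An empty result means only that the configuration references the FIPS images and embedded CoreDNS; it says nothing about how the images themselves were built.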