FIPS 140-2 Enablement
This feature is available in the vCluster Pro tier. Contact us for more details and to start a trial.
The National Institute of Standards and Technology (NIST) develops Federal Information Processing Standards (FIPS) to ensure the security and interoperability of computer systems used by the U.S. government.
FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. This document explains how vCluster Pro and all its components are built with FIPS-validated cryptographic libraries.
Use of FIPS compatible Go toolchain
vCluster Pro is written in Go, and the FIPS-compliant builds are compiled using the GOEXPERIMENT=boringcrypto environment variable.
This directs the Go compiler to replace the standard Go crypto libraries with the FIPS-validated BoringCrypto module by Google. See GoBoring's readme for more details. NIST validates Google's BoringCrypto modules on a wide range of systems.
FIPS support in vCluster components
Most of the components used in vCluster are statically compiled with the boringcrypto Go compiler. From a components perspective, vCluster depends on multiple sub-components.
The list below contains components built in a FIPS-compliant manner:
vCluster Pro currently does not provide FIPS-compliant builds of CoreDNS or Helm. One must use the integrated CoreDNS feature of vCluster Pro.
FIPS vCluster Pro Images
The vCluster Pro FIPS-compliant images can be found in our GitHub Container Registry.
Running vCluster FIPS-compliant
To run vCluster in a FIPS environment, one has to configure the image repositories to reference the FIPS images and enable the embedded CoreDNS.
The following is an example of a vcluster.yaml file that one can use to create a FIPS-compliant vCluster Pro instance.
controlPlane:
  advanced:
    defaultImageRegistry: ghcr.io
    # uncomment to use virtual scheduler within vCluster
    # virtualScheduler:
    #   enabled: true
  statefulSet:
    image:
      repository: loft-sh/vcluster-pro-fips
  distro:
    k8s:
      apiServer:
        image:
          repository: loft-sh/kubernetes-fips
      controllerManager:
        image:
          repository: loft-sh/kubernetes-fips
      # uncomment to use FIPS compliant virtual scheduler within vCluster
      # scheduler:
      #   image:
      #     repository: loft-sh/kubernetes-fips
  coredns:
    embedded: true
  backingStore:
    etcd:
      embedded:
        enabled: true # The use of embedded etcd is recommended, yet optional
# uncomment to use virtual scheduler within vCluster
# sync:
#   fromHost:
#     nodes:
#       enabled: true
And run:
vcluster create my-fips-vcluster -f vcluster.yaml
If you wish to configure a different Kubernetes version in your virtual cluster than the current host cluster version, you can do so by setting controlPlane.distro.k8s.version:
controlPlane:
  distro:
    k8s:
      version: v1.31.1 # or v1.28.14