
FIPS 140-2 enablement

Enterprise-Only Feature

This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

The National Institute of Standards and Technology (NIST) develops Federal Information Processing Standards (FIPS) to ensure the security and interoperability of computer systems used by the U.S. government.

FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. This document explains how vCluster Standalone and all its components are built with FIPS-validated cryptographic libraries.

Use of FIPS compatible Go toolchain

vCluster is written in Go, and the FIPS-compliant builds are compiled using the GOFIPS140=v1.0.0 environment variable. The FIPS 140-3 validated Go Cryptographic Module now underlies Go’s built-in crypto libraries, starting with the Go Cryptographic Module v1.0.0 that is included in Go 1.24.

FIPS support in vCluster components

Most components used in vCluster are statically compiled with the Go toolchain with GOFIPS140=v1.0.0 set. vCluster also bundles several sub-components that it depends on.

Kubernetes components are sourced from the Kubernetes image with the -full-fips tag suffix:

  • containerd and containerd-shim
  • cni network plugins
  • kubeadm
  • kubectl
  • kubelet
  • kube-apiserver
  • kube-controller-manager
  • kube-scheduler
  • runc

Other components:


Run a FIPS-compliant vCluster with private nodes enabled

To run vCluster in a FIPS environment, you must reconfigure the image repositories so that they reference the FIPS images.

The following is an example of a vcluster.yaml file that you can use to create a FIPS-compliant vCluster instance:

controlPlane:
  statefulSet:
    image:
      repository: loft-sh/vcluster-pro-fips
  distro:
    k8s:
      image:
        registry: ghcr.io
        repository: loft-sh/kubernetes
        tag: v1.33.5-fips # specify Kubernetes version here with -fips suffix
  backingStore:
    etcd:
      embedded: # The use of embedded etcd is recommended, yet optional
        enabled: true
privateNodes:
  enabled: true

To create the FIPS-compliant vCluster instance, run:

vcluster create my-fips-vcluster -f vcluster.yaml
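Before running the create command, it is worth checking that the vcluster.yaml actually points at the FIPS images, since a default repository or a tag without the -fips suffix silently produces a non-FIPS cluster. The following pre-flight check is an added example and not part of vCluster; it assumes only the nested key/value subset of YAML shown above (the hypothetical `parse_simple_yaml` is not a general YAML parser), and the sample configs are constructed from the page's example.

```python
# Added pre-flight check (not vCluster code): confirm vcluster.yaml points at FIPS
# images before `vcluster create`. Assumes the nested key/value YAML subset above.
def parse_simple_yaml(text):
    """Parse indented `key: value` lines into nested dicts; `#` starts a comment."""
    stack = [(-1, {})]  # (indent, mapping); stack[0] holds the root mapping
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent closes the deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return stack[0][1]

def lookup(cfg, dotted):
    """Follow a dotted path such as controlPlane.distro.k8s.image.tag."""
    for part in dotted.split("."):
        cfg = cfg.get(part) if isinstance(cfg, dict) else None
    return cfg

def fips_config_issues(yaml_text):
    """Return findings; an empty list means the config references FIPS images."""
    cfg, issues = parse_simple_yaml(yaml_text), []
    repo = lookup(cfg, "controlPlane.statefulSet.image.repository")
    if repo != "loft-sh/vcluster-pro-fips":
        issues.append(f"control plane repository {repo!r} is not loft-sh/vcluster-pro-fips")
    tag = lookup(cfg, "controlPlane.distro.k8s.image.tag")
    if tag is None or not tag.endswith("-fips"):
        issues.append(f"Kubernetes image tag {tag!r} lacks the -fips suffix")
    return issues

# Constructed samples: the page's FIPS image settings and a non-FIPS variant.
FIPS_CONFIG = """controlPlane:
  statefulSet:
    image:
      repository: loft-sh/vcluster-pro-fips
  distro:
    k8s:
      image:
        repository: loft-sh/kubernetes
        tag: v1.33.5-fips # Kubernetes version with -fips suffix
"""
NON_FIPS_CONFIG = FIPS_CONFIG.replace("-pro-fips", "-pro").replace("-fips #", " #")
```

Run `fips_config_issues` over the file you are about to pass to `vcluster create` and refuse to proceed if the list is non-empty.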

Connect private node

Connecting private nodes to a FIPS-compliant vCluster is exactly the same process as for a non-FIPS-compliant one. vCluster automatically recognizes that it is running in FIPS-compliant mode and uses the FIPS-compliant bundle and images for the Kubernetes components.

Follow these steps to connect a private node.