This article was originally posted to Medium by Gaurav Bankar and has been updated.
This article gives technical experts the background needed to configure FIPS 140-2 compliance on OpenShift Container Platform on Power, and the steps to enable it.
The National Institute of Standards and Technology (NIST) establishes requirements and standards for cryptographic modules for both hardware and software components. These standards are realized in the U.S. Federal Information Processing Standards (FIPS) for cryptographic modules. FIPS 140-2 validation certificates specify the exact module name, hardware, software, firmware, and version numbers of the certified module. You can view the certified components at NIST CMVP's Validated Modules List.
To configure your OpenShift Container Platform on Power for FIPS, you can
For the Red Hat Enterprise Linux CoreOS (RHCOS) machines in your cluster, this change is applied when the machines are deployed, based on the fips option in the install-config.yaml file. With Red Hat Enterprise Linux (RHEL) machines, you must enable FIPS mode when you install the operating system on the machines that you plan to use as worker machines. These configuration methods ensure that your cluster meets the requirements of a FIPS compliant system.
To enable FIPS mode in an OpenShift 4.12 cluster, follow these steps for a new OpenShift cluster hosted on PowerVS.
- Clone the ocp4-upi-powervs repository for the deployment on IBM Power Virtual Server Workspaces (PowerVS):
git clone https://github.com/ocp-power-automation/ocp4-upi-powervs
- Set the fips_compliant variable to true in the var.tfvars file. When set to true, this variable enables FIPS on the OCP cluster and also on the bastion nodes. At the end of the install the bastion nodes are rebooted. This value can only be set at install time.
- Once you have updated the FIPS variable, continue with the OCP cluster installation steps.
Once the deployment has completed successfully, verify it with a few checks. Command to check whether FIPS is enabled in the cluster:
oc get cm cluster-config-v1 -n kube-system -o json | jq -r '.data' | grep -i "fips"
The output is the install-config stored in the cluster; the line fips: true in it confirms that FIPS mode was requested at install time:
"install-config": "apiVersion: v1\nbaseDomain: ocp-multiarch.xyz\ncompute:\n- architecture: ppc64le\n hyperthreading: Enabled\n name: worker\n platform: {}\n replicas: 0\ncontrolPlane:\n architecture: ppc64le\n hyperthreading: Enabled\n name: master\n platform: {}\n replicas: 3\nfips: true\nmetadata:\n creationTimestamp: null\n name: new-test-ocp-e007\nnetworking:\n clusterNetwork:\n - cidr: 10.128.0.0/14\n hostPrefix: 23\n machineNetwork:\n - cidr: 10.0.0.0/16\n networkType: OpenShiftSDN\n serviceNetwork:\n - 172.30.0.0/16\nplatform:\n none: {}\nproxy:\n httpProxy: http://new-test-ocp-e007-syd04-bastion-0:3128\n httpsProxy: http://new-test-ocp-e007-syd04-bastion-0:3128\n noProxy: .new-test-ocp-e00REDACTED.ocp-multiarch.xyz,192.168.0.0/24\npublish: External\npullSecret: \"\"\nsshKey: 'ssh-rsa <REDACTED>'\n"
- To confirm that the master and worker nodes are configured for FIPS, run the checks on a master node:
# oc debug syd04-master-0.new-test-ocp-e007.ocp-multiarch.xyz
sh-4.4# chroot /host
sh-4.4# fips-mode-setup --check
FIPS mode is enabled.
sh-4.4# update-crypto-policies --show
FIPS
sh-4.4# cat /etc/system-fips
# FIPS module installation complete
sh-4.4# cat /proc/sys/crypto/fips_enabled
1
sh-4.4# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
sh-4.4#
You should see similar configuration output.
- Testing for the bastion node:
# fips-mode-setup --check
FIPS mode is enabled.
# update-crypto-policies --show
FIPS
# cat /etc/system-fips
# FIPS module installation complete
# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
You should see similar configuration output.
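The manual checks above can be scripted so that every node is verified the same way. The following is an added example, not part of the original post or the ocp4-upi-powervs repository; the live path assumes a logged-in oc client and jq, while the two helper functions are pure and can be exercised on constructed input.

```bash
#!/usr/bin/env bash
# Added example: verify FIPS on an OpenShift cluster (not from the original post).
# Live mode assumes `oc` is logged in with cluster-admin and `jq` is installed.

# Return 0 when the install-config text on stdin has a top-level "fips: true".
install_config_fips_enabled() {
  grep -Eq '^fips:[[:space:]]*true[[:space:]]*$'
}

# Return 0 only when the three per-node checks from the post agree with each other:
#   $1 = output of `fips-mode-setup --check`
#   $2 = output of `update-crypto-policies --show`
#   $3 = contents of /proc/sys/crypto/fips_enabled
node_fips_consistent() {
  [ "$1" = "FIPS mode is enabled." ] && [ "$2" = "FIPS" ] && [ "$3" = "1" ]
}

# Live check: inspect the stored install-config, then every node via `oc debug`.
check_cluster() {
  oc get cm cluster-config-v1 -n kube-system -o json \
    | jq -r '.data["install-config"]' | install_config_fips_enabled \
    || { echo "install-config: fips is NOT true"; return 1; }
  echo "install-config: fips: true"
  local rc=0 node out
  for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
    # One debug pod per node; the three commands print one line each.
    out=$(oc debug "node/$node" -- chroot /host sh -c \
      'fips-mode-setup --check; update-crypto-policies --show; cat /proc/sys/crypto/fips_enabled' \
      2>/dev/null)
    if node_fips_consistent "$(printf '%s\n' "$out" | sed -n 1p)" \
                            "$(printf '%s\n' "$out" | sed -n 2p)" \
                            "$(printf '%s\n' "$out" | sed -n 3p)"; then
      echo "$node: FIPS OK"
    else
      echo "$node: FIPS MISMATCH -> $(printf '%s' "$out" | tr '\n' '|')"
      rc=1
    fi
  done
  return "$rc"
}

# Run the live check only when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
  check_cluster
fi
```

Run it as `./fips-check.sh --live` against the cluster; a non-zero exit means either the install-config lacks fips: true or at least one node reports inconsistent FIPS state.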
Best wishes.
References
- FIPS 140-2 - https://en.wikipedia.org/wiki/FIPS_140-2
- https://docs.openshift.com/container-platform/4.12/installing/installing-fips.html