You can deploy FIPS-enabled versions of Tanzu Kubernetes Grid v2.1.0 and v2.1.1 to your vSphere, AWS, or Azure environment. The Bill of Materials (BoM) for FIPS lists only components that are compiled with and use FIPS-enabled cryptography modules.
For vSphere, the FIPS-enabled OVAs are listed on the Tanzu Kubernetes Grid downloads page (login required). The FIPS-enabled AMI and Azure images are available in AWS and Azure respectively.
Follow the steps in Download and Unpack the Tanzu CLI to install a FIPS-compatible version of the Tanzu CLI for TKG v2.1.
On the VMware Customer Connect Download Product page with Select Version set to a TKG v2.1 version, choose the Tanzu CLI download listed as FIPS Compatible that matches your bootstrap machine’s operating system:
These versions of the Tanzu CLI support FIPS-enabled TKG v2.1 installations in both online and internet-restricted environments.
(vSphere only) Import a FIPS-enabled Kubernetes OVA into vSphere, as described in Import the Base Image Template into vSphere in Deploying and Managing Tanzu Kubernetes Grid 2.1 Standalone Management Clusters.
The FIPS-enabled OVAs for Tanzu Kubernetes Grid v2.1.1 are listed on the Tanzu Kubernetes Grid downloads page in the section FIPS enabled Kubernetes OVAs for VMware Tanzu Kubernetes Grid 2.1.1.
The FIPS-enabled OVAs for Tanzu Kubernetes Grid v2.1.0 are listed on the Tanzu Kubernetes Grid downloads page in the section FIPS enabled Kubernetes OVAs for VMware Tanzu Kubernetes Grid 2.1.0.
On your bootstrap machine, set the following environment variable:
export TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH=fips/tkg-compatibility
If you have a ~/.config/tanzu/tkg directory from a previous Tanzu CLI installation, remove or rename its bom and compatibility directories:
mv bom bom.old
mv compatibility compatibility.old
Set the tls-cipher-suites flags to FIPS-enabled ciphers for api-server, kube-scheduler, kube-controller-manager, etcd, and kubelet. Depending on your cloud infrastructure, you may also need to define additional ciphers. These flags are set in a ytt overlay. See Legacy Cluster Configuration with ytt.
(Azure only) When you accept the base image license, use a value such as k8s-1dot24dot9-fips-ubuntu-2004 based on the Kubernetes version number. For information about how to accept the base image license, see Accept Base Image License in Deploying and Managing Tanzu Kubernetes Grid 2.1 Standalone Management Clusters.
When you deploy a management cluster with TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH set to fips/tkg-compatibility, the CLI downloads and deploys FIPS-enabled core components that use cryptographic primitives provided by a FIPS-enabled library based on the BoringCrypto / BoringSSL module. The FIPS-enabled core components include components of Kubernetes, Containerd and CRI, CNI plugins, CoreDNS, and etcd.
For Tanzu Kubernetes Grid v2.1.1, the CLI confirms the FIPS-enabled BoM downloads with output resembling:
Downloading TKG compatibility file from 'projects.registry.vmware.com/tkg/fips/tkg-compatibility'
Downloading the TKG Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkg-bom:v2.1.1-fips.1'
Downloading the TKr Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkr-bom:v1.24.10_vmware.1-fips.1-tkg.1'
For Tanzu Kubernetes Grid v2.1.0, the CLI confirms the FIPS-enabled BoM downloads with output resembling:
Downloading TKG compatibility file from 'projects.registry.vmware.com/tkg/fips/tkg-compatibility'
Downloading the TKG Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkg-bom:v2.1.0-fips.1'
Downloading the TKr Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkr-bom:v1.24.9_vmware.1-fips.1-tkg.1'
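The bootstrap-machine preparation above and the BoM output it should produce, as an added shell example that is not part of the Tanzu documentation: one function renames the cached bom and compatibility directories and sets the compatibility path, the other checks CLI output for FIPS-tagged BoMs so that a silent fallback to the standard BoM is caught before the cluster is relied on. The config directory argument and the non-FIPS sample output are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the TKG documentation: prepare the bootstrap
# machine for the FIPS BoM, then confirm the CLI really pulled FIPS-tagged BoMs.
set -eu

# Rename bom/ and compatibility/ under a TKG config directory (documented
# location: ~/.config/tanzu/tkg; the argument is this example's parameter)
# so the CLI re-downloads them from the FIPS compatibility path.
prep_tkg_config_dir() {
  local cfg_dir="$1" d stamp
  stamp=$(date +%Y%m%d%H%M%S)
  for d in bom compatibility; do
    if [ -d "$cfg_dir/$d" ]; then mv "$cfg_dir/$d" "$cfg_dir/$d.old.$stamp"; fi
  done
  export TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH=fips/tkg-compatibility
}

# Return 0 only when the compatibility file came from the fips/ path and every
# BOM line (read from stdin) names a -fips. tagged image; a standard BoM here
# means non-FIPS core components were deployed.
check_fips_bom_output() {
  local line ok=1 seen=0
  while IFS= read -r line; do
    case "$line" in
      *"compatibility file from"*)
        seen=$((seen + 1))
        case "$line" in *"/fips/tkg-compatibility'"*) ;; *) ok=0 ;; esac ;;
      *"Bill of Materials (BOM) file from"*)
        seen=$((seen + 1))
        case "$line" in *"-fips."*) ;; *) ok=0 ;; esac ;;
    esac
  done
  # Expect exactly three lines: compatibility file, TKG BOM, TKr BOM.
  if [ "$ok" -eq 1 ] && [ "$seen" -eq 3 ]; then return 0; fi
  return 1
}

# Constructed samples: the documented v2.1.1 FIPS output, and a hypothetical
# run that silently fell back to the standard (non-FIPS) BoM.
FIPS_OUTPUT="Downloading TKG compatibility file from 'projects.registry.vmware.com/tkg/fips/tkg-compatibility'
Downloading the TKG Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkg-bom:v2.1.1-fips.1'
Downloading the TKr Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkr-bom:v1.24.10_vmware.1-fips.1-tkg.1'"
NONFIPS_OUTPUT="Downloading TKG compatibility file from 'projects.registry.vmware.com/tkg/tkg-compatibility'
Downloading the TKG Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkg-bom:v2.1.1'
Downloading the TKr Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkr-bom:v1.24.10_vmware.1-tkg.1'"

if printf '%s\n' "$FIPS_OUTPUT" | check_fips_bom_output; then
  echo "FIPS BoM confirmed"
fi
```

Pipe the real `tanzu management-cluster create` output into check_fips_bom_output to verify a deployment instead of the constructed sample.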