You can deploy a FIPS-enabled version of Tanzu Kubernetes Grid v2.3.1 to your vSphere, AWS, or Azure environment. The Bill of Materials (BoM) for FIPS lists only components that are compiled with, and use, FIPS-enabled cryptography modules.
For vSphere, the FIPS-enabled OVAs are listed on the Tanzu Kubernetes Grid downloads page (login required). The FIPS-enabled AMI and Azure images are available in AWS and Azure respectively.
(vSphere only) Import a FIPS-enabled Kubernetes OVA into vSphere, as described in Import the Base Image Template into vSphere in Deploying and Managing Tanzu Kubernetes Grid 2.3 Standalone Management Clusters.
The FIPS-enabled OVAs for Tanzu Kubernetes Grid v2.3.1 are listed on the Tanzu Kubernetes Grid downloads page in the section FIPS enabled Kubernetes OVAs for VMware Tanzu Kubernetes Grid 2.3.1.
On your bootstrap machine, set the following environment variable:
export TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH=fips/tkg-compatibility
If you have a ~/.config/tanzu/tkg directory from installing the Tanzu CLI previously, remove or rename its bom and compatibility directories:
mv bom bom.old
mv compatibility compatibility.old
Set tls-cipher-suites flags to FIPS-enabled ciphers for api-server, kube-scheduler, kube-controller-manager, etcd, and kubelet. Depending on your cloud infrastructure, you may also need to define additional ciphers. Set these flags with a ytt overlay. See Legacy Cluster Configuration with ytt.
(Azure only) When you accept the base image license, use a value such as k8s-1dot25dot7-fips-ubuntu-2004 based on the Kubernetes version number. For information about how to accept the base image license, see Accept Base Image License in Deploying and Managing Tanzu Kubernetes Grid 2.3 Standalone Management Clusters.
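The following ytt overlay is an added example, not VMware's own code, of how the cipher-suite step above can be applied to a legacy (non-class-based) cluster: it targets the Cluster API KubeadmControlPlane and KubeadmConfigTemplate objects and writes the same allow-list into each component's extraArgs. It assumes the four ECDHE AES-GCM suites permitted by Go's BoringCrypto build as the FIPS list (extend it if your infrastructure requires more, as the text notes) and uses etcd's own flag name, cipher-suites, since etcd does not accept tls-cipher-suites.

```yaml
#@ load("@ytt:overlay", "overlay")

#! Assumed FIPS allow-list: TLS 1.2 suites accepted by Go's BoringCrypto build.
#! Extend this string if your cloud infrastructure needs additional suites.
#@ fips_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

#! Control plane: kube-apiserver, kube-controller-manager, kube-scheduler, etcd,
#! and the kubelet on control-plane nodes (init and join paths).
#@overlay/match by=overlay.subset({"kind": "KubeadmControlPlane"})
#@overlay/match-child-defaults missing_ok=True
---
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          tls-cipher-suites: #@ fips_suites
      controllerManager:
        extraArgs:
          tls-cipher-suites: #@ fips_suites
      scheduler:
        extraArgs:
          tls-cipher-suites: #@ fips_suites
      etcd:
        local:
          extraArgs:
            #! etcd names this flag cipher-suites, not tls-cipher-suites.
            cipher-suites: #@ fips_suites
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          tls-cipher-suites: #@ fips_suites
    joinConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          tls-cipher-suites: #@ fips_suites

#! Worker nodes: every node pool's kubelet joins through a KubeadmConfigTemplate.
#@overlay/match by=overlay.subset({"kind": "KubeadmConfigTemplate"}), expects="1+"
#@overlay/match-child-defaults missing_ok=True
---
spec:
  template:
    spec:
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            tls-cipher-suites: #@ fips_suites
```

After the cluster is up, confirm the setting took effect by inspecting the kube-apiserver, kube-controller-manager, kube-scheduler and etcd static pod manifests on a control-plane node and the kubelet's command line for the configured suites.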
When you deploy a management cluster with TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH set to fips/tkg-compatibility, the CLI downloads and deploys FIPS-enabled core components that use cryptographic primitives provided by a FIPS-enabled library based on the BoringCrypto / BoringSSL module. The FIPS-enabled core components include components of Kubernetes, containerd and CRI, CNI plugins, CoreDNS, and etcd.
The CLI confirms the FIPS-enabled BoM downloads with output that for Tanzu Kubernetes Grid v2.3.1 resembles:
Downloading TKG compatibility file from 'projects.registry.vmware.com/tkg/fips/tkg-compatibility'
Downloading the TKG Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkg-bom:v2.3.1-fips.1'
Downloading the TKr Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkr-bom:v1.26.8_vmware.1-fips.1-tkg.1'