FIPS-Enabled Versions

You can deploy FIPS-enabled versions of Tanzu Kubernetes Grid v2.3.1 to your vSphere, AWS, or Azure environment. The Bill of Materials (BoM) for FIPS lists only components that are compiled with, and use, FIPS-enabled cryptography modules.

For vSphere, the FIPS-enabled OVAs are listed on the Tanzu Kubernetes Grid downloads page (login required). The FIPS-enabled AMI and Azure images are available in AWS and Azure respectively.

  1. (vSphere only) Import a FIPS-enabled Kubernetes OVA into vSphere, as described in Import the Base Image Template into vSphere in Deploying and Managing Tanzu Kubernetes Grid 2.3 Standalone Management Clusters.

    The FIPS-enabled OVAs for Tanzu Kubernetes Grid v2.3.1 are listed on the Tanzu Kubernetes Grid downloads page in the section FIPS enabled Kubernetes OVAs for VMware Tanzu Kubernetes Grid 2.3.1.

    • Photon v3 Kubernetes v1.26.8 FIPS OVA
    • Photon v3 Kubernetes v1.25.13 FIPS OVA
    • Photon v3 Kubernetes v1.24.17 FIPS OVA
    • Ubuntu 2004 Kubernetes v1.26.8 FIPS OVA
    • Ubuntu 2004 Kubernetes v1.25.13 FIPS OVA
    • Ubuntu 2004 Kubernetes v1.24.17 FIPS OVA
  2. On your bootstrap machine, set the following environment variable:

    export TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH=fips/tkg-compatibility
    
  3. If you have a ~/.config/tanzu/tkg directory from installing the Tanzu CLI previously, remove or rename its bom and compatibility directories:

    # The directories live under ~/.config/tanzu/tkg; change into it before renaming them
    cd ~/.config/tanzu/tkg
    mv bom bom.old
    mv compatibility compatibility.old
    
  4. Set tls-cipher-suites flags to FIPS-enabled ciphers for api-server, kube-scheduler, kube-controller-manager, etcd, and kubelet. Depending on your cloud infrastructure, you may also need to define additional ciphers.

  5. (Azure only) When you accept the base image license, use a value such as k8s-1dot25dot7-fips-ubuntu-2004 based on the Kubernetes version number. For information about how to accept the base image license see Accept Base Image License in Deploying and Managing Tanzu Kubernetes Grid 2.3 Standalone Management Clusters.
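As an added example that is not part of the VMware documentation, the following Python script audits the component arguments from step 4 and reports any component whose cipher-suite flag is missing or lists a suite outside a FIPS allowlist. The allowlist (the AES-GCM suites permitted by Go's BoringCrypto build) and the sample argument fragments are assumptions constructed for the example; the script also accepts etcd's spelling of the flag, `--cipher-suites`.

```python
"""Audit Kubernetes component arguments for non-FIPS TLS cipher suites (added example)."""
import re

# Assumed allowlist: the AES-GCM suites permitted by Go's BoringCrypto (fipsonly) build.
# This list is an assumption, not taken from the TKG BoM; adjust it to your FIPS policy.
FIPS_SUITES = frozenset({
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
})

# Components named in step 4. Kubernetes binaries take --tls-cipher-suites; etcd takes --cipher-suites.
COMPONENTS = ("kube-apiserver", "kube-scheduler", "kube-controller-manager", "etcd", "kubelet")
FLAG_RE = re.compile(r"--(?:tls-)?cipher-suites=([A-Za-z0-9_,]+)")


def check_component(name, args_text):
    """Return (ok, problems) for one component's argument text."""
    match = FLAG_RE.search(args_text)
    if match is None:
        return False, [f"{name}: no cipher-suites flag set"]
    bad = [s for s in match.group(1).split(",") if s not in FIPS_SUITES]
    return not bad, [f"{name}: non-FIPS suite {s}" for s in bad]


def audit(components):
    """components: dict name -> argument text. Returns all problems, in COMPONENTS order."""
    problems = []
    for name in COMPONENTS:
        problems.extend(check_component(name, components.get(name, ""))[1])
    return problems


# Constructed sample fragments (not real manifests): clean suites, one weak suite, one unset flag.
SAMPLE = {
    "kube-apiserver": "- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "kube-scheduler": "- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA",
    "kube-controller-manager": "- --bind-address=0.0.0.0",
    "etcd": "- --cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "kubelet": "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["all components use FIPS-approved suites"]:
        print(line)
```

Run it against the argument lines extracted from your static pod manifests and kubelet service unit; an empty result means every listed component restricts itself to the allowlist.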

When you deploy a management cluster with TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH set to fips/tkg-compatibility, the CLI downloads and deploys FIPS-enabled core components that use cryptographic primitives provided by a FIPS-enabled library based on the BoringCrypto / BoringSSL module. The FIPS-enabled core components include components of Kubernetes, containerd and CRI, CNI plugins, CoreDNS, and etcd.

The CLI confirms the FIPS-enabled BoM downloads with output that for Tanzu Kubernetes Grid v2.3.1 resembles:

Downloading TKG compatibility file from 'projects.registry.vmware.com/tkg/fips/tkg-compatibility'
Downloading the TKG Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkg-bom:v2.3.1-fips.1'
Downloading the TKr Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkr-bom:v1.26.8_vmware.1-fips.1-tkg.1'