Before you can use the Tanzu CLI or installer interface to deploy a management cluster, you must make sure that your infrastructure provider is correctly set up.
For production deployments, VMware recommends enabling external identity management on each management cluster, to control access to it and its workload clusters.
You can deploy a FIPS-capable version of Tanzu Kubernetes Grid to your vSphere, AWS, or Azure environment. The Bill of Materials (BoM) for FIPS lists only components that are compiled with, and use, FIPS-compliant cryptography modules. For vSphere, the FIPS-capable OVAs are listed on the Tanzu Kubernetes Grid downloads page. The FIPS-capable AMI and Azure images are available in AWS and Azure respectively.
1. (vSphere only) Import a FIPS-enabled Kubernetes OVA into vSphere, as described in Import a Base Image Template into vSphere. The FIPS-enabled OVAs are listed on the Tanzu Kubernetes Grid downloads page in the section FIPS enabled Kubernetes OVAs for VMware Tanzu Kubernetes Grid 1.5.x.
2. On your bootstrap machine, set the following environment variable:
       export TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH=fips/tkg-compatibility
3. If you have a ~/.config/tanzu/tkg directory from installing the Tanzu CLI previously, remove or rename its bom and compatibility directories, so that the CLI fetches the FIPS BoM instead of reusing the cached non-FIPS one:
       cd ~/.config/tanzu/tkg
       mv bom bom.old
       mv compatibility compatibility.old
4. Set the tls-cipher-suites flags to FIPS-compliant ciphers for api-server, kube-scheduler, kube-controller-manager, etcd, and kubelet, by using a ytt overlay as described in ytt Overlays.
5. (Azure only) When you accept the base image license, use the value k8s-1dot22dot9-fips-ubuntu-2004. For information about how to accept the base image license, see Accept Base Image License.
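As an added example for the tls-cipher-suites step above (this overlay is not from the Tanzu Kubernetes Grid documentation or product), the following ytt overlay sets the flag on the Cluster API control-plane and worker templates. The cipher allowlist (ECDHE key exchange with AES-GCM and SHA-2 only, all FIPS 140-2 approved primitives) and the assumption that the file is saved in your provider's ytt overlay directory as described in ytt Overlays are mine.

```yaml
#@ load("@ytt:overlay", "overlay")
#@ fips_ciphers = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
#! Control plane nodes: api-server, controller-manager, scheduler, etcd, and the control-plane kubelet.
#@overlay/match by=overlay.subset({"kind":"KubeadmControlPlane"})
---
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          #@overlay/match missing_ok=True
          tls-cipher-suites: #@ fips_ciphers
      controllerManager:
        #@overlay/match missing_ok=True
        extraArgs:
          #@overlay/match missing_ok=True
          tls-cipher-suites: #@ fips_ciphers
      scheduler:
        #@overlay/match missing_ok=True
        extraArgs:
          #@overlay/match missing_ok=True
          tls-cipher-suites: #@ fips_ciphers
      etcd:
        local:
          #@overlay/match missing_ok=True
          extraArgs:
            #! etcd names this flag cipher-suites rather than tls-cipher-suites
            #@overlay/match missing_ok=True
            cipher-suites: #@ fips_ciphers
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          #@overlay/match missing_ok=True
          tls-cipher-suites: #@ fips_ciphers
    joinConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          #@overlay/match missing_ok=True
          tls-cipher-suites: #@ fips_ciphers
#! Worker nodes: kubelet only (applies to every KubeadmConfigTemplate in the cluster plan).
#@overlay/match by=overlay.subset({"kind":"KubeadmConfigTemplate"}), expects="1+"
---
spec:
  template:
    spec:
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            #@overlay/match missing_ok=True
            tls-cipher-suites: #@ fips_ciphers
```

After the cluster is up, you can confirm the setting took effect by checking the running kube-apiserver process arguments on a control-plane node, or by probing the API server endpoint with a TLS scanner and verifying that only the listed suites are negotiated.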
When you deploy a management cluster with TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH set to fips/tkg-compatibility, the CLI downloads and deploys FIPS-compliant core components that use cryptographic primitives provided by a FIPS-compliant library based on the BoringCrypto / BoringSSL module. The FIPS-compliant core components include components of Kubernetes, containerd and CRI, CNI plugins, CoreDNS, and etcd.
The CLI confirms the FIPS-compliant BoM downloads with output that, for Tanzu Kubernetes Grid v1.5.4, resembles:
    Downloading TKG compatibility file from 'projects.registry.vmware.com/tkg/fips/tkg-compatibility'
    Downloading the TKG Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkg-bom:v1.5.4-fips.1'
    Downloading the TKr Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkr-bom:v1.22.9_vmware.1-fips.1-tkg.1'
If you need to deploy Tanzu Kubernetes Grid in an environment with no external Internet access, see Prepare an Internet-Restricted Environment.
To deploy Tanzu Kubernetes Grid to VMware Cloud on AWS or to Azure VMware Solution, see Prepare a vSphere Management as a Service Infrastructure.