FIPS mode
Big picture
Run Calico in FIPS 140-2 compliant mode.
Value
When running in FIPS compliant mode, Calico uses FIPS-approved cryptographic algorithms and NIST-validated cryptographic modules.
Concepts
The Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology for use in computer systems by government agencies and government contractors. Calico FIPS mode is enabled during installation by:
- Switching the cryptographic modules for the golang-based applications to use the FIPS-140-2 validated Tigera Cryptographic Module
- Configuring TLS servers and other cryptographic functions to use FIPS 140-2 approved cryptographic algorithms
Before you begin
Required
- A Kubernetes distribution and cluster that run in FIPS mode
- The hosts must run Linux x86_64 distributions
- Calico contains programs that run directly on the host that use dynamic linking of c libraries. For this reason, it is a requirement for host systems to contain the following libraries:
- ld-linux-x86-64.so.2
- libpthread.so.0
- libc.so.6
Unsupported
- The following features are disabled and are not allowed to be used:
- Application Layer API
- BGP password
- WireGuard
- Switching FIPS mode off and then on again is not supported because this can break hashes and other cryptographic settings.
How To
To install Calico in FIPS mode follow these steps.
Follow the installation steps for your platform.
In the step for installing custom resources, edit
custom-resources.yaml
and enable FIPS mode in the installation spec.apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
fipsMode: Enabled
For more information on configuration options available in this manifest, see the installation reference.
After you apply the YAML, FIPS mode is fully operational.