FIPS mode

Big picture

Run Calico in FIPS 140-2 compliant mode.

Value

When running in FIPS compliant mode, Calico uses FIPS-approved cryptographic algorithms and NIST-validated cryptographic modules.

Concepts

The Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology for use in computer systems by government agencies and government contractors. Calico FIPS mode is enabled during installation by:

  • Switching the cryptographic modules for the golang-based applications to use the FIPS-140-2 validated Tigera Cryptographic Module
  • Configuring TLS servers and other cryptographic functions to use FIPS 140-2 approved cryptographic algorithms

Before you begin

Required

  • A Kubernetes distribution and cluster that run in FIPS mode
  • The hosts must run Linux x86_64 distributions
  • Calico contains programs that run directly on the host that use dynamic linking of c libraries. For this reason, it is a requirement for host systems to contain the following libraries:
    • ld-linux-x86-64.so.2
    • libpthread.so.0
    • libc.so.6

Unsupported

  • The following features are disabled and are not allowed to be used:
    • Application Layer API
    • BGP password
    • WireGuard
  • Switching FIPS mode off and then on again is not supported because this can break hashes and other cryptographic settings.

How To

To install Calico in FIPS mode follow these steps.

Follow the installation steps for your platform.

  • In the step for installing custom resources, edit custom-resources.yaml and enable FIPS mode in the installation spec.

    1. apiVersion: operator.tigera.io/v1
    2. kind: Installation
    3. metadata:
    4. name: default
    5. spec:
    6. fipsMode: Enabled
  • For more information on configuration options available in this manifest, see the installation reference.

After you apply the YAML, FIPS mode is fully operational.