mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 21:46:22 +01:00
Update FIPS wording
committed by
openshift-cherrypick-robot
parent
7a7eeb17a7
commit
348d5ca288
@@ -180,7 +180,7 @@ Topics:
File: installing-restricted-networks-vsphere
- Name: Gathering installation logs
File: installing-gather-logs
- Name: FIPS compliant clusters
- Name: Support for FIPS cryptography
File: installing-fips
- Name: Installation configuration
Dir: install_config
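Review bot: `File: installing-fips` is unchanged, so the topic map still resolves after the Name change; what this hunk does not show is whether other topics or xrefs still use the old link text "FIPS compliant clusters", so grep the repository for that phrase before merging, because a topic map rename does not update `xref` link text elsewhere.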
@@ -1,22 +1,22 @@
[id="installing-fips"]
= FIPS compliant {product-title} clusters
= Support for FIPS cryptography
include::modules/common-attributes.adoc[]
:context: installing-fips
toc::[]
Starting with version 4.3, you can install an {product-title} cluster that use FIPS validated cryptographic libraries.
Starting with version 4.3, you can install an {product-title} cluster that use FIPS validated / Implementation Under Test cryptographic libraries.
For the {op-system-first} machines in your cluster, this change is applied when the machines are deployed based on the status of an option in the `install-config.yaml` file, which governs the cluster options that a user can change during cluster deployment. With Red Hat Enterprise Linux machines, you must enable FIPS mode when you install the operating system on the machines that you plan to use as worker machines. These configuration methods ensure that your cluster meet the requirements of a FIPS compliance audit: only FIPS validated cryptography packages are enabled before the initial system boot.
For the {op-system-first} machines in your cluster, this change is applied when the machines are deployed based on the status of an option in the `install-config.yaml` file, which governs the cluster options that a user can change during cluster deployment. With Red Hat Enterprise Linux machines, you must enable FIPS mode when you install the operating system on the machines that you plan to use as worker machines. These configuration methods ensure that your cluster meet the requirements of a FIPS compliance audit: only FIPS validated / Implementation Under Test cryptography packages are enabled before the initial system boot.
Because FIPS must be enabled before the operating system that your cluster uses boots for the first time, you cannot enable FIPS after you deploy a cluster.
[id="installation-about-fips-validation_{context}"]
== FIPS validation in {product-title}
{product-title} uses certain FIPS validated modules within Red Hat Enterprise Linux (RHEL) and {op-system} for the operating system components that it uses. See link:https://access.redhat.com/articles/3359851[RHEL7 core crypto components]. For example, when users SSH into {product-title} clusters and containers, those connections are properly encrypted.
{product-title} uses certain FIPS validated / Implementation Under Test modules within Red Hat Enterprise Linux (RHEL) and {op-system} for the operating system components that it uses. See link:https://access.redhat.com/articles/3359851[RHEL7 core crypto components]. For example, when users SSH into {product-title} clusters and containers, those connections are properly encrypted.
{product-title} components are written in Go and built with Red Hat’s golang compiler. When you enable FIPS mode for your cluster, Red Hat’s golang compiler calls RHEL and {op-system} cryptographic libraries for all {product-title} components that require cryptographic signing. At the initial release of {product-title} version 4.3, only the `ose-sdn` package uses the native golang cryptography, which is not FIPS validated. Red Hat verifies that all other packages use the FIPS validated OpenSSL module.
{product-title} components are written in Go and built with Red Hat’s golang compiler. When you enable FIPS mode for your cluster, Red Hat’s golang compiler calls RHEL and {op-system} cryptographic libraries for all {product-title} components that require cryptographic signing. At the initial release of {product-title} version 4.3, only the `ose-sdn` package uses the native golang cryptography, which is not FIPS validated / Implementation Under Test. Red Hat verifies that all other packages use the FIPS validated / Implementation Under Test OpenSSL module.
.FIPS mode attributes and limitations in {product-title} {product-version}
[cols="8a,8a",options="header"]
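Review bot: two grammar errors survive in lines this hunk rewrites: "a cluster that use FIPS validated / Implementation Under Test cryptographic libraries" should read "that uses", and "ensure that your cluster meet the requirements" should read "meets". Separately, "Implementation Under Test" denotes a module that is still in the CMVP validation queue rather than one that has been validated, so pairing it with "meet the requirements of a FIPS compliance audit" in the same sentence overstates what an IUT module provides; consider one sentence that defines the term and what it means for an audit, and an AsciiDoc attribute (for example `:fips-status: FIPS validated / Implementation Under Test`, name hypothetical) so the long phrase is maintained in one place instead of being repeated in every sentence.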
@@ -25,39 +25,39 @@ Because FIPS must be enabled before the operating system that your cluster uses
|Attributes
|Limitations
|FIPS compliant operating systems: RHEL 7 and {op-system}.
|FIPS support in RHEL 7 operating systems.
.3+|The FIPS implementation does not offer a single function that both computes hash functions and validates the keys that are based on that hash. This limitation will continue to be evaluated and improved in future {product-title} releases.
|FIPS compliant CRI-O runtimes.
|FIPS compliant {product-title} services.
|FIPS support in CRI-O runtimes.
|FIPS support in {product-title} services.
|FIPS validated cryptographic module and algorithms that are obtained from RHEL 7 and {op-system} binaries and images.
|FIPS validated / Implementation Under Test cryptographic module and algorithms that are obtained from RHEL 7 and {op-system} binaries and images.
|
|Use of FIPS compatible golang compiler.
|TLS FIPS compliance is not complete but is planned for future {product-title} releases.
|TLS FIPS support is not complete but is planned for future {product-title} releases.
|===
[id="installation-about-fips-components_{context}"]
== FIPS compliance in components that the cluster uses
== FIPS support in components that the cluster uses
Although the {product-title} cluster itself uses FIPS validated modules, ensure that the systems that support your {product-title} cluster use FIPS validated modules for cryptography.
Although the {product-title} cluster itself uses FIPS validated / Implementation Under Test modules, ensure that the systems that support your {product-title} cluster use FIPS validated / Implementation Under Test modules for cryptography.
[id="installation-about-fips-components-etcd_{context}"]
=== etcd
To ensure that the secrets that are stored in etcd use FIPS validated encryption, encrypt the etcd datastore by using a FIPS-approved cryptographic algorithm. After you install the cluster, you can xref:../authentication/encrypting-etcd.adoc#encrypting-etcd[encrypt the etcd data] by using the `aes cbc` algorithm.
To ensure that the secrets that are stored in etcd use FIPS validated / Implementation Under Test encryption, encrypt the etcd datastore by using a FIPS-approved cryptographic algorithm. After you install the cluster, you can xref:../authentication/encrypting-etcd.adoc#encrypting-etcd[encrypt the etcd data] by using the `aes cbc` algorithm.
[id="installation-about-fips-components-storage_{context}"]
=== Storage
For local storage, use RHEL-provided disk encryption or Container Native Storage that uses RHEL-provided disk encryption. By storing all data in volumes that use RHEL-provided disk encryption and enabling FIPS mode for your cluster, both data at rest and data in motion, or network data, are protected by FIPS validated encryption.
For local storage, use RHEL-provided disk encryption or Container Native Storage that uses RHEL-provided disk encryption. By storing all data in volumes that use RHEL-provided disk encryption and enabling FIPS mode for your cluster, both data at rest and data in motion, or network data, are protected by FIPS validated / Implementation Under Test encryption.
[id="installation-about-fips-components-runtimes_{context}"]
=== Runtimes
To ensure that containers know that they are running on a host that has is using FIPS validated cryptography modules, use CRI-O to manage your runtimes. CRI-O supports FIPS-Mode, in that it configures the containers to know that they are running in FIPS mode.
To ensure that containers know that they are running on a host that has is using FIPS validated / Implementation Under Test cryptography modules, use CRI-O to manage your runtimes. CRI-O supports FIPS-Mode, in that it configures the containers to know that they are running in FIPS mode.
[id="installing-fips-mode_{context}"]
== Installing a cluster in FIPS mode
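Review bot: the Runtimes paragraph is rewritten here but keeps the broken phrase "a host that has is using FIPS validated / Implementation Under Test cryptography modules"; make it "a host that is using". Minor: "FIPS-Mode" in the same paragraph should be "FIPS mode" to match the rest of the file, and in the Storage paragraph "or network data" reads as a third category beside "data at rest and data in motion" rather than as a gloss on the second, so "data in motion (network data)" would be clearer.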
@@ -132,12 +132,12 @@ disable simultaneous multithreading.
storage type as `io1` and set `iops` to `2000`.
ifdef::vpc[]
<6> If you provide your own VPC, specify subnets for each availability zone that your cluster uses.
<7> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
<7> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
<8> You can optionally provide the `sshKey` value that you use to access the
machines in your cluster.
endif::vpc[]
ifndef::vpc[]
<6> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
<6> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
<7> You can optionally provide the `sshKey` value that you use to access the
machines in your cluster.
endif::vpc[]
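Review bot: callouts <7> and <6> now say the machines "use the cryptography modules that are provided with {op-system}" with no qualifier at all, while installing-fips.adoc in this same commit describes those modules as "FIPS validated / Implementation Under Test"; use the same qualifier in both places so the install-config sample does not make a weaker or stronger claim about the modules than the overview topic does.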
@@ -111,11 +111,11 @@ ifdef::vnet[]
<9> If you use an existing VNet, specify its name.
<10> If you use an existing VNet, specify the name of the subnet to host the control plane machines.
<11> If you use an existing VNet, specify the name of the subnet to host the compute machines.
<12> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
<12> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
<13> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
endif::vnet[]
ifndef::vnet[]
<8> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
<8> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
<9> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
endif::vnet[]
+
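Review bot: the FIPS callout sentence is copied verbatim into both the `ifdef::vnet[]` and `ifndef::vnet[]` branches (callouts <12> and <8>) and again in the AWS, bare metal, GCP and vSphere modules and the parameter table touched by this commit, so a wording change like this one has to be applied to every copy by hand. Move the sentence into a shared attribute or an include file so it is maintained once and only the callout number differs per branch.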
@@ -104,7 +104,7 @@ one IP address pool. If you need to access the services from an external network
configure load balancers and routers to manage the traffic.
<10> You must set the platform to `none`. You cannot provide additional platform
configuration variables for bare metal infrastructure.
<11> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
<11> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
ifndef::restricted[]
<12> The pull secret that you obtained from the
link:https://cloud.redhat.com/openshift/install/pull-secret[Pull Secret] page on the {cloud-redhat-com} site. This pull secret allows you to authenticate with the services that are
@@ -149,7 +149,7 @@ For production {product-title} clusters on which you want to perform installatio
|A valid, local public SSH key that you added to the `ssh-agent` process.
|`fips`
|Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
|Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
|`false` or `true`
|`publish`
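Review bot: the `fips` row lists the values `false` or `true`, but the description only says "By default, FIPS mode is not enabled"; state the default as `false` explicitly so it matches the value column. This table is also where a reader chooses the setting, so it should carry the constraint that installing-fips.adoc states in this same commit: FIPS must be enabled before the operating system boots for the first time and cannot be enabled after the cluster is deployed.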
@@ -105,11 +105,11 @@ ifdef::vpc[]
<6> If you use an existing VPC, specify its name.
<7> If you use an existing VPC, specify the name of the existing subnet to deploy the control plane machines to. The subnet must belong to the VPC that you specified.
<8> If you use an existing VPC, specify the name of the existing subnet to deploy the compute machines to. The subnet must belong to the VPC that you specified.
<9> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
<9> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
<10> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
endif::vpc[]
ifndef::vpc[]
<6> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
<6> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
<7> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
endif::vpc[]
+
@@ -98,7 +98,7 @@ in vSphere.
<9> The password associated with the vSphere user.
<10> The vSphere datacenter.
<11> The default vSphere datastore to use.
<12> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
<12> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
ifndef::restricted[]
<13> The pull secret that you obtained from the
link:https://cloud.redhat.com/openshift/install/pull-secret[Pull Secret] page on the {cloud-redhat-com} site. This pull secret allows you to authenticate with the services that are