From e83cbd20e714f686a4964fff7c8cfa085c422faf Mon Sep 17 00:00:00 2001 From: Ben Scott Date: Wed, 5 Jul 2023 16:27:01 -0400 Subject: [PATCH] Adding FIPS admonition about installing from FIPS enabled system --- installing/installing-fips.adoc | 21 ++++++++++++------- modules/agent-installer-fips-compliance.adoc | 2 +- modules/distr-tracing-product-overview.adoc | 5 +++++ modules/installation-aws-config-yaml.adoc | 4 ++-- modules/installation-azure-config-yaml.adoc | 8 +++---- ...tallation-azure-stack-hub-config-yaml.adoc | 4 ++-- ...are-metal-agent-installer-config-yaml.adoc | 2 +- .../installation-bare-metal-config-yaml.adoc | 2 +- ...installation-configuration-parameters.adoc | 2 +- modules/installation-gcp-config-yaml.adoc | 6 +++--- ...gcp-user-infra-shared-vpc-config-yaml.adoc | 2 +- .../installation-ibm-cloud-config-yaml.adoc | 6 +++--- modules/installation-nutanix-config-yaml.adoc | 4 ++-- .../installation-special-config-storage.adoc | 8 +++---- modules/installation-vsphere-config-yaml.adoc | 2 +- modules/machine-config-overview.adoc | 2 +- modules/osdk-csv-manual-annotations.adoc | 2 +- modules/rhel-compute-overview.adoc | 2 +- modules/rhel-compute-requirements.adoc | 2 +- ...ractive-cluster-creation-mode-options.adoc | 2 +- modules/security-compliance-nist.adoc | 2 +- modules/ssh-agent-using.adoc | 2 +- service_mesh/v2x/ossm-reference-jaeger.adoc | 5 +++++ 23 files changed, 56 insertions(+), 41 deletions(-) diff --git a/installing/installing-fips.adoc b/installing/installing-fips.adoc index 2ba5b1770f..491d5a8d28 100644 --- a/installing/installing-fips.adoc +++ b/installing/installing-fips.adoc 
@@ -6,16 +6,21 @@ include::_attributes/common-attributes.adoc[] toc::[] -You can install an {product-title} cluster that uses FIPS Validated / Modules in Process cryptographic libraries on `x86_64`, `ppc64le`, and `s390x` architectures. +You can install an {product-title} cluster that uses FIPS validated or Modules In Process cryptographic libraries on the `x86_64`, `ppc64le`, and `s390x` architectures. -For the {op-system-first} machines in your cluster, this change is applied when the machines are deployed based on the status of an option in the `install-config.yaml` file, which governs the cluster options that a user can change during cluster deployment. With {op-system-base-full} machines, you must enable FIPS mode when you install the operating system on the machines that you plan to use as worker machines. These configuration methods ensure that your cluster meet the requirements of a FIPS compliance audit: only FIPS Validated / Modules in Process cryptography packages are enabled before the initial system boot. +[IMPORTANT] +==== +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. +==== + +For the {op-system-first} machines in your cluster, this change is applied when the machines are deployed based on the status of an option in the `install-config.yaml` file, which governs the cluster options that a user can change during cluster deployment. With {op-system-base-full} machines, you must enable FIPS mode when you install the operating system on the machines that you plan to use as worker machines. 
These configuration methods ensure that your cluster meets the requirements of a FIPS compliance audit: only FIPS validated or Modules In Process cryptography packages are enabled before the initial system boot. Because FIPS must be enabled before the operating system that your cluster uses boots for the first time, you cannot enable FIPS after you deploy a cluster. [id="installation-about-fips-validation_{context}"] == FIPS validation in {product-title} -{product-title} uses certain FIPS Validated / Modules in Process modules within {op-system-base} and {op-system} for the operating system components that it uses. See link:https://access.redhat.com/articles/3655361[RHEL8 core crypto components]. For example, when users SSH into {product-title} clusters and containers, those connections are properly encrypted. +{product-title} uses certain FIPS validated or Modules In Process modules within {op-system-base} and {op-system} for the operating system components that it uses. See link:https://access.redhat.com/articles/3655361[RHEL8 core crypto components]. For example, when users use SSH to connect to {product-title} clusters and containers, those connections are properly encrypted. {product-title} components are written in Go and built with Red Hat's golang compiler. When you enable FIPS mode for your cluster, all {product-title} components that require cryptographic signing call {op-system-base} and {op-system} cryptographic libraries. @@ -32,7 +37,7 @@ Because FIPS must be enabled before the operating system that your cluster uses |FIPS support in CRI-O runtimes. |FIPS support in {product-title} services. -|FIPS Validated / Modules in Process cryptographic module and algorithms that are obtained from {op-system-base} 8 and {op-system} binaries and images. +|FIPS validated or Modules In Process cryptographic module and algorithms that are obtained from {op-system-base} 8 and {op-system} binaries and images. | |Use of FIPS compatible golang compiler. 
@@ -46,24 +51,24 @@ Because FIPS must be enabled before the operating system that your cluster uses [id="installation-about-fips-components_{context}"] == FIPS support in components that the cluster uses -Although the {product-title} cluster itself uses FIPS Validated / Modules in Process modules, ensure that the systems that support your {product-title} cluster use FIPS Validated / Modules in Process modules for cryptography. +Although the {product-title} cluster itself uses FIPS validated or Modules In Process modules, ensure that the systems that support your {product-title} cluster use FIPS validated or Modules In Process modules for cryptography. [id="installation-about-fips-components-etcd_{context}"] === etcd -To ensure that the secrets that are stored in etcd use FIPS Validated / Modules in Process encryption, boot the node in FIPS mode. After you install the cluster in FIPS mode, you can xref:../security/encrypting-etcd.adoc#encrypting-etcd[encrypt the etcd data] by using the FIPS-approved `aes cbc` cryptographic algorithm. +To ensure that the secrets that are stored in etcd use FIPS validated or Modules In Process encryption, boot the node in FIPS mode. After you install the cluster in FIPS mode, you can xref:../security/encrypting-etcd.adoc#encrypting-etcd[encrypt the etcd data] by using the FIPS-approved `aes cbc` cryptographic algorithm. [id="installation-about-fips-components-storage_{context}"] === Storage -For local storage, use {op-system-base}-provided disk encryption or Container Native Storage that uses {op-system-base}-provided disk encryption. By storing all data in volumes that use {op-system-base}-provided disk encryption and enabling FIPS mode for your cluster, both data at rest and data in motion, or network data, are protected by FIPS Validated / Modules in Process encryption. +For local storage, use {op-system-base}-provided disk encryption or Container Native Storage that uses {op-system-base}-provided disk encryption. 
By storing all data in volumes that use {op-system-base}-provided disk encryption and enabling FIPS mode for your cluster, both data at rest and data in motion, or network data, are protected by FIPS validated or Modules In Process encryption. You can configure your cluster to encrypt the root filesystem of each node, as described in xref:../installing/install_config/installing-customizing.adoc#installing-customizing[Customizing nodes]. [id="installation-about-fips-components-runtimes_{context}"] === Runtimes -To ensure that containers know that they are running on a host that is using FIPS Validated / Modules in Process cryptography modules, use CRI-O to manage your runtimes. CRI-O supports FIPS mode, in that it configures the containers to know that they are running in FIPS mode. +To ensure that containers know that they are running on a host that is using FIPS validated or Modules In Process cryptography modules, use CRI-O to manage your runtimes. [id="installing-fips-mode_{context}"] == Installing a cluster in FIPS mode diff --git a/modules/agent-installer-fips-compliance.adoc b/modules/agent-installer-fips-compliance.adoc index fef47f8db3..e44e77a415 100644 --- a/modules/agent-installer-fips-compliance.adoc +++ b/modules/agent-installer-fips-compliance.adoc 
@@ -12,5 +12,5 @@ Federal Information Processing Standards (FIPS) compliance is one of the most cr [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== diff --git a/modules/distr-tracing-product-overview.adoc b/modules/distr-tracing-product-overview.adoc index c0a0ad3248..414af6a263 100644 --- a/modules/distr-tracing-product-overview.adoc +++ b/modules/distr-tracing-product-overview.adoc @@ -36,3 +36,8 @@ The {DTShortName} consists of three components: * *{TempoName}*, which is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo project]. * *{OTELNAME}*, which is based on the open source link:https://opentelemetry.io/[OpenTelemetry project]. + +[IMPORTANT] +==== +Jaeger does not use FIPS validated cryptographic modules. +==== diff --git a/modules/installation-aws-config-yaml.adoc b/modules/installation-aws-config-yaml.adoc index 8158c14a57..de3271b71b 100644 --- a/modules/installation-aws-config-yaml.adoc +++ b/modules/installation-aws-config-yaml.adoc 
@@ -372,7 +372,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <14> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] @@ -388,7 +388,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <12> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] 
diff --git a/modules/installation-azure-config-yaml.adoc b/modules/installation-azure-config-yaml.adoc index 66f7aeae24..a80edb78aa 100644 --- a/modules/installation-azure-config-yaml.adoc +++ b/modules/installation-azure-config-yaml.adoc @@ -213,7 +213,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <15> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] 
@@ -227,7 +227,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <16> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] @@ -241,7 +241,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <17> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] 
@@ -255,7 +255,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <11> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] diff --git a/modules/installation-azure-stack-hub-config-yaml.adoc b/modules/installation-azure-stack-hub-config-yaml.adoc index a4717e2b12..0a2426df29 100644 --- a/modules/installation-azure-stack-hub-config-yaml.adoc +++ b/modules/installation-azure-stack-hub-config-yaml.adoc 
@@ -95,7 +95,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <12> If your Azure Stack Hub environment uses an internal certificate authority (CA), add the necessary certificate bundle in `.pem` format. <13> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. @@ -188,7 +188,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <14> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] diff --git a/modules/installation-bare-metal-agent-installer-config-yaml.adoc b/modules/installation-bare-metal-agent-installer-config-yaml.adoc index 20cd5025e8..aae4ef0267 100644 --- a/modules/installation-bare-metal-agent-installer-config-yaml.adoc +++ b/modules/installation-bare-metal-agent-installer-config-yaml.adoc 
@@ -96,7 +96,7 @@ platform: + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <12> This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for {product-title} components. diff --git a/modules/installation-bare-metal-config-yaml.adoc b/modules/installation-bare-metal-config-yaml.adoc index dfa6976cf5..16b0d7256f 100644 --- a/modules/installation-bare-metal-config-yaml.adoc +++ b/modules/installation-bare-metal-config-yaml.adoc @@ -255,7 +255,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on `x86_64`, `ppc64le`, and `s390x` architectures. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== endif::openshift-origin[] ifndef::restricted[] diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc index e5b8d34df2..0fb32c889d 100644 --- a/modules/installation-configuration-parameters.adoc +++ b/modules/installation-configuration-parameters.adoc 
@@ -598,7 +598,7 @@ ifndef::openshift-origin,ibm-power-vs[] |Enable or disable FIPS mode. The default is `false` (disabled). If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead. [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on `x86_64`, `ppc64le`, and `s390x` architectures. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== [NOTE] ==== diff --git a/modules/installation-gcp-config-yaml.adoc b/modules/installation-gcp-config-yaml.adoc index d9207076d2..a0a83bdd33 100644 --- a/modules/installation-gcp-config-yaml.adoc +++ b/modules/installation-gcp-config-yaml.adoc 
@@ -227,7 +227,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <14> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] @@ -241,7 +241,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <15> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] 
@@ -255,7 +255,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <11> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] diff --git a/modules/installation-gcp-user-infra-shared-vpc-config-yaml.adoc b/modules/installation-gcp-user-infra-shared-vpc-config-yaml.adoc index e2eca17b69..bc8b650834 100644 --- a/modules/installation-gcp-user-infra-shared-vpc-config-yaml.adoc +++ b/modules/installation-gcp-user-infra-shared-vpc-config-yaml.adoc @@ -90,7 +90,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <10> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] diff --git a/modules/installation-ibm-cloud-config-yaml.adoc b/modules/installation-ibm-cloud-config-yaml.adoc index 1f056ce0ef..830c457d64 100644 --- a/modules/installation-ibm-cloud-config-yaml.adoc 
+++ b/modules/installation-ibm-cloud-config-yaml.adoc @@ -91,7 +91,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <7> Optional: provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] @@ -179,7 +179,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <13> Optional: provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] 
@@ -269,7 +269,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <15> Optional: provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] diff --git a/modules/installation-nutanix-config-yaml.adoc b/modules/installation-nutanix-config-yaml.adoc index fabc2a596c..94ed7d1c15 100644 --- a/modules/installation-nutanix-config-yaml.adoc +++ b/modules/installation-nutanix-config-yaml.adoc @@ -123,7 +123,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <10> Optional: You can provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] @@ -266,7 +266,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== <11> Optional: You can provide the `sshKey` value that you use to access the machines in your cluster. + diff --git a/modules/installation-special-config-storage.adoc b/modules/installation-special-config-storage.adoc index 3a176a12cc..31e21eda28 100644 
--- a/modules/installation-special-config-storage.adoc +++ b/modules/installation-special-config-storage.adoc @@ -250,11 +250,11 @@ For more details, see "About disk mirroring". + [IMPORTANT] ==== -If you are configuring nodes to use both disk encryption and mirroring, both features must be configured in the same Butane config. -If you are configuring disk encryption on a node with FIPS mode enabled, you must include the `fips` directive in the same Butane config, even if FIPS mode is also enabled in a separate manifest. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. If you are configuring nodes to use both disk encryption and mirroring, both features must be configured in the same Butane configuration file. +If you are configuring disk encryption on a node with FIPS mode enabled, you must include the `fips` directive in the same Butane configuration file, even if FIPS mode is also enabled in a separate manifest. ==== -. Create a control plane or compute node manifest from the corresponding Butane config and save it to the `/openshift` directory. +. Create a control plane or compute node manifest from the corresponding Butane configuration file and save it to the `/openshift` directory. For example, to create a manifest for the compute nodes, run the following command: + [source,terminal] 
@@ -264,7 +264,7 @@ $ butane $HOME/clusterconfig/worker-storage.bu -o /opens + Repeat this step for each node type that requires disk encryption or mirroring. -. Save the Butane configs in case you need to update the manifests in the future. +. Save the Butane configuration file in case you need to update the manifests in the future. . Continue with the remainder of the {product-title} installation. + diff --git a/modules/installation-vsphere-config-yaml.adoc b/modules/installation-vsphere-config-yaml.adoc index e1010f93eb..f3f5479b55 100644 --- a/modules/installation-vsphere-config-yaml.adoc +++ b/modules/installation-vsphere-config-yaml.adoc @@ -173,7 +173,7 @@ ifndef::openshift-origin[] + [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== endif::openshift-origin[] ifndef::restricted[] diff --git a/modules/machine-config-overview.adoc b/modules/machine-config-overview.adoc index 29e5a804f7..234312e206 100644 --- a/modules/machine-config-overview.adoc +++ b/modules/machine-config-overview.adoc 
@@ -62,7 +62,7 @@ ifndef::openshift-origin[] [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on `x86_64`, `ppc64le`, and `s390x` architectures. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== endif::openshift-origin[] * **extensions**: Extend {op-system} features by adding selected pre-packaged software. For this feature, available extensions include link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/security_hardening/index#protecting-systems-against-intrusive-usb-devices_security-hardening[usbguard] and kernel modules. diff --git a/modules/osdk-csv-manual-annotations.adoc b/modules/osdk-csv-manual-annotations.adoc index 6b24113109..e75b994736 100644 --- a/modules/osdk-csv-manual-annotations.adoc +++ b/modules/osdk-csv-manual-annotations.adoc 
@@ -37,7 +37,7 @@ The following table lists Operator metadata annotations that can be manually def [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on `x86_64`, `ppc64le`, and `s390x` architectures. +The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== - `proxy-aware`: Operator supports running on a cluster behind a proxy. Operator accepts the standard proxy environment variables `HTTP_PROXY` and `HTTPS_PROXY`, which Operator Lifecycle Manager (OLM) provides to the Operator automatically when the cluster is configured to use a proxy. Required environment variables are passed down to Operands for managed workloads. diff --git a/modules/rhel-compute-overview.adoc b/modules/rhel-compute-overview.adoc index 7552f9d5fd..d929632b68 100644 --- a/modules/rhel-compute-overview.adoc +++ b/modules/rhel-compute-overview.adoc 
@@ -8,7 +8,7 @@ [id="rhel-compute-overview_{context}"] = About adding RHEL compute nodes to a cluster -In {product-title} {product-version}, you have the option of using {op-system-base-full} machines as compute machines in your cluster if you use a user-provisioned or installer-provisioned infrastructure installation on the `x86_64` architecture. You must use {op-system-first} machines for the control plane machines in your cluster. +In {product-title} {product-version}, you have the option of using {op-system-base-full} machines as compute machines in your cluster if you use a user-provisioned or installer-provisioned infrastructure installation on the `x86_64`, `ppc64le`, and `s390x` architectures. You must use {op-system-first} machines for the control plane machines in your cluster. If you choose to use {op-system-base} compute machines in your cluster, you are responsible for all operating system life cycle management and maintenance. You must perform system updates, apply patches, and complete all other required tasks. diff --git a/modules/rhel-compute-requirements.adoc b/modules/rhel-compute-requirements.adoc index 1f2c298d1d..278cea02b8 100644 --- a/modules/rhel-compute-requirements.adoc +++ b/modules/rhel-compute-requirements.adoc 
@@ -33,7 +33,7 @@ For the most recent list of major functionality that has been deprecated or remo [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on `x86_64`, `ppc64le`, and `s390x` architectures. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== endif::[] ** NetworkManager 1.0 or later. diff --git a/modules/rosa-sts-interactive-cluster-creation-mode-options.adoc b/modules/rosa-sts-interactive-cluster-creation-mode-options.adoc index c783438dee..ae29555712 100644 --- a/modules/rosa-sts-interactive-cluster-creation-mode-options.adoc +++ b/modules/rosa-sts-interactive-cluster-creation-mode-options.adoc 
@@ -102,7 +102,7 @@ The ROSA with Hosted Control Planes functionality is currently offered as a Tech |Enable or disable FIPS mode. The default is `false` (disabled). If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with RHCOS instead. [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== |`Encrypt etcd data (optional)` diff --git a/modules/security-compliance-nist.adoc b/modules/security-compliance-nist.adoc index 5bbf82a089..ecc48c1f09 100644 --- a/modules/security-compliance-nist.adoc +++ b/modules/security-compliance-nist.adoc 
@@ -20,7 +20,7 @@ technologies are allowed on nodes. [IMPORTANT] ==== -The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures. ==== endif::openshift-origin[] diff --git a/modules/ssh-agent-using.adoc b/modules/ssh-agent-using.adoc index a11a803f7e..ab18cc69a4 100644 --- a/modules/ssh-agent-using.adoc +++ b/modules/ssh-agent-using.adoc @@ -175,7 +175,7 @@ $ ssh-keygen -t ed25519 -N '' -f / <1> ifndef::ibm-power-vs[] [NOTE] ==== -If you plan to install an {product-title} cluster that uses FIPS Validated / Modules in Process cryptographic libraries on the `x86_64` architecture, do not create a key that uses the `ed25519` algorithm. Instead, create a key that uses the `rsa` or `ecdsa` algorithm. +If you plan to install an {product-title} cluster that uses FIPS validated or Modules In Process cryptographic libraries on the `x86_64`, `ppc64le`, and `s390x` architectures. do not create a key that uses the `ed25519` algorithm. Instead, create a key that uses the `rsa` or `ecdsa` algorithm. ==== endif::ibm-power-vs[] diff --git a/service_mesh/v2x/ossm-reference-jaeger.adoc b/service_mesh/v2x/ossm-reference-jaeger.adoc index 829579e013..907fdebafc 100644 --- a/service_mesh/v2x/ossm-reference-jaeger.adoc +++ b/service_mesh/v2x/ossm-reference-jaeger.adoc 
@@ -8,6 +8,11 @@ toc::[] When the {SMProductShortName} Operator deploys the `ServiceMeshControlPlane` resource, it can also create the resources for distributed tracing. {SMProductShortName} uses Jaeger for distributed tracing. +[IMPORTANT] +==== +Jaeger does not use FIPS validated cryptographic modules. +==== + include::modules/ossm-enabling-jaeger.adoc[leveloffset=+1] include::modules/ossm-config-smcp-jaeger.adoc[leveloffset=+1]
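Review bot: In the first installation-special-config-storage.adoc hunk, the new sentence about running the installation program from a FIPS-mode RHEL host is prepended to an admonition that is about Butane configuration files for disk encryption and mirroring, and the two unrelated statements now sit in one run-on line ("...[Installing the system in FIPS mode]. If you are configuring nodes to use both disk encryption and mirroring..."). Put the installer-host requirement in its own `[IMPORTANT]` block (or leave it to the FIPS installation page that introduces it) and keep this admonition focused on the Butane rule that both features, plus the `fips` directive, must live in the same file.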
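Review bot: In the second installation-special-config-storage.adoc hunk, changing "Save the Butane configs" to "Save the Butane configuration file" makes the step singular, but the preceding step says "Repeat this step for each node type that requires disk encryption or mirroring", so there is normally more than one file. Use the plural: "Save the Butane configuration files in case you need to update the manifests in the future."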
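Review bot: The installation-vsphere-config-yaml.adoc hunk replaces "only supported on ... the `x86_64` architecture" with "the `x86_64`, `ppc64le`, and `s390x` architectures", but this module documents vSphere installations, and vSphere deployments of the product run on `x86_64` only, so the original architecture statement was correct for this file. Either keep the `x86_64` wording here or drop the architecture sentence from the vSphere module and leave the platform-independent list to the general FIPS page.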
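Review bot: The machine-config-overview.adoc hunk is the fifth copy of the same two-sentence FIPS admonition in this patch (installation-special-config-storage, installation-vsphere-config-yaml, rhel-compute-requirements, rosa-sts-interactive-cluster-creation-mode-options and security-compliance-nist carry it as well), and the copies are already diverging: osdk-csv-manual-annotations.adoc gets only the architecture sentence and ssh-agent-using.adoc gets a different wording. Move the admonition into a single snippet that the modules pull in with `include::` (or an attribute in `_attributes/common-attributes.adoc`), so the next change to the FIPS requirement is made once. Separately, this hunk links the FIPS text to RHEL 9 documentation while the `usbguard` link two lines below points at RHEL 8; pick one RHEL version for the module or make the version an attribute.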
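Review bot: The rhel-compute-overview.adoc hunk does not touch a FIPS admonition; it widens a supportability statement, changing RHEL compute machines from "on the `x86_64` architecture" to "on the `x86_64`, `ppc64le`, and `s390x` architectures". Nothing else in this patch supports that change, and the FIPS architecture list is a different statement from the RHEL-compute architecture list. Unless product has confirmed RHEL compute nodes on `ppc64le` and `s390x`, revert this hunk and, if the support statement does need updating, make it in its own change with that confirmation referenced.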
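Review bot: The rosa-sts-interactive-cluster-creation-mode-options.adoc hunk tells the reader to "run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode", but this module documents the interactive `rosa` cluster-creation prompts for a managed service: the user never runs the installation program, so the instruction cannot be followed here and reads as an error. Also, the new architecture list (`ppc64le`, `s390x`) does not fit a service that runs on AWS. Keep the admonition in this module to what a ROSA user can act on (the FIPS mode prompt and its effect on RHCOS) and drop the installer-host and architecture sentences, or reword them for the `rosa` CLI if there is an equivalent requirement.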
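Review bot: The ssh-agent-using.adoc hunk introduces a typo: "on the `x86_64`, `ppc64le`, and `s390x` architectures. do not create a key" has a period where a comma belongs and a lowercase start to the main clause. The architecture clause is also now vacuous, since it lists every architecture on which FIPS is supported, so the condition can simply be dropped: "If you plan to install an {product-title} cluster that uses FIPS validated or Modules In Process cryptographic libraries, do not create a key that uses the `ed25519` algorithm. Instead, create a key that uses the `rsa` or `ecdsa` algorithm."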
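Review bot: The ossm-reference-jaeger.adoc hunk states "Jaeger does not use FIPS validated cryptographic modules" but not what that means for a reader who enabled FIPS mode on the cluster. Add one sentence with the consequence, for example that enabling distributed tracing with Jaeger on a FIPS-mode cluster places the tracing components, and the trace data they transmit and store, outside the cluster's FIPS-validated cryptography, so the reader can decide whether tracing belongs in their compliance scope.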