You can use the FIPS validation tool to verify that specific components and services are FIPS-compliant. It checks the signatures of the installed files against a signed signature (manifest) file, and it checks that services are using FIPS-validated cryptographic algorithms.
Download Signature Files
You need to download an appropriate, signed signature file before you run validation. Use the links in the table that follows to obtain a valid file:
| EL version | Kubernetes version | Manifest URL |
|---|---|---|
| 7 | v1.21.3 | v1.21.3 EL 7 Manifest |
| 8 | v1.21.3 | v1.21.3 EL 8 Manifest |
| 7 | v1.21.6 | v1.21.6 EL 7 Manifest |
| 8 | v1.21.6 | v1.21.6 EL 8 Manifest |
Run FIPS validation
To validate that specific components and services are FIPS-compliant, run the command:
dkp check cluster fips --signature-file=manifest.asc --signature-configmap=signatures --output-configmap=output
The full command usage and flags include:
dkp check cluster fips [flags]
Flags:
-h, --help help for fips
-n, --namespace string If present, the namespace scope for this CLI request. (default "default")
--output-configmap string ConfigMap in which the validation results are stored. [required]
--signature-configmap string ConfigMap with fips signature data to verify. [required]
--signature-file string File containing fips signature data.
Validation command example
Upon successful completion, the command's output displays details about the deployment in JSON format. If validation fails, the command returns a non-zero exit status, so the result can be checked from a script or CI job.
For example, to validate FIPS-mode operation with the signature file manifest-rhel8.json.asc, you would run the following command:
dkp check cluster fips \
--signature-file manifest-rhel8.json.asc \
--signature-configmap prod-rhel8-fips-signatures \
--output-configmap prod-rhel8-fips-validation
Run FIPS validation with existing ConfigMap
If you already have a signature ConfigMap from a previous run, you can omit the --signature-file flag, as in the following sample command:
dkp check cluster fips \
--signature-configmap prod-rhel8-fips-signatures \
--output-configmap prod-rhel8-fips-validation
In this case, the validation tool checks the cluster using the existing signature data and returns deployment details in JSON format.
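The following wrapper ties the two invocations above together for use in a CI job. It is an added example, not part of DKP or of the original page. It assumes (these are not stated on the page) that the dkp binary can be selected through the DKP_BIN variable, that the JSON report is written to standard output and can therefore be redirected to a file, and that the namespace is passed with --namespace. The function refuses to run when a signature file is named but is missing or empty, passes the signature file only when one is given (otherwise the existing signature ConfigMap is used), and returns the exit status of dkp unchanged.

```shell
#!/bin/sh
# Wrapper around `dkp check cluster fips` for scripted FIPS validation.
# Added example; not code from DKP or from the original documentation.
# Assumption: DKP_BIN points at the dkp binary (defaults to "dkp" on PATH).
DKP_BIN="${DKP_BIN:-dkp}"

# fips_check NAMESPACE SIG_CONFIGMAP OUT_CONFIGMAP REPORT_FILE [SIGNATURE_FILE]
#   NAMESPACE      namespace passed with --namespace
#   SIG_CONFIGMAP  ConfigMap holding the signature data (--signature-configmap)
#   OUT_CONFIGMAP  ConfigMap that receives the results (--output-configmap)
#   REPORT_FILE    where the JSON report printed by dkp is saved (assumption:
#                  the report goes to stdout)
#   SIGNATURE_FILE optional signed manifest (.asc); when omitted, the existing
#                  signature ConfigMap is used, as in the second example above
# Returns 2 if a named signature file is unusable, otherwise dkp's exit status
# (non-zero means validation failed).
fips_check() {
    ns="$1"; sig_cm="$2"; out_cm="$3"; report="$4"; sig_file="${5:-}"

    if [ -n "$sig_file" ]; then
        # Fail before touching the cluster if the manifest is absent or empty;
        # an empty file would otherwise produce a confusing signature error.
        if [ ! -s "$sig_file" ]; then
            echo "fips_check: signature file '$sig_file' missing or empty" >&2
            return 2
        fi
        "$DKP_BIN" check cluster fips \
            --namespace "$ns" \
            --signature-file "$sig_file" \
            --signature-configmap "$sig_cm" \
            --output-configmap "$out_cm" > "$report"
    else
        "$DKP_BIN" check cluster fips \
            --namespace "$ns" \
            --signature-configmap "$sig_cm" \
            --output-configmap "$out_cm" > "$report"
    fi
}

# Usage from a pipeline (exit status propagates to the job):
#   fips_check default prod-rhel8-fips-signatures prod-rhel8-fips-validation \
#       fips-report.json manifest-rhel8.json.asc
```

Keep the saved report together with the manifest that was used for the run; the report alone does not record which signature file it was checked against.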