Host deployment for FIPS#
Before you run a FIPS-enabled MKE 4 installation, you must syncrhonize the FIPS k0s binary to your hosts.
MKE 4 installs the FIPS k0s binary on each target host as-is and does not
install or configure host OS dependencies for that binary. Thus, each target
host must be prepared ahead of time with the required runtime libraries,
including libcrypto3-mirantis, to ensure that the FIPS k0s binary will run
successfully following synchronization.
Note
The dependency set that you you will install is dependent on your Linux distribution. For a list of the Linux distributions that MKE 4 supports, refer to the MKE 4 system requirements.
Prepare the FIPS host template#
Preparing the host template involves the installation of the
required dependencies, the configuration of the Mirantis FIPS repository, and
the creation of the libcrypto-k0s.so.3 symlinks for the detected distribution.
All of this is accomplished using the following prepare-fips.sh script, which
you can either run standalone on a target host (sudo bash prepare-fips.sh), or
you can supply it as cloud-init user data.
Note
Host preparation is only required for clusters for which the
fips.enabled: is set to true.
#!/bin/bash
# Prepare FIPS libcrypto for k0s on Linux hosts.
set -euo pipefail
K0S_CRYPTO_UBUNTU_SRC="/usr/lib/x86_64-linux-gnu/libcrypto3-mirantis/libcrypto.so.3"
K0S_CRYPTO_UBUNTU_DST="/usr/lib/x86_64-linux-gnu/libcrypto-k0s.so.3"
K0S_CRYPTO_RPM_SRC="/usr/lib64/libcrypto3-mirantis/libcrypto.so.3"
K0S_CRYPTO_RPM_DST="/usr/lib64/libcrypto-k0s.so.3"
install_ubuntu_libcrypto() {
apt-get update
apt-get install -y --no-install-recommends ca-certificates curl gnupg
mkdir -p /usr/share/keyrings
curl -fsSL https://repos.mirantis.com/ubuntu/gpg \
| gpg --batch --yes --dearmor -o /usr/share/keyrings/mirantis-archive-keyring.gpg
printf '%s\n' \
'Types: deb' \
'URIs: https://repos.mirantis.com/ubuntu' \
'Suites: jammy' \
'Architectures: amd64' \
'Components: stable-25.0/fips' \
'Signed-By: /usr/share/keyrings/mirantis-archive-keyring.gpg' \
>/etc/apt/sources.list.d/mirantis.sources
apt-get update
apt-get install -y --no-install-recommends libcrypto3-mirantis
mkdir -p "$(dirname "${K0S_CRYPTO_RPM_SRC}")"
ln -sfn "${K0S_CRYPTO_UBUNTU_SRC}" "${K0S_CRYPTO_UBUNTU_DST}"
ln -sfn "${K0S_CRYPTO_UBUNTU_SRC}" "${K0S_CRYPTO_RPM_SRC}"
ln -sfn "${K0S_CRYPTO_RPM_SRC}" "${K0S_CRYPTO_RPM_DST}"
ldconfig
}
install_rpm_libcrypto() {
local repo_os="$1"
cat >/etc/yum.repos.d/mirantis-fips.repo <<EOF
[mirantis-fips]
name=Mirantis Container Runtime FIPS
baseurl=https://repos.mirantis.com/${repo_os}/\$releasever/\$basearch/stable-25.0/fips
enabled=1
gpgcheck=1
gpgkey=https://repos.mirantis.com/${repo_os}/gpg
module_hotfixes=true
EOF
yum install -y libcrypto3-mirantis
ln -sfn "${K0S_CRYPTO_RPM_SRC}" "${K0S_CRYPTO_RPM_DST}"
ldconfig
}
. /etc/os-release
case "${ID}" in
ubuntu)
install_ubuntu_libcrypto
;;
rhel | rocky | centos)
install_rpm_libcrypto "${ID}"
;;
ol | oracle | oraclelinux)
install_rpm_libcrypto "oraclelinux"
;;
*)
echo "Skipping libcrypto3-mirantis setup for unsupported distro ID=${ID}"
;;
esac
Enable FIPS mode#
FIPS mode is a cluster-wide setting that you select at the time of cluster
creation, through the fips.enabled parameter in the cluster spec.
-
For a standalone/management cluster using
MkeConfig:apiVersion: mke.mirantis.com/v1alpha1 kind: MkeConfig spec: fips: enabled: true # ... -
For a child cluster using
MkeChildConfig:apiVersion: mke.mirantis.com/v1alpha1 kind: MkeChildConfig spec: fips: enabled: true # ...
Warning
The fips.enabled parameter is immutable, and thus it
must be set correctly at cluster creation time. Enabling FIPS on an existing
non-FIPS cluster is not supported, nor is disabling FIPS on a cluster
originally created with it enabled. Any attempt to modify this parameter
after creation will be rejected by the Kubernetes API server.