Validate FIPS operations in your cluster

You can use the FIPS validation tool to verify that specific components and services are FIPS-compliant by checking the signatures of the files against a signed signature file, and by checking that services are using the certified algorithms.

Download Signature Files

You need to download an appropriate, signed signature file before you run validation. Use the links in the table that follows to obtain a valid file:

EL version   Kubernetes version   Manifest URL
7            v1.21.3              v1.21.3 EL 7 Manifest
8            v1.21.3              v1.21.3 EL 8 Manifest
7            v1.21.6              v1.21.6 EL 7 Manifest
8            v1.21.6              v1.21.6 EL 8 Manifest

Run FIPS validation

To validate that specific components and services are FIPS-compliant, run the command:

dkp check cluster fips --signature-file=manifest.asc --signature-configmap=signatures --output-configmap=output

The full command usage and flags include:

dkp check cluster fips [flags]

Flags:

  -h, --help                     help for fips
  -n, --namespace string         If present, the namespace scope for this CLI request. (default "default")
      --output-configmap string      ConfigMap with fips signature data to verify. [required]
      --signature-configmap string   ConfigMap with fips signature data to verify. [required]
      --signature-file string        File containing fips signature data.

Validation command example

Upon successful completion, the command’s output displays details about the deployment in JSON format. If validation fails, the command returns a non-zero status.

For example, to validate FIPS-mode operation with the signature file, manifest-rhel8.json.asc, you would run the following command:

dkp check cluster fips \
 --signature-file manifest-rhel8.json.asc \
 --signature-configmap prod-rhel8-fips-signatures \
 --output-configmap prod-rhel8-fips-validation

Run FIPS validation with existing ConfigMap

If you already have a signature ConfigMap, you can omit the --signature-file flag, as in the following sample command:

dkp check cluster fips \
 --signature-configmap prod-rhel8-fips-signatures \
 --output-configmap prod-rhel8-fips-validation

In this case, the validation tool checks the cluster using the existing signature data and returns deployment details in JSON format.
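The following shell wrapper is an added example, not part of the DKP documentation or the dkp tool itself. It shows how the two invocations above (with and without --signature-file) can be driven from a CI job so that the job fails closed on a non-zero exit status and the JSON report is kept. The DKP_BIN variable, the fips_validate and fips_gate function names, and the precondition checks are assumptions of this example; the flags are the ones listed on this page.

```shell
#!/bin/sh
# Added example (not D2iQ's tooling): run `dkp check cluster fips` from a
# pipeline, fail closed on a non-zero status and keep the JSON report.
# DKP_BIN (assumption) lets a caller point at a different dkp binary.

# fips_validate SIGNATURE_CONFIGMAP OUTPUT_CONFIGMAP [SIGNATURE_FILE] [NAMESPACE]
# Prints the validator's JSON on stdout; returns the validator's exit status
# (2 if the arguments are unusable, without calling dkp at all).
fips_validate() {
    sig_cm="$1"; out_cm="$2"; sig_file="${3:-}"; ns="${4:-}"
    # Both ConfigMap flags are marked [required] in the command usage.
    if [ -z "$sig_cm" ] || [ -z "$out_cm" ]; then
        echo "fips_validate: signature and output ConfigMap names are required" >&2
        return 2
    fi
    # --signature-file is optional; if given, make sure it exists before
    # asking the cluster to verify against it.
    if [ -n "$sig_file" ] && [ ! -r "$sig_file" ]; then
        echo "fips_validate: signature file '$sig_file' is not readable" >&2
        return 2
    fi
    # Build the argument list; positional parameters are the only portable
    # array in POSIX sh.
    set -- check cluster fips --signature-configmap "$sig_cm" --output-configmap "$out_cm"
    [ -n "$sig_file" ] && set -- "$@" --signature-file "$sig_file"
    [ -n "$ns" ] && set -- "$@" --namespace "$ns"
    "${DKP_BIN:-dkp}" "$@"
}

# fips_gate REPORT_FILE SIGNATURE_CONFIGMAP OUTPUT_CONFIGMAP [SIGNATURE_FILE] [NAMESPACE]
# Writes the JSON report to REPORT_FILE and returns non-zero if validation
# failed, so `set -e` pipelines stop at this step.
fips_gate() {
    report="$1"; shift
    if fips_validate "$@" > "$report"; then
        echo "FIPS validation passed; report written to $report"
    else
        rc=$?
        echo "FIPS validation FAILED (exit $rc); see $report" >&2
        return "$rc"
    fi
}

# Usage (mirrors the documented examples):
#   fips_gate fips-report.json prod-rhel8-fips-signatures prod-rhel8-fips-validation manifest-rhel8.json.asc
#   fips_gate fips-report.json prod-rhel8-fips-signatures prod-rhel8-fips-validation
```

The report file is worth archiving as a build artefact: the JSON is the evidence that the component signatures and algorithm checks passed for that deployment, and the exit status alone does not record which checks ran.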