FIPS compliance - zhuje/openshift-wiki GitHub Wiki

Official Docs

https://docs.google.com/document/d/1CTpSwITQfOgoOTlPITZNJZy0ltYz60hxkmWsLemCqw0/edit#heading=h.9fkl85d6p0c5

Related OU PR

https://issues.redhat.com/browse/OU-446

Objective

FIPS compliance is a government standard (Advanced Encryption Standard) that must be met by any library that is imported in our application. Common libraries that do NOT meet this standard are:

  • x/crypto for golang
  • bcrypt1 in JavaScript
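A local pre-CI check for the first item, as an added example that is not part of this wiki or of the OpenShift CI tooling: it parses a Go source file with go/parser and reports imports of golang.org/x/crypto or any package below it. The function name `FlaggedImports` and the sample source are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// flaggedPrefix is the Go module the wiki lists as not FIPS compliant.
const flaggedPrefix = "golang.org/x/crypto"

// FlaggedImports parses one Go source file (import section only) and returns,
// in source order, the import paths that are golang.org/x/crypto or below it.
// FlaggedImports is a hypothetical helper name, not an existing tool.
func FlaggedImports(filename string, src []byte) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, imp := range f.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			return nil, err
		}
		// Match the module root or a subpackage, not lookalike paths
		// such as golang.org/x/cryptography.
		if path == flaggedPrefix || strings.HasPrefix(path, flaggedPrefix+"/") {
			hits = append(hits, path)
		}
	}
	return hits, nil
}

// sampleSrc is a constructed file: one standard-library import, one flagged
// import behind an alias, and one lookalike path that must not be flagged.
const sampleSrc = `package demo
import "crypto/sha256"
import bc "golang.org/x/crypto/bcrypt"
import _ "golang.org/x/cryptography/fake"
`

func main() {
	hits, err := FlaggedImports("demo.go", []byte(sampleSrc))
	fmt.Println(hits, err)
}
```

This only inspects source imports; it does not replace the image scan that runs in CI.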

openshift/release -- configuration held for openshift repo CI

We need to add a reference to fips-check-image-scan so that our repositories are scanned for FIPS compliance when the CI is run. See the example below.

https://github.com/openshift/release/blob/master/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml

How it works

  • Node, Operator, and Images must all work with the same version of the operating system (currently RHEL 9 is the standard, as of August 26, 2024).

Other Resources

  • https://docs.google.com/document/d/1CTpSwITQfOgoOTlPITZNJZy0ltYz60hxkmWsLemCqw0/edit?tab=t.0#heading=h.9fkl85d6p0c5
  • https://docs.google.com/document/d/1xqlMDSxT5VPT0JNzjkFSzszS_gk8O8aEbcpe_fEg540/edit?tab=t.0#heading=h.ncf7t4l1lmqq
  • https://docs.google.com/document/d/1EMXp9jCy17_6-Iqsn3z12I7YlT2YFIvQ8seaBkdfeDs/edit?tab=t.0
  • https://docs.google.com/presentation/d/1o3IowxHX6BsnxGkIInaQ0lBgnn_K5Ex8jxwCYCeNsqs/edit#slide=id.g25069596393_0_13
  • https://docs.google.com/presentation/d/1kTagP3XZkuIzgdvEyIaAipeq6oNHUCUBjHhbAJJvDus/edit#slide=id.g1ef8d9dec51_0_1954