FIPS Validate
The fips-validate
command checks the
Federal Information Processing Standards
(FIPS) compliance of your Kubernetes clusters. You can use the command to ensure that your clusters are FIPS-compliant
by scanning the images and exposed service endpoints in your clusters.
If you have the environment variable KUBECONFIG
set, the fips-validate
will automatically use the kubeconfig file
and skip prompting you for the kubeconfig file path.
Subcommands
The fips-validate
command exposes the following subcommands:
-
images
: Validate the FIPS compliance of the images in your clusters. -
services
: Validate the FIPS compliance of the service endpoints in your clusters. -
clean
: Remove the FIPS validation resources from your clusters.
Prerequisites
The fips-validate
command requires the following prerequisites:
-
Ensure you have access to the kubeconfig file for the cluster that you want to validate. The file needs to be accessible from the machine where you issue the
fips-validate
command. Refer to the Set up Kubectl guide to learn how to get the kubeconfig file for your cluster. -
Sufficient permissions to create a new namespace and deploy resources in the namespace. We recommend using an elevated ClusterRole such as cluster-admin to ensure that the command can create the necessary resources.
-
The Kubernetes cluster must be accessible from the machine where you issue the
fips-validate
command. Ensure that the kubeconfig file is correctly configured to access the cluster. -
The Kubernetes cluster must have internet access to download the images when using the
images
subcommand.
Limitations
-
The only supported runtime is Go. Images with binaries compiled in other languages are marked as
unknown
in the report. -
Only services exposing port
443
are verified. -
Non-HTTP based service endpoints are not supported.
Images
The images
subcommand validates the FIPS compliance of the images in your clusters. The command scans all the images
of active containers. The image is downloaded from the source and unpacked through Luet and all
files that are Executable and Linkable Format binaries are scanned. The scan checks if the binaries are compiled with
FIPS compliant cryptographic libraries.
To enable the scan, the command deploys resources into a Kubernetes namespace named vertex-ns
, unless otherwise
specified, in the target cluster. Upon completion of the scan, the command prints the results of the scan to the
terminal and cleans up the resources from the cluster.
The images
subcommand accepts the following flags:
Short Flag | Long Flag | Description | Type |
---|---|---|---|
-n | --namespace | The namespace in which to deploy the resources for the FIPS scan. The default namespace is vertex-ns | string |
-f | --out | The output file path to save the scan results. The default output is the terminal. | string |
-h | --help | Display the help message for the images subcommand. | boolean |
Limitations
- Images hosted in private registries are not supported.
- Only Go binaries are supported. Images with binaries compiled in other languages are marked as
unknown
in the report.
Examples
Validate the FIPS compliance of the images in your cluster.
palette fips-validate images
Validate the FIPS compliance of the images in your cluster and save the results to a file.
palette fips-validate images --out /path/to/fips-scan-results.txt
Validate the FIPS compliance of the images in your cluster and deploy the resources in a custom namespace.
palette fips-validate images --namespace my-scan-ns
Review Results
The report contains a list of images and the FIPS compliance status of the binaries in the images. Each row in the report contains the following columns:
Column | Description |
---|---|
NO. | The number of the image in the order of the scan. |
BINARY | The name of the executable binary. |
ARCH | The architecture of the binary. |
PATH | The path of the binary in the image. |
VERSION | The version of the programming language used to create the binary. Go is the only supported language from a version detection capability. |
EXE | How the binary was compiled, either statically or dynamically. |
CRYPTO | The cryptographic library used to compile the binary. |
The following is an example of the FIPS compliance report. The validated image is FIPS compliant as the binary is compiled with the BoringSSL cryptographic library.
---------------------------------------------------------------
image: gcr.io/spectro-images-public/release-fips/cluster-api-aws/cluster-api-aws-controller:v1.5.2-spectro-4.3.0
┌─────┬─────────┬────────┬──────────┬──────────┬────────┬────────┐
│ NO. │ BINARY │ ARCH │ PATH │ VERSION │ EXE │ CRYPTO │
├─────┼─────────┼────────┼──────────┼────── ────┼────────┼────────┤
│ 1 │ manager │ x86-64 │ /manager │ go1.21.6 │ static │ boring │
└─────┴─────────┴────────┴──────────┴──────────┴────────┴────────┘
If the scan is not able to determine the FIPS compliance status of a binary, the status is marked as unknown
in the
summary section. The individual row will contain a note stating the reason for the unknown status.
image: ghcr.io/spectrocloud/hello-universe:1.1.1
note: binaries are not using boring crypto and/or not statically linked
┌─────┬──────────────────┬────────┬─────────────────────────────────┬─────────┬────────┬─────────┐
│ NO. │ BINARY │ ARCH │ PATH │ VERSION │ EXE │ CRYPTO │
├─────┼──────────────────┼────────┼─────────────────────────────────┼─────────┼────────┼─────────┤
│ 1 │ legacy.so │ x86-64 │ /usr/lib/ossl-modules/legacy.so │ unknown │ static │ openssl │
│ 2 │ padlock.so │ x86-64 │ /usr/lib/engines-3/padlock.so │ unknown │ static │ openssl │
│ 3 │ libcurl.so.4.8.0 │ x86-64 │ /usr/lib/libcurl.so.4.8.0 │ unknown │ static │ openssl │
│ 4 │ node │ x86-64 │ /usr/local/bin/node │ unknown │ static │ openssl │
│ 5 │ libcrypto.so.3 │ x86-64 │ /lib/libcrypto.so.3 │ unknown │ static │ openssl │
└─────┴──────────────────┴────────┴─────────────────────────────────┴─────────┴────────┴─────────┘
The end of the report contains a summary of the scan results. The summary includes all the images scanned and the status of each image.
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬─────────┐
│ IMAGE │ STATUS │
|---------------------------------------------------------------------------------------------------------------------------|
│ gcr.io/spectro-dev-public/vishu/spectro-drive:latest │ unknown │
│ gcr.io/spectro-images-public/release/kube-rbac-proxy:spectro-v0.14.0-20230508 │ failed │
│ gcr.io/spectro-images-public/release-fips/system-upgrade-controller:v0.11.4_spectro │ passed │
│ us-east1-docker.pkg.dev/spectro-palette-images/public/daily-fips/upgrade:20240305.0000 │ passed │
│ gcr.io/spectro-images-fips/kube-scheduler:v1.28.5 │ passed │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴─────────┘
Services
The services
subcommand validates the FIPS compliance of the service endpoints in your clusters. The command scans the
service endpoints and conducts a handshake with each endpoint through testssl. The handshake is
used to verify if the service endpoint is using FIPS compliant TLS versions and cryptographic ciphers. The service
endpoint's certificate is also verified if it's within a valid timeframe by verifying its start and expiration dates.
The following flags are available for the services
subcommand:
Short Flag | Long Flag | Description | Type |
---|---|---|---|
-n | --namespace | The namespace in which to deploy the resources for the FIPS scan. The default namespace is vertex-ns | string |
-f | --out | The output file path to save the scan results. The default output is the terminal. | string |
-h | --help | Display the help message for the images subcommand. | boolean |
Checks
The following is a list of checks is performed by the services
subcommand:
Check | Description |
---|---|
cipher-tls12 | Verifies TLS 1.2 cipher suites. |
cipher-tls13 | Verifies TLS 1.3 cipher suites. |
SSLv2, SSLv3, TLS1, TLS1_1 | Checks for the presence of deprecated SSL/TLS versions. |
cipherlist_NULL | Checks for the presence of NULL encryption cipher suites. |
cipherlist_aNULL | Checks for the presence of aNULL encryption cipher suites. |
cipherlist_EXPORT | Checks for the presence of EXPORT encryption cipher suites. |
cipherlist_3DES_IDEA | Checks for the presence of 3DES and IDEA encryption cipher suites. |
cipherlist_OBSOLETED | Checks for the presence of obsoleted encryption cipher suites. |
cipherlist_LOW | Checks for the presence of LOW encryption cipher suites. |
cert_notBefore | Validates the start date of the certificate. |
cert_notAfter | Validates the expiration date of the certificate. |
FS_TLS12_sig_algs | Verifies the supported signature algorithms for TLS 1.2. |
HSTS | Validates the presence of HTTP Strict Transport Security (HSTS) headers. |
DNS_CAArecord | Confirms the presence of DNS Certification Authority Authorization (CAA) records. |
security_headers | Checks for the presence of recommended security headers. Refer to testssl.sh documentation for more context. Search for the --header description. |
overall_grade | Assesses the overall security grade of the configuration. |
cert_ | Ensures certificate-related configurations meet requirements, excluding specific cases. |
Examples
Validate the FIPS compliance of the service endpoints in your cluster.
palette fips-validate services
Validate the FIPS compliance of the service endpoints in your cluster and save the results to a file.
palette fips-validate services --out /path/to/fips-scan-results.txt
Validate the FIPS compliance of the service endpoints in your cluster and deploy the resources in a custom namespace.
palette fips-validate services --namespace my-scan-ns
Review Results
The report contains a list of service endpoints and the FIPS compliance status of the service endpoints. Each row in the report contains the following columns:
Column | Description |
---|---|
NO. | The number of the service endpoint in the order of the scan. |
ID | The finding identifier. |
FINDING | The description of the finding. Depending on the finding, you may receive a technical finding. Refer to the Findings section in case you receive a technical finding. |
SEVERITY | The severity of the finding. |
STATUS | The status of the finding. Allowed values are PASSED or FAILED . |
endpoint: oldrelease-vc1.cluster-65ea4b3b9fe382461d51fbb3
┌─────┬────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ────────────────┬──────────┬────────┐
│ NO. │ ID │ FINDING │ SEVERITY │ STATUS │
├─────┼────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼──────────┼────────┤
│ 1 │ cipherlist_OBSOLETED │ offered │ CRITICAL │ FAILED │
│ 2 │ cipher-tls1_2_xcca9 │ TLSv1.2 xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 │ HIGH │ FAILED │
│ 3 │ cipher-tls1_3_x1303 │ TLSv1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 │ HIGH │ FAILED │
│ 4 │ Cache-Control_multiple │ Multiple Cache-Control headers. Using first header: no-cache, private │ MEDIUM │ FAILED │
│ 5 │ LUCKY13 │ potentially vulnerable, uses TLS CBC ciphers │ LOW │ FAILED │
└─────┴────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴──────────┴────────┘
Findings
A finding is a result of a failed check. The FINDING
column may contain technical details of the finding. The
technical finding contains the following information:
-
The TLS version
-
The cipher suite HEX code.
-
The name of the cipher suite.
-
The key exchange algorithm.
-
The encryption algorithm.
-
The encryption key length.
-
The authentication algorithm.
To help you better understand technical findings values, use the following example.
TLSv1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
The table below explains the example finding value and what each value represents. The values are separated by a space.
Value | Explanation |
---|---|
TLSv1.3 | The TLS version. |
x1303 | The cipher suite HEX code. |
TLS_CHACHA20_POLY1305_SHA256 | The name of the cipher suite. |
ECDH 253 | The key exchange algorithm. |
ChaCha20 | The encryption algorithm. |
256 | The encryption key length. |
TLS_CHACHA20_POLY1305_SHA256 | The authentication algorithm. |
The service endpoint is using the TLSv1.3
version with TLS_CHACHA20_POLY1305_SHA256
cipher suit. The TLS version and
the cipher suite is not considered FIPS compliant and the status is marked as FAILED
.
A successful check will not have a finding identifier. The following is an example of a successful check.
---------------------------------------------------------------
endpoint: palette-webhook-service.palette-system
note: all validations passed
---------------------------------------------------------------
The end of the report contains a summary of the scan results. The summary includes all the service endpoints scanned and the status of each endpoint. Below is an example of the summary section.
┌────────────────────────────────────────────────────────────────┬────────┐
│ ENDPOINT │ STATUS │
├────────────────────────────────────────────────────────────────┼────────┤
│ capa-webhook-service.capi-webhook-system │ passed │
│ capi-kubeadm-bootstrap-webhook-service.capi-webhook-system │ passed │
│ capi-kubeadm-control-plane-webhook-service.capi-webhook-system │ passed │
│ capi-webhook-service.capi-webhook-system │ passed │
│ capvc-webhook-service.capi-webhook-system │ failed │
│ cert-manager-webhook.cert-manager │ passed │
│ metrics-server.cluster-65e4cb59cbfc84ea5877af4c │ passed │
│ oldrelease-vc1.cluster-65ea4b3b9fe382461d51fbb3 │ failed │
│ oldrelease-vc1-headless.cluster-65ea4b3b9fe382461d51fbb3 │ failed │
│ oldrelease-vc1-lb.cluster-65ea4b3b9fe382461d51fbb3 │ failed │
│ kubernetes.default │ passed │
│ palette-webhook-service.palette-system │ passed │
│ 10-0-3-97.kubernetes.default:2380 │ failed │
│ 10-0-3-97.kubernetes.default:10250 │ passed │
└──────────────────────────────────────────── ────────────────────┴────────┘
Clean
The clean
subcommand removes the FIPS validation resources from your clusters. The command is intended to be used in
scenarios where the images
or services
subcommands may fail to clean up the resources from the cluster. As a
workaround, you can manually trigger the clean
subcommand to remove the resources from the cluster.
The clean
subcommand accepts the following flags:
Short Flag | Long Flag | Description | Type |
---|---|---|---|
-h | --help | Display the help message for the clean subcommand. | boolean |
Examples
Remove the FIPS validation resources from your cluster.
export KUBECONFIG=/path/to/kubeconfig
palette fips-validate clean