Analyze FIPS support #7781
Comments
@rikatz: Guidelines: Please ensure that the issue body includes answers to the following questions:
For more details on the requirements of such an issue, please see here and ensure that they are met. If this request no longer meets these requirements, the label can be removed. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@rikatz: This issue is currently awaiting triage. If Ingress contributors determine this is a relevant issue, they will accept it by applying the label. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@rikatz for inspiration :) aledbf@ead3cba
Also check this rancher/rke2#659 (comment)
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/lifecycle frozen
See #3543 for discussions on this. I already have changes that can be upstreamed to provide FIPS support, but we would have to decide whether to make UBI the default base image, or provide a separate image.
UBI offers a number of advantages, though the image size is a bit larger:
* Makes it possible for NGINX to run in a FIPS environment. The OpenSSL libraries are FIPS-validated.
* Provides more security over Alpine. Red Hat addresses security issues faster than Alpine.
* Alpine's use of musl may cause slightly different behavior than glibc (e.g. with DNS).
OpenSSL 3.0 is now certified and also available in Alpine 3.16 or later. NGINX also supports OpenSSL 3 in 1.22+, and the Go code would just need to be compiled using goboring.
Thanks for linking to this, I see this FIPS fork has been well maintained so far. So to check in as an update to Stan's PR that was closed in April 2022: are there currently any plans to upstream these changes to provide more native FIPS support?
So, something here: I'm not sure of the implications of it, and we probably also need boringcrypto for Go builds. On the PR, I'm not sure we want to move away from Alpine; instead I would like to:
/close We don't have ppl willing to maintain this, and I won't be able to work on it.
@rikatz: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Some folks reached me about FIPS support / compliance, specifically when ingress-nginx is used with govt stuff.
I'm not aware of how to deal with this yet (as far as I have read, we can use some OpenSSL module from a specific distro, or compile using BoringSSL), and there is also an NGINX Inc. module to verify this compliance.
Not sure what we should look into here yet, but it seems like something that will be requested more in the future :)
/help
/kind feature