Create FIPS 140 Images

Use Konvoy Image Builder to create images with FIPS-compliant binaries

Create FIPS-140 images

Konvoy Image Builder can produce images containing FIPS-140 compliant binaries. Use the fips.yaml override file provided with the konvoy-image bundle.

For example, this command produces a FIPS-compliant image on CentOS 8:

konvoy-image build --overrides overrides/fips.yaml images/ami/centos-8.yaml
Copy

Pre-provisioned infrastructure

If you are targeting a pre-provisioned infrastructure, you can create a FIPS-compliant cluster by doing the following:

  1. Create a bootstrap cluster

  2. Create a secret on the bootstrap cluster with the contents from fips.yamloverride file and any other user overrides you wish to provide

kubectl create secret generic $CLUSTER_NAME-fips-overrides --from-file=overrides.yaml=overrides.yaml
kubectl label secret $CLUSTER_NAME-fips-overrides clusterctl.cluster.x-k8s.io/move=
Copy