Request: Please make FIPS 140-2 compliant images available #201
Comments
|
As another member of @gesarki's team, we are hopeful to be able to make this small contribution to upstream. We feel that achieving various levels of compliance certification can place a large burden on organizations and we could contribute this small piece upstream for others to benefit. As a bonus, it would also streamline our future efforts in remaining compliant. As such, we feel this is a win-win and are hoping to find a way to contribute this small change. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
At Acquia we’re currently using this component as part of our globally distributed Kubernetes infrastructure.
Like most providers, we expend a lot of effort ensuring that we remain compliant with varied regulatory regimes across different localities. Currently we're working towards FIPS compliance which is required by federal institutions like healthcare, banking, and defense organizations to set cryptographic standards for highly sensitive data.
The FIPS 140-2 encryption compliance requirement poses a common problem that is likely to be shared by any organizations looking to obtain a FEDRAMP certification and which use a myriad of OSS Kubernetes components under the hood.
FIPS compliance stands as a barrier to entry for smaller organizations. Accepting our contribution would take a small step towards lowering that barrier for the general public and other open source projects.
We, and any other cloud based software providers that are building atop Kubernetes, would benefit from the availability of off-the-shelf FIPS-compliant variants of this project’s images.
While many tools exist to tweak deployment manifests, it can be complex and fragile to rebuild upstream images with constraints placed on encryption libraries. This type of change would be far easier to make inside the originating repo.
Internally, we have explored several paths forward to achieve our compliance objectives. We are hoping to be able to contribute the required changes upstream in a way that benefits the community at large and minimizes toil.
Initially, we are requesting that the current maintainers and community consider supporting FIPS images. We have a notional approach to contribute and would like to collaborate.
Please let us know your thoughts in this Issue or by reaching out directly.
At this time, we have an internal approach that we are using on our internal Go-based controllers and other container images. There are some basic requirements that we’d ask to be built into a
-fipsvariant including assertions that could live in the upstream build steps or in later CI steps.What we do internally is:
Thank you for your time considering this request as well as your efforts supporting this project!
Acquia KaaS Core Services team
The text was updated successfully, but these errors were encountered: