FIPS 140-2 enablement
This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.
The National Institute of Standards and Technology (NIST) develops Federal Information Processing Standards (FIPS) to ensure the security and interoperability of computer systems used by the U.S. government.
FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. This document explains how vCluster Standalone and all its components are built with FIPS-validated cryptographic libraries.
Use of a FIPS-compatible Go toolchain
vCluster is written in Go, and the FIPS-compliant builds are compiled with the GOFIPS140=v1.0.0 environment variable set.
The FIPS 140-3 validated Go Cryptographic Module now underlies Go’s built-in crypto libraries, starting with the Go Cryptographic Module v1.0.0 that is included in Go 1.24.
FIPS support in vCluster components
Most components used in vCluster are statically compiled with the Go compiler with GOFIPS140=v1.0.0 enabled. From a component perspective, vCluster includes multiple sub-components it depends on.
The list below contains components built in a FIPS-compliant manner:
Kubernetes components sourced from the Kubernetes image with the -full-fips tag suffix:
- containerd and containerd-shim
- cni network plugins
- kubeadm
- kubectl
- kubelet
- kube-apiserver
- kube-controller-manager
- kube-scheduler
- runc
Other components:
FIPS vCluster binaries
The vCluster Standalone FIPS-compliant binaries can be found in the vCluster GitHub Releases.
Run a FIPS-compliant vCluster
To run vCluster in a FIPS environment, you must pass the --fips flag to the install script.
The following is an example of a vcluster.yaml file that one can use to create a FIPS-compliant vCluster instance:
controlPlane:
  distro:
    k8s:
      version: v1.34.2 # pins kubernetes components version
  backingStore:
    etcd:
      embedded:
        enabled: true # The use of embedded etcd is recommended, yet optional
  standalone:
    enabled: true
privateNodes:
  enabled: true
To create the FIPS-compliant vCluster Standalone, save this config to /etc/vcluster/vcluster.yaml on the node and then run:
curl -sfL https://github.com/loft-sh/vcluster/releases/download/v0.31.0/install-standalone.sh | sh -s -- --vcluster-name standalone --fips
As a result, vCluster Standalone will automatically use FIPS-compliant images and artifacts for vCluster Standalone and the Kubernetes components.
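To confirm what the install produced, the following added script (not part of the vCluster docs or its install script) checks a downloaded Go binary for the GOFIPS140 build setting described in the toolchain section above and checks Kubernetes image tags for the -full-fips suffix listed under FIPS support in vCluster components. It assumes a Go 1.24+ toolchain on PATH, which records GOFIPS140 in a binary's build info as a `build GOFIPS140=...` line readable with `go version -m`; the sample build-info text below is constructed.

```sh
#!/bin/sh
# Added example, not from the vCluster docs: verify FIPS build artifacts.

# Print the GOFIPS140 value recorded in `go version -m` output ($1), or
# nothing if the binary was built without it (i.e. a non-FIPS build).
fips_setting_from_buildinfo() {
  printf '%s\n' "$1" | awk '$1 == "build" && $2 ~ /^GOFIPS140=/ {
    sub(/^GOFIPS140=/, "", $2); print $2; exit }'
}

# Succeed only if a Kubernetes image tag carries the -full-fips suffix.
image_tag_is_fips() {
  case "$1" in
    *-full-fips) return 0 ;;
    *)           return 1 ;;
  esac
}

# Inspect a real binary on disk ($1); returns non-zero on a non-FIPS build.
check_binary() {
  info=$(go version -m "$1" 2>/dev/null) || {
    echo "$1: not a Go binary, or go is not on PATH"; return 2; }
  v=$(fips_setting_from_buildinfo "$info")
  if [ "$v" = "v1.0.0" ]; then
    echo "$1: built with GOFIPS140=$v"
  else
    echo "$1: GOFIPS140 not recorded in build info (non-FIPS build)"
    return 1
  fi
}

# Constructed sample `go version -m` output for a FIPS and a non-FIPS build.
SAMPLE_FIPS='vcluster: go1.24.2
    build   -compiler=gc
    build   CGO_ENABLED=0
    build   GOFIPS140=v1.0.0
    build   GOOS=linux'
SAMPLE_NONFIPS='vcluster: go1.24.2
    build   -compiler=gc
    build   CGO_ENABLED=0
    build   GOOS=linux'

# Usage on a release binary downloaded from GitHub: check_binary ./vcluster
```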
To use a different Kubernetes version in your virtual cluster than the host cluster, set the controlPlane.distro.k8s.version field in your configuration:
controlPlane:
  distro:
    k8s:
      image:
        tag: v1.34.2