
FIPS-Compliant Components

Federal Information Processing Standards (FIPS) is a series of standards developed by the National Institute of Standards and Technology (NIST) in the United States for computer security and encryption algorithms.

FIPS 140-2 is a specific standard for security requirements for cryptographic modules. It outlines the criteria these modules must meet to ensure their security and integrity.

FIPS Support in Clusters

Palette VerteX provides FIPS-compliant infrastructure components in Kubernetes clusters it deploys. These components are:

  • Operating System (OS)
    • Ubuntu Pro
  • Kubernetes
    • Palette eXtended Kubernetes (PXK)
    • Palette eXtended Kubernetes - Edge (PXK-E)
  • Container Network Interface (CNI)
    • Calico
  • Container Storage Interface (CSI)
    • vSphere CSI

Management Plane

All services in the management plane are FIPS builds compiled with Go, using the BoringCrypto libraries and static linking. Refer to the Spectro Cloud Cryptographic Module resource to learn about our NIST certificate.


FIPS-Compliant Kubernetes

Our customized version of Kubernetes is FIPS-compliant. Both Palette eXtended Kubernetes (PXK) and Palette eXtended Kubernetes-Edge (PXK-E) are compiled with a FIPS-compliant compiler and libraries.


Info: Refer to the Palette eXtended Kubernetes (PXK) and Palette eXtended Kubernetes-Edge (PXK-E) documentation to learn more about each Kubernetes distribution.

All PXK and PXK-E components and supporting open-source components are compiled in their native programming language using language-specific FIPS-compliant libraries and static linking. If a component is not available as a FIPS-compliant binary, we compile it with a FIPS-compliant compiler and libraries. The following tables list the FIPS-compliant components in PXK and PXK-E:


Core Kubernetes Components

| Component | Description |
| --- | --- |
| API Server | The API server is the central management entity that receives all REST requests for the cluster. |
| Controller Manager | The controller manager is a daemon that embeds the core control loops shipped with Kubernetes. |
| Scheduler | The scheduler is a daemon that finds the best node for a pod, based on the scheduling requirements you specify. |
| Kubelet | The kubelet is the primary node agent that is deployed on each node. |
| Kube-proxy | The kube-proxy is a network proxy that runs on each node in your cluster, implementing part of the Kubernetes Service concept. |
| Kubeadm | Kubeadm is a tool built to provide best-practice “fast paths” for creating Kubernetes clusters. |
| Kubectl | Kubectl is a command line interface for issuing commands against Kubernetes clusters. |

Auxiliary Kubernetes Components

| Component | Description |
| --- | --- |
| CoreDNS | CoreDNS is a Domain Name System (DNS) server deployed as a cluster DNS service. |
| Etcd | Etcd is a distributed key-value store used as Kubernetes’ backing store for all cluster data. |
| Metrics Server | Metrics Server is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines. |
| Ingress Controller | Nginx is used as the ingress controller. An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and Transport Layer Security (TLS) termination for Kubernetes services. |
| Nginx Server | The Nginx server is a web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. |
| Nginx Ingress Controller | The Nginx ingress controller uses a ConfigMap to store the Nginx configuration. |

Runtime Components

| Component | Description |
| --- | --- |
| containerd | Containerd is an industry-standard container runtime with an emphasis on simplicity, robustness, and portability. |
| containerd-shim | Containerd-shim is a shim used by containerd to launch containers. |
| containerd-shim-runc-v1 | Containerd-shim-runc-v1 is a shim used by containerd to launch containers. |
| containerd-shim-runc-v2 | Containerd-shim-runc-v2 is a shim used by containerd to launch containers. |
| ctr | Ctr is a command line interface for containerd. |
| crictl | Crictl is a command line interface for CRI-compatible container runtimes. |
| runc | Runc is a CLI tool for spawning and running containers according to the OCI specification. |

Container Network Interface Components

| Component | Description |
| --- | --- |
| Calico | Calico is a Container Network Interface plugin that provides networking and network policy for Kubernetes clusters. |

Container Storage Interface Components

| Component | Description |
| --- | --- |
| AWS EBS CSI | AWS EBS CSI is a CSI plugin that provides storage for Kubernetes clusters. |
| vSphere CSI | vSphere CSI is a CSI plugin that provides storage for Kubernetes clusters. |
| Longhorn CSI | Longhorn CSI is a CSI plugin that provides storage for Kubernetes clusters. Longhorn is the only supported CSI for PXK-E. |

AWS EBS CSI Components

| Component | Description |
| --- | --- |
| Driver | The driver is a CSI plugin that provides storage for Kubernetes clusters. |
| External Attacher | The external attacher is a CSI plugin that attaches volumes to nodes. |
| External Provisioner | The external provisioner is a CSI plugin that provisions volumes. |
| External Resizer | The external resizer is a CSI plugin that resizes volumes. |
| External Snapshotter | The external snapshotter is a CSI plugin that takes snapshots of volumes. |
| Liveness Probe | The liveness probe is a CSI plugin that checks the health of the driver. |
| Node Driver Registrar | The node driver registrar is a CSI plugin that registers the driver with the kubelet. |

Longhorn CSI Components

| Component | Description |
| --- | --- |
| Backing image manager | Manages backing images for Longhorn volumes. |
| Attacher | Handles attaching and detaching of volumes to nodes. |
| Provisioner | Manages provisioning and de-provisioning of storage resources. |
| Resizer | Enables resizing of storage volumes. |
| Snapshotter | Manages snapshots of Longhorn volumes. |
| Node driver registrar | Registers the CSI driver with the Kubernetes node. |
| Liveness probe | Monitors health of CSI components. |
| Longhorn engine | Core component that handles read and write operations to the storage backend. |
| Longhorn instance manager | Manages Longhorn engine and replica instances. |
| Longhorn share manager | Manages shared volumes and exposes them via protocols like Network File System (NFS). |
| Longhorn UI | User interface for managing Longhorn components and resources. |
| Longhorn support bundle kit | Collects logs and system information for debugging. |

Info: The Longhorn Manager component is only partially FIPS-compliant. It uses utilities that are not built against a FIPS-compliant version of OpenSSL. The following utilities are not FIPS-compliant:

  • openssl
  • curl
  • nfs-utils
  • bind-tools