Complying with FIPS requirements

The governments of the United States and Canada published Federal Information Processing Standard (FIPS) Publication 140-2, which specifies the security requirements for cryptographic modules that protect sensitive data.

Federal clients must use software products that are FIPS-compliant. Section 5131 of the Information Technology Management Reform Act of 1996 requires FIPS 140-2 validation for every product that is sold to government agencies in the United States.

You can install Instana on Self-Hosted Custom Edition (Kubernetes or Red Hat OpenShift Container Platform) clusters. Instana uses six third-party data stores and their operators to process and store various types of data. Most of the data stores and their operators do not have the encryption modules that are required to comply with FIPS standards. Therefore, Instana provides the required cryptographic modules to the data stores and operators to make them FIPS-compliant. Also, you can use new Docker images that are built with the required modifications.

Prerequisites

Before you install Instana, make sure that you have a FIPS-enabled cluster.

Install the following components in the cluster:

Installing Red Hat OpenShift Container Platform in FIPS mode

You can configure OpenShift Container Platform clusters to operate in FIPS mode. For more information, see Support for FIPS cryptography.

Verification

To verify if your cluster is configured with FIPS mode, complete the following steps:

  1. Log in to the cluster as a user with cluster administrator privileges.

  2. To verify whether FIPS is enabled, run the following command:

    kubectl get cm cluster-config-v1 -n kube-system -o json | jq -r '.data."install-config"' | grep -i "fips"
    
  3. In the command output, verify that the fips: setting is set to true. For example, see the following output:

    fips: true
      name: instanta-fips-test-01
      root@instanta-fips-test-01
    
  4. To obtain the names of the machine configurations, run the following command:

    kubectl get mcp
    
    • In the command output, the configuration name is in the CONFIG column. For example, see the following output:

      NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
      master   rendered-master-9315fe98ae7415bae951bd94e210ea13   True      False      False      3              3                   3                     0                      75d
      worker   rendered-worker-9c1c2865c14e5edf0c5c6c285678abb7   True      False      False      5              5                   5                     0                      75d
      
  5. For each configuration, to verify that Fips: is set to true, run the following command:

    kubectl describe mc <CONFIG> | grep Fips
    

    a. The previous example returns two configurations, so you must run the command once for each configuration. For example, see the following command:

    kubectl describe mc rendered-master-9315fe98ae7415bae951bd94e210ea13 | grep Fips
    

    b. The command output must have Fips: true. For example, see the following output:

    Fips:  true
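
The following script is an added example and is not part of the Instana documentation: it wraps the checks from steps 2 to 5 in small functions that read command output from stdin, so each check can be exercised against constructed sample output offline, and a check_cluster function (assumed name) runs the same checks against a live cluster when RUN_LIVE=1 is set. It assumes kubectl, jq and cluster administrator privileges, as the steps above do.

```sh
#!/bin/sh
# Added example, not part of the Instana documentation: helper functions that
# apply the FIPS checks from steps 2 to 5 to command output read from stdin,
# plus check_cluster, which runs them against a live cluster (needs kubectl,
# jq and cluster-admin, as in the steps above). Set RUN_LIVE=1 to run it.

# Steps 2 and 3: the install-config document must contain "fips: true".
install_config_fips_enabled() {
  grep -Eiq '^[[:space:]]*fips:[[:space:]]*true[[:space:]]*$'
}

# Step 4: print the rendered config name (CONFIG column) of each machine config pool.
mcp_config_names() {
  awk 'NR > 1 && $2 ~ /^rendered-/ { print $2 }'
}

# Step 5: the "kubectl describe mc <CONFIG>" output must contain "Fips: true".
mc_fips_enabled() {
  grep -Eq '^[[:space:]]*Fips:[[:space:]]+true[[:space:]]*$'
}

# Run every check on the current cluster; return 1 on the first failure.
check_cluster() {
  kubectl get cm cluster-config-v1 -n kube-system -o json \
    | jq -r '.data."install-config"' | install_config_fips_enabled \
    || { echo "install-config: fips is not true"; return 1; }
  for cfg in $(kubectl get mcp | mcp_config_names); do
    kubectl describe mc "$cfg" | mc_fips_enabled \
      || { echo "$cfg: Fips is not true"; return 1; }
  done
  echo "FIPS is enabled in install-config and in every machine config"
}

# Constructed sample of "kubectl get mcp" output, for checking the parser offline.
SAMPLE_MCP='NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED
master   rendered-master-9315fe98ae7415bae951bd94e210ea13   True      False      False
worker   rendered-worker-9c1c2865c14e5edf0c5c6c285678abb7   True      False      False'

if [ "${RUN_LIVE:-0}" = 1 ]; then
  check_cluster
fi
```

A cluster that passes only the install-config check but not the machine config check is still not FIPS-enabled on its nodes, which is why check_cluster runs both.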
    

FIPS-compliant images of third-party data stores and operators

For a complete list of FIPS-compliant images of third-party operators and data stores, see Mirroring operator images in the image registry (bastion host).

Installing Instana

After you verify the FIPS configuration on your cluster, you can install Instana. For more information, see Using third-party Kubernetes Operators.