This article explains how to enable Federal Information Processing Standard (FIPS) when you create an Azure Red Hat OpenShift cluster.
The Federal Information Processing Standard 140 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. The Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment (CSE) of Canada, maintains the testing against the FIPS 140 standard.
Support for FIPS cryptography
Starting with Release 4.10, you can deploy an Azure Red Hat OpenShift cluster in FIPS mode. FIPS mode ensures the control plane is using FIPS 140-2 cryptographic modules. To be FIPS compliant, all workloads and operators deployed on a cluster need to use FIPS 140-2.
You can install an Azure Red Hat OpenShift cluster that uses FIPS Validated or FIPS Modules in Process cryptographic libraries on the x86_64 architecture.
Note
If you're using Azure File storage, you can't enable FIPS mode.
Enable FIPS on your cluster
You must enable FIPS when you create an Azure Red Hat OpenShift cluster because FIPS can't be enabled or disabled after the cluster is created. The following example shows parameters that use values defined as environment variables for resource group, cluster name, and virtual network name. The --fips parameter enables FIPS mode and doesn't require a value.
az aro create \
--resource-group $RESOURCEGROUP \
--name $CLUSTER \
--vnet $VIRTUALNETWORK \
--master-subnet master-subnet \
--worker-subnet worker-subnet \
--fips
For more information, see az-aro-create.
To enable FIPS on the cluster, there are two options:
--fips: Uses cryptographic modules that might be in the validation process.
--fips-validated-modules: Ensures that only validated cryptographic modules are used.
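Because FIPS can't be enabled after creation, it's worth confirming the setting on the running cluster. The following script is an added example, not part of the original article or the Azure CLI: it reads /proc/sys/crypto/fips_enabled (1 when the kernel runs in FIPS mode) on each node through oc debug and fails if any node reports otherwise. The function names and the RUN_LIVE switch are hypothetical, and a logged-in oc session with permission to debug nodes is assumed.

```bash
#!/usr/bin/env bash
# Added example. Function names and RUN_LIVE are hypothetical, not az/oc features.

# Print one "<node> <value>" line per node, read from the node's kernel.
# Assumes a logged-in `oc` session allowed to run `oc debug`.
# A node that can't be read yields an empty value, which the audit flags.
collect_fips_readings() {
  local node value
  for node in $(oc get nodes -o name); do
    value=$(oc debug "$node" -- chroot /host \
      cat /proc/sys/crypto/fips_enabled 2>/dev/null | tr -d '[:space:]')
    printf '%s %s\n' "$node" "$value"
  done
}

# Read "<node> <value>" lines on stdin and print every node that doesn't report 1.
# Returns 0 only when at least one node was seen and all of them report 1,
# so an empty listing never passes by default.
audit_fips_readings() {
  local node value seen bad
  seen=0
  bad=0
  while read -r node value || [ -n "$node" ]; do
    if [ -z "$node" ]; then continue; fi
    seen=$((seen + 1))
    if [ "$value" != "1" ]; then
      echo "NOT-FIPS ${node} (fips_enabled='${value}')"
      bad=$((bad + 1))
    fi
  done
  [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample readings (not real cluster output): worker-0 is not in
# FIPS mode and worker-1 couldn't be read.
sample_readings() {
  printf '%s\n' 'node/master-0 1' 'node/master-1 1' 'node/worker-0 0' 'node/worker-1'
}

# The live check is opt-in so the functions can be sourced and tested offline.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  collect_fips_readings | audit_fips_readings
fi
```

Run it with RUN_LIVE=1 set once the cluster is up; a nonzero exit status means at least one node isn't reporting FIPS mode or couldn't be read.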
Next steps
To learn how to deploy an Azure Red Hat OpenShift cluster, see Create an Azure Red Hat OpenShift 4 cluster.