|
| 1 | +# FIPS 140-3 Compliance |
| 2 | + |
| 3 | +Attune supports running in FIPS 140-3 compliant mode for environments that |
| 4 | +require validated cryptography (US federal agencies, FedRAMP, financial |
| 5 | +services, healthcare). |
| 6 | + |
| 7 | +## How it works |
| 8 | + |
| 9 | +The Attune container image is built with Go's native FIPS cryptographic module |
| 10 | +embedded (`GOFIPS140=latest`). This module holds |
| 11 | +[CMVP Certificate #5247](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/5247) |
| 12 | +(FIPS 140-3 Level 1), issued by NIST in April 2026. |
| 13 | + |
| 14 | +FIPS mode is activated at runtime via the `GODEBUG=fips140=<mode>` environment |
| 15 | +variable. The binary always contains the validated module; the flag controls |
| 16 | +whether it is active. |
| 17 | + |
| 18 | +## Enabling FIPS mode |
| 19 | + |
| 20 | +### Via Helm (recommended) |
| 21 | + |
| 22 | +```yaml |
| 23 | +# values.yaml |
| 24 | +fips: |
| 25 | + enabled: true |
| 26 | + mode: "on" # or "only" for strict mode |
| 27 | +``` |
| 28 | +
|
| 29 | +```bash |
| 30 | +helm upgrade attune oci://ghcr.io/attune-io/charts/attune \ |
| 31 | + --set fips.enabled=true |
| 32 | +``` |
| 33 | + |
| 34 | +### Via kubectl (manual deployment) |
| 35 | + |
| 36 | +Add the environment variable to the manager container: |
| 37 | + |
| 38 | +```yaml |
| 39 | +env: |
| 40 | + - name: GODEBUG |
| 41 | + value: "fips140=on" |
| 42 | +``` |
| 43 | +
|
| 44 | +## FIPS modes |
| 45 | +
|
| 46 | +| Mode | Behavior | Recommended for | |
| 47 | +|------|----------|-----------------| |
| 48 | +| `on` | Prefer FIPS-approved algorithms; allow non-FIPS fallback when needed | Most deployments | |
| 49 | +| `only` | Strictly FIPS-only; reject any non-FIPS algorithm | Environments requiring strict compliance | |
| 50 | + |
| 51 | +### Choosing between `on` and `only` |
| 52 | + |
| 53 | +**Use `on` (default)** for most deployments. This mode uses FIPS-approved |
| 54 | +algorithms for all cryptographic operations while allowing fallback to |
| 55 | +non-FIPS algorithms when required by the environment. |
| 56 | + |
| 57 | +**Use `only` with caution.** Strict mode rejects non-FIPS algorithms entirely. |
| 58 | +This can break TLS connections to the Kubernetes API server if the server |
| 59 | +negotiates X25519 key exchange (common in default configurations). X25519 is |
| 60 | +not a FIPS-approved algorithm, so `fips140=only` refuses to use it, causing |
| 61 | +`client-go` connection failures. |
| 62 | + |
| 63 | +!!! warning "Strict mode and Kubernetes API server" |
| 64 | + If you use `fips.mode: "only"`, verify your API server's TLS configuration |
| 65 | + supports FIPS-approved key exchange algorithms (ECDHE with P-256 or P-384). |
| 66 | + The default Kubernetes TLS cipher suite includes X25519, which `fips140=only` |
| 67 | + rejects. |
| 68 | + |
| 69 | +## Verifying FIPS mode |
| 70 | + |
| 71 | +Check the operator logs after deployment: |
| 72 | + |
| 73 | +```bash |
| 74 | +kubectl logs -n attune-system deploy/attune-controller-manager | head -20 |
| 75 | +``` |
| 76 | + |
| 77 | +When FIPS mode is active, the Go runtime logs: |
| 78 | +``` |
| 79 | +GODEBUG fips140=on |
| 80 | +``` |
| 81 | + |
| 82 | +## Industry context |
| 83 | + |
| 84 | +FIPS mode in Attune follows the same pattern used by other Kubernetes operators: |
| 85 | + |
| 86 | +- **Default off, opt-in to enable** (same as MinIO AIStor, Oracle Coherence, |
| 87 | + Elastic ECK, Bitnami charts, Tyk) |
| 88 | +- **Runtime toggle via environment variable** (no separate binary or image) |
| 89 | +- **CMVP-certified module** (Go's native module, not a third-party fork) |
| 90 | + |
| 91 | +This approach avoids maintaining separate FIPS and non-FIPS container images |
| 92 | +while providing validated cryptography when required. |
| 93 | + |
| 94 | +## FAQ |
| 95 | + |
| 96 | +**Do I need microsoft/go or BoringCrypto?** |
| 97 | +No. Go 1.24+ includes a native FIPS 140-3 module with its own CMVP |
| 98 | +certificate. The microsoft/go fork (which routes crypto to OpenSSL/CNG) is a |
| 99 | +corporate policy choice, not a certification requirement. |
| 100 | + |
| 101 | +**Does FIPS mode affect performance?** |
| 102 | +Minimally. The FIPS module runs self-tests on startup (adds ~50ms) and uses |
| 103 | +FIPS-approved algorithms that are comparable in performance to their |
| 104 | +non-FIPS counterparts. |
| 105 | + |
| 106 | +**Is the FIPS module always present in the image?** |
| 107 | +Yes. The image is built with `GOFIPS140=latest`, which embeds the validated |
| 108 | +module snapshot. The `fips.enabled` Helm value only controls whether the |
| 109 | +module is activated at runtime via `GODEBUG`. |
0 commit comments