Enable Federal Information Process Standard (FIPS) for Azure Kubernetes Service (AKS) node pools - Azure Kubernetes Service (2024)


The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. Azure Kubernetes Service (AKS) allows you to create Linux and Windows node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools can use those cryptographic modules to provide increased security and help meet security controls as part of FedRAMP compliance. For more information on FIPS 140-2, see Federal Information Processing Standard (FIPS) 140.

Prerequisites

  • Azure CLI version 2.32.0 or later installed and configured. Run az --version to find the version. For more information about installing or upgrading the Azure CLI, see Install Azure CLI.

Note

AKS Monitoring Addon supports FIPS enabled node pools with Ubuntu, Azure Linux, and Windows starting with Agent version 3.1.17 (Linux) and Win-3.1.17 (Windows).

Limitations

  • FIPS-enabled node pools have the following limitations:
    • FIPS-enabled node pools require Kubernetes version 1.19 and greater.
    • To update the underlying packages or modules used for FIPS, you must use Node Image Upgrade.
    • Container images on the FIPS nodes haven't been assessed for FIPS compliance.
    • Mounting of a CIFS share fails because FIPS disables some authentication modules. To work around this issue, see Errors when mounting a file share on a FIPS-enabled node pool.

Important

The FIPS-enabled Linux image is a different image than the default Linux image used for Linux-based node pools. To enable FIPS on a node pool, you must create a new Linux-based node pool. You can't enable FIPS on existing node pools.

FIPS-enabled node images may have different version numbers, such as kernel version, than images that aren't FIPS-enabled. The update cycle for FIPS-enabled node pools and node images may differ from node pools and images that aren't FIPS-enabled.

Supported OS Versions

You can create FIPS-enabled node pools on both supported OS types, Linux and Windows. However, not all OS versions support FIPS-enabled node pools. After a new OS version is released, there is typically a waiting period before it is FIPS compliant.

The following table lists the supported OS versions:

  OS Type   OS SKU                FIPS Compliance
  -------   -------------------   ---------------
  Linux     Ubuntu                Supported
  Linux     Azure Linux           Supported
  Windows   Windows Server 2019   Supported
  Windows   Windows Server 2022   Supported

When you request a FIPS-enabled Ubuntu node pool and the default Ubuntu version does not support FIPS, AKS defaults to the most recent FIPS-supported version of Ubuntu. For example, Ubuntu 22.04 is the default for Linux node pools. Since 22.04 does not currently support FIPS, AKS defaults to Ubuntu 20.04 for Linux FIPS-enabled node pools.

Note

Previously, you could use the GetOSOptions API to determine whether a given OS supported FIPS. The GetOSOptions API is now deprecated and it will no longer be included in new AKS API versions starting with 2024-05-01.

Create a FIPS-enabled Linux node pool

  1. Create a FIPS-enabled Linux node pool using the az aks nodepool add command with the --enable-fips-image parameter.

    az aks nodepool add \
        --resource-group myResourceGroup \
        --cluster-name myAKSCluster \
        --name fipsnp \
        --enable-fips-image

    Note

    You can also use the --enable-fips-image parameter with the az aks create command when creating a cluster to enable FIPS on the default node pool. When adding node pools to a cluster created in this way, you still must use the --enable-fips-image parameter when adding node pools to create a FIPS-enabled node pool.

  2. Verify your node pool is FIPS-enabled using the az aks show command and query for the enableFips value in agentPoolProfiles.

    az aks show \
        --resource-group myResourceGroup \
        --name myAKSCluster \
        --query="agentPoolProfiles[].{Name:name, enableFips:enableFips}" \
        -o table

    The following example output shows the fipsnp node pool is FIPS-enabled:

    Name       enableFips
    ---------  ------------
    fipsnp     True
    nodepool1  False

  3. List the nodes using the kubectl get nodes command.

    kubectl get nodes

    The following example output shows a list of the nodes in the cluster. The nodes starting with aks-fipsnp are part of the FIPS-enabled node pool.

    NAME                                STATUS   ROLES   AGE     VERSION
    aks-fipsnp-12345678-vmss000000      Ready    agent   6m4s    v1.19.9
    aks-fipsnp-12345678-vmss000001      Ready    agent   5m21s   v1.19.9
    aks-fipsnp-12345678-vmss000002      Ready    agent   6m8s    v1.19.9
    aks-nodepool1-12345678-vmss000000   Ready    agent   34m     v1.19.9

  4. Run a deployment with an interactive session on one of the nodes in the FIPS-enabled node pool using the kubectl debug command.

    kubectl debug node/aks-fipsnp-12345678-vmss000000 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0

  5. From the interactive session output, verify the FIPS cryptographic libraries are enabled. Your output should look similar to the following example output:

    root@aks-fipsnp-12345678-vmss000000:/# cat /proc/sys/crypto/fips_enabled
    1

FIPS-enabled node pools also have a kubernetes.azure.com/fips_enabled=true label, which deployments can use to target those node pools.

Create a FIPS-enabled Windows node pool

  1. Create a FIPS-enabled Windows node pool using the az aks nodepool add command with the --enable-fips-image parameter. Unlike Linux-based node pools, Windows node pools share the same image set.

    az aks nodepool add \
        --resource-group myResourceGroup \
        --cluster-name myAKSCluster \
        --name fipsnp \
        --enable-fips-image \
        --os-type Windows

  2. Verify your node pool is FIPS-enabled using the az aks show command and query for the enableFips value in agentPoolProfiles.

    az aks show \
        --resource-group myResourceGroup \
        --name myAKSCluster \
        --query="agentPoolProfiles[].{Name:name, enableFips:enableFips}" \
        -o table

  3. Verify Windows node pools have access to the FIPS cryptographic libraries by creating an RDP connection to a Windows node in a FIPS-enabled node pool and checking the registry. From the Run application, enter regedit.

  4. Look for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy in the registry.

  5. If Enabled is set to 1, then FIPS is enabled.


FIPS-enabled node pools also have a kubernetes.azure.com/fips_enabled=true label, which deployments can use to target those node pools.
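An added audit check, not part of the Microsoft article, that applies the verification steps of both the Linux and Windows sections to the JSON forms of the same commands: it reads agentPoolProfiles as returned by az aks show and node labels as returned by kubectl get nodes -o json, then reports pools that are not FIPS-enabled and any node whose kubernetes.azure.com/fips_enabled label disagrees with its pool's enableFips setting. The JSON samples are constructed, and the agentpool label used to map a node back to its pool is an assumption.

```python
import json

# Constructed sample in the shape of `az aks show ... --query agentPoolProfiles -o json`.
AGENT_POOL_PROFILES = json.loads("""
[
  {"name": "fipsnp",    "osType": "Linux", "enableFips": true},
  {"name": "nodepool1", "osType": "Linux", "enableFips": false}
]
""")

# Constructed sample in the (trimmed) shape of `kubectl get nodes -o json`.
# kubernetes.azure.com/fips_enabled is the label the article says AKS sets on FIPS pools;
# the `agentpool` label (assumed) maps each node back to its pool.
# The second fipsnp node deliberately lacks the FIPS label to show a finding.
NODES = json.loads("""
{"items": [
  {"metadata": {"name": "aks-fipsnp-12345678-vmss000000",
                "labels": {"agentpool": "fipsnp",
                           "kubernetes.azure.com/fips_enabled": "true"}}},
  {"metadata": {"name": "aks-fipsnp-12345678-vmss000001",
                "labels": {"agentpool": "fipsnp"}}},
  {"metadata": {"name": "aks-nodepool1-12345678-vmss000000",
                "labels": {"agentpool": "nodepool1"}}}
]}
""")

FIPS_LABEL = "kubernetes.azure.com/fips_enabled"


def audit_fips(pools, nodes):
    """Cross-check pool settings against node labels.

    Returns pools that are not FIPS-enabled (workloads scheduled there cannot
    rely on FIPS modules) and nodes whose FIPS label disagrees with their pool,
    which would break a nodeSelector on kubernetes.azure.com/fips_enabled=true.
    """
    fips_pools = {p["name"] for p in pools if p.get("enableFips")}
    non_fips_pools = sorted(p["name"] for p in pools if not p.get("enableFips"))
    mislabeled = []
    for item in nodes["items"]:
        labels = item["metadata"].get("labels", {})
        in_fips_pool = labels.get("agentpool") in fips_pools
        labeled_fips = labels.get(FIPS_LABEL) == "true"
        if in_fips_pool != labeled_fips:
            mislabeled.append(item["metadata"]["name"])
    return {"non_fips_pools": non_fips_pools, "mislabeled_nodes": sorted(mislabeled)}


if __name__ == "__main__":
    print(json.dumps(audit_fips(AGENT_POOL_PROFILES, NODES), indent=2))
```

In a real cluster, feed it the output of `az aks show --query agentPoolProfiles -o json` and `kubectl get nodes -o json` instead of the embedded samples.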

Next steps

To learn more about AKS security, see Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS).

