Story
Resolution: Done
Critical
CMP Sprint 80
UBI is no longer a valid base image for products requiring FIPS 140 regulatory compliance. This is because the version of openssl may change at any time, causing the product to be out of compliance. Instead, a new, stable RHEL image (rhel-els) should be used for all FIPS-compliant workloads.
The check_payload tool should check for the presence or absence of this base image as part of its work.
- if a container is using a supported rhel-els image, then we can safely assume it is using the correct crypto libraries.
- if a container is not using a supported rhel-els image, but the openssl version is considered acceptable, then the tool should issue a warning that the image should adopt rhel-els but still consider the image compliant.
- if a container is not using a supported rhel-els image and the openssl version is unacceptable, then the tool should consider the image non-compliant.
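The three rules above, sketched in Go as an added example; this is not check_payload's own code. The `Policy`, `Image` and `Verdict` types, the `Evaluate` function and every image and openssl identifier are hypothetical placeholders, and treating an unknown openssl version as unacceptable is an assumption.

```go
package main

import "fmt"

// Verdict is a hypothetical result type, not check_payload's own.
type Verdict string

const (
	Compliant            Verdict = "compliant"
	CompliantWithWarning Verdict = "compliant-with-warning"
	NonCompliant         Verdict = "non-compliant"
)

// Policy holds the two allowlists the rules depend on.
type Policy struct {
	SupportedBases    map[string]bool // supported rhel-els base images
	AcceptableOpenSSL map[string]bool // openssl versions considered acceptable
}

type Image struct{ Name, Base, OpenSSL string } // assumed scanner output

// Evaluate applies the three rules in order and returns a verdict and message.
func (p Policy) Evaluate(img Image) (Verdict, string) {
	if p.SupportedBases[img.Base] {
		return Compliant, "" // supported rhel-els: crypto libraries assumed correct
	}
	if p.AcceptableOpenSSL[img.OpenSSL] { // empty/unknown version is unacceptable (assumption)
		return CompliantWithWarning, fmt.Sprintf("%s: base %q should adopt rhel-els", img.Name, img.Base)
	}
	return NonCompliant, fmt.Sprintf("%s: base %q unsupported, openssl %q unacceptable", img.Name, img.Base, img.OpenSSL)
}

// samplePolicy returns constructed placeholder values, not real versions.
func samplePolicy() Policy {
	return Policy{
		SupportedBases:    map[string]bool{"rhel-els:SUPPORTED-PLACEHOLDER": true},
		AcceptableOpenSSL: map[string]bool{"openssl-OK-PLACEHOLDER": true},
	}
}

func main() {
	for _, img := range []Image{ // constructed sample images
		{"on-els", "rhel-els:SUPPORTED-PLACEHOLDER", "openssl-OLD-PLACEHOLDER"},
		{"ubi-ok", "ubi:PLACEHOLDER", "openssl-OK-PLACEHOLDER"},
		{"els-unlisted", "rhel-els:UNLISTED-PLACEHOLDER", ""},
	} {
		v, msg := samplePolicy().Evaluate(img)
		fmt.Println(img.Name, v, msg)
	}
}
```

A rhel-els image that is missing from the supported list falls through to the openssl check, so how that list is kept current directly affects the verdicts.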
Deliverables
- Enhance the check_payload tool to implement the above logic.
- Define and gain agreement on a methodology for how check_payload maintains a current list of supported rhel-els versions.
Additional Information
- is related to: OCPSTRAT-853 Address remaining items required for OCP & layered products FIPS compliance (Refinement)
- relates to: OCPSTRAT-1224 Core payload release blocking job: FIPS mode and correct base images (New)