Uploaded image for project: 'Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces) '
  1. Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces)
  2. CRW-4598

[RN/KI] FIPS limitations in Dev Spaces 3.7

XMLWordPrintable

    • False
    • None
    • False
    • Hide
      = FIPS compliance update

      There’s a known issue with FIPS compliance that results in certain cryptographic modules not being FIPS-validated. Below is a list of requirements and limitations for using FIPS with {prod-short}:

      .Required cluster and operator updates

      Update your Red Hat OpenShift Container Platform installation to the latest z-stream update for 4.11, 4.12, or 4.13 as appropriate. If you do not already have FIPS enabled, you will need to uninstall and reinstall.

      Once the cluster is up and running, install {prod-short} 3.7.1 (3.7-264) and verify that the latest DevWorkspace operator bundle 0.21.2 (0.21-7) or newer is also installed and updated. See https://catalog.redhat.com/software/containers/devworkspace/devworkspace-operator-bundle/60ec9f48744684587e2186a3

      .Golang compiler in UDI image

      The Universal Developer Image (UDI) container includes a golang compiler, which was built without the `CGO_ENABLED=1` flag. The check-payload scanner ( https://github.com/openshift/check-payload ) will throw an error, but this can be safely ignored provided that anything you build with this compiler sets the correct flag `CGO_ENABLED=1` and does NOT use `extldflags -static` or `-tags no_openssl`.

      The resulting binaries can be scanned and should pass without error.

      .Statically linked binaries

      You can find statically linked binaries not related to cryptography in these two containers:

      * code-rhel8
      * idea-rhel8.

      As they are not related to cryptography, they do not affect FIPS compliance.

      .Helm support for FIPS

      The UDI container includes the `helm` binary, which was not compiled with FIPS support. If you are in a FIPS environment do not use `helm`.
      Show
      = FIPS compliance update There’s a known issue with FIPS compliance that results in certain cryptographic modules not being FIPS-validated. Below is a list of requirements and limitations for using FIPS with {prod-short}: .Required cluster and operator updates Update your Red Hat OpenShift Container Platform installation to the latest z-stream update for 4.11, 4.12, or 4.13 as appropriate. If you do not already have FIPS enabled, you will need to uninstall and reinstall. Once the cluster is up and running, install {prod-short} 3.7.1 (3.7-264) and verify that the latest DevWorkspace operator bundle 0.21.2 (0.21-7) or newer is also installed and updated. See https://catalog.redhat.com/software/containers/devworkspace/devworkspace-operator-bundle/60ec9f48744684587e2186a3 .Golang compiler in UDI image The Universal Developer Image (UDI) container includes a golang compiler, which was built without the `CGO_ENABLED=1` flag. The check-payload scanner ( https://github.com/openshift/check-payload ) will throw an error, but this can be safely ignored provided that anything you build with this compiler sets the correct flag `CGO_ENABLED=1` and does NOT use `extldflags -static` or `-tags no_openssl`. The resulting binaries can be scanned and should pass without error. .Statically linked binaries You can find statically linked binaries not related to cryptography in these two containers: * code-rhel8 * idea-rhel8. As they are not related to cryptography, they do not affect FIPS compliance. .Helm support for FIPS The UDI container includes the `helm` binary, which was not compiled with FIPS support. If you are in a FIPS environment do not use `helm`.
    • Known Issue
    • Done

      Dev Spaces 3.7.1 is FIPS compliant, but there are a few known issues that need to be documented / explained.

      The statically linked binaries listed below are not related to cryptography so are irrelevant for FIPS compliance.

      • code-rhel8 container
        • This container includes the ripgrep prebuilt binary `rg`, used for regex searching. As the executable is statically linked, the check-payload scanner will throw an error, but this can be safely ignored as long as you're not using ripgrep to do anything related to cryptography or SSL.

      The Universal Developer Image has two caveats with respect to FIPS support:

      • udi-rhel8 container
        • This container includes the `helm` binary, which was not compiled with FIPS support. If you are in a FIPS environment do not use `helm`.
        • This container includes a golang compiler, which was built without the `CGO_ENABLED=1` flag. The check-payload scanner will throw an error, but this can be safely ignored as long as anything you build with this compiler sets the correct `CGO_ENABLED=1`flag, and does NOT use `extldflags -static` or `-tags no_openssl`. Resulting binaries can be scanned and should pass without error.

      Other updates required to enable FIPS include:

      • devworkspace operator
        • This operator also includes a FIPS-related fix, which is required to be updated in your cluster along with Dev Spaces.
      • OCP installation itself
        • Testing and support for FIPS is only available on OCP 4.10.z-4.12.z. You must update to the latest z-stream OCP update. Enabling FIPS is a "day 1" operation: to enable or disable FIPS you need to uninstall and reinstall the cluster. (ref: https://access.redhat.com/solutions/5594191)

        1. image-2023-07-27-10-02-07-399.png
          54 kB
          Nick Boldt

              sdawley@redhat.com Samantha Dawley
              nickboldt Nick Boldt
              Jana Vrbkova Jana Vrbkova
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: