OpenShift Request For Enhancement: RFE-5951

RHACS FIPS Support (designed for FIPS + use of FIPS validated crypto)


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Normal
    • Product: RHACS

      CUSTOMER PROBLEM

      This section should specify the customer problem we are trying to solve and, broadly, how we plan to address it.

      Red Hat recently addressed an issue with the FIPS-readiness of core Go OpenShift binaries (see https://access.redhat.com/security/cve/cve-2023-3089). As part of that work, engineering developed a scanner to validate the FIPS-readiness of these binaries and plans to make this scanner easily available to all OpenShift customers.

      RHACS has an opportunity to make this scanner available for custom images as part of an overall compliance assessment.

      USERS

      This section should specify the intended user of the set of features specified in this epic and should link out to this page for a description of personas

      • Developers building Go images for FIPS compliance.
      • Admins / SREs managing a cluster in FIPS mode who wish to ensure that only FIPS-compliant workloads are deployed.
      • Compliance teams who wish to report on the FIPS readiness / FIPS compliance of the Go images on their FISMA/FedRAMP cluster.

      ACCEPTANCE CRITERIA

      • CI - MUST be running successfully with automated tests.
      • Release Technical Enablement - Provide the necessary release enablement details and documents.
      • Provide the ability to run the RH FIPS compliance scanner on images built with Go during the CI/CD process. This likely means calling it via roxctl.
      • Provide the ability to run the RH FIPS compliance scanner on images built with Go that are deployed to the cluster.
      • Results are stored for future reference and are available via the CLI, GUI and API.
      • Results are included in FISMA/FedRAMP compliance checks, possibly through integration with the OCP Compliance Operator.

      QUESTIONS

      This section should specify what questions we are trying to answer for the customer with this set of features.

      The scan should answer the question: Is my Go container image FIPS-ready or not?

      ACTIONS

      This section should specify what actions we are trying to enable the user to take with our product.

      The goal is to help customers achieve FIPS compliance as a step toward FISMA/FedRAMP compliance.

      CONSIDERATIONS

      This section may contain notes about any number of things that should be taken into consideration when building out this set of features, including (but not limited to) intended future direction for these features or for the corresponding feature family.

      We need to work with the OCP and ISC teams to understand how the scanner will be delivered for platform component scans.

      We need to determine how the scanner will be delivered, updated and run.

      UX/UI

      Generally mocks should be attached to individual stories. However, if mocks combine multiple individual stories in order to enable the best user interaction, then the mocks should be linked here and this section should denote which stories are encompassed by the mocks.

      DELIVERY PRIORITY

      This section should outline the desired order of delivery for stories comprising this epic.

              jjung@redhat.com JP Jung
              knewcome@redhat.com Kirsten Newcomer
              Anjali Telang, Boaz Michaely, Doron Caspin, JP Jung, Maria Simon Marcos, Shubha Badve