Need FIPS 140-3 Compliant variant of Talos
Feature Request
In order to use Talos in any US Government context, we need all cryptography to be FIPS 140-2 compliant. Without FIPS compliance, we cannot consider using Talos in our production environments, and we would very much like Talos to be a serious contender in this space.
This would also make Talos a viable solution for any other high-security environments which care about FIPS 140-2 compliance.
Description
Provide a variant of the Talos image which contains only FIPS 140-2 authorized cryptography modules. FIPS variants of other open source offerings exist. For reference:
- FIPS Istio https://tetrate.io/learn/fips/istio-fips/
- FIPS GitLab https://docs.gitlab.com/ee/development/fips_compliance.html
This was requested previously in #6230 but grew stale. You can search to see if a particular library is FIPS compliant here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search.
Do we have any update on getting Talos Linux to be FIPS compliant?
We are in the research phase here; no commitments or dates so far.
Absent a compelling commercial case, we are unlikely to explore FIPS compliance in the next 12 months.
You might have someone take enough interest eventually to contribute FIPS to this CNCF project without any need for commercial spending if there was some idea of where to start documented in this issue. If FIPS support is compiled into the kernel, it might be as easy as tossing an option to add "fips=1" to the boot loader. Looks like talos might be doing something similar with kspp? I see some possibly relevant stuff in the machinery/kernel too.
> Absent a compelling commercial case, we are unlikely to explore FIPS compliance in the next 12 months.
What exactly are you looking for? US Government's budget isn't exactly a small customer. Not wishing to focus on that market is valid of course for many different reasons, but that's a business decision, not a lack of commercial opportunity. Rancher, before they were bought by SUSE, created RKE2 (originally RKE Gov) specifically to address this market and forked off Rancher Government when SUSE bought the rest, which is still successfully selling services to support government Kubernetes installations. Red Hat is making tons off of US Gov selling OpenShift. Broadcom/VMware has sold Tanzu hard to the government. There is also a lot of push toward more automated and higher security solutions, which Talos has the potential to be, but FIPS is a foundational expectation. You can get things through that aren't that, but the compliance battle to do something different than the old way benefits from these things not being a hindrance.
In other words, it's a chicken and egg problem. You aren't likely to have someone champion your solution in gov space before you show a willingness to invest something. It'll take partnership with someone who knows the market to make the initial wins. As I said before though, being open source, maybe there is an alternative to Sidero Labs putting in some of that investment.
It's definitely a chicken and egg problem, and we agree there is a good business opportunity in the federal arena that getting FIPS compliant would help.
However, as a small company, unless we get someone saying "We will give you $500K contract if you get the FIPS cert", we are not going to do it in the short term.
- we've not had any luck with the federal space so far (we've spent a bunch of time applying for SBIR programs; we've engaged in a CRADA, but while there is interest, there has been slow progress due to gov personnel changes, budget, etc.)
- while there is an opportunity, selling to the gov space requires a big investment in engineering in just our build pipelines to support a different version; plus a parallel investment in different sales and marketing teams and collateral focussed on federal, etc.
We are just expanding our engineering team and marketing (from zero!) currently, so will be increasing investment over the short term before our revenue reflects that, and we are not in a position to invest for other long term initiatives just now.
SO... we will get to it. But in a while.
Yeah, valid.
> However, as a small company, unless we get someone saying "We will give you $500K contract if you get the FIPS cert", we are not going to do it in the short term.
What if the contract was just "get FIPS compliant?" How much would that cost?
https://github.com/golang/go/issues/69536 golang "crypto: obtain a FIPS 140-3 validation" if that helps
Just here to add my support to getting FIPS compliance...
I'm currently leading the K8S architecture for a very large gov agency, and while I am personally a huge fan of talos and would jump at the opportunity to include it as part of our design, the lack of FIPS sadly makes it a non-starter.
I'm actively working on scoping this to see what it will take. If you are interested in a FIPS build of Talos please reach out to [email protected] so we can understand your scope requirements and needs.
Does this come "for free" now with go 1.24 supporting FIPS 140-3?
We just finished a FIPS assessment to provide us guidance on our options. Right now we don't plan on going through the full FIPS certification process, but we are working on a FIPS compliant option. If someone requires FIPS certification to use Talos please let me know.
Using the FIPS crypto in go requires a setting at build time and a setting at run time. At this point we have no plans to make FIPS compliant crypto the default build of Talos so we will have a separate build pipeline that uses FIPS crypto libraries and sets the FIPS compatibility at run time.
This will initially be for Talos' userspace PID 1 which runs the Talos API. We'll look into rebuilding and maintaining FIPS compliant versions of containerd and Kubernetes components (api server, kubelet, controller manager, etcd, scheduler) which would require recompiling and setting the runtime options.
Access to a Talos FIPS build and distribution of assets will require a support contract with Sidero because of the extra work, resources, and some of the process and business requirements for customers who need this option. The code will still be open source and available if you want to build/maintain your own FIPS compliant Talos but the compiled assets will not be freely distributed.
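The two layers mentioned in this thread, the kernel's `fips=1` boot parameter and the Go module's build-time (`GOFIPS140`) plus run-time (`GODEBUG=fips140=...`) settings, can both be verified by a service at startup. The following is an added example, not code from the Talos project or from anyone in this thread: a Go 1.24+ startup guard that reads the kernel state from `/proc/sys/crypto/fips_enabled`, reports the module settings, and refuses to continue unless both layers are in FIPS mode. The function names and the policy it enforces are this example's own choices.

```go
// Added example, not Talos project code: a startup guard for a binary that
// must only run with FIPS-mode cryptography. It checks the Linux kernel's
// fips_enabled state (set by booting with fips=1) and Go's FIPS 140-3
// module state (GOFIPS140 at build time, GODEBUG=fips140=on|only at run time).
package main

import (
	"bytes"
	"crypto/fips140" // Go 1.24+: Enabled() reports the module's FIPS mode
	"errors"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// parseKernelFIPS interprets the contents of /proc/sys/crypto/fips_enabled,
// which reads "1\n" when the kernel booted with fips=1 and "0\n" otherwise.
func parseKernelFIPS(contents []byte) bool {
	return string(bytes.TrimSpace(contents)) == "1"
}

// runtimeFIPSMode extracts the fips140 key from a GODEBUG string such as
// "fips140=on,http2client=0". Go treats a missing key as "off". This is
// diagnostic only: the setting can also be baked in with a //go:debug
// directive, so fips140.Enabled() is the authoritative answer.
func runtimeFIPSMode(godebug string) string {
	for _, kv := range strings.Split(godebug, ",") {
		key, val, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if ok && key == "fips140" {
			return val
		}
	}
	return "off"
}

// buildFIPSSetting returns the GOFIPS140 value recorded in the binary's
// build info, or "" if the binary was built without one (GOFIPS140=off).
func buildFIPSSetting(info *debug.BuildInfo) string {
	if info == nil {
		return ""
	}
	for _, s := range info.Settings {
		if s.Key == "GOFIPS140" {
			return s.Value
		}
	}
	return ""
}

// checkFIPS is the policy decision: both the kernel and the Go module must
// be in FIPS mode, otherwise a single error lists everything that is wrong.
func checkFIPS(kernelFIPS, moduleEnabled bool) error {
	var problems []string
	if !kernelFIPS {
		problems = append(problems, "kernel not booted with fips=1")
	}
	if !moduleEnabled {
		problems = append(problems, "Go crypto module not in FIPS 140-3 mode (build with GOFIPS140 and run with GODEBUG=fips140=on or only)")
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

func main() {
	contents, err := os.ReadFile("/proc/sys/crypto/fips_enabled")
	kernelFIPS := err == nil && parseKernelFIPS(contents)
	info, _ := debug.ReadBuildInfo()
	fmt.Printf("kernel fips_enabled=%v build GOFIPS140=%q runtime GODEBUG fips140=%q module enabled=%v\n",
		kernelFIPS, buildFIPSSetting(info), runtimeFIPSMode(os.Getenv("GODEBUG")), fips140.Enabled())
	if err := checkFIPS(kernelFIPS, fips140.Enabled()); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
}
```

Build with `GOFIPS140=latest go build` (or a specific module version) and run with `GODEBUG=fips140=on ./guard` to see both layers reported as enabled on a kernel booted with `fips=1`; `fips140=only` is the stricter run-time mode, in which non-approved algorithms additionally return errors instead of silently succeeding.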
Great news. I cannot wait to stop using OpenShift :)
Also working on a very large gov contract and leading the k8s arch. We love Talos but need to be able to demo it with FIPS compliance before it can be considered.