OpenShift 4.15 FIPS global crypto-policies come as DEFAULT rather than FIPS

When OCP is running in FIPS mode, fips_enabled should report FIPS mode, and the crypto-policies configuration should report FIPS as well.

However, in OCP 4.15 a container started on a node in FIPS mode returns DEFAULT in /etc/crypto-policies/config instead of FIPS.

This is a very specific configuration and should only affect a narrow set of workloads, such as older releases of OpenJDK 11 (only the older releases). Later OpenJDK 11 releases and all newer OpenJDK versions read the FIPS state from /proc/sys/crypto/fips_enabled instead. More details on OpenJDK behavior can be found in: Red Hat OpenJDK FIPS settings in OpenShift 4.

The cause of this problem is a CRI-O defect: the container engine does not update the container's crypto-policies setting. This was fixed in CRI-O 1.29.
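
A quick way to detect the mismatch described above from inside a pod, as an added example that is not part of the original article: the function compares /proc/sys/crypto/fips_enabled with /etc/crypto-policies/config and reports whether the two agree. The path arguments exist so the check can be exercised against constructed files; the `oc exec` invocation in the comment is an assumed way to run it.

```shell
#!/bin/sh
# Added diagnostic (not from the article): compare the kernel FIPS flag with
# the crypto-policies profile a container sees. Paths default to the real
# files; pass other paths to test the logic against constructed input.

# Prints one of: fips-consistent, fips-policy-mismatch, not-fips, unknown
fips_policy_status() {
    fips_flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    policy_file="${2:-/etc/crypto-policies/config}"

    # No kernel flag readable: we cannot say anything about FIPS state.
    [ -r "$fips_flag_file" ] || { echo unknown; return 2; }
    fips_flag=$(cat "$fips_flag_file")

    # Take the first non-comment, non-empty line of the policy file
    # (e.g. "FIPS" or a sub-policy form such as "FIPS:OSPP").
    policy=""
    if [ -r "$policy_file" ]; then
        policy=$(grep -v '^[[:space:]]*#' "$policy_file" \
                 | grep -v '^[[:space:]]*$' | head -n 1 | tr -d '[:space:]')
    fi

    if [ "$fips_flag" != "1" ]; then
        echo not-fips
        return 0
    fi
    case "$policy" in
        FIPS|FIPS:*) echo fips-consistent; return 0 ;;
        *)           echo fips-policy-mismatch; return 1 ;;
    esac
}

# When run directly inside a pod with no arguments, report on the live files,
# e.g. (assumed invocation):  oc exec <pod> -- sh -s < fips-check.sh
if [ $# -eq 0 ]; then
    echo "fips_enabled vs crypto-policies: $(fips_policy_status)"
fi
```

On an affected OCP 4.15 node the output is `fips-policy-mismatch` (flag 1, profile DEFAULT); after the CRI-O fix it is `fips-consistent`.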

Root Cause:

This is discussed on the Jira OCPBUGS-53457.

The pull commits:
containers-1667
container-2174

Those two commits are not included in CRI-O 1.28, so it fails to update /etc/crypto-policies/config. CRI-O 1.29 includes them.
