OpenShift 4.15 FIPS: global crypto-policies report DEFAULT rather than FIPS
When OCP is running in FIPS mode, /proc/sys/crypto/fips_enabled reports that FIPS mode is on, and the crypto-policies should report FIPS as well.
However, on OCP 4.15 a container started on a FIPS-mode cluster reports DEFAULT in /etc/crypto-policies/config instead of FIPS, although workloads should not rely upon that information.
This is a very specific configuration and should only affect a specific set of workloads, such as older releases of OpenJDK 11. Later OpenJDK 11 releases, and all later OpenJDK versions, read /proc/sys/crypto/fips_enabled instead. More details on OpenJDK behavior can be found in: Red Hat OpenJDK FIPS settings in OpenShift 4. OpenSSL might also use /etc/crypto-policies/config as its reference rather than /proc/sys/crypto/fips_enabled.
The cause of this problem lies in CRI-O: the container engine does not update the container's crypto-policies configuration. This was fixed in CRI-O 1.29.
Root Cause:
This is discussed in Jira OCPBUGS-53457.
The fix consists of two pull request commits:
containers-1667
container-2174
Those two commits are not included in CRI-O 1.28, which therefore fails to update /etc/crypto-policies/config. CRI-O 1.29 includes them.
Workloads should not rely on /etc/crypto-policies/config and should read /proc/sys/crypto/fips_enabled instead.
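As an added example (not part of the original article), the following POSIX shell script determines FIPS state the recommended way, from /proc/sys/crypto/fips_enabled, and flags the mismatch described above when /etc/crypto-policies/config still says DEFAULT. File paths are parameters, and the demo uses constructed sample files rather than the real system paths.

```shell
#!/bin/sh
# Added example: check FIPS state inside a container from the kernel flag
# and detect a stale /etc/crypto-policies/config (the CRI-O 1.28 symptom).

# fips_kernel_state FILE -> prints "enabled", "disabled" or "unknown"
# FILE is normally /proc/sys/crypto/fips_enabled.
fips_kernel_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# crypto_policy FILE -> prints the active policy name (DEFAULT, FIPS, ...) or "unknown"
# FILE is normally /etc/crypto-policies/config; the first non-comment line holds the name.
crypto_policy() {
    [ -r "$1" ] || { echo unknown; return 0; }
    p=$(grep -v '^[[:space:]]*#' "$1" | grep . | head -n 1 | tr -d '[:space:]')
    [ -n "$p" ] && echo "$p" || echo unknown
}

# fips_check FIPS_FILE POLICY_FILE -> prints:
#   ok        kernel FIPS on and crypto-policies report FIPS
#   mismatch  kernel FIPS on but crypto-policies report something else (the bug above)
#   notfips   kernel FIPS off or unknown; crypto-policies value is irrelevant
fips_check() {
    state=$(fips_kernel_state "$1")
    policy=$(crypto_policy "$2")
    if [ "$state" = enabled ]; then
        if [ "$policy" = FIPS ]; then echo ok; else echo mismatch; fi
    else
        echo notfips
    fi
}

# Constructed sample reproducing the article's scenario: kernel in FIPS mode while
# the container's crypto-policies config still reads DEFAULT.
demo() {
    d=$(mktemp -d)
    echo 1 > "$d/fips_enabled"
    echo DEFAULT > "$d/config"
    fips_check "$d/fips_enabled" "$d/config"
    rm -rf "$d"
}

# Inside a real container, run:
#   fips_check /proc/sys/crypto/fips_enabled /etc/crypto-policies/config
```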