You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Today we have this nice high level knob fips: true. However, for RHEL, only certain minor releases are certified.
I believe this is tracked in the OpenShift process that builds releases in an effectively manual way. But I think it'd be better if we:
Provided some metadata in the OS stream that described that the content was FIPS certified; strawman: flag in /usr/lib/os-release that also gets exposed in the ostree commit metadata and the machine-os-content container metadata
Teach the MCD to require this flag on the oscontainer before even pulling an OS update down if fips: true
The main goal here would be to avoid potential errors in the release stream - we simply could not accidentally publish an OS update that was not FIPS validated into an OCP release, because our CI would block it directly.
The text was updated successfully, but these errors were encountered:
The TL;DR on the private discussion is that outside of situations where Red Hat does not seek FIPs certification for a given RHEL version, like RHEL 8.3, the FIPS certification is largely de-coupled an OpenShift payload and thus machine-os-content. So when RHEL 8.4 and everything built atop 8.4 attains certification that covers previously released bits.
We do intend to inhibit clusters from upgrading into non FIPS certified versions, but at this time it will need to be a solution which exists outside of the shipped payload, most likely via Targeted Edge Blocking as @yuqi-zhang mentioned.
Today we have this nice high level knob
fips: true
. However, for RHEL, only certain minor releases are certified.I believe this is tracked in the OpenShift process that builds releases in an effectively manual way. But I think it'd be better if we:
/usr/lib/os-release
that also gets exposed in the ostree commit metadata and themachine-os-content
container metadatafips: true
The main goal here would be to avoid potential errors in the release stream - we simply could not accidentally publish an OS update that was not FIPS validated into an OCP release, because our CI would block it directly.
The text was updated successfully, but these errors were encountered: