Merge pull request #205362 from erik-ha-msft/erikha-aks-windows-fips

[AKS] - FIPS for Windows

Author: v-regandowner

articles/aks/TOC.yml

@@ -297,6 +297,8 @@
               href: azure-disk-customer-managed-keys.md
             - name: Enable host-based encryption
               href: enable-host-encryption.md
+            - name: Enable FIPS
+              href: enable-fips-nodes.md
         - name: Application security
           items:
             - name: Use Azure AD pod identity (preview)

articles/aks/enable-fips-nodes.md

@@ -0,0 +1,135 @@
+---
+title: Enable Federal Information Process Standard (FIPS) for Azure Kubernetes Service (AKS) node pools
+description: Learn how to enable Federal Information Process Standard (FIPS) for Azure Kubernetes Service (AKS) node pools.
+author: erik-ha-msft
+ms.author: erikha
+ms.service: container-service
+ms.topic: how-to 
+ms.date: 07/19/2022
+ms.custom: template-how-to
+---
+
+# Enable Federal Information Process Standard (FIPS) for Azure Kubernetes Service (AKS) node pools
+
+The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. Azure Kubernetes Service (AKS) allows you to create Linux and Windows node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools can use those cryptographic modules to provide increased security and help meet security controls as part of FedRAMP compliance. For more information on FIPS 140-2, see [Federal Information Processing Standard (FIPS) 140][fips].
+
+## Prerequisites
+
+You need the Azure CLI version 2.32.0 or later installed and configured. Run `az --version` to find the version. For more information about installing or upgrading the Azure CLI, see [Install Azure CLI][install-azure-cli].
+
+FIPS-enabled node pools have the following limitations:
+
+* FIPS-enabled node pools require Kubernetes version 1.19 and greater.
+* To update the underlying packages or modules used for FIPS, you must use [Node Image Upgrade][node-image-upgrade].
+* Container images on the FIPS nodes haven't been assessed for FIPS compliance.
+
+> [!IMPORTANT]
+> The FIPS-enabled Linux image is a different image than the default Linux image used for Linux-based node pools. To enable FIPS on a node pool, you must create a new Linux-based node pool. You can't enable FIPS on existing node pools.
+> 
+> FIPS-enabled node images may have different version numbers, such as kernel version, than images that are not FIPS-enabled. Also, the update cycle for FIPS-enabled node pools and node images may differ from node pools and images that are not FIPS-enabled.
+
+## Create a FIPS-enabled Linux node pool
+
+To create a FIPS-enabled Linux node pool, use the [az aks nodepool add][az-aks-nodepool-add] command with the `--enable-fips-image` parameter when creating a node pool.
+
+```azurecli-interactive
+az aks nodepool add \
+    --resource-group myResourceGroup \
+    --cluster-name myAKSCluster \
+    --name fipsnp \
+    --enable-fips-image
+```
+
+> [!NOTE]
+> You can also use the `--enable-fips-image` parameter with [az aks create][az-aks-create] when creating a cluster to enable FIPS on the default node pool. When adding node pools to a cluster created in this way, you still must use the `--enable-fips-image` parameter when adding node pools to create a FIPS-enabled node pool.
+
+To verify your node pool is FIPS-enabled, use [az aks show][az-aks-show] to check the *enableFIPS* value in *agentPoolProfiles*.
+
+```azurecli-interactive
+az aks show \
+    --resource-group myResourceGroup \
+    --name myAKSCluster \
+    --query="agentPoolProfiles[].{Name:name enableFips:enableFips}" \
+    -o table
+```
+
+The following example output shows the *fipsnp* node pool is FIPS-enabled and *nodepool1* isn't.
+
+```output
+Name       enableFips
+---------  ------------
+fipsnp     True
+nodepool1  False  
+```
+
+You can also verify deployments have access to the FIPS cryptographic libraries using `kubectl debug` on a node in the FIPS-enabled node pool. Use `kubectl get nodes` to list the nodes:
+
+```output
+$ kubectl get nodes
+NAME                                STATUS   ROLES   AGE     VERSION
+aks-fipsnp-12345678-vmss000000      Ready    agent   6m4s    v1.19.9
+aks-fipsnp-12345678-vmss000001      Ready    agent   5m21s   v1.19.9
+aks-fipsnp-12345678-vmss000002      Ready    agent   6m8s    v1.19.9
+aks-nodepool1-12345678-vmss000000   Ready    agent   34m     v1.19.9
+```
+
+In the above example, the nodes starting with `aks-fipsnp` are part of the FIPS-enabled node pool. Use `kubectl debug` to run a deployment with an interactive session on one of those nodes in the FIPS-enabled node pool.
+
+```azurecli-interactive
+kubectl debug node/aks-fipsnp-12345678-vmss000000 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0
+```
+
+From the interactive session, you can verify the FIPS cryptographic libraries are enabled:
+
+```output
+root@aks-fipsnp-12345678-vmss000000:/# cat /proc/sys/crypto/fips_enabled
+1
+```
+
+FIPS-enabled node pools also have a *kubernetes.azure.com/fips_enabled=true* label, which can be used by deployments to target those node pools.
+
+## Create a FIPS-enabled Windows node pool
+
+To create a FIPS-enabled Windows node pool, use the [az aks nodepool add][az-aks-nodepool-add] command with the `--enable-fips-image` parameter when creating a node pool. Unlike Linux-based node pools, Windows node pools share the same image set. 
+
+```azurecli-interactive
+az aks nodepool add \
+    --resource-group myResourceGroup \
+    --cluster-name myAKSCluster \
+    --name fipsnp \
+    --enable-fips-image \
+    --os-type Windows
+```
+
+To verify your node pool is FIPS-enabled, use [az aks show][az-aks-show] to check the *enableFIPS* value in *agentPoolProfiles*.
+
+```azurecli-interactive
+az aks show \
+    --resource-group myResourceGroup \
+    --name myAKSCluster \
+    --query="agentPoolProfiles[].{Name:name enableFips:enableFips}" \
+    -o table
+```
+
+To verify Windows node pools have access to the FIPS cryptographic libraries, [create an RDP connection to a Windows node][aks-rdp] in a FIPS-enabled node pool and check the registry.
+
+1. From the **Run** application, enter `regedit`.
+1. Look for `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy` in the registry.
+1. If `Enabled` is set to 1, then FIPS is enabled.
+
+:::image type="content" source="./media/enable-fips-nodes/enable-fips-nodes-windows.png" alt-text="Screenshot shows a picture of the registry editor to the FIPS Algorithm Policy, and it being enabled.":::
+
+FIPS-enabled node pools also have a *kubernetes.azure.com/fips_enabled=true* label, which can be used by deployments to target those node pools.
+
+## Next steps
+
+To learn more about AKS security, see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security].
+
+<!-- LINKS - Internal -->
+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az-aks-nodepool-add
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[aks-best-practices-security]: operator-best-practices-cluster-security.md
+[aks-rdp]: rdp.md
+[fips]: /azure/compliance/offerings/offering-fips-140-2
+[install-azure-cli]: /cli/azure/install-azure-cli
+[node-image-upgrade]: node-image-upgrade.md

articles/aks/media/enable-fips-nodes/enable-fips-nodes-windows.png

@@ -409,7 +409,7 @@ As your application workloads demands, you may associate node pools to capacity
 
 For more information on the capacity reservation groups, please refer to [Capacity Reservation Groups][capacity-reservation-groups].
 
-Associating a node pool with an existing capacity reservation group can be done using [az aks nodepool add][az-aks-nodepool-add] command and specifying a capacity reservation group with the --capacityReservationGroup flag" The capacity reservation group should already exist , otherwise the node pool will be added to the cluster with a warning and no capacity reservation group gets associated. 
+Associating a node pool with an existing capacity reservation group can be done using [az aks nodepool add][az-aks-nodepool-add] command and specifying a capacity reservation group with the --capacityReservationGroup flag" The capacity reservation group should already exist, otherwise the node pool will be added to the cluster with a warning and no capacity reservation group gets associated. 
 
 ```azurecli-interactive
 az aks nodepool add -g MyRG --cluster-name MyMC -n myAP --capacityReservationGroup myCRG
@@ -605,77 +605,7 @@ For more information on using Azure tags with node pools, see [Use Azure tags in
 
 ## Add a FIPS-enabled node pool
 
-The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. AKS allows you to create Linux-based node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools can use those cryptographic modules to provide increased security and help meet security controls as part of FedRAMP compliance. For more information on FIPS 140-2, see [Federal Information Processing Standard (FIPS) 140-2][fips].
-
-### Prerequisites
-
-You need the Azure CLI version 2.32.0 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
-
-FIPS-enabled node pools have the following limitations:
-
-* Currently, you can only have FIPS-enabled Linux-based node pools running on Ubuntu 18.04.
-* FIPS-enabled node pools require Kubernetes version 1.19 and greater.
-* To update the underlying packages or modules used for FIPS, you must use [Node Image Upgrade][node-image-upgrade].
-* Container Images on the FIPS nodes haven't been assessed for FIPS compliance.
-
-> [!IMPORTANT]
-> The FIPS-enabled Linux image is a different image than the default Linux image used for Linux-based node pools. To enable FIPS on a node pool, you must create a new Linux-based node pool. You can't enable FIPS on existing node pools.
-> 
-> FIPS-enabled node images may have different version numbers, such as kernel version, than images that are not FIPS-enabled. Also, the update cycle for FIPS-enabled node pools and node images may differ from node pools and images that are not FIPS-enabled.
-
-To create a FIPS-enabled node pool, use [az aks nodepool add][az-aks-nodepool-add] with the *--enable-fips-image* parameter when creating a node pool.
-
-```azurecli-interactive
-az aks nodepool add \
-    --resource-group myResourceGroup \
-    --cluster-name myAKSCluster \
-    --name fipsnp \
-    --enable-fips-image
-```
-
-> [!NOTE]
-> You can also use the *--enable-fips-image* parameter with [az aks create][az-aks-create] when creating a cluster to enable FIPS on the default node pool. When adding node pools to a cluster created in this way, you still must use the *--enable-fips-image* parameter when adding node pools to create a FIPS-enabled node pool.
-
-To verify your node pool is FIPS-enabled, use [az aks show][az-aks-show] to check the *enableFIPS* value in *agentPoolProfiles*.
-
-```azurecli-interactive
-az aks show --resource-group myResourceGroup --name myAKSCluster --query="agentPoolProfiles[].{Name:name enableFips:enableFips}" -o table
-```
-
-The following example output shows the *fipsnp* node pool is FIPS-enabled and *nodepool1* isn't.
-
-```output
-Name       enableFips
----------  ------------
-fipsnp     True
-nodepool1  False  
-```
-
-You can also verify deployments have access to the FIPS cryptographic libraries using `kubectl debug` on a node in the FIPS-enabled node pool. Use `kubectl get nodes` to list the nodes:
-
-```output
-$ kubectl get nodes
-NAME                                STATUS   ROLES   AGE     VERSION
-aks-fipsnp-12345678-vmss000000      Ready    agent   6m4s    v1.19.9
-aks-fipsnp-12345678-vmss000001      Ready    agent   5m21s   v1.19.9
-aks-fipsnp-12345678-vmss000002      Ready    agent   6m8s    v1.19.9
-aks-nodepool1-12345678-vmss000000   Ready    agent   34m     v1.19.9
-```
-
-In the above example, the nodes starting with `aks-fipsnp` are part of the FIPS-enabled node pool. Use `kubectl debug` to run a deployment with an interactive session on one of those nodes in the FIPS-enabled node pool.
-
-```azurecli-interactive
-kubectl debug node/aks-fipsnp-12345678-vmss000000 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0
-```
-
-From the interactive session, you can verify the FIPS cryptographic libraries are enabled:
-
-```output
-root@aks-fipsnp-12345678-vmss000000:/# cat /proc/sys/crypto/fips_enabled
-1
-```
-
-FIPS-enabled node pools also have a *kubernetes.azure.com/fips_enabled=true* label, which can be used by deployments to target those node pools.
+For more information on enabling Federal Information Process Standard (FIPS) for your AKS cluster, see [Enable Federal Information Process Standard (FIPS) for Azure Kubernetes Service (AKS) node pools][enable-fips-nodes].
 
 ## Manage node pools using a Resource Manager template
 
@@ -911,6 +841,7 @@ Use [proximity placement groups][reduce-latency-ppg] to reduce latency for your
 [az-group-delete]: /cli/azure/group#az_group_delete
 [az-deployment-group-create]: /cli/azure/deployment/group#az_deployment_group_create
 [az-aks-nodepool-add]: /cli/azure/aks#az_aks_nodepool_add
+[enable-fips-nodes]: enable-fips-nodes.md
 [gpu-cluster]: gpu-cluster.md
 [install-azure-cli]: /cli/azure/install-azure-cli
 [operator-best-practices-advanced-scheduler]: operator-best-practices-advanced-scheduler.md
@@ -927,7 +858,6 @@ Use [proximity placement groups][reduce-latency-ppg] to reduce latency for your
 [public-ip-prefix-benefits]: ../virtual-network/ip-services/public-ip-address-prefix.md
 [az-public-ip-prefix-create]: /cli/azure/network/public-ip/prefix#az_network_public_ip_prefix_create
 [node-image-upgrade]: node-image-upgrade.md
-[fips]: /azure/compliance/offerings/offering-fips-140-2
 [use-tags]: use-tags.md
 [use-labels]: use-labels.md
 [cordon-and-drain]: resize-node-pool.md#cordon-the-existing-nodes