@sky1122 sky1122 commented Dec 22, 2025

Issue number:

Closes #799

Description of changes:

Switch Kubernetes to use Go 1.24+ runtime FIPS support.
Package the GODEBUG=fips140=only config file in FIPS variants.

Note: these are the minimal changes for switching to Go 1.24+ runtime FIPS support.
The rest of the changes that need to be cleaned up will go in a separate release with the SDK clean-up release.

Testing done:
Testing with a non-FIPS cipher image registry

Events:
  Type     Reason     Age                     From               Message
  ----     ------     ----                    ----               -------
  Normal   Scheduled  7m35s                   default-scheduler  Successfully assigned default/test-pull-nonfips to ip-192-168-31-220.us-west-2.compute.internal
  Normal   Pulling    4m38s (x5 over 7m35s)   kubelet            Pulling image "localhost:5001/test:latest"
  Warning  Failed     4m38s (x5 over 7m35s)   kubelet            Failed to pull image "localhost:5001/test:latest": failed to pull and unpack image "localhost:5001/test:latest": failed to resolve image: failed to do request: Head "https://localhost:5001/v2/test/manifests/latest": remote error: tls: handshake failure
  Warning  Failed     4m38s (x5 over 7m35s)   kubelet            Error: ErrImagePull
  Warning  Failed     2m24s (x20 over 7m34s)  kubelet            Error: ImagePullBackOff
  Normal   BackOff    2m11s (x21 over 7m34s)  kubelet            Back-off pulling image "localhost:5001/test:latest"

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.


export KUBE_OUTPUT_SUBPATH="_fips_output/local"
export GOEXPERIMENT="boringcrypto"
# Runtime FIPS: use GODEBUG=fips140=only instead of compile-time boringcrypto

I don't think these comments are useful. In general, a comment should cover the current code and implementation details, not historical details that can be looked up in Git history.

The Kubernetes builds are complicated and have a lot of moving parts already, so in this case it might be better to just copy the same binaries into the FIPS and non-FIPS subpackages. It will also help compile times quite a lot.

Add fips-go.conf systemd drop-in that sets GODEBUG=fips140=only for
all services in FIPS variants. This enables Go's native FIPS 140-3
mode at runtime, restricting crypto packages to FIPS-approved algorithms.

Signed-off-by: Jingwei Wang <[email protected]>
@sky1122 sky1122 force-pushed the fips branch 2 times, most recently from 9c77ef2 to cbe3791 Compare January 14, 2026 19:14
…oringcrypto

Remove GOEXPERIMENT=boringcrypto from FIPS builds of kubelet and
kube-proxy. FIPS compliance is now handled at runtime via
GODEBUG=fips140=only using Go 1.24+ native FIPS 140-3 support.

Signed-off-by: Jingwei Wang <[email protected]>
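The two commits above move FIPS enforcement from a compile-time GOEXPERIMENT to a runtime GODEBUG setting delivered through a systemd drop-in. The difference matters operationally: a binary built with boringcrypto is always in FIPS mode, while a binary that relies on GODEBUG=fips140=only is only in FIPS mode if the environment actually reaches it and the binary was built with Go 1.24 or newer (older runtimes silently ignore the setting). The following is an added example, not code from this PR, of the startup self-check a Go service could run to prove which mode it came up in. It parses the fips140 value out of GODEBUG, asks the runtime via crypto/fips140.Enabled(), and probes crypto/md5, which panics under fips140=only because MD5 is not FIPS-approved; that probe is what distinguishes "only" from "on". The drop-in path and body, and the function and type names, are assumptions for illustration; the PR's actual file name and location are not shown on this page.

```go
package main

import (
	"crypto/fips140"
	"crypto/md5"
	"fmt"
	"os"
	"strings"
)

// Assumed drop-in location and content (not taken from the PR): a drop-in
// under /etc/systemd/system/service.d/ applies to every service unit, which
// is how one file can force GODEBUG for all services on a FIPS variant.
const dropInPath = "/etc/systemd/system/service.d/fips-go.conf"
const dropInBody = "[Service]\nEnvironment=GODEBUG=fips140=only\n"

// fips140Mode extracts the fips140 setting from a GODEBUG value.
// GODEBUG is a comma-separated list of name=value pairs; when a name is
// repeated, the later entry overrides the earlier one, so the last match wins.
// It returns "" when the setting is absent (the runtime default is "off").
func fips140Mode(godebug string) string {
	mode := ""
	for _, kv := range strings.Split(godebug, ",") {
		if name, value, ok := strings.Cut(kv, "="); ok && name == "fips140" {
			mode = value
		}
	}
	return mode
}

// md5Allowed reports whether the running binary lets us use MD5.
// With GODEBUG=fips140=only, crypto/md5 panics because MD5 is not
// FIPS-approved; the deferred recover turns that panic into "false".
// In "off" and "on" modes MD5 is still permitted, so this probe is what
// tells "only" apart from "on".
func md5Allowed() (allowed bool) {
	defer func() {
		if recover() != nil {
			allowed = false
		}
	}()
	_ = md5.Sum([]byte("probe")) // panics under fips140=only
	return true
}

// Report is what a service could log at startup instead of trusting that
// the systemd drop-in was applied and that the toolchain honoured it.
type Report struct {
	Requested string // fips140 value parsed from GODEBUG, "" if unset
	Enabled   bool   // crypto/fips140.Enabled(): true for "on" and "only"
	MD5OK     bool   // false only in "only" mode
}

func selfCheck(godebug string) Report {
	return Report{
		Requested: fips140Mode(godebug),
		Enabled:   fips140.Enabled(),
		MD5OK:     md5Allowed(),
	}
}

// consistent returns an error when the runtime state does not match what
// GODEBUG asked for, e.g. a binary built with Go < 1.24 that ignores
// fips140=only, or a unit whose environment was never updated.
func consistent(r Report) error {
	switch r.Requested {
	case "only":
		if !r.Enabled || r.MD5OK {
			return fmt.Errorf("fips140=only requested but runtime is not in FIPS-only mode")
		}
	case "on":
		if !r.Enabled {
			return fmt.Errorf("fips140=on requested but fips140.Enabled() is false")
		}
	case "", "off":
		// Nothing to enforce: "off" is the default, and "" may still be FIPS
		// via a //go:debug directive baked into the binary.
	default:
		return fmt.Errorf("unknown fips140 value %q in GODEBUG", r.Requested)
	}
	return nil
}

func main() {
	if len(os.Args) > 1 && os.Args[1] == "dropin" {
		fmt.Printf("# %s\n%s", dropInPath, dropInBody)
		return
	}
	r := selfCheck(os.Getenv("GODEBUG"))
	fmt.Printf("GODEBUG fips140=%q enabled=%v md5Allowed=%v\n", r.Requested, r.Enabled, r.MD5OK)
	if err := consistent(r); err != nil {
		fmt.Fprintln(os.Stderr, "FIPS self-check failed:", err)
		os.Exit(1)
	}
}
```

Run it once with the environment a FIPS unit gets (GODEBUG=fips140=only ./selfcheck) and once without; in the first case md5Allowed must be false and enabled true, otherwise the drop-in is not reaching the process or the binary predates Go 1.24. The "tls: handshake failure" seen in the PR's test against a non-FIPS registry is the same mechanism at the crypto/tls layer: in "only" mode the client refuses to negotiate non-approved cipher suites, so a registry that offers only such suites cannot complete the handshake.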
@sky1122 sky1122 marked this pull request as ready for review January 15, 2026 22:28
Successfully merging this pull request may close these issues.

Go 1.24+ runtime FIPS 140-3 support