From 9b884b3fc26fb3b6b320f1db26da3b1515fba7ad Mon Sep 17 00:00:00 2001
From: Connor Catlett
Date: Tue, 26 Nov 2024 21:15:47 +0000
Subject: [PATCH] Add FIPS image and Helm parameter

Signed-off-by: Connor Catlett
---
 Dockerfile | 1 +
 Makefile | 20 +++++++++++++++----
 .../aws-ebs-csi-driver/templates/_helpers.tpl | 7 +++++++
 .../templates/_node-windows.tpl | 6 +++++-
 charts/aws-ebs-csi-driver/templates/_node.tpl | 6 +++++-
 .../templates/controller.yaml | 6 +++++-
 charts/aws-ebs-csi-driver/templates/node.yaml | 1 +
 charts/aws-ebs-csi-driver/values.yaml | 6 ++++++
 docs/fips.md | 15 ++++++++++++++
 docs/makefile.md | 6 +++++-
 hack/cloudbuild.sh | 2 +-
 11 files changed, 67 insertions(+), 9 deletions(-)
 create mode 100644 docs/fips.md

diff --git a/Dockerfile b/Dockerfile
index f53426cf84..b23d94fa4c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,6 +25,7 @@ COPY . .
 ARG TARGETOS
 ARG TARGETARCH
 ARG VERSION
+ARG GOEXPERIMENT
 RUN --mount=type=cache,target=/gomodcache --mount=type=cache,target=/gocache OS=$TARGETOS ARCH=$TARGETARCH make
 
 FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest-al23 AS linux-al2023
diff --git a/Makefile b/Makefile
index c7da868d24..e6c099fc56 100644
--- a/Makefile
+++ b/Makefile
@@ -34,6 +34,10 @@ else
 BINARY=aws-ebs-csi-driver
 OSVERSION?=al2023
 endif
+FIPS?=false
+ifeq ($(FIPS),true)
+ FIPS_DOCKER_ARGS=--build-arg=GOEXPERIMENT=boringcrypto
+endif
 
 GO_SOURCES=go.mod go.sum $(shell find pkg cmd -type f -name "*.go")
 
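Review bot: `ARG GOEXPERIMENT` reaches `go build` only implicitly, through the environment of the `RUN … make` line below it, and Go's BoringCrypto code is additionally gated on cgo, so if the Makefile's `go build` invocation (not part of this patch) runs with `CGO_ENABLED=0` the experiment is silently dropped and the `-fips` image ships the default Go crypto while being labelled FIPS. A build-time gate would turn that into a hard failure: when GOEXPERIMENT is boringcrypto, fail the build unless the produced binary actually contains BoringCrypto symbols (e.g. `go tool nm` on the binary, looking for the `goboringcrypto` prefix). A comment on the new line, `# Consumed by go build through the build-stage environment; set to boringcrypto for the FIPS image variant`, would also make the implicit coupling visible to the next maintainer.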
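Review bot: `FIPS_DOCKER_ARGS` is assigned only inside the `ifeq`, so for any value of `FIPS` other than `true` the `image` recipe (the `@@ -228,6 +239,7 @@ image:` hunk further down) expands an undefined variable, which warns under `--warn-undefined-variables`, and a misspelling such as `FIPS=True` silently yields a non-FIPS build with no diagnostic. Define the variable unconditionally and reject unknown values: `FIPS_DOCKER_ARGS :=` before the `ifeq`, then `else ifneq ($(FIPS),false)` and `$(error FIPS must be true or false, got '$(FIPS)')` before the `endif`. The assignment inside the branch should use `:=` as well, since the value is a constant.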
@@ -192,11 +196,18 @@ update-image-dependencies: update-sidecar-dependencies
 ## CI aliases
 # Targets intended to be executed mostly or only by CI jobs
-.PHONY: all-push
-all-push: all-image-registry push-manifest
+.PHONY: sub-push
+sub-push: all-image-registry push-manifest
+
+.PHONY: sub-push-fips
+sub-push-fips:
+	$(MAKE) FIPS=true sub-push
 
-.PHONY: all-push-with-a1compat
-all-push-with-a1compat: sub-image-linux-arm64-al2 all-image-registry push-manifest
+.PHONY: sub-push-a1compat
+sub-push-a1-compat: sub-image-linux-arm64-al2
+
+.PHONY: all-push
+all-push: sub-push sub-push-fips sub-push-a1compat
 
 test-e2e-%:
 	./hack/prow-e2e.sh test-e2e-$*
 
@@ -228,6 +239,7 @@ image:
 	-t=$(IMAGE):$(TAG)-$(OS)-$(ARCH)-$(OSVERSION) \
 	--build-arg=GOPROXY=$(GOPROXY) \
 	--build-arg=VERSION=$(VERSION) \
+	$(FIPS_DOCKER_ARGS) \
 	`./hack/provenance.sh` \
 	.
 
diff --git a/charts/aws-ebs-csi-driver/templates/_helpers.tpl b/charts/aws-ebs-csi-driver/templates/_helpers.tpl
index 73d3e140a2..62941efcb5 100644
--- a/charts/aws-ebs-csi-driver/templates/_helpers.tpl
+++ b/charts/aws-ebs-csi-driver/templates/_helpers.tpl
@@ -31,6 +31,13 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Determine image
+*/}}
+{{- define "aws-ebs-csi-driver.fullImagePath" -}}
+{{ printf "%s%s:%s%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (.Values.image.tag | toString)) (.Values.fips | ternary "-fips" "") }}
+{{- end -}}
+
 {{/*
 Common labels
 */}}
diff --git a/charts/aws-ebs-csi-driver/templates/_node-windows.tpl b/charts/aws-ebs-csi-driver/templates/_node-windows.tpl
index 5fdc6775ca..f53bffd0d1 100644
--- a/charts/aws-ebs-csi-driver/templates/_node-windows.tpl
+++ b/charts/aws-ebs-csi-driver/templates/_node-windows.tpl
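Review bot: `.PHONY: sub-push-a1compat` and the `all-push` prerequisite `sub-push-a1compat` do not match the rule that is actually defined, `sub-push-a1-compat:`, so `make all-push` fails with no rule to make target `sub-push-a1compat`; rename the rule line to `sub-push-a1compat: sub-image-linux-arm64-al2`. Separately, `sub-push-fips` re-runs `sub-push` with `FIPS=true` but nothing in this patch changes `TAG` (the `image` recipe still tags `$(IMAGE):$(TAG)-$(OS)-$(ARCH)-$(OSVERSION)`), so unless TAG is suffixed somewhere else in the Makefile the FIPS images and manifest are pushed under the same tags as the non-FIPS ones and overwrite them, while the chart helper expects a `-fips` tag suffix. Because `all-push` lists its three sub-targets as plain prerequisites and cloudbuild.sh invokes it with `-j`, `sub-push` and the recursive `sub-push-fips` also build and push the same image names concurrently; if sequential execution is intended, declare `sub-push-fips: sub-push` (and likewise order the a1compat step) so the graph encodes it.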
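Review bot: The header comment `Determine image` on the new `aws-ebs-csi-driver.fullImagePath` template omits the one behaviour a chart user can get wrong: when `fips` is true the helper appends `-fips` to whatever tag is in use, including a user-supplied `image.tag`, so a custom tag must exist in a `-fips` variant or the pull fails. Replace it with something like `Full image reference: [containerRegistry]repository:tag, where tag defaults to v<appVersion>; when .Values.fips is true a "-fips" suffix is appended to the tag, so an overridden image.tag needs a matching -fips build`. The `ternary` pipeline itself is correct (`cond | ternary a b` yields `a` when cond is true).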
@@ -64,7 +64,7 @@ spec:
       {{- end }}
       containers:
         - name: ebs-plugin
-          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
+          image: {{ include "aws-ebs-csi-driver.fullImagePath" $ }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{- if .Values.node.windowsHostProcess }}
           command:
@@ -111,6 +111,10 @@ spec:
               value: {{ .otelServiceName }}
             - name: OTEL_EXPORTER_OTLP_ENDPOINT
               value: {{ .otelExporterEndpoint }}
+          {{- if .Values.fips }}
+            - name: AWS_USE_FIPS_ENDPOINT
+              value: "true"
+          {{- end }}
           {{- end }}
           {{- with .Values.node.env }}
           {{- . | toYaml | nindent 12 }}
diff --git a/charts/aws-ebs-csi-driver/templates/_node.tpl b/charts/aws-ebs-csi-driver/templates/_node.tpl
index e25366ba7a..f4f1b03aa7 100644
--- a/charts/aws-ebs-csi-driver/templates/_node.tpl
+++ b/charts/aws-ebs-csi-driver/templates/_node.tpl
@@ -66,7 +66,7 @@ spec:
       {{- end }}
       containers:
         - name: ebs-plugin
-          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
+          image: {{ include "aws-ebs-csi-driver.fullImagePath" $ }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - node
@@ -112,6 +112,10 @@ spec:
             - name: OTEL_EXPORTER_OTLP_ENDPOINT
               value: {{ .otelExporterEndpoint }}
           {{- end }}
+          {{- if .Values.fips }}
+            - name: AWS_USE_FIPS_ENDPOINT
+              value: "true"
+          {{- end }}
           {{- with .Values.node.env }}
           {{- . | toYaml | nindent 12 }}
           {{- end }}
diff --git a/charts/aws-ebs-csi-driver/templates/controller.yaml b/charts/aws-ebs-csi-driver/templates/controller.yaml
index da7310549d..598984ed20 100644
--- a/charts/aws-ebs-csi-driver/templates/controller.yaml
+++ b/charts/aws-ebs-csi-driver/templates/controller.yaml
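Review bot: In the `@@ -111,6 +111,10 @@` hunk of `_node-windows.tpl` the new `{{- if .Values.fips }}` block is inserted before the context line `{{- end }}` that closes the block in which `.otelServiceName` and `.otelExporterEndpoint` are resolved, i.e. a block that has rebound `.` (its opening is above the hunk). Inside it `.Values.fips` is evaluated against that inner object rather than the chart root, so the Windows daemonset either never receives `AWS_USE_FIPS_ENDPOINT` or fails to render when tracing is configured, and it is only reached at all when the tracing block is active; the `_node.tpl` and `controller.yaml` hunks in this same patch place the block after their `{{- end }}`. Move the four added lines below that `{{- end }}` to match them (or reference `$.Values.fips`), so FIPS endpoints are set independently of the tracing settings.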
@@ -71,7 +71,7 @@ spec:
       {{- end }}
       containers:
         - name: ebs-plugin
-          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (.Values.image.tag | toString)) }}
+          image: {{ include "aws-ebs-csi-driver.fullImagePath" $ }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - controller
@@ -150,6 +150,10 @@ spec:
             - name: OTEL_EXPORTER_OTLP_ENDPOINT
               value: {{ .otelExporterEndpoint }}
           {{- end }}
+          {{- if .Values.fips }}
+            - name: AWS_USE_FIPS_ENDPOINT
+              value: "true"
+          {{- end }}
           {{- with .Values.controller.envFrom }}
           envFrom:
           {{- . | toYaml | nindent 12 }}
diff --git a/charts/aws-ebs-csi-driver/templates/node.yaml b/charts/aws-ebs-csi-driver/templates/node.yaml
index 2bba1f25c3..b68f1d1522 100644
--- a/charts/aws-ebs-csi-driver/templates/node.yaml
+++ b/charts/aws-ebs-csi-driver/templates/node.yaml
@@ -12,6 +12,7 @@
 {{- include "node" (deepCopy $ | mustMerge $args) -}}
 {{- end }}
 {{- if .Values.a1CompatibilityDaemonSet }}
+{{- not .Values.fips | required "FIPS mode not supported for A1 instance family compatibility image" -}}
 {{$args := dict
   "NodeName" "ebs-csi-node-a1compat"
   "Values" (dict
diff --git a/charts/aws-ebs-csi-driver/values.yaml b/charts/aws-ebs-csi-driver/values.yaml
index 45579b8fad..083306e5ac 100644
--- a/charts/aws-ebs-csi-driver/values.yaml
+++ b/charts/aws-ebs-csi-driver/values.yaml
@@ -11,6 +11,12 @@ image:
 customLabels: {}
   # k8s-app: aws-ebs-csi-driver
 
+# Instruct the AWS SDK to use AWS FIPS endpoints, and deploy container built with BoringCrypto (a FIPS-validated cryptographic library) instead of the Go default
+#
+# The EBS CSI Driver FIPS images have not undergone FIPS certification, and no official guarnatee is made about the compliance of these images under the FIPS standard
+# Users relying on these images for FIPS compliance should perform their own independent evaluation
+fips: false
+
 sidecars:
   provisioner:
     env: []
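Review bot: In the `node.yaml` hunk, `{{- not .Values.fips | required "…" -}}` emits output on the success path: `required` returns its argument when it is non-empty, so with `fips: false` and `a1CompatibilityDaemonSet: true` the literal `true` is written into the rendered manifest stream just before the a1compat `$args` definition, which is not valid there. Use a form that produces no output, e.g. `{{- if .Values.fips }}{{ fail "FIPS mode not supported for A1 instance family compatibility image" }}{{- end }}`, or bind the result to a discarded variable with `{{- $_ := required "FIPS mode not supported for A1 instance family compatibility image" (not .Values.fips) -}}`. Rendering the chart once with both values set would have caught this and is a cheap check to add to the chart tests.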
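Review bot: The comment on the new `fips` value in `values.yaml` has a typo (`guarnatee` → `guarantee`) and omits the two operational consequences the templates attach to the flag: the image tag receives a `-fips` suffix (so a custom `image.tag` needs a matching FIPS build) and the flag is rejected when `a1CompatibilityDaemonSet` is enabled. Suggest adding after the existing comment lines: `# Setting this to true also appends "-fips" to the image tag and cannot be combined with a1CompatibilityDaemonSet`. A one-line pointer that FIPS endpoints exist only in some regions (see docs/fips.md) belongs here too, since values.yaml is what most users read before enabling the option.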
diff --git a/docs/fips.md b/docs/fips.md
new file mode 100644
index 0000000000..77e0c53842
--- /dev/null
+++ b/docs/fips.md
@@ -0,0 +1,15 @@
+# EBS CSI Driver FIPS Support
+
+## Support
+
+The EBS CSI Driver Helm chart can be configured to enable two modifications to better support environments that require FIPS certification. Both of these modifications are activated by changing the Helm parameter `fips` from `false` to `true`.
+
+### FIPS Endpoints
+
+The AWS SDK will be instructed to use FIPS endpoints [via the `AWS_USE_FIPS_ENDPOINT` environment variable](https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html). FIPS endpoints are only supported in some regions, and thus the option will only work in regions that have both an STS and EC2 FIPS endpoint available. For a full list of current regions with FIPS endpoints available, see [the FIPS section of the AWS documentation](https://aws.amazon.com/compliance/fips/).
+
+### FIPS Image
+
+The EBS CSI Driver image will be swapped with an image built using BoringCrypto as Go's cryptographic library. BoringCrypto has [an active FIPS 140-3 certification](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4735).
+
+The EBS CSI Driver FIPS images have not undergone FIPS certification, and no official guarantee is made about the compliance of these images under the FIPS standard. Users relying on these images for FIPS compliance should perform their own independent evaluation.
diff --git a/docs/makefile.md b/docs/makefile.md
index 1ab7b12b2c..67ff21003d 100644
--- a/docs/makefile.md
+++ b/docs/makefile.md
@@ -20,7 +20,11 @@ All other tools are downloaded for you at runtime.
 
 ### `make cluster/image`
 
-Build and push a single image of the driver based on the local platform (the same overrides as `make` apply, as well as `OSVERSION` to override container OS version). In most cases, `make all-push` is more suitable. Environment variables are accepted to override the `REGISTRY`, `IMAGE` name, and image `TAG`.
+Build and push an image of the driver for local development. Environment variables are accepted to override the `REGISTRY`, `IMAGE` name, and image `TAG`. Setting `FIPS` to `true` will build an image using a FIPS-validated cryptographic library.
+
+### `make all-push`
+
+Build and push all image variants of the driver needed for an official release. This target is not intended or designed to be run outside of CI.
 
 ## Local Development
 
diff --git a/hack/cloudbuild.sh b/hack/cloudbuild.sh
index 7a32466f62..61a1ce4647 100755
--- a/hack/cloudbuild.sh
+++ b/hack/cloudbuild.sh
@@ -42,4 +42,4 @@ loudecho "Push manifest list containing amazon linux and windows based images to
 export IMAGE=gcr.io/k8s-staging-provider-aws/aws-ebs-csi-driver
 export TAG=$GIT_TAG
 export VERSION=$PULL_BASE_REF
-IMAGE=gcr.io/k8s-staging-provider-aws/aws-ebs-csi-driver make -j $(nproc) all-push-with-a1compat
+IMAGE=gcr.io/k8s-staging-provider-aws/aws-ebs-csi-driver make -j $(nproc) all-push-for-release
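Review bot: The new invocation in `hack/cloudbuild.sh` targets `all-push-for-release`, but the Makefile hunk in this same patch defines the aggregate target as `all-push`, and docs/makefile.md documents it under that name; unless `all-push-for-release` is defined elsewhere in the Makefile, the CI release build stops with no rule to make target. Change the line to `IMAGE=gcr.io/k8s-staging-provider-aws/aws-ebs-csi-driver make -j $(nproc) all-push`. Since this script is the release path, a dry run (`make -n all-push`) in CI before the real invocation would catch a renamed target early rather than after the image builds have started.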