Add FIPS compliance to trivy-k8s-wrapper for AMD64
Problem
The GitLab agent (gitlab-agent) can run in FIPS mode. Operational Container Scanning (OCS) was enabled by default prior to %16.9. However, OCS uses trivy-k8s-wrapper, which is not FIPS compliant.
When gitlab-agent runs in FIPS mode we currently have to disable OCS so that the agent can run at all (see #439441 (closed)). This impacts users and prevents them from using OCS.
Goal
Make trivy-k8s-wrapper FIPS compliant.
How to ensure we are FIPS compliant?
- Follow the development guidelines.
- Our specific cryptographic standards are outlined in this handbook article for reference.
- All cryptography within the container has to use active FIPS-validated cryptographic modules. Active and historical modules are listed on the NIST CMVP page.
- During audits we need to be able to point to the specific CMVP certificate number(s) of the validated module(s) in use within the container.
- Demonstrating FIPS compliance depends on which module you are checking. Here are some example commands you can run within your container to check for FIPS compliance. You have to run the container on a host that is in FIPS mode and running FIPS ciphers (the first command must print `1`; on a UBI image use `rpm -qa | grep -i fips` in place of `dpkg -l`):

```shell
cat /proc/sys/crypto/fips_enabled
dpkg -l | grep fips
openssl version
ssh -Q cipher localhost
sshd -T | grep fips
```
- If you have other ciphers you need to check, Claude is pretty good at generating those checks.
- Make sure that we use the OpenSSL module shipped with UBI (Red Hat Universal Base Image) rather than the one from the Alpine base image.
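The checks above, collected into one script as an added example (not code from the trivy-k8s-wrapper or gitlab-agent projects). The script name fips-check.sh, the rpm package query for UBI, and the OpenSSL 3 provider listing (`openssl list -providers`, which UBI 9 images report instead of a version string containing "FIPS") are my assumptions about the target image; the ssh checks from the list are left out because they only apply if the image ships OpenSSH. The parsers take their input as arguments so they can be exercised on a non-FIPS machine, while `main` runs the real commands:

```shell
#!/bin/sh
# fips-check.sh (assumed name): run inside the scanner container on a host
# booted with fips=1. Exit status 0 means every check passed.
# Added example; not part of the trivy-k8s-wrapper or gitlab-agent projects.

# Kernel FIPS flag; overridable so the parsers below can be tested off a FIPS host.
FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# 0 if the host kernel is in FIPS mode (flag file contains "1").
host_fips_enabled() {
  [ -r "$FIPS_FLAG_FILE" ] && [ "$(cat "$FIPS_FLAG_FILE")" = "1" ]
}

# Takes the text of `openssl version` as $1. 0 if the build string names FIPS,
# as the RHEL/UBI 8 OpenSSL 1.1.1 build does ("OpenSSL 1.1.1k  FIPS ...").
openssl_version_is_fips() {
  printf '%s\n' "$1" | grep -qi 'fips'
}

# Takes the text of `openssl list -providers` (OpenSSL 3, UBI 9) as $1.
# 0 if a provider named "fips" is listed with "status: active".
openssl_fips_provider_active() {
  printf '%s\n' "$1" | awk '
    /^  [^ ]/ { in_fips = ($0 == "  fips") }   # two-space indent = provider name
    in_fips && /^    status: active/ { found = 1 }
    END { exit !found }
  '
}

main() {
  rc=0
  if host_fips_enabled; then
    echo "PASS host kernel is in FIPS mode"
  else
    echo "FAIL host kernel is not in FIPS mode ($FIPS_FLAG_FILE)"; rc=1
  fi

  ver="$(openssl version 2>/dev/null)"
  providers="$(openssl list -providers 2>/dev/null)"   # empty on OpenSSL 1.x
  if openssl_version_is_fips "$ver" || openssl_fips_provider_active "$providers"; then
    echo "PASS OpenSSL FIPS module in use: $ver"
  else
    echo "FAIL OpenSSL is not running a FIPS module: ${ver:-openssl not found}"; rc=1
  fi

  # Record the exact package versions: these are what an auditor maps to CMVP
  # certificate numbers. rpm on UBI; dpkg only if the image is Debian-based.
  if command -v rpm >/dev/null 2>&1; then
    rpm -q openssl openssl-libs 2>/dev/null
  elif command -v dpkg >/dev/null 2>&1; then
    dpkg -l | grep -i -e openssl -e fips
  fi
  return "$rc"
}

# Only run the checks when invoked as a script, so the functions can also be sourced.
case "${0##*/}" in fips-check.sh) main "$@" ;; esac
```

Run it as `sh fips-check.sh` inside the container on a FIPS-mode host; a non-zero exit means at least one check failed, which makes it usable as a gate in the image build or release pipeline.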
Implementation Plan
- Create a new Docker image for FIPS. This image should use a Red Hat (UBI) base image, similar to Gemnasium, instead of Alpine.
- Go through the list in the section "How to ensure we are FIPS compliant?" and make sure we are FIPS compliant.
- Move the Dockerfiles into a build directory and update the build scripts.
- Make sure we build the FIPS image for amd64 (arm64 will be done in a follow-up issue).
- Update all build jobs so that they also build the FIPS images.
- Update the release jobs so that a release is also built for FIPS.
- Update the OCS documentation on how to use a FIPS-compliant image. This could be done through the gitlab-agent configuration where we specify the repository (example). Consider whether we need to release FIPS images under a different path so that we can refer to them by repository alone without specifying a tag. This will be done in a follow-up issue.
Edited by Orin Naaman