FIPS 140-3 Enablement

FIPS 140-3 is a U.S. Federal Government security standard used to approve cryptographic modules. This document explains how RKE2 is built with FIPS validated cryptographic libraries.

Verification of compliance is available in: FIPS 140-3 Verified.

Use of FIPS Compatible Go compiler

The Go compiler being used can be found here. Each component of the system is built with the release of this compiler that matches the standard Go version that would otherwise be used.

This version of Go replaces the standard Go crypto libraries with the FIPS validated BoringCrypto module. For more information, see the GoBoring README. NIST validates this module as the BoringCrypto module on a wide range of systems.

FIPS Support in Cluster Components

Most RKE2 components are statically compiled using the GoBoring Go compiler. Architecturally, RKE2 is divided into several sections, and the following list outlines these sections and their associated components:

  • Kubernetes
    • API Server
    • Controller Manager
    • Scheduler
    • Kubelet
    • Kube Proxy
    • Metrics Server
    • Kubectl
  • Helm Charts
    • Flannel
    • Calico
    • CoreDNS
    • Traefik

Runtime

To ensure the entire architecture utilizes FIPS 140-3 compliant algorithms, RKE2 runtime utilities are statically compiled with the FIPS-enabled Go compiler. This guarantees compliance across every level of the stack, from Kubernetes daemons to container orchestration mechanics.

  • etcd
  • containerd
    • containerd-shim
    • containerd-shim-runc-v1
    • containerd-shim-runc-v2
    • ctr
  • crictl
  • runc
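To confirm on a node that a shipped Go binary (the runtime utilities above, or any component built with the GoBoring compiler described earlier) actually links the BoringCrypto module, the following added helper (not part of RKE2) greps for the cgo wrapper name that BoringCrypto builds carry and, when a Go toolchain is present, reads the GOEXPERIMENT recorded in the build info. The marker string, the assumption that it survives symbol stripping, and the binary paths are mine.

```shell
#!/bin/sh
# Hypothetical checker for Go binaries built with BoringCrypto. Not RKE2 code.

# has_boringcrypto FILE -> exit 0 if the BoringCrypto marker is present.
# BoringCrypto builds call into the module through cgo wrappers whose Go-side
# names start with "_Cfunc__goboringcrypto_"; this assumes the name remains in
# the binary's function-name table even after stripping.
has_boringcrypto() {
    grep -a -q '_Cfunc__goboringcrypto_' "$1"
}

# build_experiment FILE -> prints the GOEXPERIMENT value recorded by the Go
# toolchain in the binary's build info, or nothing when the go tool is missing
# or the setting was not recorded (binaries built by older toolchains).
build_experiment() {
    command -v go >/dev/null 2>&1 || return 0
    go version -m "$1" 2>/dev/null |
        awk '$1 == "build" && $2 ~ /^GOEXPERIMENT=/ { sub(/^GOEXPERIMENT=/, "", $2); print $2 }'
}

# report FILE -> returns 0 and prints a summary when the binary carries
# BoringCrypto, otherwise prints a warning to stderr and returns 1.
report() {
    if has_boringcrypto "$1"; then
        echo "$1: BoringCrypto symbols present (GOEXPERIMENT=$(build_experiment "$1"))"
        return 0
    fi
    echo "$1: no BoringCrypto symbols; not built with the FIPS compiler" >&2
    return 1
}

# Usage: pass the binaries to inspect, e.g. the runtime utilities on a node
# (placeholder paths): ./check.sh /var/lib/rancher/rke2/bin/containerd \
#                                 /var/lib/rancher/rke2/bin/runc
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        report "$f" || rc=1
    done
    exit "$rc"
fi
```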

CNI

RKE2 supports selecting an alternative CNI via the --cni flag. It comes bundled with several options, including Canal (default), Calico, Cilium, and Multus. However, only Canal is rebuilt for FIPS compliance.

Ingress

RKE2 ships with two ingress controllers: ingress-nginx and Traefik. Both are FIPS compliant.

The ingress-nginx controller and the complete Traefik stack (controller and proxy server) are written in Go and compiled using the FIPS-compatible Go compiler.

Ingress-nginx uses the nginx proxy server which is written in C and depends on OpenSSL to function properly. As a result, it leverages a FIPS-validated version of OpenSSL to achieve FIPS compliance.

The ingress-nginx controller reaches End of Life (EOL) in March 2026.

SUSE® Rancher Prime: RKE2 users will continue to receive support and CVE fixes (8+) for the entire lifecycle of RKE2 v1.32, v1.33, v1.34, v1.35 and v1.36. We recommend switching to Traefik by following the Migrating from Ingress-NGINX to Traefik in a standalone RKE2 cluster guide.