
ExternalDNS Uses Non-FIPS Endpoints Without Configuration Option for FIPS Compliance #5124

Open
selomehaileMonster opened this issue Feb 24, 2025 · 7 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug.

Comments

@selomehaileMonster

ExternalDNS currently does not provide a way to use FIPS-compliant endpoints for cloud providers that require them. In FIPS-mandated environments, ExternalDNS defaults to non-FIPS endpoints, which can cause compliance issues and prevent usage in government or regulated environments.

Expected Behavior:
ExternalDNS should provide a way to explicitly configure FIPS-compliant service endpoints when required.

Steps to Reproduce:

  1. Deploy ExternalDNS in an environment requiring FIPS compliance (e.g., AWS GovCloud, Azure Government).
  2. Observe that ExternalDNS communicates with non-FIPS endpoints.
  3. Attempting to enforce FIPS-compliant connections fails due to lack of configuration options.

In environments that require FIPS compliance, it's necessary to use FIPS-certified cryptographic endpoints when interacting with cloud services. Currently, ExternalDNS does not provide a way to configure these endpoints explicitly. If there is a way please let us know.

@selomehaileMonster selomehaileMonster added the kind/bug Categorizes issue or PR as related to a bug. label Feb 24, 2025
@ivankatliarchuk
Contributor

ivankatliarchuk commented Feb 25, 2025

While it would be an interesting project for someone to make external-dns FIPS compliant, I'm not sure how to achieve this practically.

I'm not sure this open-source project will benefit from FIPS compliance, and the practical steps to achieve this are unclear. For example, targeting AWS GovCloud presents several challenges: the maintainer must reside on US soil (achievable), have access to AWS GovCloud (difficult, as GovCloud services cannot be easily mocked), and obtain approval from the GovCloud access provider to work on an open-source project (also difficult). The current level of GovCloud support is very limited.

To become FIPS compliant:

  • The organization (kubernetes-sigs) that wants to be FIPS compliant must implement the security controls and practices outlined in the relevant FIPS standard. (hard|impossible)
  • The organization that is responsible for the product declares its FIPS compliance. (hard)
  • Documentation typically accompanies the declaration, detailing how the FIPS requirements are met. (hard)

The value/benefits for an open-source product are unclear.

Achieving FIPS compliance is a significant undertaking, essentially a full-time job. Finding a volunteer with the time and expertise for this level of commitment is challenging, as we all have other work obligations. This project is primarily a hobby for everyone involved ;-)

/help

@k8s-ci-robot
Contributor

@ivankatliarchuk:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to this:

This is an open source project. While it would be super useful to be FIPS compliant, I'm not sure how to achieve this practically.

I'm not sure this open-source project will benefit from FIPS compliance, and the practical steps to achieve this are unclear. For example, targeting AWS GovCloud presents several challenges: the maintainer must reside on US soil (achievable), have access to AWS GovCloud (difficult, as GovCloud services cannot be easily mocked), and obtain approval from the GovCloud access provider to work on an open-source project (also difficult). The current level of GovCloud support is very limited.

To become FIPS compliant:

  • The organization (kubernetes-sigs) that wants to be FIPS compliant must implement the security controls and practices outlined in the relevant FIPS standard. (hard|impossible)
  • The organization that is responsible for the product declares its FIPS compliance. (hard)
  • Documentation typically accompanies the declaration, detailing how the FIPS requirements are met. (hard)

The value/benefits for an open-source product are unclear.

Achieving FIPS compliance is a significant undertaking, essentially a full-time job. Finding a volunteer with the time and expertise for this level of commitment is challenging, as we all have other work obligations. This project is primarily a hobby for everyone involved ;-)

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Feb 25, 2025
@selomehaileMonster
Author

All we need is the ability to configure the endpoints that should be used for FIPS, similar to the one used for EKS: awsApiEndpoints: "elasticloadbalancing=https://elasticloadbalancing-fips.us-east-1.amazonaws.com,waf=https://waf-regional-fips.us-east-1.amazonaws.com,wafv2=https://wafv2-fips.us-east-1.amazonaws.com"
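As an added example (not code from this thread or from ExternalDNS), a Go parser for the `service=url,service=url` string format shown in the comment above, plus a check that each configured endpoint actually looks like an AWS FIPS endpoint; the https-plus-`-fips`-host-label rule is my assumption, and the sample value is constructed from the quoted one with one deliberately non-FIPS entry added.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// ParseAPIEndpoints parses the "service=url,service=url" string format of the
// awsApiEndpoints value quoted above into a service -> endpoint URL map.
func ParseAPIEndpoints(spec string) (map[string]string, error) {
	out := map[string]string{}
	for _, pair := range strings.Split(spec, ",") {
		svc, raw, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if !ok || svc == "" || raw == "" {
			return nil, fmt.Errorf("malformed endpoint entry %q (want service=url)", pair)
		}
		out[svc] = raw
	}
	return out, nil
}

// CheckFIPSEndpoints returns, sorted, the services whose endpoint does not look
// like an AWS FIPS endpoint. Assumption (mine, not from the thread): a FIPS
// endpoint is https with a "<name>-fips.<region>.amazonaws.com" style host.
func CheckFIPSEndpoints(endpoints map[string]string) []string {
	var bad []string
	for svc, raw := range endpoints {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme != "https" ||
			!strings.HasSuffix(u.Hostname(), ".amazonaws.com") ||
			!strings.Contains(strings.SplitN(u.Hostname(), ".", 2)[0], "-fips") {
			bad = append(bad, svc)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed sample: the value quoted above plus one non-FIPS entry.
	eps, err := ParseAPIEndpoints("elasticloadbalancing=https://elasticloadbalancing-fips.us-east-1.amazonaws.com," +
		"waf=https://waf-regional-fips.us-east-1.amazonaws.com,route53=https://route53.amazonaws.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("services still on non-FIPS endpoints:", CheckFIPSEndpoints(eps)) // [route53]
}
```

Run as a startup or admission check: a non-empty result means at least one service would still talk to a non-FIPS endpoint.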

@ivankatliarchuk
Contributor

I see. My apologies, I misinterpreted the request.

@ivankatliarchuk
Contributor

List of endpoints https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

I link stories.
Not exactly the same, but at the moment there is no GovCloud support: #1233

@selomehaileMonster
Author

Thank you for the list of endpoints link. But we need a way to be able to configure the endpoint. I didn't find what I was looking for in the #1233 issue.

@ivankatliarchuk
Contributor

I linked issues for visibility. GovCloud at the moment is not supported. Pull requests welcome.
