Hi guys, just trying to get some background knowledge on the state of FIPS compliance for some of the CNI plugins. based on the network options RKE2 supports other CNIs on top of Canal. However, only Canal is FIPS compliant:

As of v1.21.2, RKE2 supports selecting a different CNI via the

--cni

flag and comes bundled with several CNIs including Canal (default), Calico, Cilium, and Multus. Of these, only Canal (the default) is rebuilt for FIPS compliance.

I want to understand why RKE2 supports these different CNIs, but doesn't recompile them for FIPS compliance. Doesn't that go against RKE2's ethos of having a fully conformant distribution for US Government sector customers? Are there any options for people that want to use something like Multus, Calico (Enterprise) or Cilium but need all encryption to be FIPS validated?

Because rebuilding them all ourselves is a ton of work? Calico we support in partnership with Tigera so we hew as close to upstream as possible. For the rest, we haven't had a serious ask from our government customers for hardened versions.

Is only Canal FIPS compliant or is Calico as well since Calico is part of Canal?

yeah, it uses a different version