feat: Add STIG/FIPs-compliant Network Operator deployment instructions

e0ne · e0ne · commit 703eed4de6b3 · 2025-11-12T13:56:33.000+02:00
Signed-off-by: Ivan Kolodiazhnyi &lt;ikolodiazhny@nvidia.com&gt;
diff --git a/docs/common/vars.rst b/docs/common/vars.rst
@@ -1,9 +1,10 @@
 .. |network-operator-version| replace:: v25.10.0-beta.5
 .. |network-operator-repository| replace:: nvcr.io/nvstaging/mellanox
 .. |helm-chart-version| replace:: 25.10.0-beta.5
-.. |doca-driver-version| replace:: doca3.2.0-25.10-1.1.7.0-0
+.. |doca-driver-version| replace:: doca3.2.0-25.10-1.2.2.0-0
 .. |doca-driver-repository| replace:: nvcr.io/nvstaging/mellanox
 .. |doca-driver-version-lts| replace:: 24.10-0.7.0.0-0
+.. |doca-driver-version-stig| replace:: doca3.2.0-25.10-1.2.2.0-0
 .. |doca-init-container-version| replace:: network-operator-v25.10.0-beta.5
 .. |doca-init-container-repository| replace:: nvcr.io/nvstaging/mellanox
 .. |sriov-device-plugin-version| replace:: network-operator-v25.10.0-beta.5
@@ -24,6 +25,7 @@
 .. |nic-feature-discovery-repository| replace:: nvcr.io/nvstaging/mellanox
 .. |sriovnetop-version| replace:: network-operator-v25.10.0-beta.5
 .. |sriovnetop-repository| replace:: nvcr.io/nvstaging/mellanox
+.. |sriovnetop-config-daemon-stig-version| replace:: network-operator-v25.10.0-beta.5
 .. |sriovnetop-sriov-cni-version| replace:: network-operator-v25.10.0-beta.5
 .. |sriovnetop-sriov-cni-repository| replace:: nvcr.io/nvstaging/mellanox
 .. |sriovnetop-ib-sriov-cni-version| replace:: network-operator-v25.10.0-beta.5
diff --git a/docs/index.rst b/docs/index.rst
@@ -25,6 +25,7 @@
    Platform Support <platform-support.rst>
    Getting Started with Kubernetes <getting-started-with-kubernetes.rst>
    Getting Started with Red Hat OpenShift <getting-started-with-openshift.rst>
+   NVIDIA Network Operator Government Ready <install-network-operator-gov-ready.rst>
    NIC Configuration Operator <nic-conf-operator/nic-configuration-operator.rst>
    [TECH PREVIEW] Configuration Assistance with Kubernetes Launch Kit <k8s-launch-kit.rst>
    Customization Options and CRDs <customizations/customization.rst>
diff --git a/docs/install-network-operator-gov-ready.rst b/docs/install-network-operator-gov-ready.rst
@@ -0,0 +1,211 @@
+.. license-header
+  SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+  SPDX-License-Identifier: Apache-2.0
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+.. headings # #, * *, =, -, ^, "
+.. include:: ./common/vars.rst
+
+
+.. _install-network-operator-gov-ready:
+
+########################################
+NVIDIA Network Operator Government Ready
+########################################
+
+The NVIDIA Network Operator now offers government-ready components for NVIDIA AI Enterprise customers.
+Government ready is NVIDIA's designation for software that meets applicable security requirements for deployment in your FedRAMP High or equivalent sovereign use case. 
+For more information on NVIDIA's government-ready support, refer to the white paper `AI Software for Regulated Environments <https://docs.nvidia.com/ai-enterprise/planning-resource/ai-software-regulated-environments-white-paper/latest/index.html>`_.
+
+=====================================
+Supported Network Operator Components
+=====================================
+The government-ready NVIDIA Network Operator includes the following components:
+
+.. _fn1: #base-image
+.. |fn1| replace:: :sup:`1`
+
+.. list-table::
+   :header-rows: 1
+
+   * - Component
+     - Version
+   * - NVIDIA Network Operator
+     - |network-operator-version|
+   * - NVIDIA Network Operator Init Container
+     - |doca-init-container-version|
+   * - DOCA-OFED Driver Container
+     - |doca-driver-version-stig|
+   * - RDMA Shared Device Plugin
+     - |k8s-rdma-shared-dev-plugin-version|
+   * - IP Over Infiniband (IPoIB) CNI plugin
+     - |ipoib-cni-version|
+   * - SRIOV Network Operator Config
+     - |sriovnetop-version|
+   * - SRIOV Network Operator Config Config Daemon
+     - |sriovnetop-config-daemon-stig-version|
+   * - SR-IOV Network Device Plugin
+     - |sriovnetop-sriov-device-plugin-version|
+   * - SR-IOV CNI plugin
+     - |sriovnetop-sriov-cni-version|
+   * - InfiniBand SR-IOV CNI plugin
+     - |sriovnetop-ib-sriov-cni-version|
+   * - K8s CNI network plugins
+     - |cni-plugins-version|
+   * - Multus CNI
+     - |multus-version|
+   * - RDMA CNI plugin
+     - |rdma-cni-repository|
+   * - NVIDIA IPAM Plugin
+     - |nvidia-ipam-version|
+
+:sup:`1`
+Hardened for STIG/FIPS compliance
+
+Artifacts for these components are available from the `NVIDIA NGC Catalog <https://registry.ngc.nvidia.com/orgs/nvidia/teams/mellanox/containers/doca-driver-stig-fips>`_.
+
+.. note::
+
+    Not all Network Operator components and features are available as government-ready containers in the v25.10.0 release.
+
+
+Validated Kubernetes Distributions
+==================================
+
+The government-ready NVIDIA Network Operator has been validated on the following Kubernetes distributions:
+
+- Canonical Kubernetes 1.34 with Ubuntu Pro 24.04 and FIPS-compliant kernel
+
+Install Government-Ready NVIDIA Network Operator
+================================================
+
+Once you have your :ref:`gov-ready-prerequisites` configured, use the following steps to install the NVIDIA Network Operator on Canonical Kubernetes distributions:
+
+#. :ref:`install-nfd`
+#. :ref:`create-ngc-api-pull-secret`
+#. :ref:`create-ubuntu-pro-token-secret`
+#. :ref:`deploy-nvidia-network-operator-gov-ready`
+
+.. _gov-ready-prerequisites:
+
+Prerequisites
+-------------
+
+- An active NVIDIA AI Enterprise subscription and NGC API token to access Network Operator government-ready containers.
+  Refer to `Generating Your NGC API Key <https://docs.nvidia.com/ngc/gpu-cloud/ngc-user-guide/index.html#generating-api-key>`_ in the NVIDIA NGC User Guide for more information on NGC API tokens.
+
+- An Ubuntu Pro token for Canonical Kubernetes deployments.
+  This token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04.
+  Refer to the `Ubuntu Pro documentation <https://documentation.ubuntu.com/pro-client/en/v30/howtoguides/get_token_and_attach/>`_ for more information on accessing Ubuntu Pro tokens.
+
+- The ``helm`` CLI installed on a client machine.
+
+  You can run the following commands to install the Helm CLI:
+
+  .. code-block:: console
+
+     $ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 \
+         && chmod 700 get_helm.sh \
+         && ./get_helm.sh
+
+- A namespace to deploy the NVIDIA Network Operator.
+  The example install commands below use ``nvidia-network-operator`` as the namespace.
+
+- Optionally, Service Mesh for intra-cluster traffic encryption.
+  By default, the NVIDIA Network Operator does not encrypt traffic between its controller (and operands) and the Kubernetes API server.
+  If you wish to encrypt this communication, you should deploy and maintain a service mesh application within the Kubernetes cluster to enable secure traffic.
+
+.. _install-nfd:
+
+Install Node Feature Discovery (NFD)
+------------------------------------
+
+NFD is an open-source project that is a dependency for the Operator on each node in your cluster.
+It must be deployed before installing the NVIDIA Network Operator.
+
+Network Operator does not maintain a government ready version of NFD, it is recommended that you install the upstream NFD version that aligns with the :ref:`network-operator-component-matrix`.
+The NFD container is built on top of a scratch image, providing a highly secure container environment.
+For information on NFD CVEs and security updates, refer to the `NFD GitHub repository <https://github.com/kubernetes-sigs/node-feature-discovery/security>`_.
+
+Refer to the NFD documentation for `installation instructions <https://kubernetes-sigs.github.io/node-feature-discovery/stable/get-started/index.html>`_.
+
+
+.. _create-ngc-api-pull-secret:
+
+Create NGC API Pull Secret
+--------------------------
+
+Add a Docker registry secret for downloading the Network Operator artifacts from NVIDIA NGC in the same namespace where you are planning to deploy the NVIDIA Network Operator.
+Update ``ngc-api-key`` in the command below with your NGC API key.
+
+.. code-block:: console
+
+   $ kubectl create secret -n nvidia-network-operator docker-registry ngc-secret \
+       --docker-server=nvcr.io \
+       --docker-username='$oauthtoken' \
+       --docker-password=<ngc-api-key>
+
+.. _create-ubuntu-pro-token-secret:
+
+Create Ubuntu Pro Token Secret
+------------------------------
+
+Create a Kubernetes secret to hold the value of your Ubuntu Pro token secret. 
+This secret will be used in the install command in the next step.
+
+The Ubuntu Pro Token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04.
+
+.. _deploy-nvidia-network-operator-gov-ready:
+
+Install NVIDIA Network Operator Government-Ready Components
+-----------------------------------------------------------
+
+#. Label your ``nvidia-network-operator`` namespace for the Operator to set the enforcement policy to privilege.
+
+   .. code-block:: console
+
+      $ kubectl label --overwrite ns nvidia-network-operator pod-security.kubernetes.io/enforce=privileged
+
+#. Add the NVIDIA Helm repository:
+
+   .. code-block:: console
+
+      $ helm repo add nvidia https://helm.ngc.nvidia.com/nvidia \
+          && helm repo update
+
+#. Install the NVIDIA Network Operator with SR-IOV Network Operator.
+
+   .. code-block:: console
+
+      $  helm install network-operator nvidia/network-operator \
+           --namespace nvidia-network-operator \
+           --set sriov-network-operator.images.sriovConfigDaemon=doca-driver-stig-fips \
+           --set sriov-network-operator.imagePullSecrets={ngc-secret} \
+           --set sriovNetworkOperator.enabled=true
+           --set nfd.enabled=true
+
+.. _update-ubuntu-pro-token-in-nicclusterpolicy:
+
+Update Ubuntu Pro Token in NicClusterPolicy
+===========================================
+
+``UBUNTU_PRO_TOKEN`` environment variable of the Network Operator NicClusterPolicy should be configured.
+
+.. code-block:: console
+
+   $ kubectl edit nicclusterpolicy nic-cluster-policy
+
+Then update the secret with your new Ubuntu Pro Token.
+This token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04.
+
diff --git a/docs/nic-conf-operator/nic-fw-configuration.rst b/docs/nic-conf-operator/nic-fw-configuration.rst
@@ -222,7 +222,7 @@ Configure and apply the NICFirmwareSource CR
 
 Deploy the NICFirmwareSource CR:
 
-.. rli:: https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/example-nicfwsource-connectx6dx.yaml
+.. |sriovnetop-config-daemon-stig-version| https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/example-nicfwsource-connectx6dx.yaml
     :language: yaml
     :lines: 18-
 
@@ -253,7 +253,7 @@ Configure and apply the NicFirmwareTemplate CR
 
 Configure and apply the NicFirmwareTemplate CR:
 
-.. rli:: https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/example-nicfirmwaretemplate-connectx6-dx.yaml
+.. |sriovnetop-config-daemon-stig-version| https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/example-nicfirmwaretemplate-connectx6-dx.yaml
     :language: yaml
     :lines: 18-
 
@@ -318,7 +318,7 @@ Configure NIC Firmware using the NIC Configuration Operator
 Configure and apply the NicConfigurationTemplate CR
 ---------------------------------------------------
 
-.. rli:: https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/example-nicconfigurationtemplate-connectx6dx.yaml
+.. |sriovnetop-config-daemon-stig-version| https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/example-nicconfigurationtemplate-connectx6dx.yaml
     :language: yaml
     :lines: 18-
 
diff --git a/docs/nic-conf-operator/spectrum-x-configuration.rst b/docs/nic-conf-operator/spectrum-x-configuration.rst
@@ -48,27 +48,27 @@ To enable the DOCA SPC-X CC algorithm on NIC devices, the DOCA SPC-X CC .deb pac
 To access the package, contact your NVIDIA CPM.
 The package should be made available in the cluster and then its URL should be provided in the packageUrlSource field of the SpectrumXOperator CR.
 
-.. rli:: https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/spectrum-x/example-nicfirmwaresource-spectrum-x-cc-only.yaml
+.. |sriovnetop-config-daemon-stig-version| https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/spectrum-x/example-nicfirmwaresource-spectrum-x-cc-only.yaml
     :language: yaml
     :lines: 18-
 
 If firmware on the devices also needs to be updated, extend the NicFirmwareSource CR with fields for ConnectX and BlueField firmware. Please, use the correct firmware for your devices.
 
-.. rli:: https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/spectrum-x/example-nicfirmwaresource-spectrum-x-full.yaml
+.. |sriovnetop-config-daemon-stig-version| https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/spectrum-x/example-nicfirmwaresource-spectrum-x-full.yaml
     :language: yaml
     :lines: 18-
 
 Configure and apply the NicFirmwareTemplate CR:
 
-.. rli:: https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/spectrum-x/example-nicfirmwaretemplate-spectrum-x.yaml
+.. |sriovnetop-config-daemon-stig-version| https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/spectrum-x/example-nicfirmwaretemplate-spectrum-x.yaml
     :language: yaml
     :lines: 18-
 
 ======================================
 Enable SPC-X optimizations for devices
 ======================================
 
-.. rli:: https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/spectrum-x/example-nicconfigurationtemplate-spectrum-x.yaml
+.. |sriovnetop-config-daemon-stig-version| https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/docs/examples/spectrum-x/example-nicconfigurationtemplate-spectrum-x.yaml
     :language: yaml
     :lines: 18-
 
@@ -78,6 +78,6 @@ Configuration details
 
 Following configuration parameters are applied with spectrumXOptimized.enabled == true and spectrumXOptimized.version == "RA2.0":
 
-.. rli:: https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/bindata/spectrum-x/RA2.0.yaml
+.. |sriovnetop-config-daemon-stig-version| https://raw.githubusercontent.com/Mellanox/nic-configuration-operator/refs/tags/network-operator-|network-operator-version|/bindata/spectrum-x/RA2.0.yaml
     :language: yaml
     :lines: 17-
diff --git a/docs/platform-support.rst b/docs/platform-support.rst
@@ -264,6 +264,7 @@ Limitations
    - Only ``generic`` kernel variant is tested and supported as a GA.
    - ``nvidia``, ``aws``, ``azure``, and ``oracle`` kernel variants are supported as a Tech Preview and have limited testing.
 
+.. _network-operator-component-matrix:
 
 =================================
 Network Operator Component Matrix
diff --git a/hack/release/release.go b/hack/release/release.go
@@ -62,6 +62,7 @@ type Release struct {
 	SriovNetworkOperator         *ReleaseImageSpec
 	SriovNetworkOperatorWebhook  *ReleaseImageSpec
 	SriovConfigDaemon            *ReleaseImageSpec
+	SriovConfigStigFips          *ReleaseImageSpec
 	SriovCni                     *ReleaseImageSpec
 	SriovIbCni                   *ReleaseImageSpec
 	Mofed                        *ReleaseImageSpec
diff --git a/hack/release/templates/vars/vars.template b/hack/release/templates/vars/vars.template
@@ -4,6 +4,7 @@
 .. |doca-driver-version| replace:: {{ .Mofed.Version }}
 .. |doca-driver-repository| replace:: {{ .Mofed.Repository }}
 .. |doca-driver-version-lts| replace:: 24.10-0.7.0.0-0
+.. |doca-driver-version-stig| replace:: {{ .MofedStigFips.Version }}
 .. |doca-init-container-version| replace:: {{ .NetworkOperatorInitContainer.Version }}
 .. |doca-init-container-repository| replace:: {{ .NetworkOperatorInitContainer.Repository }}
 .. |sriov-device-plugin-version| replace:: {{ .SriovDevicePlugin.Version }}
@@ -24,6 +25,8 @@
 .. |nic-feature-discovery-repository| replace:: {{ .NicFeatureDiscovery.Repository }}
 .. |sriovnetop-version| replace:: {{ .SriovNetworkOperator.Version }}
 .. |sriovnetop-repository| replace:: {{ .SriovNetworkOperator.Repository }}
+.. |sriovnetop-config-daemon-stig-version| replace:: {{ .SriovConfigDaemonStigFips.Version }}
+.. |sriovnetop-config-daemon-stig-repository| replace:: {{ .SriovConfigDaemonStigFips.Repository }}
 .. |sriovnetop-sriov-cni-version| replace:: {{ .SriovCni.Version }}
 .. |sriovnetop-sriov-cni-repository| replace:: {{ .SriovCni.Repository }}
 .. |sriovnetop-ib-sriov-cni-version| replace:: {{ .SriovIbCni.Version }}
