NVIDIA Network Operator Government Ready
The NVIDIA Network Operator now offers government-ready components for NVIDIA AI Enterprise customers. Government ready is NVIDIA’s designation for software that meets applicable security requirements for deployment in your FedRAMP High or equivalent sovereign use case. For more information on NVIDIA’s government-ready support, refer to the white paper AI Software for Regulated Environments.
Government-Ready Components Requiring NGC Access
Most Network Operator components are available as government-ready containers in the public container registry. However, the following STIG-FIPS certified components require an NGC API key and are available from a separate NGC repository:
| Component | Repository | Image Name | Version |
|---|---|---|---|
| DOCA-OFED Driver Container | nvcr.io/nvstaging/mellanox | doca-driver-stig-fips | doca3.3.0-26.01-0.9.6.0-0 |
| SR-IOV Network Operator Config Daemon | nvcr.io/nvstaging/mellanox | sriov-network-operator-config-daemon-stig-fips | network-operator-v26.1.0-rc.1-stig-fips |
| NIC Configuration Operator | nvcr.io/nvstaging/mellanox | nic-configuration-operator-stig-fips | network-operator-v26.1.0-rc.1-stig-fips-ubuntu / network-operator-v26.1.0-rc.1-stig-fips-rhel |
| NIC Configuration Operator Daemon | nvcr.io/nvstaging/mellanox | nic-configuration-operator-daemon-stig-fips | network-operator-v26.1.0-rc.1-stig-fips-ubuntu / network-operator-v26.1.0-rc.1-stig-fips-rhel |
| Spectrum X Operator | nvcr.io/nvstaging/mellanox | spectrumx-operator-stig-fips | network-operator-v26.1.0-rc.1-stig-fips-ubuntu / network-operator-v26.1.0-rc.1-stig-fips-rhel |
Note
All other Network Operator components are government-ready and available in the standard public container registry.
Validated Kubernetes Distributions
The government-ready NVIDIA Network Operator has been validated on the following Kubernetes distributions:
Canonical Kubernetes 1.34 with Ubuntu Pro 24.04 amd64 and FIPS-compliant kernel
Red Hat OpenShift Container Platform (OCP) 4.20 or newer with FIPS mode enabled
Common Prerequisites
The following prerequisites apply to all supported platforms:
An active NVIDIA AI Enterprise subscription and NGC API token to access Network Operator government-ready containers. Refer to Generating Your NGC API Key in the NVIDIA NGC User Guide for more information on NGC API tokens.
A namespace to deploy the NVIDIA Network Operator. The example install commands below use nvidia-network-operator as the namespace.
Optionally, a service mesh for intra-cluster traffic encryption. By default, the NVIDIA Network Operator does not encrypt traffic between its controller (and operands) and the Kubernetes API server. If you wish to encrypt this communication, you should deploy and maintain a service mesh application within the Kubernetes cluster to enable secure traffic.
Ubuntu/Canonical Kubernetes
Prerequisites
The helm CLI installed on a client machine. You can run the following commands to install the Helm CLI:
$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 \
  && chmod 700 get_helm.sh \
  && ./get_helm.sh
An Ubuntu Pro token for Canonical Kubernetes deployments. This token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04. Refer to the Ubuntu Pro documentation for more information on accessing Ubuntu Pro tokens.
Create NGC API Pull Secret
Add a Docker registry secret for downloading the Network Operator artifacts from NVIDIA NGC in the same namespace where you are planning to deploy the NVIDIA Network Operator.
Update ngc-api-key in the command below with your NGC API key.
$ kubectl create secret -n nvidia-network-operator docker-registry ngc-secret \
--docker-server=nvcr.io \
--docker-username='$oauthtoken' \
--docker-password=<ngc-api-key>
Install Network Operator Using Helm
Label your nvidia-network-operator namespace so that the Pod Security admission enforcement policy is set to privileged:
$ kubectl label --overwrite ns nvidia-network-operator pod-security.kubernetes.io/enforce=privileged
Add the NVIDIA Helm repository:
$ helm repo add nvidia https://helm.ngc.nvidia.com/nvidia \
  && helm repo update
Install the NVIDIA Network Operator together with the SR-IOV Network Operator, pointing the SR-IOV config daemon at the STIG-FIPS image and the NGC pull secret:
$ helm install network-operator nvidia/network-operator \
  --namespace nvidia-network-operator \
  --set sriov-network-operator.images.sriovConfigDaemon=nvcr.io/nvstaging/mellanox/sriov-network-operator-config-daemon-stig-fips:network-operator-v26.1.0-rc.1-stig-fips \
  --set sriov-network-operator.imagePullSecrets={ngc-secret} \
  --set sriovNetworkOperator.enabled=true \
  --set nfd.enabled=true
Configure NicClusterPolicy
For the NVIDIA DOCA-OFED Driver, the UBUNTU_PRO_TOKEN environment variable must be set on the ofedDriver entry of the NicClusterPolicy. This token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04.
Note
The following example demonstrates how to configure the government-ready components that require NGC access (STIG-FIPS variants not available in the public registry). This example should be adapted to your specific environment. You can add other components as needed from the standard Network Operator configuration.
apiVersion: mellanox.com/v1alpha1
kind: NicClusterPolicy
metadata:
  name: nic-cluster-policy
spec:
  ofedDriver:
    image: doca-driver-stig-fips
    repository: nvcr.io/nvstaging/mellanox
    version: doca3.3.0-26.01-0.9.6.0-0
    imagePullSecrets:
      - ngc-secret
    env:
      - name: UBUNTU_PRO_TOKEN
        value: "<YOUR_UBUNTU_PRO_TOKEN>"
  spectrumXOperator:
    image: spectrum-x-operator-stig-fips
    repository: nvcr.io/nvstaging/mellanox
    version: network-operator-v26.1.0-rc.1-stig-fips-ubuntu
    imagePullSecrets:
      - ngc-secret
  nicConfigurationOperator:
    operator:
      image: nic-configuration-operator-stig-fips
      repository: nvcr.io/nvstaging/mellanox
      version: network-operator-v26.1.0-rc.1-stig-fips-ubuntu
      imagePullSecrets:
        - ngc-secret
    configurationDaemon:
      image: nic-configuration-operator-daemon-stig-fips
      repository: nvcr.io/nvstaging/mellanox
      version: network-operator-v26.1.0-rc.1-stig-fips-ubuntu
      imagePullSecrets:
        - ngc-secret
    nicFirmwareStorage:
      create: true
      pvcName: nic-fw-storage-pvc
      storageClassName: nic-fw-storage-class
      availableStorageSize: 1Gi
    logLevel: info
Red Hat OpenShift Container Platform
Prerequisites
An OpenShift Container Platform cluster installed in FIPS mode. Refer to the OpenShift FIPS Installation Guide for detailed instructions on installing OpenShift Container Platform in FIPS mode.
Note
To enable FIPS mode for your OpenShift cluster, you must run the installation program from a RHEL 9 computer that is configured to operate in FIPS mode. Use a FIPS-capable version of the installation program and set fips: true in the install-config.yaml file before cluster deployment.
Verify FIPS Mode
Before proceeding with the Network Operator configuration, verify that your OpenShift cluster is running in FIPS mode.
You can check FIPS mode by running the following command on any node:
$ oc debug node/<node-name> -- chroot /host cat /proc/sys/crypto/fips_enabled
The output is 1 when FIPS mode is enabled. Repeat the check for every node: all nodes must report 1 for /proc/sys/crypto/fips_enabled.
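The single-node command above has to be repeated per node; the following script, added here as an example and not part of the NVIDIA documentation, runs the same check across every node and fails if any node does not report 1. It assumes an active oc login to the cluster; the node/value lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from the NVIDIA Network Operator docs: run the
# /proc/sys/crypto/fips_enabled check on every OpenShift node instead of one.

# Read "node value" lines on stdin; succeed only if every node reports 1.
# An empty value (node unreachable, debug pod failed) is treated as a failure.
all_nodes_fips() {
  bad=0
  while read -r node val; do
    [ -n "$node" ] || continue
    if [ "$val" != "1" ]; then
      echo "FIPS mode not enabled on $node (got '${val:-<no output>}')" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Query every node with oc debug (assumes an active oc login to the cluster);
# oc's informational messages go to stderr and are discarded.
collect_fips_values() {
  oc get nodes -o name | while read -r n; do
    v=$(oc debug "$n" -- chroot /host cat /proc/sys/crypto/fips_enabled 2>/dev/null | tr -d '[:space:]')
    printf '%s %s\n' "${n#node/}" "$v"
  done
}

# Usage: collect_fips_values | all_nodes_fips && echo "all nodes FIPS-enabled"
```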
Install Network Operator
For OpenShift Container Platform, follow the standard OpenShift Operator installation process using the OpenShift Catalog or OC CLI.
Refer to the NVIDIA Network Operator Deployment Guide with OpenShift for detailed instructions on installing the operator via:
OpenShift Web Console (OperatorHub)
OpenShift OC CLI
Create NGC API Pull Secret
Add a Docker registry secret for downloading the Network Operator government-ready artifacts from NVIDIA NGC:
$ oc create secret -n nvidia-network-operator docker-registry ngc-secret \
--docker-server=nvcr.io \
--docker-username='$oauthtoken' \
--docker-password=<ngc-api-key>
Replace <ngc-api-key> with your NGC API key.
Configure NicClusterPolicy
For OpenShift deployments, create or update the NicClusterPolicy to use the government-ready FIPS images.
Note
The following example demonstrates how to configure the government-ready components that require NGC access (STIG-FIPS variants not available in the public registry). This example should be adapted to your specific environment. You can add other components as needed from the standard Network Operator configuration.
apiVersion: mellanox.com/v1alpha1
kind: NicClusterPolicy
metadata:
  name: nic-cluster-policy
spec:
  ofedDriver:
    image: doca-driver-stig-fips
    repository: nvcr.io/nvstaging/mellanox
    version: doca3.3.0-26.01-0.9.6.0-0
    imagePullSecrets:
      - ngc-secret
  spectrumXOperator:
    image: spectrum-x-operator-stig-fips
    repository: nvcr.io/nvstaging/mellanox
    version: network-operator-v26.1.0-rc.1-stig-fips-rhel
    imagePullSecrets:
      - ngc-secret
  nicConfigurationOperator:
    operator:
      image: nic-configuration-operator-stig-fips
      repository: nvcr.io/nvstaging/mellanox
      version: network-operator-v26.1.0-rc.1-stig-fips-rhel
      imagePullSecrets:
        - ngc-secret
    configurationDaemon:
      image: nic-configuration-operator-daemon-stig-fips
      repository: nvcr.io/nvstaging/mellanox
      version: network-operator-v26.1.0-rc.1-stig-fips-rhel
      imagePullSecrets:
        - ngc-secret
    nicFirmwareStorage:
      create: true
      pvcName: nic-fw-storage-pvc
      storageClassName: nic-fw-storage-class
      availableStorageSize: 1Gi
    logLevel: info
Additional Considerations
Security Context Constraints (SCC): The Network Operator requires privileged access. OpenShift will automatically apply the appropriate SCCs when the operator is deployed in the nvidia-network-operator namespace.
etcd Encryption: For enhanced security in FIPS mode, consider enabling etcd encryption using the FIPS-approved AES CBC cryptographic algorithm. Refer to the OpenShift documentation on encrypting etcd data.
Storage: If using persistent storage, ensure it uses RHEL-provided disk encryption for data at rest protection in FIPS environments.
Network Policy: OpenShift’s OVN-Kubernetes network plugin is FIPS-compliant. Ensure any additional network policies are compatible with your FIPS requirements.