NVIDIA Network Operator Government Ready

The NVIDIA Network Operator now offers government-ready components for NVIDIA AI Enterprise customers. Government ready is NVIDIA’s designation for software that meets applicable security requirements for deployment in your FedRAMP High or equivalent sovereign use case. For more information on NVIDIA’s government-ready support, refer to the white paper AI Software for Regulated Environments.

Supported Network Operator Components

The government-ready NVIDIA Network Operator includes the following components:

Component                                      Version
---------------------------------------------  ----------------------------------------
NVIDIA Network Operator                        v25.10.0-rc.1
NVIDIA Network Operator Init Container         network-operator-v25.10.0-rc.1
DOCA-OFED Driver Container                     doca3.2.0-25.10-1.2.2.0-0
RDMA Shared Device Plugin                      network-operator-v25.10.0-rc.1
IP Over Infiniband (IPoIB) CNI plugin          network-operator-v25.10.0-rc.1
SRIOV Network Operator Config                  network-operator-v25.10.0-rc.1
SRIOV Network Operator Config Config Daemon    network-operator-v25.10.0-rc.1-stig-fips
SR-IOV Network Device Plugin                   network-operator-v25.10.0-rc.1
SR-IOV CNI plugin                              network-operator-v25.10.0-rc.1
InfiniBand SR-IOV CNI plugin                   network-operator-v25.10.0-rc.1
K8s CNI network plugins                        network-operator-v25.10.0-rc.1
Multus CNI                                     network-operator-v25.10.0-rc.1
RDMA CNI plugin                                nvcr.io/nvstaging/mellanox
NVIDIA IPAM Plugin                             network-operator-v25.10.0-rc.1

Artifacts for these components are available from the NVIDIA NGC Catalog.

Note

Not all Network Operator components and features are available as government-ready containers in the v25.10.0 release.

Validated Kubernetes Distributions

The government-ready NVIDIA Network Operator has been validated on the following Kubernetes distributions:

  • Canonical Kubernetes 1.34 with Ubuntu Pro 24.04 amd64 and FIPS-compliant kernel

Install Government-Ready NVIDIA Network Operator

Once you have your Prerequisites configured, use the following steps to install the NVIDIA Network Operator on Canonical Kubernetes distributions:

  1. Create NGC API Pull Secret

  2. Install NVIDIA Network Operator Government-Ready Components

Prerequisites

  • An active NVIDIA AI Enterprise subscription and NGC API token to access Network Operator government-ready containers. Refer to Generating Your NGC API Key in the NVIDIA NGC User Guide for more information on NGC API tokens.

  • An Ubuntu Pro token for Canonical Kubernetes deployments. This token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04. Refer to the Ubuntu Pro documentation for more information on accessing Ubuntu Pro tokens.

  • The helm CLI installed on a client machine.

    You can run the following commands to install the Helm CLI:

    $ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 \
        && chmod 700 get_helm.sh \
        && ./get_helm.sh
    
  • A namespace to deploy the NVIDIA Network Operator. The example install commands below use nvidia-network-operator as the namespace.

  • Optionally, Service Mesh for intra-cluster traffic encryption. By default, the NVIDIA Network Operator does not encrypt traffic between its controller (and operands) and the Kubernetes API server. If you wish to encrypt this communication, you should deploy and maintain a service mesh application within the Kubernetes cluster to enable secure traffic.

Create NGC API Pull Secret

Create a Docker registry secret for pulling the Network Operator artifacts from NVIDIA NGC. The secret must be in the same namespace where you plan to deploy the NVIDIA Network Operator. Replace <ngc-api-key> in the command below with your NGC API key.

$ kubectl create secret -n nvidia-network-operator docker-registry ngc-secret \
    --docker-server=nvcr.io \
    --docker-username='$oauthtoken' \
    --docker-password=<ngc-api-key>
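
The same secret can be created without the API key appearing in shell history or in the kubectl process arguments. This is an added example, not part of NVIDIA's documented procedure; the NGC_API_KEY variable and both function names are assumptions made here.

```shell
# Prints a .dockerconfigjson document for nvcr.io; $1 is the NGC API key.
ngc_dockerconfigjson() {
    key=$1
    [ -n "$key" ] || { echo 'NGC API key is empty' >&2; return 1; }
    # Reject characters that would need JSON escaping (assumed not to occur in keys).
    case $key in
        *[!A-Za-z0-9_=+/.:-]*) echo 'unexpected character in NGC API key' >&2; return 1 ;;
    esac
    # Registry auth is base64("username:password"); the username is the literal $oauthtoken.
    auth=$(printf '%s:%s' '$oauthtoken' "$key" | base64 | tr -d '\n')
    printf '{"auths":{"nvcr.io":{"username":"$oauthtoken","password":"%s","auth":"%s"}}}\n' \
        "$key" "$auth"
}

# Creates ngc-secret in namespace $1 from the NGC_API_KEY environment variable
# (hypothetical name). The key only ever lives in a mode-0600 temp file.
create_ngc_secret() {
    ns=${1:-nvidia-network-operator}
    (
        umask 077                      # temp file readable by the current user only
        tmp=$(mktemp) || exit 1
        trap 'rm -f "$tmp"' EXIT       # remove the key material on any exit
        ngc_dockerconfigjson "${NGC_API_KEY:-}" > "$tmp" || exit 1
        kubectl create secret docker-registry ngc-secret -n "$ns" \
            --from-file=.dockerconfigjson="$tmp"
    )
}

# Usage (bash): read the key without echoing it, then create the secret.
#   read -rs NGC_API_KEY
#   create_ngc_secret nvidia-network-operator
```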

Install NVIDIA Network Operator Government-Ready Components

  1. Label your nvidia-network-operator namespace to set the Pod Security enforcement policy to privileged.

    $ kubectl label --overwrite ns nvidia-network-operator pod-security.kubernetes.io/enforce=privileged
    
  2. Add the NVIDIA Helm repository:

    $ helm repo add nvidia https://helm.ngc.nvidia.com/nvidia \
        && helm repo update
    
  3. Install the NVIDIA Network Operator with SR-IOV Network Operator.

    $ helm install network-operator nvidia/network-operator \
         --namespace nvidia-network-operator \
         --set sriov-network-operator.images.sriovConfigDaemon=doca-driver-stig-fips \
         --set sriov-network-operator.imagePullSecrets={ngc-secret} \
         --set sriovNetworkOperator.enabled=true \
         --set nfd.enabled=true
    

Update Ubuntu Pro Token in NicClusterPolicy

Set the UBUNTU_PRO_TOKEN environment variable in the ofedDriver section of the Network Operator NicClusterPolicy:

apiVersion: mellanox.com/v1alpha1
kind: NicClusterPolicy
metadata:
  name: nic-cluster-policy
spec:
  ofedDriver:
    image: doca-driver-stig-fips
    repository: nvcr.io/nvstaging/mellanox
    version: doca3.2.0-25.10-1.2.2.0-0
    env:
      - name: UBUNTU_PRO_TOKEN
        value: "<YOUR_UBUNTU_PRO_TOKEN>"

This token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04.
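
After the install, it is worth confirming that the pods are actually running the government-ready images rather than default ones. The following check is an added example, not part of the NVIDIA documentation: the allowed tags are copied from the component table above, the OS/arch suffix on the driver tag is an assumption, and the function names and sample pod lines are constructed.

```shell
# Tags copied from the component table on this page.
ALLOWED_TAGS='v25.10.0-rc.1
network-operator-v25.10.0-rc.1
network-operator-v25.10.0-rc.1-stig-fips'
# Assumption: the running driver tag may carry an OS/arch suffix after this version.
DRIVER_TAG_PREFIX='doca3.2.0-25.10-1.2.2.0-0'

# Prints why image $1 does not conform; prints nothing when it does.
image_problem() {
    case $1 in
        nvcr.io/*) ;;
        '<none>') return 0 ;;   # kubectl placeholder for an empty column
        *) echo 'registry is not nvcr.io'; return 0 ;;
    esac
    tag=${1##*:}
    case $tag in
        "$DRIVER_TAG_PREFIX"|"$DRIVER_TAG_PREFIX"-*) return 0 ;;
    esac
    printf '%s\n' "$ALLOWED_TAGS" | grep -qxF -- "$tag" \
        || echo 'tag is not in the government-ready list'
}

# Reads "pod image[,image...] ..." lines on stdin, prints one tab-separated
# finding per non-conforming image, and returns non-zero if any were found.
check_images() {
    bad=0
    while read -r pod images; do
        for image in $(printf '%s' "$images" | tr ',' ' '); do
            reason=$(image_problem "$image")
            if [ -n "$reason" ]; then
                printf '%s\t%s\t%s\n' "$pod" "$image" "$reason"
                bad=$((bad + 1))
            fi
        done
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample input (the nvcr.io/example/... paths are placeholders).
SAMPLE_IMAGES='network-operator-7d9f nvcr.io/example/network-operator:v25.10.0-rc.1
mofed-ds-x2k4 nvcr.io/nvstaging/mellanox/doca-driver-stig-fips:doca3.2.0-25.10-1.2.2.0-0-ubuntu24.04-amd64
sriov-config-daemon-abcde nvcr.io/example/sriov-config-daemon:network-operator-v25.10.0-rc.1-stig-fips
multus-q8s2n nvcr.io/example/multus-cni:network-operator-v25.10.0-rc.1,ghcr.io/example/sidecar:v4.1.0
rdma-shared-dp-zz1 nvcr.io/example/rdma-shared-dp:v1.5.3'

# Live use: kubectl get pods -n nvidia-network-operator --no-headers -o \
#   custom-columns=P:.metadata.name,C:.spec.containers[*].image,I:.spec.initContainers[*].image | check_images
printf '%s\n' "$SAMPLE_IMAGES" | check_images || echo 'non-conforming images found' >&2
```

On the sample input this reports the ghcr.io sidecar and the v1.5.3 RDMA plugin image; a digest-pinned image is also reported, because its tag cannot be compared against the table.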