
Canonical
on 11 November 2025


Deploy a FedRAMP-ready Kubernetes cluster and application suite, with FIPS 140-3 crypto and DISA-STIG hardening

Today at KubeCon North America, Canonical, the publisher of Ubuntu, released support to enable FIPS mode in its Kubernetes distribution, providing everything needed to create and manage a scalable cluster suitable for high-security and Federal deployments. As of version 1.34, Canonical Kubernetes is available with a built-in FIPS 140-3 capability using certified cryptographic modules, and can be easily hardened to DISA-STIG standards using comprehensive documentation when deployed as a snap package. KubeCon attendees in Atlanta can learn more about FIPS-enabled Canonical Kubernetes at booth 821. 

Canonical Kubernetes is a performant, lightweight and securely designed CNCF-conformant distribution of Kubernetes. It provides everything needed for a fully functioning cluster including a container runtime, a CNI, DNS services, an ingress gateway, metrics server and more. New versions ship within a week of the upstream release, and the Long Term Support versions are fully supported and security maintained by Canonical for 12 years. Long Term Support for Ubuntu and FIPS-enabled Canonical Kubernetes is offered through an Ubuntu Pro subscription. Canonical’s FIPS 140-3 compliant Kubernetes is also available as part of the NVIDIA AI Factory for Government reference design.

Gain stability with the option to upgrade for new features

Canonical is the first to offer 12 years of support for Kubernetes, which is far beyond upstream CNCF and other vendor commitments. This builds on the company’s history of successful Long Term Support for Ubuntu. Upstream Kubernetes is typically maintained and supported for about 14 months by the Kubernetes community, with 3 releases per year. Canonical will maintain a Long Term Support release every 2 years, in line with the Ubuntu LTS release cadence. Kubernetes clusters must be upgraded one version at a time. However, Canonical’s “interim” versions will be supported for 1 year past the next LTS release. This means that customers will be able to upgrade within 1 year of the next LTS release without downtime while knowing their cluster is covered by security maintenance every step along the way.

Get reliable security maintenance

Each component of the Kubernetes stack is backed by Canonical’s CVE patching service. The company’s dedicated security team triages all relevant vulnerabilities and backports upstream fixes to the currently supported software versions, ensuring a completely stable base without breaking existing deployments. 

Comply with FedRAMP requirements

Canonical has been publishing FIPS-certified cryptographic modules for Ubuntu since 2016, which are relied on by customers across the Federal sector, on premises and on public clouds, powering a wide range of FedRAMP deployments. With the availability of Canonical Kubernetes and its built-in FIPS 140-3 mode using certified cryptographic modules, customers will have a faster and more direct route to meet their FedRAMP requirements.

FIPS 140-3 functionality requires Kubernetes to be deployed on top of a FIPS-enabled Ubuntu LTS host operating system. Canonical Kubernetes enables both the Kubernetes DISA-STIG and running on a host OS hardened to DISA-STIG guidelines using the Ubuntu Security Guide (USG) tool. This enables full-stack crypto and security hardening compliance for Federal deployments. The Ubuntu STIG is widely deployed and approved across the Federal space, and applicable STIG controls can be applied to enable hardened containers, along with embedded FIPS crypto libraries.

FIPS modules and STIG hardening are available with an Ubuntu Pro subscription. Ubuntu Pro subscriptions apply on a per-machine basis, which means that any containerized application running on a Pro-enabled host machine is also included within Pro when the Pro token is enabled. 

Visit us at our booth 821 at KubeCon North America on November 11-13, 2025 for an in-person conversation about how Canonical Kubernetes powers FedRAMP compliant deployments.

About Canonical

Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone. 

Learn more at https://canonical.com/ 
