
Canonical
on 11 November 2025


Deploy a FedRAMP-ready Kubernetes cluster and application suite, with FIPS 140-3 crypto and DISA-STIG hardening.

Today at KubeCon North America, Canonical, the publisher of Ubuntu, released support to enable FIPS mode in its Kubernetes distribution, providing everything needed to create and manage a scalable cluster suitable for high-security or Federal deployments. As of version 1.34, Canonical Kubernetes is available with a built-in FIPS 140-3 capability that uses certified cryptographic modules. Your deployment with this FIPS capability can be easily hardened to DISA-STIG standards using comprehensive documentation when deployed as a snap package.

KubeCon attendees in Atlanta can learn more about FIPS-enabled Canonical Kubernetes at booth 821. 

What is Canonical Kubernetes?

Canonical Kubernetes is a performant, lightweight, and securely designed CNCF-conformant distribution of Kubernetes. It provides everything needed for a fully functioning cluster, including a container runtime, a CNI, DNS services, an ingress gateway, metrics server, and more. New versions of Canonical Kubernetes ship within a week of the upstream release, and Long Term Support (LTS) versions (which are released every 2 years) are fully supported and security maintained by Canonical for up to 12 years. Long Term Support for Ubuntu and FIPS-enabled Canonical Kubernetes is offered through an Ubuntu Pro subscription. Canonical’s FIPS 140-3 compliant Kubernetes is also available as part of the NVIDIA AI Factory for Government reference design.

Gain stability with the option to upgrade for new features

Canonical is the first software provider to offer 12 years of support for Kubernetes, which is far beyond the support window offered by upstream CNCF and other vendors. Upstream Kubernetes is typically maintained and supported for about 14 months by the Kubernetes community, with 3 releases per year. In comparison, Canonical maintains an LTS release every 2 years, in line with the Ubuntu LTS release cadence.

Traditionally, Kubernetes clusters must be upgraded one version at a time. However, Canonical’s “interim” versions will be supported for 1 year past the next LTS release, allowing customers to upgrade within 1 year of the next LTS release, without downtime, all while knowing their cluster is fully covered by security maintenance.

Get reliable security maintenance

Each component of the Kubernetes stack is backed by Canonical’s CVE patching service. Our dedicated security team triages all relevant vulnerabilities and backports upstream fixes to the currently supported software versions, ensuring a completely stable base without breaking existing deployments. 

Comply with FedRAMP requirements

Canonical has been publishing FIPS-certified cryptographic modules for Ubuntu since 2016. These modules are vital for customers across the Federal sector and for on-premises and public clouds, powering a wide range of FedRAMP deployments. With the availability of Canonical Kubernetes and its built-in FIPS 140-3 mode using certified cryptographic modules, customers will have a faster and more direct route to meet their FedRAMP requirements.

FIPS 140-3 functionality requires Kubernetes to be deployed on top of a FIPS-enabled Ubuntu LTS host operating system. Canonical Kubernetes enables Kubernetes DISA-STIG hardening, and allows you to deploy onto a host OS hardened to DISA-STIG guidelines using the Ubuntu Security Guide (USG) tool. What’s more, applicable STIG controls can be applied to enable hardened containers, along with embedded FIPS cryptographic libraries. Ubuntu STIG hardening has been extensively tested and deployed across the Federal landscape, making it a proven route to meeting FedRAMP security standards.

FIPS modules and STIG hardening are available with an Ubuntu Pro subscription. Ubuntu Pro subscriptions apply on a per-machine basis, which means that any containerized application running on a Pro-enabled host machine is also included within Pro when the Pro token is enabled. 

Visit us at our booth 821 at KubeCon North America on November 11-13, 2025 for an in-person conversation about how Canonical Kubernetes powers FedRAMP compliant deployments.

About Canonical

Canonical, the publisher of Ubuntu, provides open source security, support, and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.

Learn more at https://canonical.com/ 
