add fips note

65d8d676 · bhearn7 · c1036531 · 65d8d676
Commit 65d8d676 authored Aug 23, 2021 by bhearn7
Show whitespace changes
Inline Side-by-side

Showing with 121 additions and 0 deletions

docs/security.md docs/security.md +121 -0

No files found.
--- a/docs/security.md
+++ b/docs/security.md
@@ -23,3 +23,124 @@ The Identity Provider must:
 - Allow unencrypted requests and responses

 Click the [link](https://docs.anchore.com/current/docs/overview/sso/) for more Anchore security information.
+
+## Note on FIPS
+
+With the current version of Anchore Enterprise (3.1.0), certain functions of Anchore may not work on FIPS enabled nodes. This is a [known issue](https://github.com/anchore/anchore-engine/issues/882) that is being worked on. Until a fix is released, please use node affinity to schedule Anchore pods on non-FIPS nodes:
+
+```yaml
+# Example Big Bang values
+addons:
+  anchore:
+    values:
+      anchoreAnalyzer:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+      anchoreApi:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+      anchoreCatalog:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+      anchorePolicyEngine:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+      anchoreSimpleQueue:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+      anchoreEngineUpgradeJob:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+      anchoreEnterpriseFeedsUpgradeJob:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+      anchoreEnterpriseReports:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+      anchoreEnterpriseNotifications:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+      anchoreEnterpriseUi:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+      anchoreEnterpriseEngineUpgradeJob:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: type
+                  operator: In
+                  values:
+                  - <YOUR_NON_FIPS_NODE_LABEL_HERE>
+```
\ No newline at end of file