Skip to content

Use non-crypto rand for audit IDs to avoid FIPS overhead#2704

Draft
sdodson wants to merge 2 commits into
openshift:release-4.22from
sdodson:audit-id-no-fips-crypto
Draft

Use non-crypto rand for audit IDs to avoid FIPS overhead#2704
sdodson wants to merge 2 commits into
openshift:release-4.22from
sdodson:audit-id-no-fips-crypto

Conversation

@sdodson

@sdodson sdodson commented Jun 26, 2026

Copy link
Copy Markdown
Member

Summary

  • In FIPS mode, uuid.New() calls crypto/rand.Read() which routes through the FIPS-validated OpenSSL DRBG and getrandom() syscall on every API request. Audit IDs are correlation tokens with no security properties, so this cryptographic strength is unnecessary and expensive.
  • Replaces with uuid.NewRandomFromReader() backed by math/rand/v2, which uses a lock-free ChaCha8 source. This preserves the UUID v4 format for backward compatibility while eliminating the FIPS crypto overhead.

I've since found out that this approach is proposed upstream in google/uuid#206 and in addition to not being subject to FIPS mode implementation from golang-fips/go it's 10x faster in general than even the non FIPS implementation. The author there notes that their path is actually cryptographically secure, but I'm still not sure we require that in the first place.

Additional detail, this should be safe in Go 1.22 and later which adds math/rand/v2.

Test plan

  • Existing TestWithAuditID tests pass
  • Full staging/src/k8s.io/apiserver/pkg/endpoints/filters/ test suite passes
  • Verify reduced getrandom() syscall frequency under FIPS mode with strace

🤖 Generated with Claude Code

…erhead

In FIPS mode, uuid.New() calls crypto/rand.Read() which goes through
the FIPS-validated OpenSSL DRBG and getrandom() syscall on every API
request. Audit IDs are correlation tokens with no security properties,
so this cryptographic strength is unnecessary and expensive.

Replace with uuid.NewRandomFromReader() backed by math/rand/v2, which
uses a lock-free ChaCha8 source. This preserves the UUID v4 format for
backward compatibility while eliminating the FIPS crypto overhead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Jun 26, 2026
@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 26, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@sdodson: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci Bot added the vendor-update Touching vendor dir or related files label Jun 26, 2026
@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sdodson
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 42c06536-43c6-400a-9d0f-18d040b518fe

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • ✅ Review completed - (🔄 Check again to review again)
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

Exercises the real WithAuditInit UUID generation path (no Audit-ID
request header) and asserts the result parses as a valid UUID v4 with
RFC 4122 variant. This catches format regressions when changing the
random source backing audit ID generation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci-robot

Copy link
Copy Markdown

@sdodson: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. vendor-update Touching vendor dir or related files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants