NVIDIA GPU Operator Government Ready#
The NVIDIA GPU Operator now offers government-ready components for NVIDIA AI Enterprise customers. Government ready is NVIDIA’s designation for software that meets applicable security requirements for deployment in your FedRAMP High or equivalent sovereign use case. For more information on NVIDIA’s government-ready support, refer to the white paper AI Software for Regulated Environments.
Supported GPU Operator Components#
The government-ready NVIDIA GPU Operator includes the following components:
Component |
Version |
|---|---|
NVIDIA GPU Operator |
v25.10.0 |
NVIDIA GPU Feature Discovery |
0.18.0 |
NVIDIA Container Toolkit |
1.18.0 |
NVIDIA Device Plugin |
0.18.0 |
NVIDIA DCGM-exporter |
4.4.1-4.6.0 |
NVIDIA MIG Manager |
0.13.0 |
NVIDIA Driver |
580.95.05 1 |
1 Hardened for STIG/FIPS compliance
Artifacts for these components are available from the NVIDIA NGC Catalog.
Note
Not all GPU Operator components and features are available as government-ready containers in the v25.10.0 release. For example, GPUDirect Storage and KubeVirt are not yet supported.
Validated Kubernetes Distributions#
The government-ready NVIDIA GPU Operator has been validated on the following Kubernetes distributions:
Canonical Kubernetes 1.34 with Ubuntu Pro 24.04 and FIPS-compliant kernel
Red Hat OpenShift 4.19 in FIPS mode
Install Government-Ready NVIDIA GPU Operator#
Once you have your Prerequisites configured, use the following steps to install the NVIDIA GPU Operator on Canonical Kubernetes distributions:
Note
For deployment on OpenShift, refer to the NVIDIA GPU Operator Government Ready on Openshift page.
Prerequisites#
An active NVIDIA AI Enterprise subscription and NGC API token to access GPU Operator government-ready containers. Refer to Generating Your NGC API Key in the NVIDIA NGC User Guide for more information on NGC API tokens.
An Ubuntu Pro token for Canonical Kubernetes deployments. This token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04. Refer to the Ubuntu Pro documentation for more information on accessing Ubuntu Pro tokens.
The
helmCLI installed on a client machine.You can run the following commands to install the Helm CLI:
$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 \ && chmod 700 get_helm.sh \ && ./get_helm.sh
A namespace to deploy the NVIDIA GPU Operator. The example install commands below use
gpu-operatoras the namespace.Optionally, Service Mesh for intra-cluster traffic encryption. By default, the NVIDIA GPU Operator does not encrypt traffic between its controller (and operands) and the Kubernetes API server. If you wish to encrypt this communication, you should deploy and maintain a service mesh application within the Kubernetes cluster to enable secure traffic.
Install Node Feature Discovery (NFD)#
NFD is an open-source project that is a dependency for the Operator on each node in your cluster. It must be deployed before installing the NVIDIA GPU Operator.
GPU Operator does not maintain a government ready version of NFD, it is recommended that you install the upstream NFD version that aligns with the GPU Operator Component Matrix. The NFD container is built on top of a scratch image, providing a highly secure container environment. For information on NFD CVEs and security updates, refer to the NFD GitHub repository.
Refer to the NFD documentation for installation instructions.
Create NGC API Pull Secret#
Add a Docker registry secret for downloading the GPU Operator artifacts from NVIDIA NGC in the same namespace where you are planning to deploy the NVIDIA GPU Operator.
Update ngc-api-key in the command below with your NGC API key.
$ kubectl create secret -n gpu-operator docker-registry ngc-secret \
--docker-server=nvcr.io \
--docker-username='$oauthtoken' \
--docker-password=<ngc-api-key>
Create Ubuntu Pro Token Secret#
Create a Kubernetes secret to hold the value of your Ubuntu Pro token secret. This secret will be used in the install command in the next step.
The Ubuntu Pro Token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04.
Get the Ubuntu Pro token:
$ echo UBUNTU_PRO_TOKEN=<your Ubuntu Pro token> > ubuntu-fips.env
Replace
<your Ubuntu Pro token>with your actual Ubuntu Pro token.Create Ubuntu Pro token Secret:
$ kubectl create secret generic ubuntu-fips-secret \ --from-env-file=./ubuntu-fips.env --namespace gpu-operator
Note that the namespace in the above command is
gpu-operator. Update this to the namespace you are planning to use for the NVIDIA GPU Operator.
Install NVIDIA GPU Operator Government-Ready Components#
Label your
gpu-operatornamespace for the Operator to set the enforcement policy to privilege.$ kubectl label --overwrite ns gpu-operator pod-security.kubernetes.io/enforce=privileged
Add the NVIDIA Helm repository:
$ helm repo add nvidia https://helm.ngc.nvidia.com/nvidia \ && helm repo update
Install the NVIDIA GPU Operator.
$ helm install gpu-operator nvidia/gpu-operator \ --namespace gpu-operator \ --set driver.secretEnv=ubuntu-fips-secret \ --set driver.repository=nvcr.io/nvidia \ --set driver.version=580.95.05-stig-fips \ --set driver.image=gpu-driver-stig-fips \ --set driver.imagePullSecrets={ngc-secret} \ --set nfd.enabled=false
Refer to Common Chart Customization Options for more information about installation options.
Update Ubuntu Pro Token in ClusterPolicy#
You can update your Ubuntu Pro Token after installation by editing your Ubuntu Pro Token secret.
This secret name is set as value of driver.secretEnv of the GPU Operator ClusterPolicy.
Edit your Ubuntu Pro Token secret.
$ kubectl edit secrets <ubuntu-fips-secret>
Then update the secret with your new Ubuntu Pro Token. This token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04.