NVIDIA Network Operator Government Ready
The NVIDIA Network Operator now offers government-ready components for NVIDIA AI Enterprise customers. Government ready is NVIDIA’s designation for software that meets applicable security requirements for deployment in your FedRAMP High or equivalent sovereign use case. For more information on NVIDIA’s government-ready support, refer to the white paper AI Software for Regulated Environments.
The government-ready NVIDIA Network Operator includes the following components:
Component | Version |
|---|---|
| NVIDIA Network Operator | v25.10.0 |
| NVIDIA Network Operator Init Container | network-operator-v25.10.0 |
| DOCA-OFED Driver Container | doca3.2.0-25.10-1.2.8.0-2 |
| RDMA Shared Device Plugin | network-operator-v25.10.0 |
| IP Over Infiniband (IPoIB) CNI plugin | network-operator-v25.10.0 |
| SRIOV Network Operator Config | network-operator-v25.10.0 |
| SRIOV Network Operator Config Config Daemon | network-operator-v25.10.0-stig-fips |
| SR-IOV Network Device Plugin | network-operator-v25.10.0 |
| SR-IOV CNI plugin | network-operator-v25.10.0 |
| InfiniBand SR-IOV CNI plugin | network-operator-v25.10.0 |
| K8s CNI network plugins | network-operator-v25.10.0 |
| Multus CNI | network-operator-v25.10.0 |
| RDMA CNI plugin | nvcr.io/nvidia/mellanox |
| NVIDIA IPAM Plugin | network-operator-v25.10.0 |
Artifacts for these components are available from the NVIDIA NGC Catalog.
Not all Network Operator components and features are available as government-ready containers in the v25.10.0 release.
Validated Kubernetes Distributions
The government-ready NVIDIA Network Operator has been validated on the following Kubernetes distributions:
Canonical Kubernetes 1.34 with Ubuntu Pro 24.04 amd64 and FIPS-compliant kernel
Install Government-Ready NVIDIA Network Operator
Once you have your Prerequisites configured, use the following steps to install the NVIDIA Network Operator on Canonical Kubernetes distributions:
Prerequisites
An active NVIDIA AI Enterprise subscription and NGC API token to access Network Operator government-ready containers. Refer to Generating Your NGC API Key in the NVIDIA NGC User Guide for more information on NGC API tokens.
An Ubuntu Pro token for Canonical Kubernetes deployments. This token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04. Refer to the Ubuntu Pro documentation for more information on accessing Ubuntu Pro tokens.
The
helmCLI installed on a client machine.You can run the following commands to install the Helm CLI:
$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 \ && chmod 700 get_helm.sh \ && ./get_helm.sh
A namespace to deploy the NVIDIA Network Operator. The example install commands below use
nvidia-network-operatoras the namespace.Optionally, Service Mesh for intra-cluster traffic encryption. By default, the NVIDIA Network Operator does not encrypt traffic between its controller (and operands) and the Kubernetes API server. If you wish to encrypt this communication, you should deploy and maintain a service mesh application within the Kubernetes cluster to enable secure traffic.
Create NGC API Pull Secret
Add a Docker registry secret for downloading the Network Operator artifacts from NVIDIA NGC in the same namespace where you are planning to deploy the NVIDIA Network Operator.
Update ngc-api-key in the command below with your NGC API key.
$ kubectl create secret -n nvidia-network-operator docker-registry ngc-secret \
--docker-server=nvcr.io \
--docker-username='$oauthtoken' \
--docker-password=<ngc-api-key>
Install NVIDIA Network Operator Government-Ready Components
Label your
nvidia-network-operatornamespace for the Operator to set the enforcement policy to privilege.$ kubectl label --overwrite ns nvidia-network-operator pod-security.kubernetes.io/enforce=privileged
Add the NVIDIA Helm repository:
$ helm repo add nvidia https://helm.ngc.nvidia.com/nvidia \ && helm repo update
Install the NVIDIA Network Operator with SR-IOV Network Operator.
$ helm install network-operator nvidia/network-operator \ --namespace nvidia-network-operator \ --set sriov-network-operator.images.sriovConfigDaemon=nvcr.io/nvidia/mellanox/sriov-network-operator-config-daemon-stig-fips:network-operator-v25.10.0-stig-fips \ --set sriov-network-operator.imagePullSecrets={ngc-secret} \ --set sriovNetworkOperator.enabled=true \ --set nfd.enabled=true
Update Ubuntu Pro Token in NicClusterPolicy
UBUNTU_PRO_TOKEN environment variable of the Network Operator NicClusterPolicy should be configured.
apiVersion: mellanox.com/v1alpha1
kind: NicClusterPolicy
metadata:
name: nic-cluster-policy
spec:
ofedDriver:
image: doca-driver-stig-fips
repository: nvcr.io/nvidia/mellanox
version: doca3.2.0-25.10-1.2.8.0-2
imagePullSecrets:
- ngc-secret
env:
- name: UBUNTU_PRO_TOKEN
value: "<YOUR_UBUNTU_PRO_TOKEN>"
This token is required for the driver container to download kernel headers and other necessary packages from the Canonical repository when using the FIPS-enabled kernel on Ubuntu 24.04.