Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 9. Upgrading

The upgrade of the OpenShift sandboxed containers components consists of the following steps:

  1. Upgrade OpenShift Container Platform to update the Kata runtime and its dependencies.
  2. Upgrade the OpenShift sandboxed containers Operator to update the Operator subscription.

You can upgrade OpenShift Container Platform before or after the OpenShift sandboxed containers Operator upgrade, with the one exception noted below. Always apply the KataConfig patch immediately after upgrading the OpenShift sandboxed containers Operator.

9.1. Upgrading resources
Copy link

Red Hat Enterprise Linux CoreOS (RHCOS) extensions deploy the OpenShift sandboxed containers resources onto the cluster.

The RHCOS extension sandboxed containers contains the required components to run OpenShift sandboxed containers, such as the Kata containers runtime, the hypervisor QEMU, and other dependencies. You upgrade the extension by upgrading the cluster to a new release of OpenShift Container Platform.

For more information about upgrading OpenShift Container Platform, see Updating Clusters.

9.2. Upgrading the Operator
Copy link

Use Operator Lifecycle Manager (OLM) to upgrade the OpenShift sandboxed containers Operator either manually or automatically. Selecting between manual or automatic upgrade during the initial deployment determines the future upgrade mode. For manual upgrades, the OpenShift Container Platform web console shows the available updates that the cluster administrator can install.

For more information about upgrading the OpenShift sandboxed containers Operator in Operator Lifecycle Manager (OLM), see Updating installed Operators.

9.3. Updating the pod VM image
Copy link

For peer pod deployments, you must update the pod VM image. Upgrading the OpenShift sandboxed containers Operator when the value of enablePeerpods: is true does not update the pod VM image automatically. You must also delete and re-create the KataConfig custom resource (CR).

Note

You can also check the peer pod config map for AWS and Azure deployments to ensure that the image ID is empty before re-creating the KataConfig CR.

9.3.1. Deleting the KataConfig custom resource
Copy link

You delete the KataConfig custom resource (CR) by using the command line.

Procedure

  1. Delete the KataConfig CR by running the following command: 

    $ oc delete kataconfig example-kataconfig
    Copy to Clipboard Toggle word wrap

  2. Verify the CR removal by running the following command: 

    $ oc get kataconfig example-kataconfig
    Copy to Clipboard Toggle word wrap

    Example output

    No example-kataconfig instances exist
    Copy to Clipboard Toggle word wrap

Important

You must ensure that all pods are deleted. Any remaining pod resources might result in an unexpected bill from your cloud provider.

9.3.2. Verifying the image ID is empty
Copy link

For AWS and Azure deployments, after you delete the KataConfig custom resource (CR), you must verify that the image ID in the peer pods config map is empty.

Procedure

  1. Obtain the peer pods config map by running the following command: 

    $ oc get configmap -n openshift-sandboxed-containers-operator peer-pods-cm -o jsonpath="{.data.<image_id>}"
    1
    Copy to Clipboard Toggle word wrap
    1
    For AWS, replace <image_id> with PODVM_AMI_ID. For Azure, replace <image_id> with AZURE_IMAGE_ID.

  2. If the value is not empty, update the value and patch the config map by running the following command: 

    $ oc patch configmap peer-pods-cm -n openshift-sandboxed-containers-operator -p '{"data":{"<image_id>":""}}'
    Copy to Clipboard Toggle word wrap

9.3.3. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors can increase the reboot time:

  • A large OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    Copy to Clipboard Toggle word wrap
    1
    Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, osc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc create -f example-kataconfig.yaml
    Copy to Clipboard Toggle word wrap

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"
    Copy to Clipboard Toggle word wrap

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify that you have built the peer pod image and uploaded it to the libvirt volume by running the following command: 

    $ oc describe configmap peer-pods-cm -n openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

    Example output

    Name: peer-pods-cm
Namespace: openshift-sandboxed-containers-operator
Labels: <none>
Annotations: <none>

Data
====
CLOUD_PROVIDER: libvirt

BinaryData
====
Events: <none>
    Copy to Clipboard Toggle word wrap

  5. Monitor the kata-oc machine config pool progress to ensure that it is in the UPDATED state, when UPDATEDMACHINECOUNT equals MACHINECOUNT, by running the following command: 

    $ watch oc get mcp/kata-oc
    Copy to Clipboard Toggle word wrap

  6. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds
    Copy to Clipboard Toggle word wrap

  7. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass
    Copy to Clipboard Toggle word wrap

    Example output

    NAME             HANDLER          AGE
kata-remote      kata-remote      152m
    Copy to Clipboard Toggle word wrap

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat