Chapter 7. Uninstalling
You can uninstall OpenShift sandboxed containers and remove the Confidential Containers environment.
7.1. Uninstalling OpenShift sandboxed containers
You can uninstall OpenShift sandboxed containers by using the OpenShift Container Platform web console or the command line.
You uninstall OpenShift sandboxed containers by performing the following tasks:
- Delete the workload pods.
- Delete the KataConfig custom resource.
- Uninstall the OpenShift sandboxed containers Operator.
- Delete the KataConfig custom resource definition.
7.1.1. Uninstalling OpenShift sandboxed containers by using the web console
You can uninstall OpenShift sandboxed containers by using the OpenShift Container Platform web console.
7.1.1.1. Deleting workload pods
You can delete the OpenShift sandboxed containers workload pods by using the OpenShift Container Platform web console.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- You have a list of pods that use the OpenShift sandboxed containers runtime class.
Procedure
- In the OpenShift Container Platform web console, navigate to Workloads → Pods.
- Enter the name of the pod that you want to delete in the Search by name field.
- Click the pod name to open it.
- On the Details page, check that kata or kata-remote is displayed for Runtime class.
- Click the Options menu and select Delete Pod.
- Click Delete.
7.1.1.2. Deleting the KataConfig custom resource
You can delete the KataConfig custom resource (CR) by using the web console.
Deleting the KataConfig CR removes and uninstalls the kata runtime and its related resources from your cluster.
Deleting the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors can increase the reboot time:
- A larger OpenShift Container Platform deployment with a greater number of worker nodes.
- Activation of the BIOS and Diagnostics utility.
- Deployment on a hard drive rather than an SSD.
- Deployment on physical nodes such as bare metal, rather than on virtual nodes.
- A slow CPU and network.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- You have deleted all running pods that use kata as the runtimeClass.
Procedure
- In the OpenShift Container Platform web console, navigate to Operators → Installed Operators.
- Enter OpenShift sandboxed containers Operator in the Search by name field.
- Click the Operator to open it and then click the KataConfig tab.
- Click the Options menu and select Delete KataConfig.
- Click Delete in the confirmation window.
Wait for the kata runtime and resources to uninstall and for the worker nodes to reboot before continuing to the next step.
7.1.1.3. Uninstalling the OpenShift sandboxed containers Operator
You can uninstall the OpenShift sandboxed containers Operator by using the OpenShift Container Platform web console.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- You have deleted the KataConfig custom resource.
Procedure
- Navigate to Operators → Installed Operators.
- Enter OpenShift sandboxed containers Operator in the Search by name field.
- On the right side of the Operator Details page, select Uninstall Operator from the Actions list.
  An Uninstall Operator? dialog box is displayed.
- Click Uninstall to remove the Operator, Operator deployments, and pods.
- Navigate to Administration → Namespaces.
- Enter openshift-sandboxed-containers-operator in the Search by name field.
- Click the Options menu and select Delete Namespace.
- In the confirmation dialog, enter openshift-sandboxed-containers-operator and click Delete.
7.1.1.4. Deleting the KataConfig CRD
You can delete the KataConfig custom resource definition (CRD) by using the OpenShift Container Platform web console.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- You have deleted the KataConfig custom resource.
- You have uninstalled the OpenShift sandboxed containers Operator.
Procedure
- In the web console, navigate to Administration → CustomResourceDefinitions.
- Enter the KataConfig name in the Search by name field.
- Click the Options menu and select Delete CustomResourceDefinition.
- Click Delete in the confirmation window.
7.1.2. Uninstalling OpenShift sandboxed containers by using the CLI
You can uninstall OpenShift sandboxed containers by using the command-line interface (CLI).
7.1.2.1. Deleting workload pods
You can delete the OpenShift sandboxed containers workload pods by using the CLI.
Prerequisites
- You have the JSON processor (jq) utility installed.
Procedure
Search for the pods by running the following command:
$ oc get pods -A -o json | jq -r '.items[] | select(.spec.runtimeClassName == "<runtime>").metadata.name'
For <runtime>, specify kata for bare metal deployments. Specify kata-remote for AWS, Azure, IBM Z®, and IBM® LinuxONE.
Delete each pod by running the following command:
$ oc delete pod <pod>
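The search above prints pod names without their namespaces, so the following added example (not part of the original documentation) reads the output of oc get pods -A -o json and builds namespace-qualified delete commands for both runtime classes. It reports pods that have a controller owner separately, because the controller recreates them after deletion; the function names and the sample pods are constructed for illustration.

```python
import json
import shlex
import sys

# Runtime classes named on this page.
SANDBOXED = {"kata", "kata-remote"}

# Constructed sample in the shape of `oc get pods -A -o json` (only the fields used here).
SAMPLE = {"items": [
    {"metadata": {"namespace": "demo", "name": "standalone"},
     "spec": {"runtimeClassName": "kata"}},
    {"metadata": {"namespace": "demo", "name": "web-7c9d-abcde",
                  "ownerReferences": [{"kind": "ReplicaSet", "name": "web-7c9d",
                                       "controller": True}]},
     "spec": {"runtimeClassName": "kata-remote"}},
    {"metadata": {"namespace": "other", "name": "plain"}, "spec": {}},
]}


def sandboxed_pods(pod_list, runtimes=SANDBOXED):
    """Return (namespace, name, runtime, controller) for each pod using a sandboxed runtime."""
    rows = []
    for item in pod_list.get("items", []):
        runtime = item.get("spec", {}).get("runtimeClassName")
        if runtime not in runtimes:
            continue
        meta = item["metadata"]
        # A controller owner (ReplicaSet, Job, ...) recreates the pod after it is deleted.
        owner = next((f"{o['kind']}/{o['name']}" for o in meta.get("ownerReferences", [])
                      if o.get("controller")), None)
        rows.append((meta["namespace"], meta["name"], runtime, owner))
    return rows


def plan(rows):
    """Split pods into direct delete commands and pods whose owning workload goes first."""
    deletes = [f"oc delete pod {shlex.quote(name)} -n {shlex.quote(ns)}"
               for ns, name, _, owner in rows if owner is None]
    owned = [(ns, name, owner) for ns, name, _, owner in rows if owner is not None]
    return deletes, owned


if __name__ == "__main__":
    # Usage: oc get pods -A -o json | python3 this_script.py  (uses SAMPLE when nothing is piped)
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    deletes, owned = plan(sandboxed_pods(json.loads(raw) if raw.strip() else SAMPLE))
    print("\n".join(deletes))
    for ns, name, owner in owned:
        print(f"# {ns}/{name} is managed by {owner}; remove its owning workload first",
              file=sys.stderr)
```

An empty result from both lists means the prerequisite for deleting the KataConfig CR (no pods left on the kata runtime class) is met.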
7.1.2.2. Deleting the KataConfig custom resource
You can delete the KataConfig custom resource (CR) by using the command line.
Deleting the KataConfig CR removes the runtime and its related resources from your cluster.
Deleting the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors can increase the reboot time:
- A larger OpenShift Container Platform deployment with a greater number of worker nodes.
- Activation of the BIOS and Diagnostics utility.
- Deployment on a hard drive rather than an SSD.
- Deployment on physical nodes such as bare metal, rather than on virtual nodes.
- A slow CPU and network.
Prerequisites
- You have installed the OpenShift CLI (oc).
- You have access to the cluster as a user with the cluster-admin role.
Procedure
Delete the KataConfig CR by running the following command:
$ oc delete kataconfig example-kataconfig
The OpenShift sandboxed containers Operator removes all resources that were initially created to enable the runtime on your cluster.
Important
When you delete the KataConfig CR, the CLI stops responding until all worker nodes reboot. You must wait for the deletion process to complete before performing the verification.
Verify that the custom resource was deleted by running the following command:
$ oc get kataconfig example-kataconfig
Example output
No example-kataconfig instances exist
7.1.2.3. Uninstalling the OpenShift sandboxed containers Operator
You can uninstall the OpenShift sandboxed containers Operator by using the command line.
Prerequisites
- You have installed the OpenShift CLI (oc).
- You have access to the cluster as a user with the cluster-admin role.
- You have deleted the OpenShift sandboxed containers workload pods.
- You have deleted the KataConfig custom resource.
Procedure
Delete the subscription by running the following command:
$ oc delete subscription sandboxed-containers-operator -n openshift-sandboxed-containers-operator
Delete the namespace by running the following command:
$ oc delete namespace openshift-sandboxed-containers-operator
7.1.2.4. Deleting the KataConfig CRD
You can delete the KataConfig custom resource definition (CRD) by using the command line.
Prerequisites
- You have installed the OpenShift CLI (oc).
- You have access to the cluster as a user with the cluster-admin role.
- You have deleted the KataConfig custom resource.
- You have uninstalled the OpenShift sandboxed containers Operator.
Procedure
Delete the KataConfig CRD by running the following command:
$ oc delete crd kataconfigs.kataconfiguration.openshift.io
Verify that the CRD was deleted by running the following command:
$ oc get crd kataconfigs.kataconfiguration.openshift.io
Example output
Unknown CRD kataconfigs.kataconfiguration.openshift.io
7.2. Removing the Confidential Containers environment
You can remove the Confidential Containers environment by using the OpenShift Container Platform web console or the command line.
You remove the Confidential Containers environment by performing the following tasks:
- Delete the KbsConfig custom resource.
- Uninstall the Confidential compute attestation Operator.
- Delete the KbsConfig custom resource definition.
7.2.1. Removing the Confidential Containers environment by using the web console
You can remove the Confidential Containers environment by using the OpenShift Container Platform web console.
7.2.1.1. Deleting the KbsConfig custom resource
You can delete the KbsConfig custom resource (CR) by using the web console.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- You have uninstalled OpenShift sandboxed containers.
Procedure
- In the OpenShift Container Platform web console, navigate to Operators → Installed Operators.
- Enter Confidential compute attestation in the Search by name field.
- Click the Operator to open it and then click the KbsConfig tab.
- Click the Options menu and select Delete KbsConfig.
- Click Delete in the confirmation window.
7.2.1.2. Uninstalling the Confidential compute attestation Operator
You can uninstall the Confidential compute attestation Operator by using the OpenShift Container Platform web console.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- You have deleted the KbsConfig custom resource.
Procedure
- Navigate to Operators → Installed Operators.
- Enter Confidential compute attestation in the Search by name field.
- On the right side of the Operator Details page, select Uninstall Operator from the Actions list.
  An Uninstall Operator? dialog box is displayed.
- Click Uninstall to remove the Operator, Operator deployments, and pods.
- Navigate to Administration → Namespaces.
- Enter trustee-operator-system in the Search by name field.
- Click the Options menu and select Delete Namespace.
- In the confirmation dialog, enter trustee-operator-system and click Delete.
7.2.1.3. Deleting the KbsConfig CRD
You can delete the KbsConfig custom resource definition (CRD) by using the OpenShift Container Platform web console.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- You have deleted the KbsConfig custom resource.
- You have uninstalled the Confidential compute attestation Operator.
Procedure
- In the web console, navigate to Administration → CustomResourceDefinitions.
- Enter the KbsConfig name in the Search by name field.
- Click the Options menu and select Delete CustomResourceDefinition.
- Click Delete in the confirmation window.
7.2.2. Removing the Confidential Containers environment by using the CLI
You can remove the Confidential Containers environment by using the command-line interface (CLI).
7.2.2.1. Deleting the KbsConfig custom resource
You can delete the KbsConfig custom resource (CR) by using the command line.
Prerequisites
- You have installed the OpenShift CLI (oc).
- You have access to the cluster as a user with the cluster-admin role.
- You have uninstalled OpenShift sandboxed containers.
Procedure
Delete the KbsConfig CR by running the following command:
$ oc delete kbsconfig kbsconfig
Verify that the custom resource was deleted by running the following command:
$ oc get kbsconfig kbsconfig
Example output
No kbsconfig instances exist
7.2.2.2. Uninstalling the Confidential compute attestation Operator
You can uninstall the Confidential compute attestation Operator by using the command line.
Prerequisites
- You have installed the OpenShift CLI (oc).
- You have access to the cluster as a user with the cluster-admin role.
- You have deleted the KbsConfig custom resource.
Procedure
Delete the subscription by running the following command:
$ oc delete subscription trustee-operator -n trustee-operator-system
Delete the namespace by running the following command:
$ oc delete namespace trustee-operator-system
7.2.2.3. Deleting the KbsConfig CRD
You can delete the KbsConfig custom resource definition (CRD) by using the command line.
Prerequisites
- You have installed the OpenShift CLI (oc).
- You have access to the cluster as a user with the cluster-admin role.
- You have deleted the KbsConfig custom resource.
- You have uninstalled the Confidential compute attestation Operator.
Procedure
Delete the KbsConfig CRD by running the following command:
$ oc delete crd kbsconfigs.confidentialcontainers.org
Verify that the CRD was deleted by running the following command:
$ oc get crd kbsconfigs.confidentialcontainers.org
Example output
Unknown CRD kbsconfigs.confidentialcontainers.org