Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

User guide

OpenShift sandboxed containers 1.9

Deploying sandboxed containers in OpenShift Container Platform

Red Hat Customer Content Services

Abstract

Deploying OpenShift sandboxed containers in OpenShift Container Platform on bare metal, public cloud, and IBM platforms.

Preface
Copy link

Providing feedback on Red Hat documentation

You can provide feedback or report an error by submitting the Create Issue form in Jira. The Jira issue will be created in the Red Hat Hybrid Cloud Infrastructure Jira project, where you can track the progress of your feedback.

  1. Ensure that you are logged in to Jira. If you do not have a Jira account, you must create a Red Hat Jira account.
  2. Launch the Create Issue form.

  3. Complete the Summary, Description, and Reporter fields.

    In the Description field, include the documentation URL, chapter or section number, and a detailed description of the issue.

  4. Click Create.

Chapter 1. About OpenShift sandboxed containers
Copy link

OpenShift sandboxed containers for OpenShift Container Platform integrates Kata Containers as an optional runtime, providing enhanced security and isolation by running containerized applications in lightweight virtual machines. This integration provides a more secure runtime environment for sensitive workloads without significant changes to existing OpenShift workflows. This runtime supports containers in dedicated virtual machines (VMs), providing improved workload isolation.

1.1. Features
Copy link

OpenShift sandboxed containers provides the following features:

Run privileged or untrusted workloads

You can safely run workloads that require specific privileges, without the risk of compromising cluster nodes by running privileged containers. Workloads that require special privileges include the following:

  • Workloads that require special capabilities from the kernel, beyond the default ones granted by standard container runtimes such as CRI-O, for example to access low-level networking features.
  • Workloads that need elevated root privileges, for example to access a specific physical device. With OpenShift sandboxed containers, it is possible to pass only a specific device through to the virtual machines (VM), ensuring that the workload cannot access or misconfigure the rest of the system.

  • Workloads for installing or using set-uid root binaries. These binaries grant special privileges and, as such, can present a security risk. With OpenShift sandboxed containers, additional privileges are restricted to the virtual machines, and grant no special access to the cluster nodes.

    Some workloads require privileges specifically for configuring the cluster nodes. Such workloads should still use privileged containers, because running on a virtual machine would prevent them from functioning.

Ensure isolation for sensitive workloads
The OpenShift sandboxed containers for Red Hat OpenShift Container Platform integrates Kata Containers as an optional runtime, providing enhanced security and isolation by running containerized applications in lightweight virtual machines. This integration provides a more secure runtime environment for sensitive workloads without significant changes to existing OpenShift workflows. This runtime supports containers in dedicated virtual machines (VMs), providing improved workload isolation.
Ensure kernel isolation for each workload
You can run workloads that require custom kernel tuning (such as sysctl, scheduler changes, or cache tuning) and the creation of custom kernel modules (such as out of tree or special arguments).
Share the same workload across tenants
You can run workloads that support many users (tenants) from different organizations sharing the same OpenShift Container Platform cluster. The system also supports running third-party workloads from multiple vendors, such as container network functions (CNFs) and enterprise applications. Third-party CNFs, for example, may not want their custom settings interfering with packet tuning or with sysctl variables set by other applications. Running inside a completely isolated kernel is helpful in preventing "noisy neighbor" configuration problems.
Ensure proper isolation and sandboxing for testing software
You can run containerized workloads with known vulnerabilities or handle issues in an existing application. This isolation enables administrators to give developers administrative control over pods, which is useful when the developer wants to test or validate configurations beyond those an administrator would typically grant. Administrators can, for example, safely and securely delegate kernel packet filtering (eBPF) to developers. eBPF requires CAP_ADMIN or CAP_BPF privileges, and is therefore not allowed under a standard CRI-O configuration, as this would grant access to every process on the Container Host worker node. Similarly, administrators can grant access to intrusive tools such as SystemTap, or support the loading of custom kernel modules during their development.
Ensure default resource containment through VM boundaries
By default, OpenShift sandboxed containers manages resources such as CPU, memory, storage, and networking in a robust and secure way. Since OpenShift sandboxed containers deploys on VMs, additional layers of isolation and security give a finer-grained access control to the resource. For example, an errant container will not be able to assign more memory than is available to the VM. Conversely, a container that needs dedicated access to a network card or to a disk can take complete control over that device without getting any access to other devices.

The required functionality for the OpenShift Container Platform platform is supported by two main components:

  • Kata runtime: This includes Red Hat Enterprise Linux CoreOS (RHCOS) and updates with every OpenShift Container Platform release.
  • OpenShift sandboxed containers Operator: Install the Operator using either the web console or OpenShift CLI (oc).

The OpenShift sandboxed containers Operator is a Rolling Stream Operator, which means the latest version is the only supported version. It works with all currently supported versions of OpenShift Container Platform. For more information, see OpenShift Container Platform Life Cycle Policy for additional details.

The Operator depends on the features that come with the RHCOS host and the environment it runs in.

Note

You must install Red Hat Enterprise Linux CoreOS (RHCOS) on the worker nodes. RHEL nodes are not supported.

The following compatibility matrix for OpenShift sandboxed containers and OpenShift Container Platform releases identifies compatible features and environments.

Expand
Table 1.1. Supported architectures
ArchitectureOpenShift Container Platform version

x86_64

4.8 or later

s390x

4.14 or later

There are two ways to deploy Kata containers runtime:

  • Bare metal
  • Peer pods

Peer pods technology for the deployment of OpenShift sandboxed containers in public clouds was available as Developer Preview in OpenShift sandboxed containers 1.5 and OpenShift Container Platform 4.14.

With the release of OpenShift sandboxed containers 1.7, the Operator requires OpenShift Container Platform version 4.15 or later.

Expand
Table 1.2. Feature availability by OpenShift version
FeatureDeployment methodOpenShift Container Platform 4.15OpenShift Container Platform 4.16

Confidential Containers

Bare metal

  

Peer pods

Technology Preview

Technology Preview [1]

GPU support [2]

Bare metal

  

Peer pods

Developer Preview

Developer Preview

  1. Technology Preview of Confidential Containers has been available since OpenShift sandboxed containers 1.7.0.
  2. GPU functionality is not available on IBM Z.
Expand
Table 1.3. Supported cloud platforms for OpenShift sandboxed containers
PlatformGPUConfidential Containers

AWS Cloud Computing Services

Developer Preview

 

Microsoft Azure Cloud Computing Services

Developer Preview

Technology Preview [1]

  1. Technology Preview of Confidential Containers has been available since OpenShift sandboxed containers 1.7.0.

1.3. Node eligibility checks
Copy link

You can verify that your bare-metal cluster nodes support OpenShift sandboxed containers by running a node eligibility check. The most common reason for node ineligibility is lack of virtualization support. If you run sandboxed workloads on ineligible nodes, you will experience errors.

High-level workflow

  1. Install the Node Feature Discovery Operator.
  2. Create the NodeFeatureDiscovery custom resource (CR).
  3. Enable node eligibility checks when you create the Kataconfig CR. You can run node eligibility checks on all worker nodes or on selected nodes.

Additional resources

1.4. Common terms
Copy link

The following terms are used throughout the documentation.

Sandbox

A sandbox is an isolated environment where programs can run. In a sandbox, you can run untested or untrusted programs without risking harm to the host machine or the operating system.

In the context of OpenShift sandboxed containers, sandboxing is achieved by running workloads in a different kernel using virtualization, providing enhanced control over the interactions between multiple workloads that run on the same host.

Pod

A pod is a construct that is inherited from Kubernetes and OpenShift Container Platform. It represents resources where containers can be deployed. Containers run inside of pods, and pods are used to specify resources that can be shared between multiple containers.

In the context of OpenShift sandboxed containers, a pod is implemented as a virtual machine. Several containers can run in the same pod on the same virtual machine.

OpenShift sandboxed containers Operator
The OpenShift sandboxed containers Operator manages the lifecycle of sandboxed containers on a cluster. You can use the OpenShift sandboxed containers Operator to perform tasks such as the installation and removal of sandboxed containers, software updates, and status monitoring.
Kata Containers
Kata Containers is a core upstream project that is used to build OpenShift sandboxed containers. OpenShift sandboxed containers integrate Kata Containers with OpenShift Container Platform.
KataConfig
KataConfig objects represent configurations of sandboxed containers. They store information about the state of the cluster, such as the nodes on which the software is deployed.
Runtime class
A RuntimeClass object describes which runtime can be used to run a given workload. A runtime class that is named kata is installed and deployed by the OpenShift sandboxed containers Operator. The runtime class contains information about the runtime that describes resources that the runtime needs to operate, such as the pod overhead.
Peer pod

A peer pod in OpenShift sandboxed containers extends the concept of a standard pod. Unlike a standard sandboxed container, where the virtual machine is created on the worker node itself, in a peer pod, the virtual machine is created through a remote hypervisor using any supported hypervisor or cloud provider API.

The peer pod acts as a regular pod on the worker node, with its corresponding VM running elsewhere. The remote location of the VM is transparent to the user and is specified by the runtime class in the pod specification. The peer pod design circumvents the need for nested virtualization.

IBM Secure Execution
IBM Secure Execution for Linux is an advanced security feature introduced with IBM z15® and LinuxONE III. This feature extends the protection provided by pervasive encryption. IBM Secure Execution safeguards data at rest, in transit, and in use. It enables secure deployment of workloads and ensures data protection throughout its lifecycle. For more information, see Introducing IBM Secure Execution for Linux.
Confidential Containers

Confidential Containers protects containers and data by verifying that your workload is running in a Trusted Execution Environment (TEE). You can deploy this feature to safeguard the privacy of big data analytics and machine learning inferences.

Trustee is a component of Confidential Containers. Trustee is an attestation service that verifies the trustworthiness of the location where you plan to run your workload or where you plan to send confidential information. Trustee includes components deployed on a trusted side and used to verify whether the remote workload is running in a Trusted Execution Environment (TEE). Trustee is flexible and can be deployed in several different configurations to support a wide variety of applications and hardware platforms.

Confidential compute attestation Operator
The Confidential compute attestation Operator manages the installation, lifecycle, and configuration of Confidential Containers.

1.5. OpenShift sandboxed containers Operator
Copy link

The OpenShift sandboxed containers Operator encapsulates all of the components from Kata containers. It manages installation, lifecycle, and configuration tasks.

The OpenShift sandboxed containers Operator is packaged in the Operator bundle format as two container images:

  • The bundle image contains metadata and is required to make the operator OLM-ready.
  • The second container image contains the actual controller that monitors and manages the KataConfig resource.

The OpenShift sandboxed containers Operator is based on the Red Hat Enterprise Linux CoreOS (RHCOS) extensions concept. RHCOS extensions are a mechanism to install optional OpenShift Container Platform software. The OpenShift sandboxed containers Operator uses this mechanism to deploy sandboxed containers on a cluster.

The sandboxed containers RHCOS extension contains RPMs for Kata, QEMU, and its dependencies. You can enable them by using the MachineConfig resources that the Machine Config Operator provides.

Additional resources

1.6. About Confidential Containers
Copy link

Confidential Containers provides a confidential computing environment to protect containers and data by leveraging Trusted Execution Environments.

Important

Confidential Containers on Microsoft Azure Cloud Computing Services, IBM Z®, and IBM® LinuxONE is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

You can sign container images by using a tool such as Red Hat Trusted Artifact Signer. Then, you create a container image signature verification policy.

The Trustee Operator verifies the signatures, ensuring that only trusted and authenticated container images are deployed in your environment.

For more information, see Exploring the OpenShift Confidential Containers solution.

1.7. OpenShift Virtualization
Copy link

You can deploy OpenShift sandboxed containers on clusters with OpenShift Virtualization.

To run OpenShift Virtualization and OpenShift sandboxed containers at the same time, your virtual machines must be live migratable so that they do not block node reboots. See About live migration in the OpenShift Virtualization documentation for details.

1.8. Block volume support
Copy link

OpenShift Container Platform can statically provision raw block volumes. These volumes do not have a file system, and can provide performance benefits for applications that either write to the disk directly or implement their own storage service.

You can use a local block device as persistent volume (PV) storage with OpenShift sandboxed containers. This block device can be provisioned by using the Local Storage Operator (LSO).

The Local Storage Operator is not installed in OpenShift Container Platform by default. See Installing the Local Storage Operator for installation instructions.

You can provision raw block volumes for OpenShift sandboxed containers by specifying volumeMode: Block in the PV specification.

Block volume example

apiVersion: "local.storage.openshift.io/v1"
kind: "LocalVolume"
metadata:
  name: "local-disks"
  namespace: "openshift-local-storage"
spec:
  nodeSelector:
    nodeSelectorTerms:
    - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - worker-0
  storageClassDevices:
    - storageClassName: "local-sc"
      forceWipeDevicesAndDestroyAllData: false
      volumeMode: Block
1 

      devicePaths:
        - /path/to/device
2

1
Set volumeMode to Block to indicate that this PV is a raw block volume.
2
Replace this value with the filepath to your LocalVolume resource by-id. PVs are created for these local disks when the provisioner is deployed successfully. You must also use this path to label the node that uses the block device when deploying OpenShift sandboxed containers.

1.9. FIPS compliance
Copy link

OpenShift Container Platform is designed for Federal Information Processing Standards (FIPS) 140-2 and 140-3. When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.

For more information about the NIST validation program, see Cryptographic Module Validation Program. For the latest NIST status for the individual versions of RHEL cryptographic libraries that have been submitted for validation, see Compliance Activities and Government Standards.

OpenShift sandboxed containers can be used on FIPS enabled clusters.

When running in FIPS mode, OpenShift sandboxed containers components, VMs, and VM images are adapted to comply with FIPS.

Note

FIPS compliance for OpenShift sandboxed containers only applies to the kata runtime class. The peer pod runtime class, kata-remote, is not yet fully supported and has not been tested for FIPS compliance.

FIPS compliance is one of the most critical components required in highly secure environments, to ensure that only supported cryptographic technologies are allowed on nodes.

Important

The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on OpenShift Container Platform deployments on the x86_64 architecture.

To understand Red Hat’s view of OpenShift Container Platform compliance frameworks, refer to the Risk Management and Regulatory Readiness chapter of the OpenShift Security Guide Book.

You can deploy OpenShift sandboxed containers on an on-premise bare-metal cluster with Red Hat Enterprise Linux CoreOS (RHCOS) installed on the worker nodes.

Note
  • RHEL nodes are not supported.
  • Nested virtualization is not supported.

You can use any installation method including user-provisioned, installer-provisioned, or Assisted Installer to deploy your cluster.

You can also install OpenShift sandboxed containers on Amazon Web Services (AWS) bare-metal instances. Bare-metal instances offered by other cloud providers are not supported.

Cluster requirements

  • You have installed Red Hat OpenShift Container Platform 4.14 or later on the cluster where you are installing the OpenShift sandboxed containers Operator.
  • Your cluster has at least one worker node.

For details on installing OpenShift Container Platform on bare metal see Installing on bare metal.

You must ensure that your cluster has sufficient resources.

OpenShift sandboxed containers lets users run workloads on their OpenShift Container Platform clusters inside a sandboxed runtime (Kata). Each pod is represented by a virtual machine (VM). Each VM runs in a QEMU process and hosts a kata-agent process that acts as a supervisor for managing container workloads, and the processes running in those containers. Two additional processes add more overhead:

  • containerd-shim-kata-v2 is used to communicate with the pod.
  • virtiofsd handles host file system access on behalf of the guest.

Each VM is configured with a default amount of memory. Additional memory is hot-plugged into the VM for containers that explicitly request memory.

A container running without a memory resource consumes free memory until the total memory used by the VM reaches the default allocation. The guest and its I/O buffers also consume memory.

If a container is given a specific amount of memory, then that memory is hot-plugged into the VM before the container starts.

When a memory limit is specified, the workload is terminated if it consumes more memory than the limit. If no memory limit is specified, the kernel running on the VM might run out of memory. If the kernel runs out of memory, it might terminate other processes on the VM.

Default memory sizes

The following table lists some the default values for resource allocation.

Expand
ResourceValue

Memory allocated by default to a virtual machine

2Gi

Guest Linux kernel memory usage at boot

~110Mi

Memory used by the QEMU process (excluding VM memory)

~30Mi

Memory used by the virtiofsd process (excluding VM I/O buffers)

~10Mi

Memory used by the containerd-shim-kata-v2 process

~20Mi

File buffer cache data after running dnf install on Fedora

~300Mi* [1]

File buffers appear and are accounted for in multiple locations:

  • In the guest where it appears as file buffer cache.
  • In the virtiofsd daemon that maps allowed user-space file I/O operations.
  • In the QEMU process as guest memory.
Note

Total memory usage is properly accounted for by the memory utilization metrics, which only count that memory once.

Pod overhead describes the amount of system resources that a pod on a node uses. You can get the current pod overhead for the Kata runtime by using oc describe runtimeclass kata as shown below.

Example

$ oc describe runtimeclass kata

Example output

kind: RuntimeClass
apiVersion: node.k8s.io/v1
metadata:
  name: kata
overhead:
  podFixed:
    memory: "500Mi"
    cpu: "500m"

You can change the pod overhead by changing the spec.overhead field for a RuntimeClass. For example, if the configuration that you run for your containers consumes more than 350Mi of memory for the QEMU process and guest kernel data, you can alter the RuntimeClass overhead to suit your needs.

Note

The specified default overhead values are supported by Red Hat. Changing default overhead values is not supported and can result in technical issues.

When performing any kind of file system I/O in the guest, file buffers are allocated in the guest kernel. The file buffers are also mapped in the QEMU process on the host, as well as in the virtiofsd process.

For example, if you use 300Mi of file buffer cache in the guest, both QEMU and virtiofsd appear to use 300Mi additional memory. However, the same memory is used in all three cases. Therefore, the total memory usage is only 300Mi, mapped in three different places. This is correctly accounted for when reporting the memory utilization metrics.

You can deploy OpenShift sandboxed containers on bare metal by using the OpenShift Container Platform web console to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.
  2. Optional: Install the Node Feature Discovery (NFD) Operator to configure node eligibility checks. For more information, see node eligibility checks and the NFD Operator documentation.
  3. Create the KataConfig custom resource.
  4. Configure the OpenShift sandboxed containers workload objects.

You can install the OpenShift sandboxed containers Operator by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. In the web console, navigate to OperatorsOperatorHub.
  2. In the Filter by keyword field, type OpenShift sandboxed containers.
  3. Select the OpenShift sandboxed containers Operator tile and click Install.
  4. On the Install Operator page, select stable from the list of available Update Channel options.

  5. Verify that Operator recommended Namespace is selected for Installed Namespace. This installs the Operator in the mandatory openshift-sandboxed-containers-operator namespace. If this namespace does not yet exist, it is automatically created.

    Note

    Attempting to install the OpenShift sandboxed containers Operator in a namespace other than openshift-sandboxed-containers-operator causes the installation to fail.

  6. Verify that Automatic is selected for Approval Strategy. Automatic is the default value, and enables automatic updates to OpenShift sandboxed containers when a new z-stream release is available.
  7. Click Install.
  8. Navigate to OperatorsInstalled Operators to verify that the Operator is installed.

2.2.2. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata as a RuntimeClass on your worker nodes.

The kata runtime class is installed on all worker nodes by default. If you want to install kata on specific nodes, you can add labels to those nodes and then define the label in the KataConfig CR.

OpenShift sandboxed containers installs kata as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors might increase the reboot time:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • Optional: You have installed the Node Feature Discovery Operator if you want to enable node eligibility checks.

Procedure

  1. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  2. Select the OpenShift sandboxed containers Operator.
  3. On the KataConfig tab, click Create KataConfig.

  4. Enter the following details:

    • Name: Optional: The default name is example-kataconfig.
    • Labels: Optional: Enter any relevant, identifying attributes to the KataConfig resource. Each label represents a key-value pair.
    • checkNodeEligibility: Optional: Select to use the Node Feature Discovery Operator (NFD) to detect node eligibility.

    • kataConfigPoolSelector. Optional: To install kata on selected nodes, add a match expression for the labels on the selected nodes:

      1. Expand the kataConfigPoolSelector area.
      2. In the kataConfigPoolSelector area, expand matchExpressions. This is a list of label selector requirements.
      3. Click Add matchExpressions.
      4. In the Key field, enter the label key the selector applies to.
      5. In the Operator field, enter the key’s relationship to the label values. Valid operators are In, NotIn, Exists, and DoesNotExist.
      6. Expand the Values area and then click Add value.
      7. In the Value field, enter true or false for key label value.
    • logLevel: Define the level of log data retrieved for nodes with the kata runtime class.

  5. Click Create. The KataConfig CR is created and installs the kata runtime class on the worker nodes.

    Wait for the kata installation to complete and the worker nodes to reboot before verifying the installation.

Verification

  1. On the KataConfig tab, click the KataConfig CR to view its details.

  2. Click the YAML tab to view the status stanza.

    The status stanza contains the conditions and kataNodes keys. The value of status.kataNodes is an array of nodes, each of which lists nodes in a particular state of kata installation. A message appears each time there is an update.

  3. Click Reload to refresh the YAML.

    When all workers in the status.kataNodes array display the values installed and conditions.InProgress: False with no specified reason, the kata is installed on the cluster.

Additional resources

2.2.3. Configuring workload objects
Copy link

You must configure OpenShift sandboxed containers workload objects by setting kata as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. In the OpenShift Container Platform web console, navigate to Workloads → workload type, for example, Pods.
  2. On the workload type page, click an object to view its details.
  3. Click the YAML tab.

  4. Add spec.runtimeClassName: kata to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata
# ...

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata, then the workload is running on OpenShift sandboxed containers, using peer pods.

You can deploy OpenShift sandboxed containers on bare metal by using the command line interface (CLI) to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.

  2. After installing the Operator, you can configure the following options:

    • Configure a block storage device.

    • Install the Node Feature Discovery (NFD) Operator to configure node eligibility checks. For more information, see node eligibility checks and the NFD Operator documentation.

      • Create a NodeFeatureDiscovery custom resource.
  3. Create the KataConfig custom resource.
  4. Optional: Modify the number of virtual machines running on each worker node.
  5. Optional: Modify the pod overhead.
  6. Configure the OpenShift sandboxed containers workload objects.

You can install the OpenShift sandboxed containers Operator by using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an osc-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator

  2. Create the namespace by running the following command: 

    $ oc apply -f osc-namespace.yaml

  3. Create an osc-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: sandboxed-containers-operator-group
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator

  4. Create the operator group by running the following command: 

    $ oc apply -f osc-operatorgroup.yaml

  5. Create an osc-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.9.0

  6. Create the subscription by running the following command: 

    $ oc apply -f osc-subscription.yaml

  7. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n openshift-sandboxed-containers-operator

    This command can take several minutes to complete.

  8. Watch the process by running the following command: 

    $ watch oc get csv -n openshift-sandboxed-containers-operator

    Example output

    NAME                             DISPLAY                                  VERSION             REPLACES                   PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.9.0    1.8.1        Succeeded

2.3.2. Optional configurations
Copy link

You can configure the following options after you install the OpenShift sandboxed containers Operator.

2.3.2.1. Provisioning local block volumes
Copy link

You can use local block volumes with OpenShift sandboxed containers. You must first provision the local block volumes by using the Local Storage Operator (LSO). Then you must enable the nodes with the local block volumes to run OpenShift sandboxed containers workloads.

You can provision local block volumes for OpenShift sandboxed containers by using the Local Storage Operator (LSO). The local volume provisioner looks for any block volume devices at the paths specified in the defined resource.

Prerequisites

  • You have installed the Local Storage Operator.

  • You have a local disk that meets the following conditions:

    • It is attached to a node.
    • It is not mounted.
    • It does not contain partitions.

Procedure

  1. Create the local volume resource. This resource must define the nodes and paths to the local volumes.

    Note

    Do not use different storage class names for the same device. Doing so creates multiple persistent volumes (PVs).

    Example: Block

    apiVersion: "local.storage.openshift.io/v1"
kind: "LocalVolume"
metadata:
  name: "local-disks"
  namespace: "openshift-local-storage"
    1 
    
spec:
  nodeSelector:
    2 
    
    nodeSelectorTerms:
    - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - ip-10-0-136-143
          - ip-10-0-140-255
          - ip-10-0-144-180
  storageClassDevices:
    - storageClassName: "local-sc"
    3 
    
      forceWipeDevicesAndDestroyAllData: false
    4 
    
      volumeMode: Block
      devicePaths:
    5 
    
        - /path/to/device
    6

    1
    The namespace where the Local Storage Operator is installed.
    2
    Optional: A node selector containing a list of nodes where the local storage volumes are attached. This example uses the node hostnames, obtained from oc get node. If a value is not defined, then the Local Storage Operator will attempt to find matching disks on all available nodes.
    3
    The name of the storage class to use when creating persistent volume objects.
    4
    This setting defines whether or not to call wipefs, which removes partition table signatures (magic strings) making the disk ready to use for Local Storage Operator provisioning. No other data besides signatures is erased. The default is "false" (wipefs is not invoked). Setting forceWipeDevicesAndDestroyAllData to "true" can be useful in scenarios where previous data can remain on disks that need to be re-used. In these scenarios, setting this field to true eliminates the need for administrators to erase the disks manually.
    5
    The path containing a list of local storage devices to choose from. You must use this path when enabling a node with a local block device to run OpenShift sandboxed containers workloads.
    6
    Replace this value with the filepath to your LocalVolume resource by-id, such as /dev/disk/by-id/wwn. PVs are created for these local disks when the provisioner is deployed successfully.

  2. Create the local volume resource in your OpenShift Container Platform cluster. Specify the file you just created: 

    $ oc apply -f <local-volume>.yaml

  3. Verify that the provisioner was created and that the corresponding daemon sets were created: 

    $ oc get all -n openshift-local-storage

    Example output

    NAME                                          READY   STATUS    RESTARTS   AGE
pod/diskmaker-manager-9wzms                   1/1     Running   0          5m43s
pod/diskmaker-manager-jgvjp                   1/1     Running   0          5m43s
pod/diskmaker-manager-tbdsj                   1/1     Running   0          5m43s
pod/local-storage-operator-7db4bd9f79-t6k87   1/1     Running   0          14m

NAME                                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
service/local-storage-operator-metrics   ClusterIP   172.30.135.36   <none>        8383/TCP,8686/TCP   14m

NAME                               DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/diskmaker-manager   3         3         3       3            3           <none>          5m43s

NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/local-storage-operator   1/1     1            1           14m

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.apps/local-storage-operator-7db4bd9f79   1         1         1       14m

    Note the desired and current number of daemon set processes. A desired count of 0 indicates that the label selectors were invalid.

  4. Verify that the persistent volumes were created: 

    $ oc get pv

    Example output

    NAME                CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM   STORAGECLASS   REASON   AGE
local-pv-1cec77cf   100Gi      RWO            Delete           Available           local-sc                88m
local-pv-2ef7cd2a   100Gi      RWO            Delete           Available           local-sc                82m
local-pv-3fa1c73    100Gi      RWO            Delete           Available           local-sc                48m

Important

Editing the LocalVolume object does not change existing persistent volumes because doing so might result in a destructive operation.

You can configure nodes with a local block device to run OpenShift sandboxed containers workloads at the paths specified in the defined volume resource.

Prerequisites

  • You provisioned a block device using the Local Storage Operator (LSO).

Procedure

  • Enable each node with a local block device to run OpenShift sandboxed containers workloads by running the following command: 

    $ oc debug node/worker-0 -- chcon -vt container_file_t /host/path/to/device

    The /path/to/device must be the same path you defined when creating the local storage resource.

    Example output

    system_u:object_r:container_file_t:s0 /host/path/to/device

You create a NodeFeatureDiscovery custom resource (CR) to define the configuration parameters that the Node Feature Discovery (NFD) Operator checks to determine that the worker nodes can support OpenShift sandboxed containers.

Note

To install the kata runtime on only selected worker nodes that you know are eligible, apply the feature.node.kubernetes.io/runtime.kata=true label to the selected nodes and set checkNodeEligibility: true in the KataConfig CR.

To install the kata runtime on all worker nodes, set checkNodeEligibility: false in the KataConfig CR.

In both these scenarios, you do not need to create the NodeFeatureDiscovery CR. You should only apply the feature.node.kubernetes.io/runtime.kata=true label manually if you are sure that the node is eligible to run OpenShift sandboxed containers.

The following procedure applies the feature.node.kubernetes.io/runtime.kata=true label to all eligible nodes and configures the KataConfig resource to check for node eligibility.

Prerequisites

  • You have installed the NFD Operator.

Procedure

  1. Create an nfd.yaml manifest file according to the following example: 

    apiVersion: nfd.openshift.io/v1
kind: NodeFeatureDiscovery
metadata:
  name: nfd-kata
  namespace: openshift-nfd
spec:
  workerConfig:
    configData: |
      sources:
        custom:
          - name: "feature.node.kubernetes.io/runtime.kata"
            matchOn:
              - cpuId: ["SSE4", "VMX"]
                loadedKMod: ["kvm", "kvm_intel"]
              - cpuId: ["SSE4", "SVM"]
                loadedKMod: ["kvm", "kvm_amd"]
# ...

  2. Create the NodeFeatureDiscovery CR: 

    $ oc create -f nfd.yaml

    The NodeFeatureDiscovery CR applies the feature.node.kubernetes.io/runtime.kata=true label to all qualifying worker nodes.

  1. Create a kata-config.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  checkNodeEligibility: true

  2. Create the KataConfig CR: 

    $ oc create -f kata-config.yaml

Verification

  • Verify that qualifying nodes in the cluster have the correct label applied: 

    $ oc get nodes --selector='feature.node.kubernetes.io/runtime.kata=true'

    Example output

    NAME                           STATUS                     ROLES    AGE     VERSION
compute-3.example.com          Ready                      worker   4h38m   v1.25.0
compute-2.example.com          Ready                      worker   4h35m   v1.25.0

2.3.3. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata as a runtime class on your worker nodes.

Creating the KataConfig CR triggers the OpenShift sandboxed containers Operator to do the following:

  • Install the needed RHCOS extensions, such as QEMU and kata-containers, on your RHCOS node.
  • Ensure that the CRI-O runtime is configured with the correct runtime handlers.
  • Create a RuntimeClass CR named kata with a default configuration. This enables users to configure workloads to use kata as the runtime by referencing the CR in the RuntimeClassName field. This CR also specifies the resource overhead for the runtime.

OpenShift sandboxed containers installs kata as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • Optional: You have installed the Node Feature Discovery Operator if you want to enable node eligibility checks.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  checkNodeEligibility: false
    1 
    
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    2
    1
    Optional: Set`checkNodeEligibility` to true to run node eligibility checks.
    2
    Optional: If you have applied node labels to install OpenShift sandboxed containers on specific nodes, specify the key and value.

  2. Create the KataConfig CR by running the following command: 

    $ oc apply -f example-kataconfig.yaml

    The new KataConfig CR is created and installs kata as a runtime class on the worker nodes.

    Wait for the kata installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata is installed on the cluster.

You can modify the limit of peer pod virtual machines (VMs) per node by editing the peerpodConfig custom resource (CR).

Procedure

  1. Check the current limit by running the following command: 

    $ oc get peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
-o jsonpath='{.spec.limit}{"\n"}'

  2. Modify the limit attribute of the peerpodConfig CR by running the following command: 

    $ oc patch peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
--type merge --patch '{"spec":{"limit":"<value>"}}'
    1
    1
    Replace <value> with the limit you want to define.

2.3.5. Modifying pod overhead
Copy link

Pod overhead describes the amount of system resources that a pod on a node uses. You can modify the pod overhead by changing the spec.overhead field for a RuntimeClass custom resource. For example, if the configuration that you run for your containers consumes more than 350Mi of memory for the QEMU process and guest kernel data, you can alter the RuntimeClass overhead to suit your needs.

When performing any kind of file system I/O in the guest, file buffers are allocated in the guest kernel. The file buffers are also mapped in the QEMU process on the host, as well as in the virtiofsd process.

For example, if you use 300Mi of file buffer cache in the guest, both QEMU and virtiofsd appear to use 300Mi additional memory. However, the same memory is being used in all three cases. Therefore, the total memory usage is only 300Mi, mapped in three different places. This is correctly accounted for when reporting the memory utilization metrics.

Note

The default values are supported by Red Hat. Changing default overhead values is not supported and can result in technical issues.

Procedure

  1. Obtain the RuntimeClass object by running the following command: 

    $ oc describe runtimeclass kata

  2. Update the overhead.podFixed.memory and cpu values and save as the file as runtimeclass.yaml: 

    kind: RuntimeClass
apiVersion: node.k8s.io/v1
metadata:
  name: kata
overhead:
  podFixed:
    memory: "500Mi"
    cpu: "500m"

  3. Apply the changes by running the following command: 

    $ oc apply -f runtimeclass.yaml

2.3.6. Configuring workload objects
Copy link

You must configure OpenShift sandboxed containers workload objects by setting kata as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. Add spec.runtimeClassName: kata to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata
# ...

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata, then the workload is running on OpenShift sandboxed containers, using peer pods.

You can deploy OpenShift sandboxed containers on AWS Cloud Computing Services by using the OpenShift Container Platform web console or the command line interface (CLI).

OpenShift sandboxed containers deploys peer pods. The peer pod design circumvents the need for nested virtualization. For more information, see peer pod and Peer pods technical deep dive.

Cluster requirements

  • You have installed Red Hat OpenShift Container Platform 4.14 or later on the cluster where you are installing the OpenShift sandboxed containers Operator.
  • Your cluster has at least one worker node.

For details on installing OpenShift Container Platform on AWS Cloud Computing Services see Installing on AWS.

3.1. Peer pod resource requirements
Copy link

You must ensure that your cluster has sufficient resources.

Peer pod virtual machines (VMs) require resources in two locations:

  • The worker node. The worker node stores metadata, Kata shim resources (containerd-shim-kata-v2), remote-hypervisor resources (cloud-api-adaptor), and the tunnel setup between the worker nodes and the peer pod VM.
  • The cloud instance. This is the actual peer pod VM running in the cloud.

The CPU and memory resources used in the Kubernetes worker node are handled by the pod overhead included in the RuntimeClass (kata-remote) definition used for creating peer pods.

The total number of peer pod VMs running in the cloud is defined as Kubernetes Node extended resources. This limit is per node and is set by the PEERPODS_LIMIT_PER_NODE attribute in the peer-pods-cm config map.

The extended resource is named kata.peerpods.io/vm, and enables the Kubernetes scheduler to handle capacity tracking and accounting.

You can edit the limit per node based on the requirements for your environment after you install the OpenShift sandboxed containers Operator.

A mutating webhook adds the extended resource kata.peerpods.io/vm to the pod specification. It also removes any resource-specific entries from the pod specification, if present. This enables the Kubernetes scheduler to account for these extended resources, ensuring the peer pod is only scheduled when resources are available.

The mutating webhook modifies a Kubernetes pod as follows:

  • The mutating webhook checks the pod for the expected RuntimeClassName value, specified in the TARGET_RUNTIME_CLASS environment variable. If the value in the pod specification does not match the value in the TARGET_RUNTIME_CLASS, the webhook exits without modifying the pod.

  • If the RuntimeClassName values match, the webhook makes the following changes to the pod spec:

    1. The webhook removes every resource specification from the resources field of all containers and init containers in the pod.
    2. The webhook adds the extended resource (kata.peerpods.io/vm) to the spec by modifying the resources field of the first container in the pod. The extended resource kata.peerpods.io/vm is used by the Kubernetes scheduler for accounting purposes.
Note

The mutating webhook excludes specific system namespaces in OpenShift Container Platform from mutation. If a peer pod is created in those system namespaces, then resource accounting using Kubernetes extended resources does not work unless the pod spec includes the extended resource.

As a best practice, define a cluster-wide policy to only allow peer pod creation in specific namespaces.

You can deploy OpenShift sandboxed containers on AWS by using the OpenShift Container Platform web console to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.
  2. Optional: Enable ports 15150 and 9000 to allow internal communication with peer pods.
  3. Optional: Create the peer pods secret if you uninstalled the Cloud Credential Operator, which is installed with the OpenShift sandboxed containers Operator.
  4. Optional: Select a custom pod VM image.
  5. Optional: Customize the Kata agent policy.
  6. Create the peer pods config map.
  7. Create the KataConfig custom resource.
  8. Configure the OpenShift sandboxed containers workload objects.

You can install the OpenShift sandboxed containers Operator by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. In the web console, navigate to OperatorsOperatorHub.
  2. In the Filter by keyword field, type OpenShift sandboxed containers.
  3. Select the OpenShift sandboxed containers Operator tile and click Install.
  4. On the Install Operator page, select stable from the list of available Update Channel options.

  5. Verify that Operator recommended Namespace is selected for Installed Namespace. This installs the Operator in the mandatory openshift-sandboxed-containers-operator namespace. If this namespace does not yet exist, it is automatically created.

    Note

    Attempting to install the OpenShift sandboxed containers Operator in a namespace other than openshift-sandboxed-containers-operator causes the installation to fail.

  6. Verify that Automatic is selected for Approval Strategy. Automatic is the default value, and enables automatic updates to OpenShift sandboxed containers when a new z-stream release is available.
  7. Click Install.
  8. Navigate to OperatorsInstalled Operators to verify that the Operator is installed.

3.2.2. Enabling ports for AWS
Copy link

You must enable ports 15150 and 9000 to allow internal communication with peer pods running on AWS.

Prerequisites

  • You have installed the OpenShift sandboxed containers Operator.
  • You have installed the AWS command line tool.
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Log in to your OpenShift Container Platform cluster and retrieve the instance ID: 

    $ INSTANCE_ID=$(oc get nodes -l 'node-role.kubernetes.io/worker' \
  -o jsonpath='{.items[0].spec.providerID}' | sed 's#[^ ]*/##g')

  2. Retrieve the AWS region: 

    $ AWS_REGION=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.aws.region}')

  3. Retrieve the security group IDs and store them in an array: 

    $ AWS_SG_IDS=($(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} \
  --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' \
  --output text --region $AWS_REGION))

  4. For each security group ID, authorize the peer pods shim to access kata-agent communication, and set up the peer pods tunnel: 

    $ for AWS_SG_ID in "${AWS_SG_IDS[@]}"; do \
  aws ec2 authorize-security-group-ingress --group-id $AWS_SG_ID --protocol tcp --port 15150 --source-group $AWS_SG_ID --region $AWS_REGION \
  aws ec2 authorize-security-group-ingress --group-id $AWS_SG_ID --protocol tcp --port 9000 --source-group $AWS_SG_ID --region $AWS_REGION \
done

The ports are now enabled.

3.2.3. Creating the peer pods secret
Copy link

When the peer pods secret is empty and the Cloud Credential Operator (CCO) is installed, the OpenShift sandboxed containers Operator uses the CCO to retrieve the secret. If you have uninstalled the CCO, you must create the peer pods secret for OpenShift sandboxed containers manually or the peer pods will fail to operate.

The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

By default, the OpenShift sandboxed containers Operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

Prerequisites

  • You have the following values generated by using the AWS console:

    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY

Procedure

  1. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  2. Click the OpenShift sandboxed containers Operator tile.
  3. Click the Import icon (+) on the top right corner.

  4. In the Import YAML window, paste the following YAML manifest: 

    apiVersion: v1
kind: Secret
metadata:
  name: peer-pods-secret
  namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: "<aws_access_key>"
    1 
    
  AWS_SECRET_ACCESS_KEY: "<aws_secret_access_key>"
    2
    1
    Specify the AWS_ACCESS_KEY_ID value.
    2
    Specify the AWS_SECRET_ACCESS_KEY value.
  5. Click Save to apply the changes.
  6. Navigate to WorkloadsSecrets to verify the peer pods secret.

3.2.4. Creating the peer pods config map
Copy link

You must create the peer pods config map for OpenShift sandboxed containers.

Prerequisites

  • You have your Amazon Machine Image (AMI) ID if you are not using the default AMI ID based on your cluster credentials.

Procedure

  1. Obtain the following values from your AWS instance:

    1. Retrieve and record the instance ID: 

      $ INSTANCE_ID=$(oc get nodes -l 'node-role.kubernetes.io/worker' -o jsonpath='{.items[0].spec.providerID}' | sed 's#[^ ]*/##g')

      This is used to retrieve other values for the secret object.

    2. Retrieve and record the AWS region: 

      $ AWS_REGION=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.aws.region}') && echo "AWS_REGION: \"$AWS_REGION\""

    3. Retrieve and record the AWS subnet ID: 

      $ AWS_SUBNET_ID=$(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} --query 'Reservations[*].Instances[*].SubnetId' --region ${AWS_REGION} --output text) && echo "AWS_SUBNET_ID: \"$AWS_SUBNET_ID\""

    4. Retrieve and record the AWS VPC ID: 

      $ AWS_VPC_ID=$(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} --query 'Reservations[*].Instances[*].VpcId' --region ${AWS_REGION} --output text) && echo "AWS_VPC_ID: \"$AWS_VPC_ID\""

    5. Retrieve and record the AWS security group IDs: 

      $ AWS_SG_IDS=$(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --region  $AWS_REGION --output json | jq -r '.[][][]' | paste -sd ",") && echo "AWS_SG_IDS: \"$AWS_SG_IDS\""
  2. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  3. Select the OpenShift sandboxed containers Operator from the list of operators.
  4. Click the Import icon (+) in the top right corner.

  5. In the Import YAML window, paste the following YAML manifest: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "aws"
  VXLAN_PORT: "9000"
  PODVM_INSTANCE_TYPE: "t3.medium"
    1 
    
  PODVM_INSTANCE_TYPES: "t2.small,t2.medium,t3.large"
    2 
    
  PROXY_TIMEOUT: "5m"
  PODVM_AMI_ID: "<podvm_ami_id>"
    3 
    
  AWS_REGION: "<aws_region>"
    4 
    
  AWS_SUBNET_ID: "<aws_subnet_id>"
    5 
    
  AWS_VPC_ID: "<aws_vpc_id>"
    6 
    
  AWS_SG_IDS: "<aws_sg_ids>"
    7 
    
  PEERPODS_LIMIT_PER_NODE: "10"
    8 
    
  TAGS: "key1=value1,key2=value2"
    9 
    
  DISABLECVM: "true"
    1
    Defines the default instance type that is used when a type is not defined in the workload.
    2
    Specify the instance types, without spaces, for creating the pod. This allows you to define smaller instance types for workloads that need less memory and fewer CPUs or larger instance types for larger workloads.
    3
    Optional: By default, this value is populated when you run the KataConfig CR, using an AMI ID based on your cluster credentials. If you create your own AMI, specify the correct AMI ID.
    4
    Specify the AWS_REGION value you retrieved.
    5
    Specify the AWS_SUBNET_ID value you retrieved.
    6
    Specify the AWS_VPC_ID value you retrieved.
    7
    Specify the AWS_SG_IDS value you retrieved.
    8
    Specify the maximum number of peer pods that can be created per node. The default value is 10.
    9
    You can configure custom tags as key:value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.
  6. Click Save to apply the changes.
  7. Navigate to WorkloadsConfigMaps to view the new config map.

3.2.5. Selecting a custom peer pod VM image
Copy link

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.

Prerequisites

  • The ID of the custom pod VM image to use, compatible with the cloud provider or hypervisor, is available.

Procedure

  1. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  2. Select the OpenShift sandboxed containers Operator from the list of operators.
  3. Click the Import icon (+) in the top right corner.

  4. In the Import YAML window, paste the following YAML manifest: 

    apiVersion: v1
kind: Pod
metadata:
  name: pod-manifest
  annotations:
    io.katacontainers.config.hypervisor.image: "<custom_image_id>"
    1 
    
spec:
  runtimeClassName: kata-remote
    2 
    
  containers:
  - name: <example_container>
    3 
    
    image: registry.access.redhat.com/ubi9/ubi:9.3
    command: ["sleep", "36000"]
  5. Click Save to apply the changes.

3.2.6. Customizing the Kata agent policy
Copy link

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration: 

    package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default OnlineCPUMemRequest := true
default PullImageRequest := true
default ReadStreamRequest := true   # Enabled to allow log API
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StatsContainerRequest := true
default TtyWinResizeRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command: 

    $ base64 -w0 policy.rego

    Save the output for use in the yaml file.

  3. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  4. Select the OpenShift sandboxed containers Operator from the list of operators.
  5. Click the Import icon (+) in the top right corner.

  6. In the Import YAML window, paste the following YAML manifest and add the Base64-encoded policy to it: 

    apiVersion: v1
kind: Pod
metadata:
  name: <pod_name>
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault
  7. Click Save to apply the changes.

3.2.7. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata-remote as a RuntimeClass on your worker nodes.

The kata-remote runtime class is installed on all worker nodes by default. If you want to install kata-remote on specific nodes, you can add labels to those nodes and then define the label in the KataConfig CR.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors might increase the reboot time:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • Optional: You have installed the Node Feature Discovery Operator if you want to enable node eligibility checks.

Procedure

  1. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  2. Select the OpenShift sandboxed containers Operator.
  3. On the KataConfig tab, click Create KataConfig.

  4. Enter the following details:

    • Name: Optional: The default name is example-kataconfig.
    • Labels: Optional: Enter any relevant, identifying attributes to the KataConfig resource. Each label represents a key-value pair.
    • enablePeerPods: Select for public cloud, IBM Z®, and IBM® LinuxONE deployments.

    • kataConfigPoolSelector. Optional: To install kata-remote on selected nodes, add a match expression for the labels on the selected nodes:

      1. Expand the kataConfigPoolSelector area.
      2. In the kataConfigPoolSelector area, expand matchExpressions. This is a list of label selector requirements.
      3. Click Add matchExpressions.
      4. In the Key field, enter the label key the selector applies to.
      5. In the Operator field, enter the key’s relationship to the label values. Valid operators are In, NotIn, Exists, and DoesNotExist.
      6. Expand the Values area and then click Add value.
      7. In the Value field, enter true or false for key label value.
    • logLevel: Define the level of log data retrieved for nodes with the kata-remote runtime class.

  5. Click Create. The KataConfig CR is created and installs the kata-remote runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

Verification

  1. On the KataConfig tab, click the KataConfig CR to view its details.

  2. Click the YAML tab to view the status stanza.

    The status stanza contains the conditions and kataNodes keys. The value of status.kataNodes is an array of nodes, each of which lists nodes in a particular state of kata-remote installation. A message appears each time there is an update.

  3. Click Reload to refresh the YAML.

    When all workers in the status.kataNodes array display the values installed and conditions.InProgress: False with no specified reason, the kata-remote is installed on the cluster.

Additional resources
Verifying the pod VM image

After kata-remote is installed on your cluster, the OpenShift sandboxed containers Operator creates a pod VM image, which is used to create peer pods. This process can take a long time because the image is created on the cloud instance. You can verify that the pod VM image was created successfully by checking the config map that you created for the cloud provider.

Procedure

  1. Navigate to WorkloadsConfigMaps.
  2. Click the provider config map to view its details.
  3. Click the YAML tab.

  4. Check the status stanza of the YAML file.

    If the PODVM_AMI_ID parameter is populated, the pod VM image was created successfully.

Troubleshooting

  1. Retrieve the events log by running the following command: 

    $ oc get events -n openshift-sandboxed-containers-operator --field-selector involvedObject.name=osc-podvm-image-creation

  2. Retrieve the job log by running the following command: 

    $ oc logs -n openshift-sandboxed-containers-operator jobs/osc-podvm-image-creation

If you cannot resolve the issue, submit a Red Hat Support case and attach the output of both logs.

3.2.8. Configuring workload objects
Copy link

You must configure OpenShift sandboxed containers workload objects by setting kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

You can define whether the workload should be deployed using the default instance type, which you defined in the config map, by adding an annotation to the YAML file.

If you do not want to define the instance type manually, you can add an annotation to use an automatic instance type, based on the memory available.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. In the OpenShift Container Platform web console, navigate to Workloads → workload type, for example, Pods.
  2. On the workload type page, click an object to view its details.
  3. Click the YAML tab.

  4. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata-remote
# ...

  5. Add an annotation to the pod-templated object to use a manually defined instance type or an automatic instance type:

    • To use a manually defined instance type, add the following annotation: 

      apiVersion: v1
kind: <object>
metadata:
  annotations:
    io.katacontainers.config.hypervisor.machine_type: "t3.medium"
      1 
      
# ...
      1 1
      Specify the instance type that you defined in the config map.

    • To use an automatic instance type, add the following annotations: 

      apiVersion: v1
kind: <Pod>
metadata:
  annotations:
    io.katacontainers.config.hypervisor.default_vcpus: <vcpus>
    io.katacontainers.config.hypervisor.default_memory: <memory>
# ...

      Define the amount of memory available for the workload to use. The workload will run on an automatic instance type based on the amount of memory available.

  6. Click Save to apply the changes.

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers, using peer pods.

You can deploy OpenShift sandboxed containers on AWS by using the command line interface (CLI) to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.
  2. Optional: Enable ports 15150 and 9000 to allow internal communication with peer pods.
  3. Optional: Create the peer pods secret if you uninstalled the Cloud Credential Operator, which is installed with the OpenShift sandboxed containers Operator.
  4. Optional: Select a custom pod VM image.
  5. Create the peer pods config map.
  6. Optional: Customize the Kata agent policy.
  7. Create the KataConfig custom resource.
  8. Optional: Modify the number of virtual machines running on each worker node.
  9. Configure the OpenShift sandboxed containers workload objects.

You can install the OpenShift sandboxed containers Operator by using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an osc-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator

  2. Create the namespace by running the following command: 

    $ oc apply -f osc-namespace.yaml

  3. Create an osc-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: sandboxed-containers-operator-group
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator

  4. Create the operator group by running the following command: 

    $ oc apply -f osc-operatorgroup.yaml

  5. Create an osc-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.9.0

  6. Create the subscription by running the following command: 

    $ oc apply -f osc-subscription.yaml

  7. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n openshift-sandboxed-containers-operator

    This command can take several minutes to complete.

  8. Watch the process by running the following command: 

    $ watch oc get csv -n openshift-sandboxed-containers-operator

    Example output

    NAME                             DISPLAY                                  VERSION             REPLACES                   PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.9.0    1.8.1        Succeeded

3.3.2. Enabling ports for AWS
Copy link

You must enable ports 15150 and 9000 to allow internal communication with peer pods running on AWS.

Prerequisites

  • You have installed the OpenShift sandboxed containers Operator.
  • You have installed the AWS command line tool.
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Log in to your OpenShift Container Platform cluster and retrieve the instance ID: 

    $ INSTANCE_ID=$(oc get nodes -l 'node-role.kubernetes.io/worker' \
  -o jsonpath='{.items[0].spec.providerID}' | sed 's#[^ ]*/##g')

  2. Retrieve the AWS region: 

    $ AWS_REGION=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.aws.region}')

  3. Retrieve the security group IDs and store them in an array: 

    $ AWS_SG_IDS=($(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} \
  --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' \
  --output text --region $AWS_REGION))

  4. For each security group ID, authorize the peer pods shim to access kata-agent communication, and set up the peer pods tunnel: 

    $ for AWS_SG_ID in "${AWS_SG_IDS[@]}"; do \
  aws ec2 authorize-security-group-ingress --group-id $AWS_SG_ID --protocol tcp --port 15150 --source-group $AWS_SG_ID --region $AWS_REGION \
  aws ec2 authorize-security-group-ingress --group-id $AWS_SG_ID --protocol tcp --port 9000 --source-group $AWS_SG_ID --region $AWS_REGION \
done

The ports are now enabled.

3.3.3. Creating the peer pods secret
Copy link

When the peer pods secret is empty and the Cloud Credential Operator (CCO) is installed, the OpenShift sandboxed containers Operator uses the CCO to retrieve the secret. If you have uninstalled the CCO, you must create the peer pods secret for OpenShift sandboxed containers manually or the peer pods will fail to operate.

The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

By default, the OpenShift sandboxed containers Operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

Prerequisites

  • You have the following values generated by using the AWS console:

    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY

Procedure

  1. Create a peer-pods-secret.yaml manifest file according to the following example: 

    apiVersion: v1
kind: Secret
metadata:
  name: peer-pods-secret
  namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: "<aws_access_key>"
    1 
    
  AWS_SECRET_ACCESS_KEY: "<aws_secret_access_key>"
    2
    1
    Specify the AWS_ACCESS_KEY_ID value.
    2
    Specify the AWS_SECRET_ACCESS_KEY value.

  2. Create the secret by running the following command: 

    $ oc apply -f peer-pods-secret.yaml

3.3.4. Creating the peer pods config map
Copy link

You must create the peer pods config map for OpenShift sandboxed containers.

Prerequisites

  • You have your Amazon Machine Image (AMI) ID if you are not using the default AMI ID based on your cluster credentials.

Procedure

  1. Obtain the following values from your AWS instance:

    1. Retrieve and record the instance ID: 

      $ INSTANCE_ID=$(oc get nodes -l 'node-role.kubernetes.io/worker' -o jsonpath='{.items[0].spec.providerID}' | sed 's#[^ ]*/##g')

      This is used to retrieve other values for the secret object.

    2. Retrieve and record the AWS region: 

      $ AWS_REGION=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.aws.region}') && echo "AWS_REGION: \"$AWS_REGION\""

    3. Retrieve and record the AWS subnet ID: 

      $ AWS_SUBNET_ID=$(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} --query 'Reservations[*].Instances[*].SubnetId' --region ${AWS_REGION} --output text) && echo "AWS_SUBNET_ID: \"$AWS_SUBNET_ID\""

    4. Retrieve and record the AWS VPC ID: 

      $ AWS_VPC_ID=$(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} --query 'Reservations[*].Instances[*].VpcId' --region ${AWS_REGION} --output text) && echo "AWS_VPC_ID: \"$AWS_VPC_ID\""

    5. Retrieve and record the AWS security group IDs: 

      $ AWS_SG_IDS=$(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --region  $AWS_REGION --output json | jq -r '.[][][]' | paste -sd ",") && echo "AWS_SG_IDS: \"$AWS_SG_IDS\""

  2. Create a peer-pods-cm.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "aws"
  VXLAN_PORT: "9000"
  PODVM_INSTANCE_TYPE: "t3.medium"
    1 
    
  PODVM_INSTANCE_TYPES: "t2.small,t2.medium,t3.large"
    2 
    
  PROXY_TIMEOUT: "5m"
  PODVM_AMI_ID: "<podvm_ami_id>"
    3 
    
  AWS_REGION: "<aws_region>"
    4 
    
  AWS_SUBNET_ID: "<aws_subnet_id>"
    5 
    
  AWS_VPC_ID: "<aws_vpc_id>"
    6 
    
  AWS_SG_IDS: "<aws_sg_ids>"
    7 
    
  PEERPODS_LIMIT_PER_NODE: "10"
    8 
    
  TAGS: "key1=value1,key2=value2"
    9 
    
  DISABLECVM: "true"
    1
    Defines the default instance type that is used when a type is not defined in the workload.
    2
    Specify the instance types, without spaces, for creating the pod. This allows you to define smaller instance types for workloads that need less memory and fewer CPUs or larger instance types for larger workloads.
    3
    Optional: By default, this value is populated when you run the KataConfig CR, using an AMI ID based on your cluster credentials. If you create your own AMI, specify the correct AMI ID.
    4
    Specify the AWS_REGION value you retrieved.
    5
    Specify the AWS_SUBNET_ID value you retrieved.
    6
    Specify the AWS_VPC_ID value you retrieved.
    7
    Specify the AWS_SG_IDS value you retrieved.
    8
    Specify the maximum number of peer pods that can be created per node. The default value is 10.
    9
    You can configure custom tags as key:value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.

  3. Create the config map by running the following command: 

    $ oc apply -f peer-pods-cm.yaml

3.3.5. Selecting a custom peer pod VM image
Copy link

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.

Prerequisites

  • The ID of the custom pod VM image to use, compatible with the cloud provider or hypervisor, is available.

Procedure

  1. Edit the pod manifest by adding the io.katacontainers.config.hypervisor.image annotation and save it in a pod-manifest.yaml file: 

    apiVersion: v1
kind: Pod
metadata:
  name: pod-manifest
  annotations:
    io.katacontainers.config.hypervisor.image: "<custom_image_id>"
    1 
    
spec:
  runtimeClassName: kata-remote
    2 
    
  containers:
  - name: <example_container>
    3 
    
    image: registry.access.redhat.com/ubi9/ubi:9.3
    command: ["sleep", "36000"]
    1
    Specify the custom peer pod image ID.
    2
    Ensure that the runtimeClassName field is set to kata-remote to create a peer pod.
    3
    Specify the container name.

  2. Create the pod by running the following command: 

    $ oc apply -f pod-manifest.yaml

3.3.6. Customizing the Kata agent policy
Copy link

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration: 

    package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default OnlineCPUMemRequest := true
default PullImageRequest := true
default ReadStreamRequest := true   # Enabled to allow log API
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StatsContainerRequest := true
default TtyWinResizeRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command: 

    $ base64 -w0 policy.rego

    Save the output for use in the yaml file.

  3. Add the Base64-encoded policy to a my-pod.yaml pod specification file: 

    apiVersion: v1
kind: Pod
metadata:
  name: <pod_name>
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault

  4. Apply the pod manifest by running the following command: 

    $ oc apply -f my-pod.yaml

3.3.7. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

Creating the KataConfig CR triggers the OpenShift sandboxed containers Operator to do the following:

  • Create a RuntimeClass CR named kata-remote with a default configuration. This enables users to configure workloads to use kata-remote as the runtime by referencing the CR in the RuntimeClassName field. This CR also specifies the resource overhead for the runtime.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    1
    Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, osc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc apply -f example-kataconfig.yaml

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds

  5. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass

    Example output

    NAME             HANDLER          AGE
kata             kata             152m
kata-remote      kata-remote      152m

You can modify the limit of peer pod virtual machines (VMs) per node by editing the peerpodConfig custom resource (CR).

Procedure

  1. Check the current limit by running the following command: 

    $ oc get peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
-o jsonpath='{.spec.limit}{"\n"}'

  2. Modify the limit attribute of the peerpodConfig CR by running the following command: 

    $ oc patch peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
--type merge --patch '{"spec":{"limit":"<value>"}}'
    1
    1
    Replace <value> with the limit you want to define.
Verifying the pod VM image

After kata-remote is installed on your cluster, the OpenShift sandboxed containers Operator creates a pod VM image, which is used to create peer pods. This process can take a long time because the image is created on the cloud instance. You can verify that the pod VM image was created successfully by checking the config map that you created for the cloud provider.

Procedure

  1. Obtain the config map you created for the peer pods: 

    $ oc get configmap peer-pods-cm -n openshift-sandboxed-containers-operator -o yaml

  2. Check the status stanza of the YAML file.

    If the PODVM_AMI_ID parameter is populated, the pod VM image was created successfully.

Troubleshooting

  1. Retrieve the events log by running the following command: 

    $ oc get events -n openshift-sandboxed-containers-operator --field-selector involvedObject.name=osc-podvm-image-creation

  2. Retrieve the job log by running the following command: 

    $ oc logs -n openshift-sandboxed-containers-operator jobs/osc-podvm-image-creation

If you cannot resolve the issue, submit a Red Hat Support case and attach the output of both logs.

3.3.9. Configuring workload objects
Copy link

You must configure OpenShift sandboxed containers workload objects by setting kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

You can define whether the workload should be deployed using the default instance type, which you defined in the config map, by adding an annotation to the YAML file.

If you do not want to define the instance type manually, you can add an annotation to use an automatic instance type, based on the memory available.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata-remote
# ...

  2. Add an annotation to the pod-templated object to use a manually defined instance type or an automatic instance type:

    • To use a manually defined instance type, add the following annotation: 

      apiVersion: v1
kind: <object>
metadata:
  annotations:
    io.katacontainers.config.hypervisor.machine_type: "t3.medium"
      1 
      
# ...
      1
      Specify the instance type that you defined in the config map.

    • To use an automatic instance type, add the following annotations: 

      apiVersion: v1
kind: <Pod>
metadata:
  annotations:
    io.katacontainers.config.hypervisor.default_vcpus: <vcpus>
    io.katacontainers.config.hypervisor.default_memory: <memory>
# ...

      Define the amount of memory available for the workload to use. The workload will run on an automatic instance type based on the amount of memory available.

  3. Apply the changes to the workload object by running the following command: 

    $ oc apply -f <object.yaml>

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers, using peer pods.

You can deploy OpenShift sandboxed containers on Microsoft Azure Cloud Computing Services.

OpenShift sandboxed containers deploys peer pods. The peer pod design circumvents the need for nested virtualization. For more information, see peer pod and Peer pods technical deep dive.

Cluster requirements

  • You have installed Red Hat OpenShift Container Platform 4.14 or later on the cluster where you are installing the OpenShift sandboxed containers Operator.
  • Your cluster has at least one worker node.

For details on installing OpenShift Container Platform on Microsoft Azure Cloud Computing Services see Installing on Azure.

4.1. Peer pod resource requirements
Copy link

You must ensure that your cluster has sufficient resources.

Peer pod virtual machines (VMs) require resources in two locations:

  • The worker node. The worker node stores metadata, Kata shim resources (containerd-shim-kata-v2), remote-hypervisor resources (cloud-api-adaptor), and the tunnel setup between the worker nodes and the peer pod VM.
  • The cloud instance. This is the actual peer pod VM running in the cloud.

The CPU and memory resources used in the Kubernetes worker node are handled by the pod overhead included in the RuntimeClass (kata-remote) definition used for creating peer pods.

The total number of peer pod VMs running in the cloud is defined as Kubernetes Node extended resources. This limit is per node and is set by the PEERPODS_LIMIT_PER_NODE attribute in the peer-pods-cm config map.

The extended resource is named kata.peerpods.io/vm, and enables the Kubernetes scheduler to handle capacity tracking and accounting.

You can edit the limit per node based on the requirements for your environment after you install the OpenShift sandboxed containers Operator.

A mutating webhook adds the extended resource kata.peerpods.io/vm to the pod specification. It also removes any resource-specific entries from the pod specification, if present. This enables the Kubernetes scheduler to account for these extended resources, ensuring the peer pod is only scheduled when resources are available.

The mutating webhook modifies a Kubernetes pod as follows:

  • The mutating webhook checks the pod for the expected RuntimeClassName value, specified in the TARGET_RUNTIME_CLASS environment variable. If the value in the pod specification does not match the value in the TARGET_RUNTIME_CLASS, the webhook exits without modifying the pod.

  • If the RuntimeClassName values match, the webhook makes the following changes to the pod spec:

    1. The webhook removes every resource specification from the resources field of all containers and init containers in the pod.
    2. The webhook adds the extended resource (kata.peerpods.io/vm) to the spec by modifying the resources field of the first container in the pod. The extended resource kata.peerpods.io/vm is used by the Kubernetes scheduler for accounting purposes.
Note

The mutating webhook excludes specific system namespaces in OpenShift Container Platform from mutation. If a peer pod is created in those system namespaces, then resource accounting using Kubernetes extended resources does not work unless the pod spec includes the extended resource.

As a best practice, define a cluster-wide policy to only allow peer pod creation in specific namespaces.

4.2. Configuring outbound connections
Copy link

To enable peer pods to communicate with external networks, such as the public internet, you must configure outbound connectivity for the pod virtual machine (VM) subnet. This involves setting up a NAT gateway and, optionally, defining how the subnet integrates with your cluster’s virtual network (VNet) in Azure.

Peer pods and subnets
Peer pods operate in a dedicated Azure subnet that requires explicit configuration for outbound access. This subnet can either be the default worker subnet used by OpenShift Container Platform nodes or a separate, custom subnet created specifically for peer pods.
VNet peering
When using a separate subnet, VNet peering connects the peer pod VNet to the cluster’s VNet, ensuring internal communication while maintaining isolation. This requires non-overlapping CIDR ranges between the VNets.

You can configure outbound connectivity in two ways:

  • Default worker subnet: Modify the existing worker subnet to include a NAT gateway. This is simpler and reuses cluster resources, but it offers less isolation.
  • Peer pod VNet: Set up a dedicated VNet and subnet for peer pods, attach a NAT gateway, and peer it with the cluster VNet. This provides greater isolation and flexibility at the cost of additional complexity.

You can configure the default worker subnet with a NAT gateway.

Prerequisites

  • The Azure CLI (az) is installed and authenticated.
  • You have administrator access to the Azure resource group and the VNet.

Procedure

  1. Set the AZURE_RESOURCE_GROUP environment variable by running the following command: 

    $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
    -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')

  2. Set the AZURE_REGION environment variable by running the following command: 

    $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP}\
    --query "{Location:location}" --output tsv) && \
    echo "AZURE_REGION: \"$AZURE_REGION\""

  3. Set the AZURE_VNET_NAME environment variable by running the following command: 

    $ AZURE_VNET_NAME=$(az network vnet list \
    -g "${AZURE_RESOURCE_GROUP}" --query '[].name' -o tsv)

  4. Set the AZURE_SUBNET_ID environment variable by running the following command: 

    $ AZURE_SUBNET_ID=$(az network vnet subnet list \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --vnet-name "${AZURE_VNET_NAME}" --query "[].{Id:id} \
    | [? contains(Id, 'worker')]" --output tsv)

  5. Set the NAT gateway environment variables for the peer pod subnet by running the following commands: 

    $ export PEERPOD_NAT_GW=peerpod-nat-gw
     
    $ export PEERPOD_NAT_GW_IP=peerpod-nat-gw-ip

  6. Create a public IP address for the NAT gateway by running the following command: 

    $ az network public-ip create -g "${AZURE_RESOURCE_GROUP}" \
    -n "${PEERPOD_NAT_GW_IP}" -l "${AZURE_REGION}" --sku Standard

  7. Create the NAT gateway and associate it with the public IP address by running the following command: 

    $ az network nat gateway create -g "${AZURE_RESOURCE_GROUP}" \
    -l "${AZURE_REGION}" --public-ip-addresses "${PEERPOD_NAT_GW_IP}" \
    -n "${PEERPOD_NAT_GW}"

  8. Update the VNet subnet to use the NAT gateway by running the following command: 

    $ az network vnet subnet update --nat-gateway "${PEERPOD_NAT_GW}" \
    --ids "${AZURE_SUBNET_ID}"

Verification

  • Confirm the NAT gateway is attached to the VNet subnet by running the following command: 

    $ az network vnet subnet show --ids "${AZURE_SUBNET_ID}" \
    --query "natGateway.id" -o tsv

    The output contains the NAT gateway resource ID. If no NAT gateway is attached, the output is empty.

    Example output

    /subscriptions/12345678-1234-1234-1234-1234567890ab/resourceGroups/myResourceGroup/providers/Microsoft.Network/natGateways/myNatGateway

To enable public internet access, you can create a dedicated virtual network (VNet) for peer pods, attach a network address translation (NAT) gateway, create a subnet, and enable VNet peering with non-overlapping address spaces.

Prerequisites

  • The Azure CLI (az) is installed
  • You have signed in to Azure. See Authenticate to Azure using Azure CLI.
  • You have administrator access to the Azure resource group and VNet hosting the cluster.
  • You have verified the cluster VNet classless inter-domain routing (CIDR) address. The default value is 10.0.0.0/14. If you overrode the default value, you have ensured that you chose a non-overlapping CIDR address for the peer pod VNet. For example, 192.168.0.0/16.

Procedure

  1. Set the environmental variables for the peer pod network:

    1. Set the peer pod VNet environment variables by running the following commands: 

      $ export PEERPOD_VNET_NAME="${PEERPOD_VNET_NAME:-peerpod-vnet}"
       
      $ export PEERPOD_VNET_CIDR="${PEERPOD_VNET_CIDR:-192.168.0.0/16}"

    2. Set the peer pod subnet environment variables by running the following commands: 

      $ export PEERPOD_SUBNET_NAME="${PEERPOD_SUBNET_NAME:-peerpod-subnet}"
       
      $ export PEERPOD_SUBNET_CIDR="${PEERPOD_SUBNET_CIDR:-192.168.0.0/16}"

  2. Set the environmental variables for Azure: 

    $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
    -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')
     
    $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP}\
    --query "{Location:location}" --output tsv) && \
    echo "AZURE_REGION: \"$AZURE_REGION\""
     
    $ AZURE_VNET_NAME=$(az network vnet list \
    -g "${AZURE_RESOURCE_GROUP}" --query '[].name' -o tsv)

  3. Set the peer pod NAT gateway environment variables by running the following commands: 

    $ export PEERPOD_NAT_GW="${PEERPOD_NAT_GW:-peerpod-nat-gw}"
     
    $ export PEERPOD_NAT_GW_IP="${PEERPOD_NAT_PUBLIC_IP:-peerpod-nat-gw-ip}"

  4. Configure the VNET:

    1. Create the peer pod VNet by running the following command: 

      $ az network vnet create --resource-group "${AZURE_RESOURCE_GROUP}" \
    --name "${PEERPOD_VNET_NAME}" \
    --address-prefixes "${PEERPOD_VNET_CIDR}"

    2. Create a public IP address for the peer pod VNet by running the following command: 

      $ az network public-ip create -g "${AZURE_RESOURCE_GROUP}" \
    -n "${PEERPOD_NAT_GW_IP}" -l "${AZURE_REGION}"

    3. Create a NAT gateway for the peer pod VNet by running the following command: 

      $ az network nat gateway create -g "${AZURE_RESOURCE_GROUP}" \
    -l "${AZURE_REGION}" \
    --public-ip-addresses "${PEERPOD_NAT_GW_IP}" \
    -n "${PEERPOD_NAT_GW}"

    4. Create a subnet in the peer pod VNet and attach the NAT gateway by running the following command: 

      $ az network vnet subnet create \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --vnet-name "${PEERPOD_VNET_NAME}" \
    --name "${PEERPOD_SUBNET_NAME}" \
    --address-prefixes "${PEERPOD_SUBNET_CIDR}" \
    --nat-gateway "${PEERPOD_NAT_GW}"

  5. Configure the virtual network peering connection:

    1. Create the peering connection by running the following command: 

      $ az network vnet peering create -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-azure-vnet-to-peerpod-vnet \
    --vnet-name "${AZURE_VNET_NAME}" \
    --remote-vnet "${PEERPOD_VNET_NAME}" --allow-vnet-access \
    --allow-forwarded-traffic

    2. Sync the peering connection by running the following command: 

      $ az network vnet peering sync -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-azure-vnet-to-peerpod-vnet \
    --vnet-name "${AZURE_VNET_NAME}"

    3. Complete the peering connection by running the following command: 

      $ az network vnet peering create -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-peerpod-vnet-to-azure-vnet \
    --vnet-name "${PEERPOD_VNET_NAME}" \
    --remote-vnet "${AZURE_VNET_NAME}" --allow-vnet-access \
    --allow-forwarded-traffic

Verification

  1. Check the peering connection status from the cluster VNet by running the following command: 

    $ az network vnet peering show -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-azure-vnet-to-peerpod-vnet \
    --vnet-name "${AZURE_VNET_NAME}" \
    --query "peeringState" -o tsv

    This should return Connected.

  2. Verify that the NAT gateway is attached to the peer pod subnet by running the following command: 

    $ az network vnet subnet show --resource-group "${AZURE_RESOURCE_GROUP}" \
    --vnet-name "${PEERPOD_VNET_NAME}" --name "${PEERPOD_SUBNET_NAME}" \
    --query "natGateway.id" -o tsv

You can deploy OpenShift sandboxed containers on Azure by using the OpenShift Container Platform web console to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.
  2. Optional: Create the peer pods secret if you uninstalled the Cloud Credential Operator, which is installed with the OpenShift sandboxed containers Operator.
  3. Optional: Select a custom pod VM image.
  4. Optional: Create the Azure secret.
  5. Optional: Customize the Kata agent policy.
  6. Create the peer pods config map.
  7. Create the KataConfig custom resource.
  8. Configure the OpenShift sandboxed containers workload objects.

You can install the OpenShift sandboxed containers Operator by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. In the web console, navigate to OperatorsOperatorHub.
  2. In the Filter by keyword field, type OpenShift sandboxed containers.
  3. Select the OpenShift sandboxed containers Operator tile and click Install.
  4. On the Install Operator page, select stable from the list of available Update Channel options.

  5. Verify that Operator recommended Namespace is selected for Installed Namespace. This installs the Operator in the mandatory openshift-sandboxed-containers-operator namespace. If this namespace does not yet exist, it is automatically created.

    Note

    Attempting to install the OpenShift sandboxed containers Operator in a namespace other than openshift-sandboxed-containers-operator causes the installation to fail.

  6. Verify that Automatic is selected for Approval Strategy. Automatic is the default value, and enables automatic updates to OpenShift sandboxed containers when a new z-stream release is available.
  7. Click Install.
  8. Navigate to OperatorsInstalled Operators to verify that the Operator is installed.

4.3.2. Creating the peer pods secret
Copy link

When the peer pods secret is empty and the Cloud Credential Operator (CCO) is installed, the OpenShift sandboxed containers Operator uses the CCO to retrieve the secret. If you have uninstalled the CCO, you must create the peer pods secret for OpenShift sandboxed containers manually or the peer pods will fail to operate.

The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

By default, the OpenShift sandboxed containers Operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

Prerequisites

  • You have installed and configured the Azure CLI tool.

Procedure

  1. Retrieve the Azure subscription ID by running the following command: 

    $ AZURE_SUBSCRIPTION_ID=$(az account list --query "[?isDefault].id" \
  -o tsv) && echo "AZURE_SUBSCRIPTION_ID: \"$AZURE_SUBSCRIPTION_ID\""

  2. Generate the RBAC content by running the following command: 

    $ az ad sp create-for-rbac --role Contributor --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID \
  --query "{ client_id: appId, client_secret: password, tenant_id: tenant }"

    Example output

    {
  "client_id": `AZURE_CLIENT_ID`,
  "client_secret": `AZURE_CLIENT_SECRET`,
  "tenant_id": `AZURE_TENANT_ID`
}

  3. Record the RBAC output to use in the secret object.
  4. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  5. Click the OpenShift sandboxed containers Operator tile.
  6. Click the Import icon (+) on the top right corner.

  7. In the Import YAML window, paste the following YAML manifest: 

    apiVersion: v1
kind: Secret
metadata:
  name: peer-pods-secret
  namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
  AZURE_CLIENT_ID: "<azure_client_id>"
    1 
    
  AZURE_CLIENT_SECRET: "<azure_client_secret>"
    2 
    
  AZURE_TENANT_ID: "<azure_tenant_id>"
    3 
    
  AZURE_SUBSCRIPTION_ID: "<azure_subscription_id>"
    4
    1
    Specify the AZURE_CLIENT_ID value.
    2
    Specify the AZURE_CLIENT_SECRET value.
    3
    Specify the AZURE_TENANT_ID value.
    4
    Specify the AZURE_SUBSCRIPTION_ID value.
  8. Click Save to apply the changes.
  9. Navigate to WorkloadsSecrets to verify the peer pods secret.

4.3.3. Creating the peer pods config map
Copy link

You must create the peer pods config map for OpenShift sandboxed containers.

Procedure

  1. Obtain the following values from your Azure instance:

    1. Retrieve and record the Azure resource group: 

      $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}') && echo "AZURE_RESOURCE_GROUP: \"$AZURE_RESOURCE_GROUP\""

    2. Retrieve and record the Azure VNet name: 

      $ AZURE_VNET_NAME=$(az network vnet list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Name:name}" --output tsv)

      This value is used to retrieve the Azure subnet ID.

    3. Retrieve and record the Azure subnet ID: 

      $ AZURE_SUBNET_ID=$(az network vnet subnet list --resource-group ${AZURE_RESOURCE_GROUP} --vnet-name $AZURE_VNET_NAME --query "[].{Id:id} | [? contains(Id, 'worker')]" --output tsv) && echo "AZURE_SUBNET_ID: \"$AZURE_SUBNET_ID\""

    4. Retrieve and record the Azure network security group (NSG) ID: 

      $ AZURE_NSG_ID=$(az network nsg list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Id:id}" --output tsv) && echo "AZURE_NSG_ID: \"$AZURE_NSG_ID\""

    5. Retrieve and record the Azure region: 

      $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} --query "{Location:location}" --output tsv) && echo "AZURE_REGION: \"$AZURE_REGION\""
  2. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  3. Select the OpenShift sandboxed containers Operator from the list of operators.
  4. Click the Import icon (+) in the top right corner.

  5. In the Import YAML window, paste the following YAML manifest: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "azure"
  VXLAN_PORT: "9000"
  AZURE_INSTANCE_SIZE: "Standard_B2als_v2"
    1 
    
  AZURE_INSTANCE_SIZES: "Standard_B2als_v2,Standard_D2as_v5,Standard_D4as_v5,Standard_D2ads_v5"
    2 
    
  AZURE_SUBNET_ID: "<azure_subnet_id>"
    3 
    
  AZURE_NSG_ID: "<azure_nsg_id>"
    4 
    
  PROXY_TIMEOUT: "5m"
  AZURE_IMAGE_ID: "<azure_image_id>"
    5 
    
  AZURE_REGION: "<azure_region>"
    6 
    
  AZURE_RESOURCE_GROUP: "<azure_resource_group>"
    7 
    
  PEERPODS_LIMIT_PER_NODE: "10"
    8 
    
  TAGS: "key1=value1,key2=value2"
    9 
    
  DISABLECVM: "true"
    1
    The "Standard_B2als_v2" instance size is the default value if an instance size is not defined in the workload.
    2
    Specify the instance sizes, without spaces, for creating the pod. This allows you to define smaller instance sizes for workloads that need less memory and fewer CPUs or larger instance sizes for larger workloads.
    3
    Specify the AZURE_SUBNET_ID value that you retrieved.
    4
    Specify the AZURE_NSG_ID value that you retrieved.
    5
    Optional: By default, this value is populated when you run the KataConfig CR, using an Azure image ID based on your cluster credentials. If you create your own Azure image, specify the correct image ID.
    6
    Specify the AZURE_REGION value you retrieved.
    7
    Specify the AZURE_RESOURCE_GROUP value you retrieved.
    8
    Specify the maximum number of peer pods that can be created per node. The default value is 10.
    9
    You can configure custom tags as key:value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.
  6. Click Save to apply the changes.
  7. Navigate to WorkloadsConfigMaps to view the new config map.

4.3.4. Selecting a custom peer pod VM image
Copy link

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.

Prerequisites

  • The ID of the custom pod VM image to use, compatible with the cloud provider or hypervisor, is available.

Procedure

  1. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  2. Select the OpenShift sandboxed containers Operator from the list of operators.
  3. Click the Import icon (+) in the top right corner.

  4. In the Import YAML window, paste the following YAML manifest: 

    apiVersion: v1
kind: Pod
metadata:
  name: pod-manifest
  annotations:
    io.katacontainers.config.hypervisor.image: "<custom_image_id>"
    1 
    
spec:
  runtimeClassName: kata-remote
    2 
    
  containers:
  - name: <example_container>
    3 
    
    image: registry.access.redhat.com/ubi9/ubi:9.3
    command: ["sleep", "36000"]
    1
    Specify the custom peer pod image ID.
    2
    Ensure that the runtimeClassName field is set to kata-remote to create a peer pod.
    3
    Specify the container name.
  5. Click Save to apply the changes.

4.3.5. Creating the Azure secret
Copy link

You must create the SSH key secret, which is required by the Azure virtual machine (VM) creation API. Azure only requires the SSH public key. Confidential Containers disables SSH in VMs, so the keys have no effect in the VMs.

Procedure

  1. Generate an SSH key pair by running the following command: 

    $ ssh-keygen -f ./id_rsa -N ""
  2. In the OpenShift Container Platform web console, navigate to WorkloadsSecrets.
  3. On the Secrets page, verify that you are in the openshift-sandboxed-containers-operator project.
  4. Click Create and select Key/value secret.
  5. In the Secret name field, enter ssh-key-secret.
  6. In the Key field, enter id_rsa.pub.
  7. In the Value field, paste your public SSH key.
  8. Click Create.

  9. Delete the SSH keys you created: 

    $ shred --remove id_rsa.pub id_rsa

4.3.6. Customizing the Kata agent policy
Copy link

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration: 

    package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default OnlineCPUMemRequest := true
default PullImageRequest := true
default ReadStreamRequest := true   # Enabled to allow log API
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StatsContainerRequest := true
default TtyWinResizeRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command: 

    $ base64 -w0 policy.rego

    Save the output for use in the yaml file.

  3. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  4. Select the OpenShift sandboxed containers Operator from the list of operators.
  5. Click the Import icon (+) in the top right corner.

  6. In the Import YAML window, paste the following YAML manifest and add the Base64-encoded policy to it: 

    apiVersion: v1
kind: Pod
metadata:
  name: <pod_name>
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault
  7. Click Save to apply the changes.

4.3.7. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata-remote as a RuntimeClass on your worker nodes.

The kata-remote runtime class is installed on all worker nodes by default. If you want to install kata-remote on specific nodes, you can add labels to those nodes and then define the label in the KataConfig CR.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors might increase the reboot time:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • Optional: You have installed the Node Feature Discovery Operator if you want to enable node eligibility checks.

Procedure

  1. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  2. Select the OpenShift sandboxed containers Operator.
  3. On the KataConfig tab, click Create KataConfig.

  4. Enter the following details:

    • Name: Optional: The default name is example-kataconfig.
    • Labels: Optional: Enter any relevant, identifying attributes to the KataConfig resource. Each label represents a key-value pair.
    • enablePeerPods: Select for public cloud, IBM Z®, and IBM® LinuxONE deployments.

    • kataConfigPoolSelector. Optional: To install kata-remote on selected nodes, add a match expression for the labels on the selected nodes:

      1. Expand the kataConfigPoolSelector area.
      2. In the kataConfigPoolSelector area, expand matchExpressions. This is a list of label selector requirements.
      3. Click Add matchExpressions.
      4. In the Key field, enter the label key the selector applies to.
      5. In the Operator field, enter the key’s relationship to the label values. Valid operators are In, NotIn, Exists, and DoesNotExist.
      6. Expand the Values area and then click Add value.
      7. In the Value field, enter true or false for key label value.
    • logLevel: Define the level of log data retrieved for nodes with the kata-remote runtime class.

  5. Click Create. The KataConfig CR is created and installs the kata-remote runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

Verification

  1. On the KataConfig tab, click the KataConfig CR to view its details.

  2. Click the YAML tab to view the status stanza.

    The status stanza contains the conditions and kataNodes keys. The value of status.kataNodes is an array of nodes, each of which lists nodes in a particular state of kata-remote installation. A message appears each time there is an update.

  3. Click Reload to refresh the YAML.

    When all workers in the status.kataNodes array display the values installed and conditions.InProgress: False with no specified reason, the kata-remote is installed on the cluster.

Additional resources
Verifying the pod VM image

After kata-remote is installed on your cluster, the OpenShift sandboxed containers Operator creates a pod VM image, which is used to create peer pods. This process can take a long time because the image is created on the cloud instance. You can verify that the pod VM image was created successfully by checking the config map that you created for the cloud provider.

Procedure

  1. Navigate to WorkloadsConfigMaps.
  2. Click the provider config map to view its details.
  3. Click the YAML tab.

  4. Check the status stanza of the YAML file.

    If the AZURE_IMAGE_ID parameter is populated, the pod VM image was created successfully.

Troubleshooting

  1. Retrieve the events log by running the following command: 

    $ oc get events -n openshift-sandboxed-containers-operator --field-selector involvedObject.name=osc-podvm-image-creation

  2. Retrieve the job log by running the following command: 

    $ oc logs -n openshift-sandboxed-containers-operator jobs/osc-podvm-image-creation

If you cannot resolve the issue, submit a Red Hat Support case and attach the output of both logs.

4.3.8. Configuring workload objects
Copy link

You must configure OpenShift sandboxed containers workload objects by setting kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

You can define whether the workload should be deployed using the default instance size, which you defined in the config map, by adding an annotation to the YAML file.

If you do not want to define the instance size manually, you can add an annotation to use an automatic instance size, based on the memory available.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. In the OpenShift Container Platform web console, navigate to Workloads → workload type, for example, Pods.
  2. On the workload type page, click an object to view its details.
  3. Click the YAML tab.

  4. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata-remote
# ...

  5. Add an annotation to the pod-templated object to use a manually defined instance size or an automatic instance size:

    • To use a manually defined instance size, add the following annotation: 

      apiVersion: v1
kind: <object>
metadata:
  annotations:
    io.katacontainers.config.hypervisor.machine_type: "Standard_B2als_v2"
      1 
      
# ...
      1
      Specify the instance size that you defined in the config map.

    • To use an automatic instance size, add the following annotations: 

      apiVersion: v1
kind: <Pod>
metadata:
  annotations:
    io.katacontainers.config.hypervisor.default_vcpus: <vcpus>
    io.katacontainers.config.hypervisor.default_memory: <memory>
# ...

      Define the amount of memory available for the workload to use. The workload will run on an automatic instance size based on the amount of memory available.

  6. Click Save to apply the changes.

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers, using peer pods.

You can deploy OpenShift sandboxed containers on Azure by using the command line interface (CLI) to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.
  2. Optional: Create the peer pods secret if you uninstalled the Cloud Credential Operator, which is installed with the OpenShift sandboxed containers Operator.
  3. Optional: Select a custom pod VM image.
  4. Create the peer pods config map.
  5. Optional: Create the Azure secret.
  6. Optional: Customize the Kata agent policy.
  7. Create the KataConfig custom resource.
  8. Optional: Modify the number of virtual machines running on each worker node.
  9. Configure the OpenShift sandboxed containers workload objects.

You can install the OpenShift sandboxed containers Operator by using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an osc-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator

  2. Create the namespace by running the following command: 

    $ oc apply -f osc-namespace.yaml

  3. Create an osc-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: sandboxed-containers-operator-group
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator

  4. Create the operator group by running the following command: 

    $ oc apply -f osc-operatorgroup.yaml

  5. Create an osc-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.9.0

  6. Create the subscription by running the following command: 

    $ oc apply -f osc-subscription.yaml

  7. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n openshift-sandboxed-containers-operator

    This command can take several minutes to complete.

  8. Watch the process by running the following command: 

    $ watch oc get csv -n openshift-sandboxed-containers-operator

    Example output

    NAME                             DISPLAY                                  VERSION             REPLACES                   PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.9.0    1.8.1        Succeeded

4.4.2. Creating the peer pods secret
Copy link

When the peer pods secret is empty and the Cloud Credential Operator (CCO) is installed, the OpenShift sandboxed containers Operator uses the CCO to retrieve the secret. If you have uninstalled the CCO, you must create the peer pods secret for OpenShift sandboxed containers manually or the peer pods will fail to operate.

The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

By default, the OpenShift sandboxed containers Operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

Prerequisites

  • You have installed and configured the Azure CLI tool.

Procedure

  1. Retrieve the Azure subscription ID by running the following command: 

    $ AZURE_SUBSCRIPTION_ID=$(az account list --query "[?isDefault].id" \
  -o tsv) && echo "AZURE_SUBSCRIPTION_ID: \"$AZURE_SUBSCRIPTION_ID\""

  2. Generate the RBAC content by running the following command: 

    $ az ad sp create-for-rbac --role Contributor --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID \
  --query "{ client_id: appId, client_secret: password, tenant_id: tenant }"

    Example output

    {
  "client_id": `AZURE_CLIENT_ID`,
  "client_secret": `AZURE_CLIENT_SECRET`,
  "tenant_id": `AZURE_TENANT_ID`
}

  3. Record the RBAC output to use in the secret object.

  4. Create a peer-pods-secret.yaml manifest file according to the following example: 

    apiVersion: v1
kind: Secret
metadata:
  name: peer-pods-secret
  namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
  AZURE_CLIENT_ID: "<azure_client_id>"
    1 
    
  AZURE_CLIENT_SECRET: "<azure_client_secret>"
    2 
    
  AZURE_TENANT_ID: "<azure_tenant_id>"
    3 
    
  AZURE_SUBSCRIPTION_ID: "<azure_subscription_id>"
    4
    1
    Specify the AZURE_CLIENT_ID value.
    2
    Specify the AZURE_CLIENT_SECRET value.
    3
    Specify the AZURE_TENANT_ID value.
    4
    Specify the AZURE_SUBSCRIPTION_ID value.

  5. Create the secret by running the following command: 

    $ oc apply -f peer-pods-secret.yaml

4.4.3. Creating the peer pods config map
Copy link

You must create the peer pods config map for OpenShift sandboxed containers.

Procedure

  1. Obtain the following values from your Azure instance:

    1. Retrieve and record the Azure resource group: 

      $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}') && echo "AZURE_RESOURCE_GROUP: \"$AZURE_RESOURCE_GROUP\""

    2. Retrieve and record the Azure VNet name: 

      $ AZURE_VNET_NAME=$(az network vnet list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Name:name}" --output tsv)

      This value is used to retrieve the Azure subnet ID.

    3. Retrieve and record the Azure subnet ID: 

      $ AZURE_SUBNET_ID=$(az network vnet subnet list --resource-group ${AZURE_RESOURCE_GROUP} --vnet-name $AZURE_VNET_NAME --query "[].{Id:id} | [? contains(Id, 'worker')]" --output tsv) && echo "AZURE_SUBNET_ID: \"$AZURE_SUBNET_ID\""

    4. Retrieve and record the Azure network security group (NSG) ID: 

      $ AZURE_NSG_ID=$(az network nsg list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Id:id}" --output tsv) && echo "AZURE_NSG_ID: \"$AZURE_NSG_ID\""

    5. Retrieve and record the Azure region: 

      $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} --query "{Location:location}" --output tsv) && echo "AZURE_REGION: \"$AZURE_REGION\""

  2. Create a peer-pods-cm.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "azure"
  VXLAN_PORT: "9000"
  AZURE_INSTANCE_SIZE: "Standard_B2als_v2"
    1 
    
  AZURE_INSTANCE_SIZES: "Standard_B2als_v2,Standard_D2as_v5,Standard_D4as_v5,Standard_D2ads_v5"
    2 
    
  AZURE_SUBNET_ID: "<azure_subnet_id>"
    3 
    
  AZURE_NSG_ID: "<azure_nsg_id>"
    4 
    
  PROXY_TIMEOUT: "5m"
  AZURE_IMAGE_ID: "<azure_image_id>"
    5 
    
  AZURE_REGION: "<azure_region>"
    6 
    
  AZURE_RESOURCE_GROUP: "<azure_resource_group>"
    7 
    
  PEERPODS_LIMIT_PER_NODE: "10"
    8 
    
  TAGS: "key1=value1,key2=value2"
    9 
    
  DISABLECVM: "true"
    1
    The "Standard_B2als_v2" instance size is the default value if an instance size is not defined in the workload.
    2
    Specify the instance sizes, without spaces, for creating the pod. This allows you to define smaller instance sizes for workloads that need less memory and fewer CPUs or larger instance sizes for larger workloads.
    3
    Specify the AZURE_SUBNET_ID value that you retrieved.
    4
    Specify the AZURE_NSG_ID value that you retrieved.
    5
    Optional: By default, this value is populated when you run the KataConfig CR, using an Azure image ID based on your cluster credentials. If you create your own Azure image, specify the correct image ID.
    6
    Specify the AZURE_REGION value you retrieved.
    7
    Specify the AZURE_RESOURCE_GROUP value you retrieved.
    8
    Specify the maximum number of peer pods that can be created per node. The default value is 10.
    9
    You can configure custom tags as key:value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.

  3. Create the config map by running the following command: 

    $ oc apply -f peer-pods-cm.yaml

4.4.4. Selecting a custom peer pod VM image
Copy link

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.

Prerequisites

  • The ID of the custom pod VM image to use, compatible with the cloud provider or hypervisor, is available.

Procedure

  1. Edit the pod manifest by adding the io.katacontainers.config.hypervisor.image annotation and save it in a pod-manifest.yaml file: 

    apiVersion: v1
kind: Pod
metadata:
  name: pod-manifest
  annotations:
    io.katacontainers.config.hypervisor.image: "<custom_image_id>"
    1 
    
spec:
  runtimeClassName: kata-remote
    2 
    
  containers:
  - name: <example_container>
    3 
    
    image: registry.access.redhat.com/ubi9/ubi:9.3
    command: ["sleep", "36000"]
    1
    Specify the custom peer pod image ID.
    2
    Ensure that the runtimeClassName field is set to kata-remote to create a peer pod.
    3
    Specify the container name.

  2. Create the pod by running the following command: 

    $ oc apply -f pod-manifest.yaml

4.4.5. Creating the Azure secret
Copy link

You must create the SSH key secret, which is required by the Azure virtual machine (VM) creation API. Azure only requires the SSH public key. Confidential Containers disables SSH in VMs, so the keys have no effect in the VMs.

Procedure

  1. Generate an SSH key pair by running the following command: 

    $ ssh-keygen -f ./id_rsa -N ""

  2. Create the Secret object by running the following command: 

    $ oc create secret generic ssh-key-secret \
  -n openshift-sandboxed-containers-operator \
  --from-file=id_rsa.pub=./id_rsa.pub \
  --from-file=id_rsa=./id_rsa

  3. Delete the SSH keys you created: 

    $ shred --remove id_rsa.pub id_rsa

4.4.6. Customizing the Kata agent policy
Copy link

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration: 

    package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default OnlineCPUMemRequest := true
default PullImageRequest := true
default ReadStreamRequest := true   # Enabled to allow log API
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StatsContainerRequest := true
default TtyWinResizeRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command: 

    $ base64 -w0 policy.rego

    Save the output for use in the yaml file.

  3. Add the Base64-encoded policy to a my-pod.yaml pod specification file: 

    apiVersion: v1
kind: Pod
metadata:
  name: <pod_name>
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault

  4. Apply the pod manifest by running the following command: 

    $ oc apply -f my-pod.yaml

4.4.7. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

Creating the KataConfig CR triggers the OpenShift sandboxed containers Operator to do the following:

  • Create a RuntimeClass CR named kata-remote with a default configuration. This enables users to configure workloads to use kata-remote as the runtime by referencing the CR in the RuntimeClassName field. This CR also specifies the resource overhead for the runtime.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    1
    Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, osc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc apply -f example-kataconfig.yaml

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds

  5. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass

    Example output

    NAME             HANDLER          AGE
kata             kata             152m
kata-remote      kata-remote      152m

You can modify the limit of peer pod virtual machines (VMs) per node by editing the peerpodConfig custom resource (CR).

Procedure

  1. Check the current limit by running the following command: 

    $ oc get peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
-o jsonpath='{.spec.limit}{"\n"}'

  2. Modify the limit attribute of the peerpodConfig CR by running the following command: 

    $ oc patch peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
--type merge --patch '{"spec":{"limit":"<value>"}}'
    1
    1
    Replace <value> with the limit you want to define.
Verifying the pod VM image

After kata-remote is installed on your cluster, the OpenShift sandboxed containers Operator creates a pod VM image, which is used to create peer pods. This process can take a long time because the image is created on the cloud instance. You can verify that the pod VM image was created successfully by checking the config map that you created for the cloud provider.

Procedure

  1. Obtain the config map you created for the peer pods: 

    $ oc get configmap peer-pods-cm -n openshift-sandboxed-containers-operator -o yaml

  2. Check the status stanza of the YAML file.

    If the AZURE_IMAGE_ID parameter is populated, the pod VM image was created successfully.

Troubleshooting

  1. Retrieve the events log by running the following command: 

    $ oc get events -n openshift-sandboxed-containers-operator --field-selector involvedObject.name=osc-podvm-image-creation

  2. Retrieve the job log by running the following command: 

    $ oc logs -n openshift-sandboxed-containers-operator jobs/osc-podvm-image-creation

If you cannot resolve the issue, submit a Red Hat Support case and attach the output of both logs.

4.4.9. Configuring workload objects
Copy link

You must configure OpenShift sandboxed containers workload objects by setting kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

You can define whether the workload should be deployed using the default instance size, which you defined in the config map, by adding an annotation to the YAML file.

If you do not want to define the instance size manually, you can add an annotation to use an automatic instance size, based on the memory available.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata-remote
# ...

  2. Add an annotation to the pod-templated object to use a manually defined instance size or an automatic instance size:

    • To use a manually defined instance size, add the following annotation: 

      apiVersion: v1
kind: <object>
metadata:
  annotations:
    io.katacontainers.config.hypervisor.machine_type: "Standard_B2als_v2"
      1 
      
# ...
      1
      Specify the instance size that you defined in the config map.

    • To use an automatic instance size, add the following annotations: 

      apiVersion: v1
kind: <Pod>
metadata:
  annotations:
    io.katacontainers.config.hypervisor.default_vcpus: <vcpus>
    io.katacontainers.config.hypervisor.default_memory: <memory>
# ...

      Define the amount of memory available for the workload to use. The workload will run on an automatic instance size based on the amount of memory available.

  3. Apply the changes to the workload object by running the following command: 

    $ oc apply -f <object.yaml>

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers, using peer pods.

You can deploy OpenShift sandboxed containers on Google Cloud.

OpenShift sandboxed containers deploys peer pods. The peer pod design circumvents the need for nested virtualization. For more information, see peer pod and Peer pods technical deep dive.

Cluster requirements

  • You have installed OpenShift Container Platform 4.17 or later on the cluster where you are installing the OpenShift sandboxed containers Operator for Google Cloud.
  • Your cluster has at least one worker node.

For more information, see Installing on Google Cloud in the OpenShift Container Platform documentation.

5.1. Peer pod resource requirements
Copy link

You must ensure that your cluster has sufficient resources.

Peer pod virtual machines (VMs) require resources in two locations:

  • The worker node. The worker node stores metadata, Kata shim resources (containerd-shim-kata-v2), remote-hypervisor resources (cloud-api-adaptor), and the tunnel setup between the worker nodes and the peer pod VM.
  • The cloud instance. This is the actual peer pod VM running in the cloud.

The CPU and memory resources used in the Kubernetes worker node are handled by the pod overhead included in the RuntimeClass (kata-remote) definition used for creating peer pods.

The total number of peer pod VMs running in the cloud is defined as Kubernetes Node extended resources. This limit is per node and is set by the PEERPODS_LIMIT_PER_NODE attribute in the peer-pods-cm config map.

The extended resource is named kata.peerpods.io/vm, and enables the Kubernetes scheduler to handle capacity tracking and accounting.

You can edit the limit per node based on the requirements for your environment after you install the OpenShift sandboxed containers Operator.

A mutating webhook adds the extended resource kata.peerpods.io/vm to the pod specification. It also removes any resource-specific entries from the pod specification, if present. This enables the Kubernetes scheduler to account for these extended resources, ensuring the peer pod is only scheduled when resources are available.

The mutating webhook modifies a Kubernetes pod as follows:

  • The mutating webhook checks the pod for the expected RuntimeClassName value, specified in the TARGET_RUNTIME_CLASS environment variable. If the value in the pod specification does not match the value in the TARGET_RUNTIME_CLASS, the webhook exits without modifying the pod.

  • If the RuntimeClassName values match, the webhook makes the following changes to the pod spec:

    1. The webhook removes every resource specification from the resources field of all containers and init containers in the pod.
    2. The webhook adds the extended resource (kata.peerpods.io/vm) to the spec by modifying the resources field of the first container in the pod. The extended resource kata.peerpods.io/vm is used by the Kubernetes scheduler for accounting purposes.
Note

The mutating webhook excludes specific system namespaces in OpenShift Container Platform from mutation. If a peer pod is created in those system namespaces, then resource accounting using Kubernetes extended resources does not work unless the pod spec includes the extended resource.

As a best practice, define a cluster-wide policy to only allow peer pod creation in specific namespaces.

You can deploy OpenShift sandboxed containers on Google Cloud by using the OpenShift Container Platform web console to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.
  2. Optional: Enable port 15150 to allow internal communication with peer pods.
  3. Optional: Create the peer pods secret if you uninstalled the Cloud Credential Operator, which is installed with the OpenShift sandboxed containers Operator.
  4. Optional: Customize the Kata agent policy.
  5. Create the peer pods config map.
  6. Optional: Create the peer pod virtual machine (VM) image and VM image config map.
  7. Create the KataConfig custom resource.
  8. Configure the OpenShift sandboxed containers workload objects.

You can install the OpenShift sandboxed containers Operator by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. In the web console, navigate to OperatorsOperatorHub.
  2. In the Filter by keyword field, type OpenShift sandboxed containers.
  3. Select the OpenShift sandboxed containers Operator tile and click Install.
  4. On the Install Operator page, select stable from the list of available Update Channel options.

  5. Verify that Operator recommended Namespace is selected for Installed Namespace. This installs the Operator in the mandatory openshift-sandboxed-containers-operator namespace. If this namespace does not yet exist, it is automatically created.

    Note

    Attempting to install the OpenShift sandboxed containers Operator in a namespace other than openshift-sandboxed-containers-operator causes the installation to fail.

  6. Verify that Automatic is selected for Approval Strategy. Automatic is the default value, and enables automatic updates to OpenShift sandboxed containers when a new z-stream release is available.
  7. Click Install.
  8. Navigate to OperatorsInstalled Operators to verify that the Operator is installed.

5.2.2. Enabling port 15150 for Google Cloud
Copy link

You must enable port 15150 on the OpenShift Container Platform to allow internal communication with peer pods running on Compute Engine.

Prerequisites

  • You have installed the Google Cloud command line interface (CLI) tool.
  • You have access to the OpenShift Container Platform cluster as a user with the roles/container.admin role.

Procedure

  1. Set the project ID variable by running the following command: 

    $ export GCP_PROJECT_ID="<project_id>"

  2. Log in to Google Cloud by running the following command: 

    $ gcloud auth login

  3. Set the Google Cloud project ID by running the following command: 

    $ gcloud config set project ${GCP_PROJECT_ID}

  4. Open port 15150 by running the following command: 

    $ gcloud compute firewall-rules create allow-port-15150-restricted \
   --project=${GCP_PROJECT_ID} \
   --network=default \
   --allow=tcp:15150 \
   --source-ranges=<external_ip_cidr-1>[,<external_ip_cidr-2>,...]
    1
    1
    Specify one or more IP addresses or ranges in CIDR format, separated by commas. For example, 203.0.113.5/32,198.51.100.0/24.

Verification

  • Verify that port 15150 is open by running the following command: 

    $ gcloud compute firewall-rule list

5.2.3. Creating the peer pods secret
Copy link

When the peer pods secret is empty and the Cloud Credential Operator (CCO) is installed, the OpenShift sandboxed containers Operator uses the CCO to retrieve the secret. If you have uninstalled the CCO, you must create the peer pods secret for OpenShift sandboxed containers manually or the peer pods will fail to operate.

The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

By default, the OpenShift sandboxed containers Operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

Prerequisites

  • You have created a Google Cloud service account with permissions such as roles/compute.instanceAdmin.v1 to manage Compute Engine resources.

Procedure

  1. In the Google Cloud console, navigate to IAM & AdminService AccountsKeys and save your key as a JSON file.

  2. Convert the JSON file to a single line string by running the following command: 

    $ cat <key_file>.json | jq -c .
  3. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  4. Click the OpenShift sandboxed containers Operator tile.
  5. Click the Import icon (+) on the top right corner.

  6. In the Import YAML window, paste the following YAML manifest: 

    apiVersion: v1
kind: Secret
metadata:
  name: peer-pods-secret
  namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
  GCP_CREDENTIALS: "<gc_service_account_key_json>"
    1
    1
    Replace <gc_service_account_key_json> with the single-line string you created from the Google Cloud service account key JSON file.
  7. Click Save to apply the changes.
  8. Navigate to WorkloadsSecrets to verify the peer pods secret.

5.2.4. Creating the peer pods config map
Copy link

You must create the peer pods config map for OpenShift sandboxed containers.

Procedure

  1. Log in to your Compute Engine instance to set the following environmental variables:

    1. Get the project ID by running the following command: 

      $ GCP_PROJECT_ID=$(gcloud config get-value project)

    2. Get the zone by running the following command: 

      $ GCP_ZONE=$(gcloud config get-value compute/zone)

    3. Retrieve a list of network names by running the following command: 

      $ gcloud compute networks list --format="value(name)"

    4. Specify the network by running the following command: 

      $ GCP_NETWORK=<network_name>
      1
      1
      Replace <network_name> with the name of the network.
  2. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  3. Select the OpenShift sandboxed containers Operator from the list of operators.
  4. Click the Import icon (+) in the top right corner.

  5. In the Import YAML window, paste the following YAML manifest: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "gcp"
  PROXY_TIMEOUT: "5m"
  GCP_PROJECT_ID: "<gcp_project_id>"
    1 
    
  GCP_ZONE: "<gcp_zone>"
    2 
    
  GCP_MACHINE_TYPE: "e2-medium"
    3 
    
  GCP_NETWORK: "<gcp_network>"
    4 
    
  PEERPODS_LIMIT_PER_NODE: "10"
    5 
    
  TAGS: "key1=value1,key2=value2"
    6 
    
  DISABLECVM: "true"
    1
    Specify the project ID you want to use.
    2
    Specify the GCP_ZONE value that you retrieved. This zone will run the workload.
    3
    Specify the machine type that matches the requirements of your workload.
    4
    Specify the GCP_NETWORK value you retrieved.
    5
    Specify the maximum number of peer pods that can be created per node. The default value is 10.
    6
    You can configure custom tags as key:value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.
  6. Click Save to apply the changes.
  7. Navigate to WorkloadsConfigMaps to view the new config map.

5.2.5. Creating the peer pod VM image
Copy link

You must create a QCOW2 peer pod virtual machine (VM) image.

Prerequisites

  • You have installed podman.
  • You have access to a container registry.

Procedure

  1. Clone the OpenShift sandboxed containers repository by running the following command: 

    $ git clone https://github.com/openshift/sandboxed-containers-operator.git

  2. Navigate to sandboxed-containers-operator/config/peerpods/podvm/bootc by running the following command: 

    $ cd sandboxed-containers-operator/config/peerpods/podvm/bootc

  3. Log in to registry.redhat.io by running the following command: 

    $ podman login registry.redhat.io

    You must log in to registry.redhat.io, because the podman build process must access the Containerfile.rhel container image hosted on the registry.

  4. Set the image path for your container registry by running the following command: 

    $ IMG="<container_registry_url>/<username>/podvm-bootc:latest"

  5. Build the pod VM bootc image by running the following command: 

    $ podman build -t ${IMG} -f Containerfile.rhel .

  6. Log in to your container registry by running the following command: 

    $ podman login <container_registry_url>

  7. Push the image to your container registry by running the following command: 

    $ podman push ${IMG}

    For testing and development, you can make the image public.

  8. Verify the podvm-bootc image by running the following command: 

    $ podman images

    Example output

    REPOSITORY                               TAG     IMAGE ID      CREATED         SIZE
example.com/example_user/podvm-bootc     latest  88ddab975a07  2 seconds ago   1.82 GB

5.2.6. Creating the peer pod VM image config map
Copy link

Create a config map for the pod virtual machine (VM) image.

Procedure

  1. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  2. Select the OpenShift sandboxed containers Operator from the list of operators.
  3. Click the Import icon (+) in the top right corner.

  4. In the Import YAML window, paste the following YAML manifest: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: gc-podvm-image-cm
  namespace: openshift-sandboxed-containers-operator
data:
  IMAGE_TYPE: pre-built
  PODVM_IMAGE_URI: <container_registry_url>/<username>/podvm-bootc:latest
  IMAGE_BASE_NAME: "podvm-image"
  IMAGE_VERSION: "0-0-0"

  INSTALL_PACKAGES: "no"
  DISABLE_CLOUD_CONFIG: "true"
  UPDATE_PEERPODS_CM: "yes"
  BOOT_FIPS: "no"

  BOOTC_BUILD_CONFIG: |
    [[customizations.user]]
    name = "peerpod"
    password = "peerpod"
    groups = ["wheel", "root"]

    [[customizations.filesystem]]
    mountpoint = "/"
    minsize = "5 GiB"

    [[customizations.filesystem]]
    mountpoint = "/var/kata-containers"
    minsize = "15 GiB"
  5. Click Save to apply the changes.
  6. Navigate to WorkloadsConfigMaps to view the new config map.

5.2.7. Customizing the Kata agent policy
Copy link

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration: 

    package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default OnlineCPUMemRequest := true
default PullImageRequest := true
default ReadStreamRequest := true   # Enabled to allow log API
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StatsContainerRequest := true
default TtyWinResizeRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command: 

    $ base64 -w0 policy.rego

    Save the output for use in the yaml file.

  3. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  4. Select the OpenShift sandboxed containers Operator from the list of operators.
  5. Click the Import icon (+) in the top right corner.

  6. In the Import YAML window, paste the following YAML manifest and add the Base64-encoded policy to it: 

    apiVersion: v1
kind: Pod
metadata:
  name: <pod_name>
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault
  7. Click Save to apply the changes.

5.2.8. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata-remote as a RuntimeClass on your worker nodes.

The kata-remote runtime class is installed on all worker nodes by default. If you want to install kata-remote on specific nodes, you can add labels to those nodes and then define the label in the KataConfig CR.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors might increase the reboot time:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • Optional: You have installed the Node Feature Discovery Operator if you want to enable node eligibility checks.

Procedure

  1. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  2. Select the OpenShift sandboxed containers Operator.
  3. On the KataConfig tab, click Create KataConfig.

  4. Enter the following details:

    • Name: Optional: The default name is example-kataconfig.
    • Labels: Optional: Enter any relevant, identifying attributes to the KataConfig resource. Each label represents a key-value pair.
    • enablePeerPods: Select for public cloud, IBM Z®, and IBM® LinuxONE deployments.

    • kataConfigPoolSelector. Optional: To install kata-remote on selected nodes, add a match expression for the labels on the selected nodes:

      1. Expand the kataConfigPoolSelector area.
      2. In the kataConfigPoolSelector area, expand matchExpressions. This is a list of label selector requirements.
      3. Click Add matchExpressions.
      4. In the Key field, enter the label key the selector applies to.
      5. In the Operator field, enter the key’s relationship to the label values. Valid operators are In, NotIn, Exists, and DoesNotExist.
      6. Expand the Values area and then click Add value.
      7. In the Value field, enter true or false for key label value.
    • logLevel: Define the level of log data retrieved for nodes with the kata-remote runtime class.

  5. Click Create. The KataConfig CR is created and installs the kata-remote runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

Verification

  1. On the KataConfig tab, click the KataConfig CR to view its details.

  2. Click the YAML tab to view the status stanza.

    The status stanza contains the conditions and kataNodes keys. The value of status.kataNodes is an array of nodes, each of which lists nodes in a particular state of kata-remote installation. A message appears each time there is an update.

  3. Click Reload to refresh the YAML.

    When all workers in the status.kataNodes array display the values installed and conditions.InProgress: False with no specified reason, the kata-remote is installed on the cluster.

Additional resources
Verifying the pod VM image

After kata-remote is installed on your cluster, the OpenShift sandboxed containers Operator creates a pod VM image, which is used to create peer pods. This process can take a long time because the image is created on the cloud instance. You can verify that the pod VM image was created successfully by checking the config map that you created for the cloud provider.

Procedure

  1. Navigate to WorkloadsConfigMaps.
  2. Click the provider config map to view its details.
  3. Click the YAML tab.

  4. Check the status stanza of the YAML file.

    If the PODVM_IMAGE_NAME parameter is populated, the pod VM image was created successfully.

Troubleshooting

  1. Retrieve the events log by running the following command: 

    $ oc get events -n openshift-sandboxed-containers-operator --field-selector involvedObject.name=osc-podvm-image-creation

  2. Retrieve the job log by running the following command: 

    $ oc logs -n openshift-sandboxed-containers-operator jobs/osc-podvm-image-creation

If you cannot resolve the issue, submit a Red Hat Support case and attach the output of both logs.

5.2.9. Configuring workload objects
Copy link

You must configure OpenShift sandboxed containers workload objects by setting kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata-remote
# ...

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers, using peer pods.

You can deploy OpenShift sandboxed containers on Google Cloud by using the command line interface (CLI) to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.
  2. Optional: Enable port 15150 to allow internal communication with peer pods.
  3. Optional: Create the peer pods secret if you uninstalled the Cloud Credential Operator, which is installed with the OpenShift sandboxed containers Operator.
  4. Create the peer pods config map.
  5. Create the pod VM image config map.
  6. Optional: Customize the Kata agent policy.
  7. Create the KataConfig custom resource.
  8. Optional: Modify the number of virtual machines running on each worker node.
  9. Configure the OpenShift sandboxed containers workload objects.

You can install the OpenShift sandboxed containers Operator by using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an osc-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator

  2. Create the namespace by running the following command: 

    $ oc apply -f osc-namespace.yaml

  3. Create an osc-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: sandboxed-containers-operator-group
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator

  4. Create the operator group by running the following command: 

    $ oc apply -f osc-operatorgroup.yaml

  5. Create an osc-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.9.0

  6. Create the subscription by running the following command: 

    $ oc apply -f osc-subscription.yaml

  7. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n openshift-sandboxed-containers-operator

    This command can take several minutes to complete.

  8. Watch the process by running the following command: 

    $ watch oc get csv -n openshift-sandboxed-containers-operator

    Example output

    NAME                             DISPLAY                                  VERSION             REPLACES                   PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.9.0    1.8.1        Succeeded

5.3.2. Enabling port 15150 for Google Cloud
Copy link

You must enable port 15150 on the OpenShift Container Platform to allow internal communication with peer pods running on Compute Engine.

Prerequisites

  • You have installed the Google Cloud command line interface (CLI) tool.
  • You have access to the OpenShift Container Platform cluster as a user with the roles/container.admin role.

Procedure

  1. Set the project ID variable by running the following command: 

    $ export GCP_PROJECT_ID="<project_id>"

  2. Log in to Google Cloud by running the following command: 

    $ gcloud auth login

  3. Set the Google Cloud project ID by running the following command: 

    $ gcloud config set project ${GCP_PROJECT_ID}

  4. Open port 15150 by running the following command: 

    $ gcloud compute firewall-rules create allow-port-15150-restricted \
   --project=${GCP_PROJECT_ID} \
   --network=default \
   --allow=tcp:15150 \
   --source-ranges=<external_ip_cidr-1>[,<external_ip_cidr-2>,...]
    1
    1
    Specify one or more IP addresses or ranges in CIDR format, separated by commas. For example, 203.0.113.5/32,198.51.100.0/24.

Verification

  • Verify that port 15150 is open by running the following command: 

    $ gcloud compute firewall-rule list

5.3.3. Creating the peer pods secret
Copy link

When the peer pods secret is empty and the Cloud Credential Operator (CCO) is installed, the OpenShift sandboxed containers Operator uses the CCO to retrieve the secret. If you have uninstalled the CCO, you must create the peer pods secret for OpenShift sandboxed containers manually or the peer pods will fail to operate.

The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

By default, the OpenShift sandboxed containers Operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

Prerequisites

  • You have created a Google Cloud service account with permissions such as roles/compute.instanceAdmin.v1 to manage Compute Engine resources.
  • You have installed the Google Cloud SDK (gcloud) and authenticated it with your service account.

Procedure

  1. Create a Google Cloud service account key and save it as a JSON file by running the following command: 

    $ gcloud iam service-accounts keys create <key_filename>.json \
  --iam-account=<service_account_email_address>

  2. Convert the JSON file to a single line string by running the following command: 

    $ cat <key_file>.json | jq -c .

  3. Create a peer-pods-secret.yaml manifest file according to the following example: 

    apiVersion: v1
kind: Secret
metadata:
  name: peer-pods-secret
  namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
  GCP_CREDENTIALS: "<gc_service_account_key_json>"
    1
    1
    Replace <gc_service_account_key_json> with the single-line string you created from the Google Cloud service account key JSON file.

  4. Create the secret by running the following command: 

    $ oc apply -f peer-pods-secret.yaml

5.3.4. Creating the peer pods config map
Copy link

You must create the peer pods config map for OpenShift sandboxed containers.

Procedure

  1. Log in to your Compute Engine instance to set the following environmental variables:

    1. Get the project ID by running the following command: 

      $ GCP_PROJECT_ID=$(gcloud config get-value project)

    2. Get the zone by running the following command: 

      $ GCP_ZONE=$(gcloud config get-value compute/zone)

    3. Retrieve a list of network names by running the following command: 

      $ gcloud compute networks list --format="value(name)"

    4. Specify the network by running the following command: 

      $ GCP_NETWORK=<network_name>
      1
      1
      Replace <network_name> with the name of the network.

  2. Create a peer-pods-cm.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "gcp"
  PROXY_TIMEOUT: "5m"
  GCP_PROJECT_ID: "<gcp_project_id>"
    1 
    
  GCP_ZONE: "<gcp_zone>"
    2 
    
  GCP_MACHINE_TYPE: "e2-medium"
    3 
    
  GCP_NETWORK: "<gcp_network>"
    4 
    
  PEERPODS_LIMIT_PER_NODE: "10"
    5 
    
  TAGS: "key1=value1,key2=value2"
    6 
    
  DISABLECVM: "true"
    1
    Specify the project ID you want to use.
    2
    Specify the GCP_ZONE value that you retrieved. This zone will run the workload.
    3
    Specify the machine type that matches the requirements of your workload.
    4
    Specify the GCP_NETWORK value you retrieved.
    5
    Specify the maximum number of peer pods that can be created per node. The default value is 10.
    6
    You can configure custom tags as key:value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.

  3. Create the config map by running the following command: 

    $ oc apply -f peer-pods-cm.yaml

5.3.5. Creating the peer pod VM image
Copy link

You must create a QCOW2 peer pod virtual machine (VM) image.

Prerequisites

  • You have installed podman.
  • You have access to a container registry.

Procedure

  1. Clone the OpenShift sandboxed containers repository by running the following command: 

    $ git clone https://github.com/openshift/sandboxed-containers-operator.git

  2. Navigate to sandboxed-containers-operator/config/peerpods/podvm/bootc by running the following command: 

    $ cd sandboxed-containers-operator/config/peerpods/podvm/bootc

  3. Log in to registry.redhat.io by running the following command: 

    $ podman login registry.redhat.io

    You must log in to registry.redhat.io, because the podman build process must access the Containerfile.rhel container image hosted on the registry.

  4. Set the image path for your container registry by running the following command: 

    $ IMG="<container_registry_url>/<username>/podvm-bootc:latest"

  5. Build the pod VM bootc image by running the following command: 

    $ podman build -t ${IMG} -f Containerfile.rhel .

  6. Log in to your container registry by running the following command: 

    $ podman login <container_registry_url>

  7. Push the image to your container registry by running the following command: 

    $ podman push ${IMG}

    For testing and development, you can make the image public.

  8. Verify the podvm-bootc image by running the following command: 

    $ podman images

    Example output

    REPOSITORY                               TAG     IMAGE ID      CREATED         SIZE
example.com/example_user/podvm-bootc     latest  88ddab975a07  2 seconds ago   1.82 GB

5.3.6. Creating the peer pod VM image config map
Copy link

Create a config map for the pod virtual machine (VM) image.

Procedure

  1. Create a config map manifest for the pod VM image named gc-podvm-image-cm.yaml with the following content: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: gc-podvm-image-cm
  namespace: openshift-sandboxed-containers-operator
data:
  IMAGE_TYPE: pre-built
  PODVM_IMAGE_URI: <container_registry_url>/<username>/podvm-bootc:latest
  IMAGE_BASE_NAME: "podvm-image"
  IMAGE_VERSION: "0-0-0"

  INSTALL_PACKAGES: "no"
  DISABLE_CLOUD_CONFIG: "true"
  UPDATE_PEERPODS_CM: "yes"
  BOOT_FIPS: "no"

  BOOTC_BUILD_CONFIG: |
    [[customizations.user]]
    name = "peerpod"
    password = "peerpod"
    groups = ["wheel", "root"]

    [[customizations.filesystem]]
    mountpoint = "/"
    minsize = "5 GiB"

    [[customizations.filesystem]]
    mountpoint = "/var/kata-containers"
    minsize = "15 GiB"

  2. Create the config map by running the following command: 

    $ oc apply -f gc-podvm-image-cm.yaml

5.3.7. Customizing the Kata agent policy
Copy link

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration: 

    package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default OnlineCPUMemRequest := true
default PullImageRequest := true
default ReadStreamRequest := true   # Enabled to allow log API
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StatsContainerRequest := true
default TtyWinResizeRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command: 

    $ base64 -w0 policy.rego

    Save the output for use in the yaml file.

  3. Add the Base64-encoded policy to a my-pod.yaml pod specification file: 

    apiVersion: v1
kind: Pod
metadata:
  name: <pod_name>
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault

  4. Apply the pod manifest by running the following command: 

    $ oc apply -f my-pod.yaml

5.3.8. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

Creating the KataConfig CR triggers the OpenShift sandboxed containers Operator to do the following:

  • Create a RuntimeClass CR named kata-remote with a default configuration. This enables users to configure workloads to use kata-remote as the runtime by referencing the CR in the RuntimeClassName field. This CR also specifies the resource overhead for the runtime.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    1
    Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, osc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc apply -f example-kataconfig.yaml

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds

  5. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass

    Example output

    NAME             HANDLER          AGE
kata             kata             152m
kata-remote      kata-remote      152m

You can modify the limit of peer pod virtual machines (VMs) per node by editing the peerpodConfig custom resource (CR).

Procedure

  1. Check the current limit by running the following command: 

    $ oc get peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
-o jsonpath='{.spec.limit}{"\n"}'

  2. Modify the limit attribute of the peerpodConfig CR by running the following command: 

    $ oc patch peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
--type merge --patch '{"spec":{"limit":"<value>"}}'
    1
    1
    Replace <value> with the limit you want to define.
Verifying the pod VM image

After kata-remote is installed on your cluster, the OpenShift sandboxed containers Operator creates a pod VM image, which is used to create peer pods. This process can take a long time because the image is created on the cloud instance. You can verify that the pod VM image was created successfully by checking the config map that you created for the cloud provider.

Procedure

  1. Obtain the config map you created for the peer pods: 

    $ oc get configmap peer-pods-cm -n openshift-sandboxed-containers-operator -o yaml

  2. Check the status stanza of the YAML file.

    If the PODVM_IMAGE_NAME parameter is populated, the pod VM image was created successfully.

Troubleshooting

  1. Retrieve the events log by running the following command: 

    $ oc get events -n openshift-sandboxed-containers-operator --field-selector involvedObject.name=osc-podvm-image-creation

  2. Retrieve the job log by running the following command: 

    $ oc logs -n openshift-sandboxed-containers-operator jobs/osc-podvm-image-creation

If you cannot resolve the issue, submit a Red Hat Support case and attach the output of both logs.

5.3.10. Configuring workload objects
Copy link

You must configure OpenShift sandboxed containers workload objects by setting kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata-remote
# ...

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers, using peer pods.

You can deploy OpenShift sandboxed containers on IBM Z® and IBM® LinuxONE.

OpenShift sandboxed containers deploys peer pods. The peer pod design circumvents the need for nested virtualization. For more information, see peer pod and Peer pods technical deep dive.

Important

OpenShift sandboxed containers on IBM Z® and IBM® LinuxONE is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Cluster requirements

  • You have installed Red Hat OpenShift Container Platform 4.14 or later on the cluster where you are installing the OpenShift sandboxed containers Operator.
  • Your cluster has three control plane nodes and at least two worker nodes.
  • Your cluster nodes and peer pods are in the same IBM Z® KVM host logical partition (LPAR).
  • Your cluster nodes and peer pods are connected to the same subnet.

For details on installing OpenShift Container Platform on IBM Z® and IBM® LinuxONE see Installing on IBM Z® and IBM® LinuxONE.

6.1. Peer pod resource requirements
Copy link

You must ensure that your cluster has sufficient resources.

Peer pod virtual machines (VMs) require resources in two locations:

  • The worker node. The worker node stores metadata, Kata shim resources (containerd-shim-kata-v2), remote-hypervisor resources (cloud-api-adaptor), and the tunnel setup between the worker nodes and the peer pod VM.
  • The libvirt virtual machine instance. This is the actual peer pod VM running in the LPAR (KVM host).

The CPU and memory resources used in the Kubernetes worker node are handled by the pod overhead included in the RuntimeClass (kata-remote) definition used for creating peer pods.

The total number of peer pod VMs running in the cloud is defined as Kubernetes Node extended resources. This limit is per node and is set by the PEERPODS_LIMIT_PER_NODE attribute in the peer-pods-cm config map.

The extended resource is named kata.peerpods.io/vm, and enables the Kubernetes scheduler to handle capacity tracking and accounting.

You can edit the limit per node based on the requirements for your environment after you install the OpenShift sandboxed containers Operator.

A mutating webhook adds the extended resource kata.peerpods.io/vm to the pod specification. It also removes any resource-specific entries from the pod specification, if present. This enables the Kubernetes scheduler to account for these extended resources, ensuring the peer pod is only scheduled when resources are available.

The mutating webhook modifies a Kubernetes pod as follows:

  • The mutating webhook checks the pod for the expected RuntimeClassName value, specified in the TARGET_RUNTIME_CLASS environment variable. If the value in the pod specification does not match the value in the TARGET_RUNTIME_CLASS, the webhook exits without modifying the pod.

  • If the RuntimeClassName values match, the webhook makes the following changes to the pod spec:

    1. The webhook removes every resource specification from the resources field of all containers and init containers in the pod.
    2. The webhook adds the extended resource (kata.peerpods.io/vm) to the spec by modifying the resources field of the first container in the pod. The extended resource kata.peerpods.io/vm is used by the Kubernetes scheduler for accounting purposes.
Note

The mutating webhook excludes specific system namespaces in OpenShift Container Platform from mutation. If a peer pod is created in those system namespaces, then resource accounting using Kubernetes extended resources does not work unless the pod spec includes the extended resource.

As a best practice, define a cluster-wide policy to only allow peer pod creation in specific namespaces.

You can deploy OpenShift sandboxed containers on IBM Z® and IBM® LinuxONE by using the command line interface (CLI) to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.
  2. Optional: Configure the libvirt volume.
  3. Optional: Create a custom peer pod VM image.
  4. Create the peer pods secret.
  5. Create the peer pods config map.
  6. Create the pod VM image config map.
  7. Create the KVM host secret.
  8. Optional: Select a custom peer pod VM image.
  9. Optional: Customize the Kata agent policy.
  10. Create the KataConfig custom resource.
  11. Optional: Modify the number of virtual machines running on each worker node.
  12. Configure the OpenShift sandboxed containers workload objects.

You can install the OpenShift sandboxed containers Operator by using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an osc-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator

  2. Create the namespace by running the following command: 

    $ oc apply -f osc-namespace.yaml

  3. Create an osc-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: sandboxed-containers-operator-group
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator

  4. Create the operator group by running the following command: 

    $ oc apply -f osc-operatorgroup.yaml

  5. Create an osc-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.9.0

  6. Create the subscription by running the following command: 

    $ oc apply -f osc-subscription.yaml

  7. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n openshift-sandboxed-containers-operator

    This command can take several minutes to complete.

  8. Watch the process by running the following command: 

    $ watch oc get csv -n openshift-sandboxed-containers-operator

    Example output

    NAME                             DISPLAY                                  VERSION             REPLACES                   PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.9.0    1.8.1        Succeeded

6.2.2. Configuring the libvirt volume
Copy link

The OpenShift sandboxed containers Operator configures the libvirt volume and pool on your KVM host automatically during installation. If required, you can manually configure or create additional libvirt volumes and pools.

Prerequisites

  • You have installed the OpenShift sandboxed containers Operator on your OpenShift Container Platform cluster by using the OpenShift Container Platform web console or the command line.
  • You have administrator privileges for your KVM host.
  • You have installed podman on your KVM host.
  • You have installed virt-customize on your KVM host.
  • You have a /var/lib/libvirt/images/ directory for your images.

Procedure

  1. Log in to the KVM host.

  2. Set the name of the libvirt pool by running the following command: 

    $ export LIBVIRT_POOL=<libvirt_pool>

    You need the LIBVIRT_POOL value to create the secret for the libvirt provider.

  3. Set the name of the libvirt volume by running the following command: 

    $ export LIBVIRT_VOL_NAME=<libvirt_volume>

    You need the LIBVIRT_VOL_NAME value to create the secret for the libvirt provider.

  4. Set the path of the default storage pool location, by running the following command: 

    $ export LIBVIRT_POOL_DIRECTORY="/var/lib/libvirt/images/"

  5. Create a libvirt pool by running the following command: 

    $ virsh pool-define-as $LIBVIRT_POOL --type dir --target "$LIBVIRT_POOL_DIRECTORY"

  6. Start the libvirt pool by running the following command: 

    $ virsh pool-start $LIBVIRT_POOL

  7. Create a libvirt volume for the pool by running the following command: 

    $ virsh -c qemu:///system \
  vol-create-as --pool $LIBVIRT_POOL \
  --name $LIBVIRT_VOL_NAME \
  --capacity 20G \
  --allocation 2G \
  --prealloc-metadata \
  --format qcow2

6.2.3. Creating a custom peer pod VM image
Copy link

You can create a custom peer pod virtual machine (VM) image instead of using the default Operator-built image.

You build an Open Container Initiative (OCI) container with the peer pod QCOW2 image. Later, you add the container registry URL and the image path to the peer pod VM image config map.

Procedure

  1. Create a Dockerfile.podvm-oci file: 

    FROM scratch

ARG PODVM_IMAGE_SRC
ENV PODVM_IMAGE_PATH="/image/podvm.qcow2"

COPY $PODVM_IMAGE_SRC $PODVM_IMAGE_PATH

  2. Build a container with the pod VM QCOW2 image by running the following command: 

    $ docker build -t podvm-libvirt \
  --build-arg PODVM_IMAGE_SRC=<podvm_image_source> \
    1 
    
  --build-arg PODVM_IMAGE_PATH=<podvm_image_path> \
    2 
    
  -f Dockerfile.podvm-oci .
    1
    Specify the QCOW2 image source on the host.
    2
    Optional: Specify the path of the QCOW2 image if you do not use the default, /image/podvm.qcow2.

6.2.4. Updating the peer pods secret
Copy link

You must update the peer pods secret.

The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

By default, the OpenShift sandboxed containers Operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

Prerequisites

  • LIBVIRT_URI. This value is the default gateway IP address of the libvirt network. Check your libvirt network setup to obtain this value.

    Note

    If libvirt uses the default bridge virtual network, you can obtain the LIBVIRT_URI by running the following commands: 

    $ virtint=$(bridge_line=$(virsh net-info default | grep Bridge);  echo "${bridge_line//Bridge:/}" | tr -d [:blank:])

$ LIBVIRT_URI=$( ip -4 addr show $virtint | grep -oP '(?<=inet\s)\d+(\.\d+){3}')

$ LIBVIRT_GATEWAY_URI="qemu+ssh://root@${LIBVIRT_URI}/system?no_verify=1"
  • REDHAT_OFFLINE_TOKEN. You have generated this token to download the RHEL image at Red Hat API Tokens.

Procedure

  1. Create a peer-pods-secret.yaml manifest file according to the following example: 

    apiVersion: v1
kind: Secret
metadata:
  name: peer-pods-secret
  namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
  CLOUD_PROVIDER: "libvirt"
  LIBVIRT_URI: "<libvirt_gateway_uri>"
    1 
    
  REDHAT_OFFLINE_TOKEN: "<rh_offline_token>"
    2
    1
    Specify the libvirt URI.
    2
    Specify the Red Hat offline token, which is required for the Operator-built image.

  2. Create the secret by running the following command: 

    $ oc apply -f peer-pods-secret.yaml

6.2.5. Creating the peer pods config map
Copy link

You must create the peer pods config map for OpenShift sandboxed containers.

Procedure

  1. Create a peer-pods-cm.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "libvirt"
  PEERPODS_LIMIT_PER_NODE: "10"
    1 
    
  LIBVIRT_POOL: "<libvirt_pool>"
    2 
    
  LIBVIRT_VOL_NAME: "<libvirt_volume>"
    3 
    
  LIBVIRT_DIR_NAME: "/var/lib/libvirt/images/<directory_name>"
    4 
    
  LIBVIRT_NET: "default"
    5 
    
  DISABLECVM: "true"
    1
    Specify the maximum number of peer pods that can be created per node. The default value is 10.
    2
    Specify the libvirt pool. If you have manually configured the libvirt pool, use the same name as in your KVM host configuration.
    3
    Specify the libvirt volume name. If you have manually configured the libvirt volume, use the same name as in your KVM host configuration.
    4
    Specify the libvirt directory for storing virtual machine disk images, such as .qcow2, or .raw files. To ensure libvirt has read and write access permissions, use a subdirectory of the libvirt storage directory. The default is /var/lib/libvirt/images/.
    5
    Optional: Specify a libvirt network if you do not want to use the default network.

  2. Create the config map by running the following command: 

    $ oc apply -f peer-pods-cm.yaml

6.2.6. Creating the peer pod VM image config map
Copy link

You must create a config map for the peer pod virtual machine (VM) image.

Prerequisites

  • You must create an activation key by using the Red Hat Hybrid Cloud Console.
  • Optional: If you want to use a Cloud API Adaptor custom image, you must have the name, URL, and the branch or tag of the image.

Procedure

  1. Create a libvirt-podvm-image-cm.yaml manifest according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: libvirt-podvm-image-cm
  namespace: openshift-sandboxed-containers-operator
data:
  PODVM_DISTRO: "rhel"
  DOWNLOAD_SOURCES: "no"
    1 
    
  CAA_SRC: "https://github.com/confidential-containers/cloud-api-adaptor"
    2 
    
  CAA_REF: "main"
    3 
    
  CONFIDENTIAL_COMPUTE_ENABLED: "yes"
  UPDATE_PEERPODS_CM: "yes"
  ORG_ID: "<rhel_organization_id>"
  ACTIVATION_KEY: "<rhel_activation_key>"
    4 
    
  IMAGE_NAME: "<podvm_libvirt_image>"
    5 
    
  PODVM_IMAGE_URI: "oci::<image_repo_url>:<image_tag>::<image_path>"
    6 
    
  SE_BOOT: "true"
    7 
    
  BASE_OS_VERSION: "<rhel_image_os_version>"
    8
    1
    Specify yes if you want to use the custom Cloud API Adaptor source to build the pod VM image.
    2
    Optional: Specify the URL of the Cloud API Adaptor custom image.
    3
    Optional: Specify the branch or tag of the Cloud API Adaptor custom image.
    4
    Specify your RHEL activation key.
    5
    Specify the custom peer pod VM image name.
    6
    Optional: If you created a custom peer pod VM image, specify the container registry URL, the image tag, and the image path (default: /image/podvm.qcow2). Otherwise, set the value to "".
    7
    The default value, true, enables IBM Secure Execution for the default Operator-built image. If you use a custom peer pod VM image, set it to false .
    8
    Specify the RHEL image operating system version. IBM Z® Secure Execution supports RHEL 9.5 and later versions.

  2. Create the config map by running the following command: 

    $ oc apply -f libvirt-podvm-image-cm.yaml

    The libvirt pod VM image config map is created for your libvirt provider.

6.2.7. Creating the KVM host secret
Copy link

You must create the secret for your KVM host.

Procedure

  1. Generate an SSH key pair by running the following command: 

    $ ssh-keygen -f ./id_rsa -N ""

  2. Copy the public SSH key to your KVM host: 

    $ ssh-copy-id -i ./id_rsa.pub <KVM_HOST_IP>
    1
    1
    Specify the IP address of your KVM host or the LPAR where the peer pod VM is running. For example, 192.168.122.1.

  3. Create the Secret object by running the following command: 

    $ oc create secret generic ssh-key-secret \
  -n openshift-sandboxed-containers-operator \
  --from-file=id_rsa.pub=./id_rsa.pub \
  --from-file=id_rsa=./id_rsa

  4. Delete the SSH keys you created: 

    $ shred --remove id_rsa.pub id_rsa

6.2.8. Selecting a custom peer pod VM image
Copy link

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map. You create a new libvirt volume in your libvirt pool and upload the custom peer pod VM image to the new volume. Then, you update the pod manifest to use the custom peer pod VM image.

Prerequisites

  • The ID of the custom pod VM image to use, compatible with the cloud provider or hypervisor, is available.

Procedure

  1. Set the name of the libvirt pool by running the following command: 

    $ export LIBVIRT_POOL=<libvirt_pool>
    1
    1
    Specify the existing libvirt pool name.

  2. Set the name of the new libvirt volume by running the following command: 

    $ export LIBVIRT_VOL_NAME=<new_libvirt_volume>

  3. Create a libvirt volume for the pool by running the following command: 

    $ virsh -c qemu:///system \
  vol-create-as --pool $LIBVIRT_POOL \
  --name $LIBVIRT_VOL_NAME \
  --capacity 20G \
  --allocation 2G \
  --prealloc-metadata \
  --format qcow2

  4. Upload the custom peer pod VM image to the libvirt volume: 

    $ virsh -c qemu:///system vol-upload \
  --vol $LIBVIRT_VOL_NAME <custom_podvm_image.qcow2> \
    1 
    
  --pool $LIBVIRT_POOL --sparse
    1
    Specify the custom peer pod VM image name.

  5. Create a pod-manifest.yaml manifest file according to the following example: 

    apiVersion: v1
kind: Pod
metadata:
  name: pod-manifest
  annotations:
    io.katacontainers.config.hypervisor.image: "<new_libvirt_volume>"
    1 
    
spec:
  runtimeClassName: kata-remote
    2 
    
  containers:
  - name: <example_container>
    3 
    
    image: registry.access.redhat.com/ubi9/ubi:9.3
    command: ["sleep", "36000"]
    1
    Specify the libvirt volume name where you have uploaded the custom peer pod VM image.
    2
    Ensure that the runtimeClassName field is set to kata-remote to create a peer pod.
    3
    Specify the container name.

  6. Create the pod by running the following command: 

    $ oc apply -f pod-manifest.yaml

6.2.9. Customizing the Kata agent policy
Copy link

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration: 

    package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default OnlineCPUMemRequest := true
default PullImageRequest := true
default ReadStreamRequest := true   # Enabled to allow log API
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StatsContainerRequest := true
default TtyWinResizeRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command: 

    $ base64 -w0 policy.rego

    Save the output for use in the yaml file.

  3. Add the Base64-encoded policy to a my-pod.yaml pod specification file: 

    apiVersion: v1
kind: Pod
metadata:
  name: <pod_name>
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault

  4. Apply the pod manifest by running the following command: 

    $ oc apply -f my-pod.yaml

6.2.10. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

Creating the KataConfig CR triggers the OpenShift sandboxed containers Operator to do the following:

  • Create a RuntimeClass CR named kata-remote with a default configuration. This enables users to configure workloads to use kata-remote as the runtime by referencing the CR in the RuntimeClassName field. This CR also specifies the resource overhead for the runtime.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    1
    Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, osc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc apply -f example-kataconfig.yaml

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify that you have built the peer pod image and uploaded it to the libvirt volume by running the following command: 

    $ oc describe configmap peer-pods-cm -n openshift-sandboxed-containers-operator

    Example output

    Name: peer-pods-cm
Namespace: openshift-sandboxed-containers-operator
Labels: <none>
Annotations: <none>

Data
====
CLOUD_PROVIDER: libvirt

BinaryData
====
Events: <none>

  5. Monitor the kata-oc machine config pool progress to ensure that it is in the UPDATED state, when UPDATEDMACHINECOUNT equals MACHINECOUNT, by running the following command: 

    $ watch oc get mcp/kata-oc

  6. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds

  7. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass

    Example output

    NAME             HANDLER          AGE
kata             kata             152m
kata-remote      kata-remote      152m

You can modify the limit of peer pod virtual machines (VMs) per node by editing the peerpodConfig custom resource (CR).

Procedure

  1. Check the current limit by running the following command: 

    $ oc get peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
-o jsonpath='{.spec.limit}{"\n"}'

  2. Modify the limit attribute of the peerpodConfig CR by running the following command: 

    $ oc patch peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
--type merge --patch '{"spec":{"limit":"<value>"}}'
    1
    1
    Replace <value> with the limit you want to define.

6.2.12. Configuring workload objects
Copy link

You must configure OpenShift sandboxed containers workload objects by setting kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata-remote
# ...

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers, using peer pods.

You can deploy Confidential Containers on Microsoft Azure Cloud Computing Services after you deploy OpenShift sandboxed containers.

Important

Confidential Containers on Azure is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Cluster requirements

  • You have configured outbound connectivity for the pod VM subnet.
  • You have installed Red Hat OpenShift Container Platform 4.15 or later on the cluster where you are installing the Confidential compute attestation Operator.

You deploy Confidential Containers by performing the following steps:

  1. Install the Confidential compute attestation Operator.
  2. Create the route for Trustee.
  3. Enable the Confidential Containers feature gate.
  4. Create initdata.
  5. Update the peer pods config map.
  6. Optional: Customize the Kata agent policy.
  7. Delete the KataConfig custom resource (CR).
  8. Re-create the KataConfig CR.
  9. Create the Trustee authentication secret.
  10. Create the Trustee config map.
  11. Configure Trustee values, policies, and secrets.
  12. Create the KbsConfig CR.
  13. Verify the Trustee configuration.
  14. Verify the attestation process.

You can install the Confidential compute attestation Operator on Azure by using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create a trustee-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: trustee-operator-system

  2. Create the trustee-operator-system namespace by running the following command: 

    $ oc apply -f trustee-namespace.yaml

  3. Create a trustee-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: trustee-operator-group
  namespace: trustee-operator-system
spec:
  targetNamespaces:
  - trustee-operator-system

  4. Create the operator group by running the following command: 

    $ oc apply -f trustee-operatorgroup.yaml

  5. Create a trustee-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: trustee-operator-system
  namespace: trustee-operator-system
spec:
  channel: stable
  installPlanApproval: Automatic
  name: trustee-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace

  6. Create the subscription by running the following command: 

    $ oc apply -f trustee-subscription.yaml

  7. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n trustee-operator-system

    This command can take several minutes to complete.

  8. Watch the process by running the following command: 

    $ watch oc get csv -n trustee-operator-system

    Example output

    NAME                      DISPLAY                        PHASE
trustee-operator.v0.3.0   Trustee Operator  0.3.0        Succeeded

You must enable the Confidential Containers feature gate.

Prerequisites

  • You have subscribed to the OpenShift sandboxed containers Operator.

Procedure

  1. Create a cc-feature-gate.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: osc-feature-gates
  namespace: openshift-sandboxed-containers-operator
data:
  confidential: "true"

  2. Create the config map by running the following command: 

    $ oc apply -f cc-feature-gate.yaml

7.3. Creating the route for Trustee
Copy link

You can create a secure route with edge TLS termination for Trustee. External ingress traffic reaches the router pods as HTTPS and passes on to the Trustee pods as HTTP.

Prerequisites

  • You have installed the Confidential compute attestation Operator.

Procedure

  1. Create an edge route by running the following command: 

    $ oc create route edge --service=kbs-service --port kbs-port \
  -n trustee-operator-system
    Note

    Note: Currently, only a route with a valid CA-signed certificate is supported. You cannot use a route with self-signed certificate.

  2. Set the TRUSTEE_HOST variable by running the following command: 

    $ TRUSTEE_HOST=$(oc get route -n trustee-operator-system kbs-service \
  -o jsonpath={.spec.host})

  3. Verify the route by running the following command: 

    $ echo $TRUSTEE_HOST

    Example output

    kbs-service-trustee-operator-system.apps.memvjias.eastus.aroapp.io

    Record this value for the peer pods config map.

7.4. About initdata
Copy link

The initdata specification provides a flexible way to initialize a peer pod with sensitive or workload-specific data at runtime, avoiding the need to embed such data in the virtual machine (VM) image. This enhances security by reducing exposure of confidential information and improves flexibility by eliminating custom image builds. For example, initdata can include three configuration settings:

  • An X.509 certificate for secure communication.
  • A cryptographic key for authentication.
  • An optional Kata Agent policy.rego file to enforce runtime behavior when overriding the default Kata Agent policy.

You can apply an initdata configuration by using one of the following methods:

  • Globally by including it in the peer pods config map, setting a cluster-wide default for all pods.

  • For a specific pod when configuring a pod workload object, allowing customization for individual workloads.

    The io.katacontainers.config.runtime.cc_init_data annotation you specify when configuring a pod workload object overrides the global INITDATA setting in the peer pods config map for that specific pod. The Kata runtime handles this precedence automatically at pod creation time.

The initdata content configures the following components:

  • Attestation Agent (AA), which verifies the trustworthiness of the peer pod by sending evidence to the Trustee for attestation.
  • Confidential Data Hub (CDH), which manages secrets and secure data access within the peer pod VM.
  • Kata Agent, which enforces runtime policies and manages the lifecycle of the containers inside the pod VM.

7.5. Creating initdata
Copy link

Create a TOML file with initdata and convert it to a Base64-encoded string. Use this string to specify the value in the peer pods config map, in the peer pod manifest, or in the verification-pod.yaml file.

Important

You must delete the kbs_cert setting if you configure insecure_http = true in the Trustee config map.

Procedure

  1. Create the initdata.toml configuration file: 

    ```toml
algorithm = "sha384"
version = "0.1.0"

[data]
"aa.toml" = '''
[token_configs]
[token_configs.coco_as]
url = '<url>:<port>'
    1 
    


[token_configs.kbs]
url = '<url>:<port>'
cert = """
-----BEGIN CERTIFICATE-----
<kbs_certificate>
    2 
    
-----END CERTIFICATE-----
"""
'''

"cdh.toml"  = '''
socket = 'unix:///run/confidential-containers/cdh.sock'
credentials = []

[kbc]
name = 'cc_kbc'
url = '<url>:<port>'
kbs_cert = """
    3 
    
-----BEGIN CERTIFICATE-----
<kbs_certificate>
    4 
    
-----END CERTIFICATE-----
"""
'''

"policy.rego" = '''
    5 
    
package agent_policy

default AddARPNeighborsRequest := true
default AddSwapRequest := true
default CloseStdinRequest := true
default CopyFileRequest := true
default CreateContainerRequest := true
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true
default GetMetricsRequest := true
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default ListInterfacesRequest := true
default ListRoutesRequest := true
default MemHotplugByProbeRequest := true
default OnlineCPUMemRequest := true
default PauseContainerRequest := true
default PullImageRequest := true
default ReadStreamRequest := true
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default ReseedRandomDevRequest := true
default ResumeContainerRequest := true
default SetGuestDateTimeRequest := true
default SetPolicyRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StartTracingRequest := true
default StatsContainerRequest := true
default StopTracingRequest := true
default TtyWinResizeRequest := true
default UpdateContainerRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := true
'''
```
    1
    Specify the URL and port of the Trustee instance. If you configure the Trustee with insecure_http for testing purposes, use HTTP. Otherwise, use HTTPS. For production systems, avoid using insecure_http unless you configure your environment to handle TLS externally, for example, with a proxy.
    2
    Specify the Base64-encoded TLS certificate for the attestation agent. This is not required for testing purposes, but it is recommended for production systems.
    3
    Delete the kbs_cert setting if you configure insecure_http = true in the Trustee config map.
    4
    Specify the Base64-encoded TLS certificate for the Trustee instance.
    5
    Optional: You can specify a custom Kata Agent policy.

  2. Convert the initdata.toml file to a Base64-encoded string in a text file by running the following command: 

    $ base64 -w0 initdata.toml > initdata.txt

7.6. Updating the peer pods config map
Copy link

You must update the peer pods config map for Confidential Containers.

Note

Set Secure Boot to true to enable it by default. The default value is false, which presents a security risk.

Procedure

  1. Obtain the following values from your Azure instance:

    1. Retrieve and record the Azure resource group: 

      $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}') && echo "AZURE_RESOURCE_GROUP: \"$AZURE_RESOURCE_GROUP\""

    2. Retrieve and record the Azure VNet name: 

      $ AZURE_VNET_NAME=$(az network vnet list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Name:name}" --output tsv)

      This value is used to retrieve the Azure subnet ID.

    3. Retrieve and record the Azure subnet ID: 

      $ AZURE_SUBNET_ID=$(az network vnet subnet list --resource-group ${AZURE_RESOURCE_GROUP} --vnet-name $AZURE_VNET_NAME --query "[].{Id:id} | [? contains(Id, 'worker')]" --output tsv) && echo "AZURE_SUBNET_ID: \"$AZURE_SUBNET_ID\""

    4. Retrieve and record the Azure network security group (NSG) ID: 

      $ AZURE_NSG_ID=$(az network nsg list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Id:id}" --output tsv) && echo "AZURE_NSG_ID: \"$AZURE_NSG_ID\""

    5. Retrieve and record the Azure region: 

      $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} --query "{Location:location}" --output tsv) && echo "AZURE_REGION: \"$AZURE_REGION\""

  2. Create a peer-pods-cm.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "azure"
  VXLAN_PORT: "9000"
  AZURE_INSTANCE_SIZE: "Standard_DC2as_v5"
    1 
    
  AZURE_INSTANCE_SIZES: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5"
    2 
    
  AZURE_SUBNET_ID: "<azure_subnet_id>"
    3 
    
  AZURE_NSG_ID: "<azure_nsg_id>"
    4 
    
  PROXY_TIMEOUT: "5m"
  AZURE_IMAGE_ID: "<azure_image_id>"
    5 
    
  AZURE_REGION: "<azure_region>"
    6 
    
  AZURE_RESOURCE_GROUP: "<azure_resource_group>"
    7 
    
  PEERPODS_LIMIT_PER_NODE: "10"
    8 
    
  TAGS: "key1=value1,key2=value2"
    9 
    
  INITDATA: "<base64_encoded_initdata>"
    10 
    
  ENABLE_SECURE_BOOT: "true"
    11 
    
  DISABLECVM: "false"
    1
    The "Standard_DC2as_v5" value is the default if an instance size is not defined in the workload. Ensure the instance type supports the trusted environment. The default "Standard_DC2as_v5" value is for AMD SEV-SNP. If your TEE is Intel TDX, specify Standard_EC4eds_v5.
    2
    Specify the instance sizes, without spaces, for creating the pod. This allows you to define smaller instance sizes for workloads that need less memory and fewer CPUs or larger instance sizes for larger workloads. For Intel TDX, specify "Standard_EC4eds_v5,Standard_EC8eds_v5,Standard_EC16eds_v5".
    3
    Specify the AZURE_SUBNET_ID value that you retrieved.
    4
    Specify the AZURE_NSG_ID value that you retrieved.
    5
    Optional: By default, this value is populated when you run the KataConfig CR, using an Azure image ID based on your cluster credentials. If you create your own Azure image, specify the correct image ID.
    6
    Specify the AZURE_REGION value you retrieved.
    7
    Specify the AZURE_RESOURCE_GROUP value you retrieved.
    8
    Specify the maximum number of peer pods that can be created per node. The default value is 10.
    9
    You can configure custom tags as key:value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.
    10
    Specify the Base64-encoded string you created in the initdata.txt file.
    11
    Specify true to enable Secure Boot by default.

  3. Create the config map by running the following command: 

    $ oc apply -f peer-pods-cm.yaml

  4. Restart the ds/osc-caa-ds daemon set by running the following command: 

    $ oc set env ds/osc-caa-ds \
  -n openshift-sandboxed-containers-operator REBOOT="$(date)"

7.7. Customizing the Kata agent policy
Copy link

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

By default, the Kata agent policy disables the exec and log APIs, as they might transmit or receive unencrypted data through the control plane, which is insecure.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Important

Enabling the exec or log APIs in Confidential Containers workloads might expose sensitive information. Do not enable these APIs in production environments.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration: 

    package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default OnlineCPUMemRequest := true
default PullImageRequest := true
default ReadStreamRequest := true   # Enabled to allow log API
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StatsContainerRequest := true
default TtyWinResizeRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command: 

    $ base64 -w0 policy.rego

    Save the output for use in the yaml file.

  3. Add the Base64-encoded policy to a my-pod.yaml pod specification file: 

    apiVersion: v1
kind: Pod
metadata:
  name: <pod_name>
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault

  4. Apply the pod manifest by running the following command: 

    $ oc apply -f my-pod.yaml

7.8. Deleting the KataConfig custom resource
Copy link

You can delete the KataConfig custom resource (CR) by using the command line.

Deleting the KataConfig CR removes the runtime and its related resources from your cluster.

Important

Deleting the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Delete the KataConfig CR by running the following command: 

    $ oc delete kataconfig example-kataconfig

    The OpenShift sandboxed containers Operator removes all resources that were initially created to enable the runtime on your cluster.

    Important

    When you delete the KataConfig CR, the CLI stops responding until all worker nodes reboot. You must wait for the deletion process to complete before performing the verification.

  2. Verify that the custom resource was deleted by running the following command: 

    $ oc get kataconfig example-kataconfig

    Example output

    No example-kataconfig instances exist

Important

When uninstalling OpenShift sandboxed containers deployed using a cloud provider, you must delete all of the pods. Any remaining pod resources might result in an unexpected bill from your cloud provider.

7.9. Selecting a custom peer pod VM image
Copy link

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.

Prerequisites

  • The ID of the custom pod VM image to use, compatible with the cloud provider or hypervisor, is available.

Procedure

  1. Edit the pod manifest by adding the io.katacontainers.config.hypervisor.image annotation and save it in a pod-manifest.yaml file: 

    apiVersion: v1
kind: Pod
metadata:
  name: pod-manifest
  annotations:
    io.katacontainers.config.hypervisor.image: "<custom_image_id>"
    1 
    
spec:
  runtimeClassName: kata-remote
    2 
    
  containers:
  - name: <example_container>
    3 
    
    image: registry.access.redhat.com/ubi9/ubi:9.3
    command: ["sleep", "36000"]
    1
    Specify the custom peer pod image ID.
    2
    Ensure that the runtimeClassName field is set to kata-remote to create a peer pod.
    3
    Specify the container name.

  2. Create the pod by running the following command: 

    $ oc apply -f pod-manifest.yaml

7.10. Re-creating the KataConfig custom resource
Copy link

You must re-create the KataConfig custom resource (CR) for Confidential Containers.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    1
    Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, cc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc apply -f example-kataconfig.yaml

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds

  5. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass

    Example output

    NAME             HANDLER          AGE
kata             kata             152m
kata-remote      kata-remote      152m

7.11. Creating the Trustee authentication secret
Copy link

You must create the authentication secret for Trustee.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create a private key by running the following command: 

    $ openssl genpkey -algorithm ed25519 > privateKey

  2. Create a public key by running the following command: 

    $ openssl pkey -in privateKey -pubout -out publicKey

  3. Create a secret by running the following command: 

    $ oc create secret generic kbs-auth-public-key --from-file=publicKey -n trustee-operator-system

  4. Verify the secret by running the following command: 

    $ oc get secret -n trustee-operator-system

7.12. Creating the Trustee config map
Copy link

You must create the config map to configure the Trustee server.

Note

The following configuration example turns off security features to enable demonstration of Technology Preview features. It is not meant for a production environment.

Prerequisites

  • You have created a route for Trustee.

Procedure

  1. Create a kbs-config-cm.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: kbs-config-cm
  namespace: trustee-operator-system
data:
  kbs-config.toml: |
    [http_server]
    sockets = ["0.0.0.0:8080"]
    insecure_http = true

    [admin]
    insecure_api = true
    auth_public_key = "/etc/auth-secret/publicKey"

    [attestation_token]
    insecure_key = true
    attestation_token_type = "CoCo"

    [attestation_service]
    type = "coco_as_builtin"
    work_dir = "/opt/confidential-containers/attestation-service"
    policy_engine = "opa"

      [attestation_service.attestation_token_broker]
      type = "Ear"
      policy_dir = "/opt/confidential-containers/attestation-service/policies"

      [attestation_service.attestation_token_config]
      duration_min = 5

      [attestation_service.rvps_config]
      type = "BuiltIn"

        [attestation_service.rvps_config.storage]
        type = "LocalJson"
        file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json"

    [[plugins]]
    name = "resource"
    type = "LocalFs"
    dir_path = "/opt/confidential-containers/kbs/repository"

    [policy_engine]
    policy_path = "/opt/confidential-containers/opa/policy.rego"

  2. Create the config map by running the following command: 

    $ oc apply -f kbs-config-cm.yaml

You can configure the following values, policies, and secrets for Trustee:

  • Optional: Reference values for the Reference Value Provider Service.
  • Optional: Attestation policy.
  • Provisioning Certificate Caching Service for Intel Trust Domain Extensions (TDX).
  • Optional: Secret for custom keys for Trustee clients.
  • Optional: Secret for container image signature verification.
  • Container image signature verification policy. This policy is mandatory. If you do not use container image signature verification, you must create a policy that does not verify signatures.
  • Resource access policy.

7.13.1. Configuring reference values
Copy link

You can configure reference values for the Reference Value Provider Service (RVPS) by specifying the trusted digests of your hardware platform.

The client collects measurements from the running software, the Trusted Execution Environment (TEE) hardware and firmware and it submits a quote with the claims to the Attestation Server. These measurements must match the trusted digests registered to the Trustee. This process ensures that the confidential VM (CVM) is running the expected software stack and has not been tampered with.

Procedure

  1. Create an rvps-configmap.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: rvps-reference-values
  namespace: trustee-operator-system
data:
  reference-values.json: |
    [
    1 
    
    ]
    1
    Specify the trusted digests for your hardware platform if required. Otherwise, leave it empty.

  2. Create the RVPS config map by running the following command: 

    $ oc apply -f rvps-configmap.yaml

7.13.2. Creating an attestation policy
Copy link

You can create an attestation policy that overrides the default attestation policy.

Procedure

  1. Create an attestation-policy.yaml manifest file according to the following example: 

    # attestation-policy.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: attestation-policy
  namespace: trustee-operator-system
data:
  default.rego: |
    package policy

    import rego.v1

    # This policy validates multiple TEE platforms
    # The policy is meant to capture the TCB requirements
    # for confidential containers.

    # This policy is used to generate an EAR Appraisal.
    # More information can be found at
    # <https://datatracker.ietf.org/doc/draft-ietf-rats-ar4si/>

    default executables := 33

    default hardware := 97

    default configuration := 36

    executables := 3 if {
      input.sample.launch_digest in data.reference.launch_digest
    }

    hardware := 2 if {
      input.sample.svn in data.reference.svn
    }

    executables := 3 if {
      input.snp.measurement in data.reference.snp_launch_measurement
    }

    hardware := 2 if {
      input.snp.reported_tcb_bootloader in data.reference.snp_bootloader
      input.snp.reported_tcb_microcode in data.reference.snp_microcode
      input.snp.reported_tcb_snp in data.reference.snp_snp_svn
      input.snp.reported_tcb_tee in data.reference.snp_tee_svn
    }

    configuration := 2 if {
      input.snp.policy_debug_allowed == "0"
      input.snp.policy_migrate_ma == "0"
      input.snp.platform_smt_enabled in data.reference.snp_smt_enabled
      input.snp.platform_tsme_enabled in data.reference.snp_tsme_enabled
      input.snp.policy_abi_major in data.reference.snp_guest_abi_major
      input.snp.policy_abi_minor in data.reference.snp_guest_abi_minor
      input.snp.policy_single_socket in data.reference.snp_single_socket
      input.snp.policy_smt_allowed in data.reference.snp_smt_allowed
    }

    else := 3 if {
      input.snp.policy_debug_allowed == "0"
      input.snp.policy_migrate_ma == "0"
    }

    executables := 3 if {
      input.tdx.quote.body.rtmr_1 in data.reference.rtmr_1
      input.tdx.quote.body.rtmr_2 in data.reference.rtmr_2
    }

    hardware := 2 if {
      # Check that this is a TDX quote signed by the Intel SGX Quoting Enclave.
      input.tdx.quote.header.tee_type == "81000000"
      input.tdx.quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"

      # Check TDX Module version and its hash. Also check OVMF code hash.
      input.tdx.quote.body.mr_seam in data.reference.mr_seam
      input.tdx.quote.body.tcb_svn in data.reference.tcb_svn
      input.tdx.quote.body.mr_td in data.reference.mr_td
      # Check TCB status
      # input.tdx.tcb_status == "OK"

      # Check collateral expiration status
      # input.tdx.collateral_expiration_status == "0"

      # Check against allowed advisory ids
      # allowed_advisory_ids := {"INTEL-SA-00837"}
      # attester_advisory_ids := {id | id := input.attester_advisory_ids[_]}
      # object.subset(allowed_advisory_ids, attester_advisory_ids)

      # Check against disallowed advisory ids
      # disallowed_advisory_ids := {"INTEL-SA-00837"}
      # attester_advisory_ids := {id | id := input.tdx.advisory_ids[_]} # convert array to set
      # intersection := attester_advisory_ids & disallowed_advisory_ids
      # count(intersection) == 0
    }

    configuration := 2 if {
      input.tdx.td_attributes.debug == false
      input.tdx.quote.body.xfam in data.reference.xfam
    }

    executables := 3 if {
      input.azsnpvtpm.measurement in data.reference.measurement
      input.azsnpvtpm.tpm.pcr11 in data.reference.snp_pcr11
    }

    hardware := 2 if {
      input.azsnpvtpm.reported_tcb_bootloader in data.reference.tcb_bootloader
      input.azsnpvtpm.reported_tcb_microcode in data.reference.tcb_microcode
      input.azsnpvtpm.reported_tcb_snp in data.reference.tcb_snp
      input.azsnpvtpm.reported_tcb_tee in data.reference.tcb_tee
    }

    configuration := 2 if {
      input.azsnpvtpm.platform_smt_enabled in data.reference.smt_enabled
      input.azsnpvtpm.platform_tsme_enabled in data.reference.tsme_enabled
      input.azsnpvtpm.policy_abi_major in data.reference.abi_major
      input.azsnpvtpm.policy_abi_minor in data.reference.abi_minor
      input.azsnpvtpm.policy_single_socket in data.reference.single_socket
      input.azsnpvtpm.policy_smt_allowed in data.reference.smt_allowed
    }

    ##### Azure vTPM TDX
    executables := 3 if {
      input.aztdxvtpm.tpm.pcr11 in data.reference.tdx_pcr11
    }

    hardware := 2 if {
      # Check that the quote is a TDX quote signed by the Intel SGX Quoting Enclave.
      input.aztdxvtpm.quote.header.tee_type == "81000000"
      input.aztdxvtpm.quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"

      # Check TDX Module version and its hash. Also check OVMF code hash.
      input.aztdxvtpm.quote.body.mr_seam in data.reference.mr_seam
      input.aztdxvtpm.quote.body.tcb_svn in data.reference.tcb_svn
      input.aztdxvtpm.quote.body.mr_td in data.reference.mr_td
    }

    configuration := 2 if {
      input.aztdxvtpm.quote.body.xfam in data.reference.xfam
    }

    The attestation policy follows the Open Policy Agent specification. In this example, the attestation policy compares the claims provided in the attestation report to the reference values registered in the RVPS database. The attestation process is successful only if all the values match.

  2. Create the attestation policy config map by running the following command: 

    $ oc apply -f attestation-policy.yaml

7.13.3. Configuring PCCS for TDX
Copy link

If you use Intel Trust Domain Extensions (TDX), you must configure Trustee to use the Provisioning Certificate Caching Service (PCCS).

The PCCS retrieves the Provisioning Certification Key (PCK) certificates and caches them in a local database.

Important

Do not use the public Intel PCCS service. Use a local caching service on-premise or on the public cloud.

Procedure

  1. Create a tdx-config.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: tdx-config
  namespace: trustee-operator-system
data:
  sgx_default_qcnl.conf: | \
      {
        "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
        "pccs_url": "<pccs_url>"
    1 
    
      }
    1
    Specify the PCCS URL, for example, https://localhost:8081/sgx/certification/v4/.

  2. Create the TDX config map by running the following command: 

    $ oc apply -f tdx-config.yaml

You can create a secret that contains one or more custom keys for Trustee clients.

In this example, the kbsres1 secret has two entries (key1, key2), which the clients retrieve. You can add additional secrets according to your requirements by using the same format.

Prerequisites

  • You have created one or more custom keys.

Procedure

  • Create a secret for the custom keys according to the following example: 

    $ oc apply secret generic kbsres1 \
  --from-literal key1=<custom_key1> \
    1 
    
  --from-literal key2=<custom_key2> \
  -n trustee-operator-system
    1
    Specify a custom key.

    The kbsres1 secret is specified in the spec.kbsSecretResources key of the KbsConfig custom resource.

If you use container image signature verification, you must create a secret that contains the public container image signing key.

The Confidential compute attestation Operator uses the secret to verify the signature, ensuring that only trusted and authenticated container images are deployed in your environment.

You can use Red Hat Trusted Artifact Signer or other tools to sign container images.

Procedure

  1. Create a secret for container image signature verification by running the following command: 

    $ oc apply secret generic <type> \
    1 
    
  --from-file=<tag>=./<public_key_file> \
    2 
    
  -n trustee-operator-system
    1
    Specify the KBS secret type, for example, img-sig.
    2
    Specify the secret tag, for example, pub-key, and the public container image signing key.
  2. Record the <type> value. You must add this value to the spec.kbsSecretResources key when you create the KbsConfig custom resource.

You create the container image signature verification policy because signature verification is always enabled. If this policy is missing, the pods will not start.

If you are not using container image signature verification, you create the policy without signature verification.

For more information, see containers-policy.json 5.

Procedure

  1. Create a security-policy-config.json file according to the following examples:

    • Without signature verification: 

      {
  "default": [
  {
    "type": "insecureAcceptAnything"
  }],
  "transports": {}
}

    • With signature verification: 

      {
  "default": [
      {
      "type": "insecureAcceptAnything"
      }
  ],
  "transports": {
      "<transport>": {
      1 
      
          "<registry>/<image>":
      2 
      
          [
              {
                  "type": "sigstoreSigned",
                  "keyPath": "kbs:///default/<type>/<tag>"
      3 
      
              }
          ]
      }
  }
}
      1
      Specify the image repository for transport, for example, "docker":. For more information, see containers-transports 5.
      2
      Specify the container registry and image, for example, "quay.io/my-image".
      3
      Specify the type and tag of the container image signature verification secret that you created, for example, img-sig/pub-key.

  2. Create the security policy by running the following command: 

    $ oc apply secret generic security-policy \
  --from-file=osc=./<security-policy-config.json> \
  -n trustee-operator-system

    Do not alter the secret type, security-policy, or the key, osc.

    The security-policy secret is specified in the spec.kbsSecretResources key of the KbsConfig custom resource.

7.13.7. Creating the resource access policy
Copy link

You configure the resource access policy for the Trustee policy engine. This policy determines which resources Trustee can access.

Note

The Trustee policy engine is different from the Attestation Service policy engine, which determines the validity of TEE evidence.

Procedure

  1. Create a resourcepolicy-configmap.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: resource-policy
  namespace: trustee-operator-system
data:
  policy.rego:
    package policy
    default allow = true
    allow {
      input["tee"] != "sample"
    }
    policy.rego
    The name of the resource policy, policy.rego, must match the resource policy defined in the Trustee config map.
    package policy
    The resource policy follows the Open Policy Agent specification.

  2. Create the resource policy config map by running the following command: 

    $ oc apply -f resourcepolicy-configmap.yaml

7.14. Creating the KbsConfig custom resource
Copy link

You create the KbsConfig custom resource (CR) to launch Trustee.

Then, you check the Trustee pods and pod logs to verify the configuration.

Procedure

  1. Create a kbsconfig-cr.yaml manifest file: 

    apiVersion: confidentialcontainers.org/v1alpha1
kind: KbsConfig
metadata:
  labels:
    app.kubernetes.io/name: kbsconfig
    app.kubernetes.io/instance: kbsconfig
    app.kubernetes.io/part-of: trustee-operator
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/created-by: trustee-operator
  name: kbsconfig
  namespace: trustee-operator-system
spec:
  kbsConfigMapName: kbs-config-cm
  kbsAuthSecretName: kbs-auth-public-key
  kbsDeploymentType: AllInOneDeployment
  kbsRvpsRefValuesConfigMapName: rvps-reference-values
  kbsSecretResources: ["kbsres1", "security-policy", "<type>"]
    1 
    
  kbsResourcePolicyConfigMapName: resource-policy
# tdxConfigSpec:
#   kbsTdxConfigMapName: tdx-config
    2 
    
# kbsAttestationPolicyConfigMapName: attestation-policy
    3 
    
# kbsServiceType: <service_type>
    4
    1
    Optional: Specify the type value of the container image signature verification secret if you created the secret, for example, img-sig. If you did not create the secret, set the kbsSecretResources value to ["kbsres1", "security-policy"].
    2
    Uncomment tdxConfigSpec.kbsTdxConfigMapName: tdx-config for Intel Trust Domain Extensions.
    3
    Uncomment kbsAttestationPolicyConfigMapName: attestation-policy if you create a customized attestation policy.
    4
    Uncomment kbsServiceType: <service_type> if you create a service type, other than the default ClusterIP service, to expose applications within the cluster external traffic. You can specify NodePort, LoadBalancer, or ExternalName.

  2. Create the KbsConfig CR by running the following command: 

    $ oc apply -f kbsconfig-cr.yaml

7.15. Verifying the Trustee configuration
Copy link

You verify the Trustee configuration by checking the Trustee pods and logs.

Procedure

  1. Set the default project by running the following command: 

    $ oc project trustee-operator-system

  2. Check the Trustee pods by running the following command: 

    $ oc get pods -n trustee-operator-system

    Example output

    NAME                                                   READY   STATUS    RESTARTS   AGE
trustee-deployment-8585f98449-9bbgl                    1/1     Running   0          22m
trustee-operator-controller-manager-5fbd44cd97-55dlh   2/2     Running   0          59m

  3. Set the POD_NAME environmental variable by running the following command: 

    $ POD_NAME=$(oc get pods -l app=kbs -o jsonpath='{.items[0].metadata.name}' -n trustee-operator-system)

  4. Check the pod logs by running the following command: 

    $ oc logs -n trustee-operator-system $POD_NAME

    Example output

    [2024-05-30T13:44:24Z INFO  kbs] Using config file /etc/kbs-config/kbs-config.json
[2024-05-30T13:44:24Z WARN  attestation_service::rvps] No RVPS address provided and will launch a built-in rvps
[2024-05-30T13:44:24Z INFO  attestation_service::token::simple] No Token Signer key in config file, create an ephemeral key and without CA pubkey cert
[2024-05-30T13:44:24Z INFO  api_server] Starting HTTPS server at [0.0.0.0:8080]
[2024-05-30T13:44:24Z INFO  actix_server::builder] starting 12 workers
[2024-05-30T13:44:24Z INFO  actix_server::server] Tokio runtime found; starting in existing Tokio runtime

7.16. Verifying the attestation process
Copy link

You can verify the attestation process by creating a test pod and retrieving its secret.

Important

This procedure is an example to verify that attestation is working. Do not write sensitive data to standard I/O because the data can be captured by using a memory dump. Only data written to memory is encrypted.

By default, the Kata agent policy, embedded in the pod virtual machine (VM) image, disables the exec and log APIs for a Confidential Containers pod. This policy prevents the cluster admin from executing processes inside the pod to exfiltrate sensitive data while also blocking accidental writes of sensitive data to standard I/O.

In a test scenario, you can override the restriction at runtime by adding a policy annotation to the pod. For Technology Preview, runtime policy annotations are not verified by remote attestation.

Prerequisites

  • You have created a route if the Trustee server and the test pod are not running in the same cluster.

Procedure

  1. Create a verification-pod.yaml manifest file: 

    apiVersion: v1
kind: Pod
metadata:
  name: ocp-cc-pod
  labels:
    app: ocp-cc-pod
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
    1 
    
    io.katacontainers.config.runtime.cc_init_data: <base64_initdata>
    2 
    
spec:
  runtimeClassName: kata-remote
  containers:
    - name: skr-openshift
      image: registry.access.redhat.com/ubi9/ubi:9.3
      command:
        - sleep
        - "36000"
      securityContext:
        privileged: false
        seccompProfile:
          type: RuntimeDefault
    1
    This pod annotation overrides the default agent policy that prevents sensitive data from being written to standard I/O.
    2
    This pod annotation overrides the Base64-encoded string of the initdata.toml file set globally in the peer pods config map.

    If you specify both the io.katacontainers.config.agent.policy annotation and the io.katacontainers.config.runtime.cc_init_data annotation with an agent policy, the initdata annotation takes precedence over the agent policy annotation.

  2. Create the pod by running the following command: 

    $ oc create -f verification-pod.yaml

  3. Connect to the Bash shell of the ocp-cc-pod by running the following command: 

    $ oc exec -it ocp-cc-pod -- bash

  4. Fetch the pod secret by running the following command: 

    $ curl http://127.0.0.1:8006/cdh/resource/default/kbsres1/key1

    Example output

    res1val1

    The Trustee server returns the secret only if the attestation is successful.

You can deploy Confidential Containers on IBM Z® and IBM® LinuxONE after you deploy OpenShift sandboxed containers.

Important

Confidential Containers on IBM Z® and IBM® LinuxONE is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Note

IBM® Hyper Protect Confidential Container (HPCC) for Red Hat OpenShift Container Platform is now production-ready. HPCC enables Confidential Computing technology at the enterprise scale by providing a multiparty Hyper Protect Contract, deployment attestation, and validation of container runtime and OCI image integrity.

HPCC is supported by IBM Z17® and IBM® LinuxONE Emperor 5 and is compatible with OpenShift sandboxed containers 1.9 and later. For more information, see the IBM HPCC documentation.

Cluster requirements

  • You have installed Red Hat OpenShift Container Platform 4.15 or later on the cluster where you are installing the Confidential compute attestation Operator.

LPAR requirements

You deploy Confidential Containers by performing the following steps:

  1. Install the Confidential compute attestation Operator.
  2. Create the route for Trustee.
  3. Enable the Confidential Containers feature gate.
  4. Create initdata.
  5. Update the peer pods config map.
  6. Optional: Customize the Kata agent policy.
  7. Delete the KataConfig custom resource (CR).
  8. Update the peer pods secret.
  9. Optional: Select a custom peer pod VM image.
  10. Re-create the KataConfig CR.
  11. Create the Trustee authentication secret.
  12. Create the Trustee config map.
  13. Obtain the IBM Secure Execution (SE) header.
  14. Configure the SE certificates and keys.
  15. Create the persistent storage components.
  16. Configure Trustee values, policies, and secrets.
  17. Create the KbsConfig CR.
  18. Verify the Trustee configuration.
  19. Verify the attestation process.

You can install the Confidential compute attestation Operator on IBM Z® and IBM® LinuxONE by using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create a trustee-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: trustee-operator-system

  2. Create the trustee-operator-system namespace by running the following command: 

    $ oc apply -f trustee-namespace.yaml

  3. Create a trustee-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: trustee-operator-group
  namespace: trustee-operator-system
spec:
  targetNamespaces:
  - trustee-operator-system

  4. Create the operator group by running the following command: 

    $ oc apply -f trustee-operatorgroup.yaml

  5. Create a trustee-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: trustee-operator-system
  namespace: trustee-operator-system
spec:
  channel: stable
  installPlanApproval: Automatic
  name: trustee-operator
  source: trustee-operator-catalog
  sourceNamespace: openshift-marketplace

  6. Create the subscription by running the following command: 

    $ oc apply -f trustee-subscription.yaml

  7. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n trustee-operator-system

    This command can take several minutes to complete.

  8. Watch the process by running the following command: 

    $ watch oc get csv -n trustee-operator-system

    Example output

    NAME                      DISPLAY                        PHASE
trustee-operator.v0.3.0   Trustee Operator  0.3.0        Succeeded

You must enable the Confidential Containers feature gate.

Prerequisites

  • You have subscribed to the OpenShift sandboxed containers Operator.

Procedure

  1. Create a cc-feature-gate.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: osc-feature-gates
  namespace: openshift-sandboxed-containers-operator
data:
  confidential: "true"

  2. Create the config map by running the following command: 

    $ oc apply -f cc-feature-gate.yaml

8.3. Creating the route for Trustee
Copy link

You can create a secure route with edge TLS termination for Trustee. External ingress traffic reaches the router pods as HTTPS and passes on to the Trustee pods as HTTP.

Prerequisites

  • You have installed the Confidential compute attestation Operator.

Procedure

  1. Create an edge route by running the following command: 

    $ oc create route edge --service=kbs-service --port kbs-port \
  -n trustee-operator-system
    Note

    Note: Currently, only a route with a valid CA-signed certificate is supported. You cannot use a route with self-signed certificate.

  2. Set the TRUSTEE_HOST variable by running the following command: 

    $ TRUSTEE_HOST=$(oc get route -n trustee-operator-system kbs-service \
  -o jsonpath={.spec.host})

  3. Verify the route by running the following command: 

    $ echo $TRUSTEE_HOST

    Example output

    kbs-service-trustee-operator-system.apps.memvjias.eastus.aroapp.io

8.4. About initdata
Copy link

The initdata specification provides a flexible way to initialize a peer pod with sensitive or workload-specific data at runtime, avoiding the need to embed such data in the virtual machine (VM) image. This enhances security by reducing exposure of confidential information and improves flexibility by eliminating custom image builds. For example, initdata can include three configuration settings:

  • An X.509 certificate for secure communication.
  • A cryptographic key for authentication.
  • An optional Kata Agent policy.rego file to enforce runtime behavior when overriding the default Kata Agent policy.

You can apply an initdata configuration by using one of the following methods:

  • Globally by including it in the peer pods config map, setting a cluster-wide default for all pods.

  • For a specific pod when configuring a pod workload object, allowing customization for individual workloads.

    The io.katacontainers.config.runtime.cc_init_data annotation you specify when configuring a pod workload object overrides the global INITDATA setting in the peer pods config map for that specific pod. The Kata runtime handles this precedence automatically at pod creation time.

The initdata content configures the following components:

  • Attestation Agent (AA), which verifies the trustworthiness of the peer pod by sending evidence to the Trustee for attestation.
  • Confidential Data Hub (CDH), which manages secrets and secure data access within the peer pod VM.
  • Kata Agent, which enforces runtime policies and manages the lifecycle of the containers inside the pod VM.

8.5. Creating initdata
Copy link

Create a TOML file with initdata and convert it to a Base64-encoded string. Use this string to specify the value in the peer pods config map, in the peer pod manifest, or in the busybox.yaml file.

Important

You must delete the kbs_cert setting if you configure insecure_http = true in the Trustee config map.

Procedure

  1. Obtain the Trustee IP address by running the following command: 

    $ oc get node $(oc get pod -n trustee-operator-system -o jsonpath='{.items[0].spec.nodeName}') -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'

    Example output

    192.168.122.22

  2. Obtain the Trustee port by running the following command: 

    $ oc get svc kbs-service -n trustee-operator-system

    Example output

    NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
kbs-service  NodePort    172.30.116.11   <none>        8080:32178/TCP   12d

  3. Create the initdata.toml configuration file: 

    ```toml
algorithm = "sha384"
version = "0.1.0"

[data]
"aa.toml" = '''
[token_configs]
[token_configs.coco_as]
url = 'https://<worker_node_ip>:<node_port>'
    1 
    


[token_configs.kbs]
url = 'https://<worker_node_ip>:<node_port>'
cert = """
-----BEGIN CERTIFICATE-----
<kbs_certificate>
    2 
    
-----END CERTIFICATE-----
"""
'''

"cdh.toml"  = '''
socket = 'unix:///run/confidential-containers/cdh.sock'
credentials = []

[kbc]
name = 'cc_kbc'
url = 'https://<worker_node_ip>:<node_port>'
kbs_cert = """
    3 
    
-----BEGIN CERTIFICATE-----
<kbs_certificate>
    4 
    
-----END CERTIFICATE-----
"""
'''

"policy.rego" = '''
    5 
    
package agent_policy

default AddARPNeighborsRequest := true
default AddSwapRequest := true
default CloseStdinRequest := true
default CopyFileRequest := true
default CreateContainerRequest := true
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true
default GetMetricsRequest := true
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default ListInterfacesRequest := true
default ListRoutesRequest := true
default MemHotplugByProbeRequest := true
default OnlineCPUMemRequest := true
default PauseContainerRequest := true
default PullImageRequest := true
default ReadStreamRequest := true
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default ReseedRandomDevRequest := true
default ResumeContainerRequest := true
default SetGuestDateTimeRequest := true
default SetPolicyRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StartTracingRequest := true
default StatsContainerRequest := true
default StopTracingRequest := true
default TtyWinResizeRequest := true
default UpdateContainerRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := true
'''
```
    1
    Specify the Trustee IP address and the port, for example, https://192.168.122.22:32178.
    2
    Specify the Base64-encoded TLS certificate for the attestation agent. This is not required for testing purposes, but it is recommended for production systems.
    3
    Delete the kbs_cert setting if you configure insecure_http = true in the Trustee config map.
    4
    Specify the Base64-encoded TLS certificate for the Trustee instance.
    5
    Optional: You can specify a custom Kata Agent policy.

  4. Convert the initdata.toml file to a Base64-encoded string in a text file by running the following command: 

    $ base64 -w0 initdata.toml > initdata.txt

8.6. Updating the peer pods config map
Copy link

You must update the peer pods config map for Confidential Containers.

Note

Set Secure Boot to true to enable it by default. The default value is false, which presents a security risk.

Procedure

  1. Create a peer-pods-cm.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "libvirt"
  PEERPODS_LIMIT_PER_NODE: "10"
    1 
    
  LIBVIRT_POOL: "<libvirt_pool>"
    2 
    
  LIBVIRT_VOL_NAME: "<libvirt_volume>"
    3 
    
  LIBVIRT_DIR_NAME: "/var/lib/libvirt/images/<directory_name>"
    4 
    
  LIBVIRT_NET: "default"
    5 
    
  INITDATA: "<base64_encoded_initdata>"
    6 
    
  DISABLECVM: "false"
    1
    Specify the maximum number of peer pods that can be created per node. The default value is 10.
    2
    Specify the libvirt pool. If you have manually configured the libvirt pool, use the same name as in your KVM host configuration.
    3
    Specify the libvirt volume name. If you have manually configured the libvirt volume, use the same name as in your KVM host configuration.
    4
    Specify the libvirt directory for storing virtual machine disk images, such as .qcow2, or .raw files. To ensure libvirt has read and write access permissions, use a subdirectory of the libvirt storage directory. The default is /var/lib/libvirt/images/.
    5
    Optional: Specify a libvirt network if you do not want to use the default network.
    6
    Specify the Base64-encoded string you created in the initdata.txt file.

  2. Create the config map by running the following command: 

    $ oc apply -f peer-pods-cm.yaml

  3. Restart the ds/osc-caa-ds daemon set by running the following command: 

    $ oc set env ds/osc-caa-ds \
  -n openshift-sandboxed-containers-operator REBOOT="$(date)"

8.7. Customizing the Kata agent policy
Copy link

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

By default, the Kata agent policy disables the exec and log APIs, as they might transmit or receive unencrypted data through the control plane, which is insecure.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Important

Enabling the exec or log APIs in Confidential Containers workloads might expose sensitive information. Do not enable these APIs in production environments.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration: 

    package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default OnlineCPUMemRequest := true
default PullImageRequest := true
default ReadStreamRequest := true   # Enabled to allow log API
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StatsContainerRequest := true
default TtyWinResizeRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command: 

    $ base64 -w0 policy.rego

    Save the output for use in the yaml file.

  3. Add the Base64-encoded policy to a my-pod.yaml pod specification file: 

    apiVersion: v1
kind: Pod
metadata:
  name: <pod_name>
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault

  4. Apply the pod manifest by running the following command: 

    $ oc apply -f my-pod.yaml

8.8. Deleting the KataConfig custom resource
Copy link

You can delete the KataConfig custom resource (CR) by using the command line.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Delete the KataConfig CR by running the following command: 

    $ oc delete kataconfig example-kataconfig

  2. Verify that the custom resource was deleted by running the following command: 

    $ oc get kataconfig example-kataconfig

    Example output

    No example-kataconfig instances exist

Important

When uninstalling OpenShift sandboxed containers deployed using a cloud provider, you must delete all of the pods. Any remaining pod resources might result in an unexpected bill from your cloud provider.

8.9. Updating the peer pods secret
Copy link

You must update the peer pods secret.

The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

By default, the OpenShift sandboxed containers Operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

Prerequisites

Procedure

  1. Create a peer-pods-secret.yaml manifest file according to the following example: 

    apiVersion: v1
kind: Secret
metadata:
  name: peer-pods-secret
  namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
  CLOUD_PROVIDER: "libvirt"
  LIBVIRT_URI: "<libvirt_gateway_uri>"
    1 
    
  REDHAT_OFFLINE_TOKEN: "<rh_offline_token>"
    2 
    
  HOST_KEY_CERTS: "<host_key_crt_value>"
    3
    1
    Specify the libvirt URI.
    2
    Specify the Red Hat offline token, which is required for the Operator-built image.
    3
    Specify the HKD certificate value to enable IBM Secure Execution for the Operator-built image.

  2. Create the secret by running the following command: 

    $ oc apply -f peer-pods-secret.yaml

8.10. Selecting a custom peer pod VM image
Copy link

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map. You create a new libvirt volume in your libvirt pool and upload the custom peer pod VM image to the new volume. Then, you update the pod manifest to use the custom peer pod VM image.

Prerequisites

  • The ID of the custom pod VM image to use, compatible with the cloud provider or hypervisor, is available.

Procedure

  1. Set the name of the libvirt pool by running the following command: 

    $ export LIBVIRT_POOL=<libvirt_pool>
    1
    1
    Specify the existing libvirt pool name.

  2. Set the name of the new libvirt volume by running the following command: 

    $ export LIBVIRT_VOL_NAME=<new_libvirt_volume>

  3. Create a libvirt volume for the pool by running the following command: 

    $ virsh -c qemu:///system \
  vol-create-as --pool $LIBVIRT_POOL \
  --name $LIBVIRT_VOL_NAME \
  --capacity 20G \
  --allocation 2G \
  --prealloc-metadata \
  --format qcow2

  4. Upload the custom peer pod VM image to the libvirt volume: 

    $ virsh -c qemu:///system vol-upload \
  --vol $LIBVIRT_VOL_NAME <custom_podvm_image.qcow2> \
    1 
    
  --pool $LIBVIRT_POOL --sparse
    1
    Specify the custom peer pod VM image name.

  5. Create a pod-manifest.yaml manifest file according to the following example: 

    apiVersion: v1
kind: Pod
metadata:
  name: pod-manifest
  annotations:
    io.katacontainers.config.hypervisor.image: "<new_libvirt_volume>"
    1 
    
spec:
  runtimeClassName: kata-remote
    2 
    
  containers:
  - name: <example_container>
    3 
    
    image: registry.access.redhat.com/ubi9/ubi:9.3
    command: ["sleep", "36000"]
    1
    Specify the libvirt volume name where you have uploaded the custom peer pod VM image.
    2
    Ensure that the runtimeClassName field is set to kata-remote to create a peer pod.
    3
    Specify the container name.

  6. Create the pod by running the following command: 

    $ oc apply -f pod-manifest.yaml

8.11. Re-creating the KataConfig custom resource
Copy link

You must re-create the KataConfig custom resource (CR) for Confidential Containers.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    1
    Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, cc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc apply -f example-kataconfig.yaml

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify that you have built the peer pod image and uploaded it to the libvirt volume by running the following command: 

    $ oc describe configmap peer-pods-cm -n openshift-sandboxed-containers-operator

    Example output

    Name: peer-pods-cm
Namespace: openshift-sandboxed-containers-operator
Labels: <none>
Annotations: <none>

Data
====
CLOUD_PROVIDER: libvirt
DISABLECVM: false
    1 
    
LIBVIRT_IMAGE_ID: fa-pp-vol
    2 
    

BinaryData
====
Events: <none>

    1
    Enables the Confidential VM during IBM Secure Execution for the Operator-built image.
    2
    Contains a value if you have built the peer pod image and uploaded it to the libvirt volume.

  5. Monitor the kata-oc machine config pool progress to ensure that it is in the UPDATED state, when UPDATEDMACHINECOUNT equals MACHINECOUNT, by running the following command: 

    $ watch oc get mcp/kata-oc

  6. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds

  7. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass

    Example output

    NAME             HANDLER          AGE
kata             kata             152m
kata-remote      kata-remote      152m

8.12. Creating the Trustee authentication secret
Copy link

You must create the authentication secret for Trustee.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create a private key by running the following command: 

    $ openssl genpkey -algorithm ed25519 > privateKey

  2. Create a public key by running the following command: 

    $ openssl pkey -in privateKey -pubout -out publicKey

  3. Create a secret by running the following command: 

    $ oc create secret generic kbs-auth-public-key --from-file=publicKey -n trustee-operator-system

  4. Verify the secret by running the following command: 

    $ oc get secret -n trustee-operator-system

8.13. Creating the Trustee config map
Copy link

You must create the config map to configure the Trustee server.

Note

The following configuration example turns off security features to enable demonstration of Technology Preview features. It is not meant for a production environment.

Prerequisites

  • You have created a route for Trustee.

Procedure

  1. Create a kbs-config-cm.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: kbs-config-cm
  namespace: trustee-operator-system
data:









  kbs-config.toml: |
    [http_server]
    sockets = ["0.0.0.0:8080"]
    insecure_http = false
    private_key = "/etc/https-key/https.key"
    certificate = "/etc/https-cert/https.crt"

    [admin]
    insecure_api = false
    auth_public_key = "/etc/auth-secret/publicKey"

    [attestation_token]
    insecure_key = true
    attestation_token_type = "CoCo"

    [attestation_service]
    type = "coco_as_builtin"
    work_dir = "/opt/confidential-containers/attestation-service"
    policy_engine = "opa"

    [attestation_service.attestation_token_broker]
    type = "Simple"
    policy_dir = "/opt/confidential-containers/attestation-service/policies"

    [attestation_service.attestation_token_config]
    duration_min = 5

    [attestation_service.rvps_config]
    type = "BuiltIn"

    [attestation_service.rvps_config.storage]
    type = "LocalJson"
    file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json"

    [[plugins]]
    name = "resource"
    type = "LocalFs"
    dir_path = "/opt/confidential-containers/kbs/repository"

    [policy_engine]
    policy_path = "/opt/confidential-containers/opa/policy.rego"

  2. Create the config map by running the following command: 

    $ oc apply -f kbs-config-cm.yaml

You must configure the IBM Secure Execution (SE) certificates and keys for your worker nodes.

Prerequisites

  • You have the IP address of the bastion node.
  • You have the internal IP addresses of the worker nodes.

Procedure

  1. Generate the Key Broker Service (KBS) certificate and key by performing the following steps:

    1. Create the kbs.conf configuration file according to the following example: 

      [req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca

[req_distinguished_name]
countryName = Country Name (2-letter code)
countryName_default = <country_name>
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = <state_name>
localityName = Locality Name (eg, city)
localityName_default = <locality_name>
organizationName = Organization Name (eg, company)
organizationName_default = Red Hat
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or
YOUR name)
commonName_default = kbs-service
commonName_max = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names

[alt_names]
IP.1  = <trustee_ip>
DNS.1  = localhost
DNS.2  = 127.0.0.1

    2. Generate the KBS key and self-signed certificate by running the following command: 

      openssl req -x509 -nodes -days 365 \
   -newkey rsa:2048 \
   -keyout kbs.key \
   -out kbs.crt \
   -config kbs.conf \
   -passin pass:

    3. Copy the KBS key to the ibmse directory by running the following command: 

      $ cp kbs.key /tmp/ibmse/kbs.key

    4. Copy the KBS certificate to the ibmse directory by running the following command: 

      $ cp kbs.crt /tmp/ibmse/kbs.crt

  2. Obtain the attestation policy fields by performing the following steps:

    1. Create a directory to download the GetRvps.sh script by running the following command: 

      $ mkdir -p Rvps-Extraction/

    2. Download the script by running the following command: 

      $ wget https://github.com/openshift/sandboxed-containers-operator/raw/devel/scripts/rvps-extraction/GetRvps.sh -O $PWD/GetRvps.sh

    3. Create a subdirectory by running the following command: 

      $ mkdir -p Rvps-Extraction/static-files

    4. Go to the static-files directory by running the following command: 

      $ cd Rvps-Extraction/static-files

    5. Download the pvextract-hdr tool by running the following command: 

      $ wget https://github.com/openshift/sandboxed-containers-operator/raw/devel/scripts/rvps-extraction/static-files/pvextract-hdr -O $PWD/pvextract-hdr

    6. Make the tool executable by running the following command: 

      $ chmod +x pvextract-hdr

    7. Download the se_parse_hdr.py script by running the following command: 

      $ wget https://github.com/openshift/sandboxed-containers-operator/raw/devel/scripts/rvps-extraction/static-files/se_parse_hdr.py -O $PWD/se_parse_hdr.py

    8. Copy your Host Key Document (HKD) certificate to the static-files directory by running the following command: 

      $ cp ~/path/to/<hkd_cert.crt> .

      The static-files directory contains the following files:

      • HKD.crt
      • pvextract-hdr
      • se_parse_hdr.py

    9. Go to the Rvps-Extraction directory by running the following command: 

      $ cd ..

    10. Make the GetRvps.sh script executable by running the following command: 

      $ chmod +x GetRvps.sh

    11. Run the script: 

      $ ./GetRvps.sh

      Example output

      ***Installing necessary packages for RVPS values extraction ***
Updating Subscription Management repositories.
Last metadata expiration check: 0:37:12 ago on Mon Nov 18 09:20:29 2024.
Package python3-3.9.19-8.el9_5.1.s390x is already installed.
Package python3-cryptography-36.0.1-4.el9.s390x is already installed.
Package kmod-28-10.el9.s390x is already installed.
Dependencies resolved.
Nothing to do.
Complete!
***Installation Finished ***
1) Generate the RVPS From Local Image from User pc
2) Generate RVPS from Volume
3) Quit
Please enter your choice:

      1. Enter 2 to generate the Reference Value Provider Service from the volume: 

        Please enter your choice: 2

      2. Enter fa-pp for the libvirt pool name: 

        Enter the Libvirt Pool Name: fa-pp

      3. Enter the libvirt gateway URI: 

        Enter the Libvirt URI Name: <libvirt-uri>
        1
        1
        Specify the LIBVIRT_URI value that you used to create the peer pods secret.

      4. Enter fa-pp-vol for the libvirt volume name: 

        Enter the Libvirt Volume Name: fa-pp-vol

        Example output

        Downloading from PODVM Volume...

mount: /mnt/myvm: special device /dev/nbd3p1 does not exist.
Error: Failed to mount the image. Retrying...
Mounting on second attempt passed
/dev/nbd3 disconnected
SE header found at offset 0x014000
SE header written to '/root/Rvps-Extraction/output-files/hdr.bin' (640 bytes)
se.tag:  42f3fe61e8a7e859cab3bb033fd11c61
se.image_phkh:  92d0aff6eb86719b6b1ea0cb98d2c99ff2ec693df3efff2158f54112f6961508
provenance = ewogICAgInNlLmF0dGVzdGF0aW9uX3Boa2giOiBbCiAgICAgICAgIjkyZDBhZmY2ZWI4NjcxOWI2YjFlYTBjYjk4ZDJjOTlmZjJlYzY5M2RmM2VmZmYyMTU4ZjU0MTEyZjY5NjE1MDgiCiAgICBdLAogICAgInNlLnRhZyI6IFsKICAgICAgICAiNDJmM2ZlNjFlOGE3ZTg1OWNhYjNiYjAzM2ZkMTFjNjEiCiAgICBdLAogICAgInNlLmltYWdlX3Boa2giOiBbCiAgICAgICAgIjkyZDBhZmY2ZWI4NjcxOWI2YjFlYTBjYjk4ZDJjOTlmZjJlYzY5M2RmM2VmZmYyMTU4ZjU0MTEyZjY5NjE1MDgiCiAgICBdLAogICAgInNlLnVzZXJfZGF0YSI6IFsKICAgICAgICAiMDAiCiAgICBdLAogICAgInNlLnZlcnNpb24iOiBbCiAgICAgICAgIjI1NiIKICAgIF0KfQo=
-rw-r--r--. 1 root root 640 Dec 16 10:57 /root/Rvps-Extraction/output-files/hdr.bin
-rw-r--r--. 1 root root 446 Dec 16 10:57 /root/Rvps-Extraction/output-files/ibmse-policy.rego
-rw-r--r--. 1 root root 561 Dec 16 10:57 /root/Rvps-Extraction/output-files/se-message

  3. Obtain the certificates and certificate revocation lists (CRLs) by performing the following steps:

    1. Create a temporary directory for certificates by running the following command: 

      $ mkdir /tmp/ibmse/certs

    2. Download the ibm-z-host-key-signing-gen2.crt certificate by running the following command: 

      $ wget https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-signing-gen2.crt -O /tmp/ibmse/certs/ibm-z-host-key-signing-gen2.crt

    3. Download the DigiCertCA.crt certificate by running the following command: 

      $ wget https://www.ibm.com/support/resourcelink/api/content/public/DigiCertCA.crt -O /tmp/ibmse/certs/DigiCertCA.crt

    4. Create a temporary directory for the CRLs by running the following command: 

      $ mkdir /tmp/ibmse/crls

    5. Download the ibm-z-host-key-gen2.crl file by running the following command: 

      $ wget https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-gen2.crl -O /tmp/ibmse/crls/ibm-z-host-key-gen2.crl

    6. Download the DigiCertTrustedRootG4.crl file by running the following command: 

      $ wget http://crl3.digicert.com/DigiCertTrustedRootG4.crl -O /tmp/ibmse/crls/DigiCertTrustedRootG4.crl

    7. Download the DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl file by running the following command: 

      $ wget http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl -O /tmp/ibmse/crls/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl

    8. Create a temporary directory for the hdr.bin file by running the following command: 

      $ mkdir -p /tmp/ibmse/hdr/

    9. Copy the hdr.bin file to the hdr directory by running the following command: 

      $ cp /root/Rvps-Extraction/output-files/hdr.bin /tmp/ibmse/hdr/

    10. Create a temporary directory for Host Key Document (HKD) certificate by running the following command: 

      $ mkdir -p /tmp/ibmse/hkds

    11. Copy your HKD certificate to the hkds directory by running the following command: 

      $ cp ~/path/to/<hkd_cert.crt> /tmp/ibmse/hkds/

  4. Generate the RSA keys:

    1. Generate an RSA key pair by running the following command: 

      $ openssl genrsa -aes256 -passout pass:<password> -out /tmp/encrypt_key-psw.pem 4096
      1
      1
      Specify the RSA key password.

    2. Create a temporary directory for the RSA keys by running the following command: 

      $ mkdir -p /tmp/ibmse/rsa

    3. Create an encrypt_key.pub key by running the following command: 

      $ openssl rsa -in /tmp/encrypt_key-psw.pem -passin pass:<password> -pubout -out /tmp/ibmse/rsa/encrypt_key.pub

    4. Create an encrypt_key.pem key by running the following command: 

      $ openssl rsa -in /tmp/encrypt_key-psw.pem -passin pass:<password> -out /tmp/ibmse/rsa/encrypt_key.pem

  5. Verify the structure of the /tmp/ibmse directory by running the following command: 

    $ tree /tmp/ibmse

    Example output

    /tmp/ibmse
├──kbs.key
├──kbs.crt
|
├── certs
│ ├── ibm-z-host-key-signing-gen2.crt
| └── DigiCertCA.crt
├── crls
│ └── ibm-z-host-key-gen2.crl
│ └── DigiCertTrustedRootG4.crl
│ └── DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
├── hdr
│ └── hdr.bin
├── hkds
│ └── <hkd_cert.crt>
└── rsa
├── encrypt_key.pem
└── encrypt_key.pub

  6. Copy these files to the OpenShift Container Platform worker nodes by performing the following steps:

    1. Create a compressed file from the /tmp/ibmse directory by running the following command: 

      $ tar -czf ibmse.tar.gz -C /tmp/ ibmse

    2. Copy the .tar.gz file to the bastion node in your cluster by running the following command: 

      $ scp /tmp/ibmse.tar.gz root@<ocp_bastion_ip>:/tmp
      1
      1
      Specify the IP address of the bastion node.

    3. Connect to the bastion node over SSH by running the following command: 

      $ ssh root@<ocp_bastion_ip>

    4. Copy the .tar.gz file to each worker node by running the following command: 

      $ scp /tmp/ibmse.tar.gz core@<worker_node_ip>:/tmp
      1
      1
      Specify the IP address of the worker node.

    5. Extract the .tar.gz on each worker node by running the following command: 

      $ ssh core@<worker_node_ip> 'sudo mkdir -p /opt/confidential-containers/ && sudo tar -xzf /tmp/ibmse.tar.gz -C /opt/confidential-containers/'

    6. Update the ibmse folder permissions by running the following command: 

      $ ssh core@<worker_node_ip> 'sudo chmod -R 755 /opt/confidential-containers/ibmse/'

  7. Create the secrets in the cluster with the KBS key and certificate by performing the following steps:

    1. Create a kbs-https-certificate.yaml manifest file according to the following example: 

      apiVersion: v1
kind: Secret
metadata:
 name: kbs-https-certificate
 namespace: trustee-operator-system
data:
 https.crt: $(cat /tmp/ibmse/kbs.crt | base64 -w 0)

    2. Create the secret with the KBS certificate by running the following command: 

      $ oc apply -f kbs-https-certificate.yaml

    3. Create a kbs-https-key.yaml manifest file according to the following example: 

      apiVersion: v1
kind: Secret
metadata:
  name: kbs-https-key
  namespace: trustee-operator-system
data:
 https.key: $(cat /tmp/ibmse/kbs.key | base64 -w 0)

    4. Create the secret with the KBS key by running the following command: 

      $ oc apply -f kbs-https-key.yaml

8.15. Creating the persistent storage components
Copy link

You must create persistent storage components, persistent volume (PV) and persistent volume claim (PVC) to mount the ibmse folder to the Trustee pod.

Procedure

  1. Create a persistent-volume.yaml manifest file: 

    apiVersion: v1
kind: PersistentVolume
metadata:
  name: ibmse-pv
  namespace: trustee-operator-system
spec:
  capacity:
    storage: 100Mi
  accessModes:
    - ReadOnlyMany
  storageClassName: ""
  local:
    path: /opt/confidential-containers/ibmse
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: node-role.kubernetes.io/worker
              operator: Exists

  2. Create the persistent volume by running the following command: 

    $ oc apply -f persistent-volume.yaml

  3. Create a persistent-volume-claim.yaml manifest file: 

    apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ibmse-pvc
  namespace: trustee-operator-system
spec:
  accessModes:
    - ReadOnlyMany
  storageClassName: ""
  resources:
    requests:
      storage: 100Mi

  4. Create the persistent volume claim by running the following command: 

    $ oc apply -f persistent-volume-claim.yaml

You can configure the following values, policies, and secrets for Trustee:

  • Reference values for the Reference Value Provider Service.
  • Attestation policy for IBM Secure Execution.
  • Secret for custom keys for Trustee clients.
  • Secret for container image signature verification.
  • Container image signature verification policy. This policy is mandatory. If you do not use container image signature verification, you must create a policy that does not verify signatures.
  • Resource access policy.

8.16.1. Configuring reference values
Copy link

You can configure reference values for the Reference Value Provider Service (RVPS) by specifying the trusted digests of your hardware platform.

The client collects measurements from the running software, the Trusted Execution Environment (TEE) hardware and firmware and it submits a quote with the claims to the Attestation Server. These measurements must match the trusted digests registered to the Trustee. This process ensures that the confidential VM (CVM) is running the expected software stack and has not been tampered with.

Procedure

  1. Create an rvps-configmap.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: rvps-reference-values
  namespace: trustee-operator-system
data:
  reference-values.json: |
    [
    1 
    
    ]
    1
    Leave this value empty.

  2. Create the RVPS config map by running the following command: 

    $ oc apply -f rvps-configmap.yaml

You must create the attestation policy for IBM Secure Execution.

Procedure

  1. Create an attestation-policy.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: attestation-policy
  namespace: trustee-operator-system
data:
  default.rego: |
    package policy
    import rego.v1
    default allow = false
    converted_version := sprintf("%v", [input["se.version"]])
    allow if {
        input["se.attestation_phkh"] == "<se.attestation_phkh>"
        input["se.image_phkh"] == "<se.image_phkh>"
        input["se.tag"] == "<se.tag>"
        converted_version == "256"
    }
    default.rego
    Do not modify the policy name.
    <se.attestation_phkh>
    Replace this with the attestation policy fields you obtained by running the se_parse_hdr.py script.

  2. Create the attestation policy config map by running the following command: 

    $ oc apply -f attestation-policy.yaml

You can create a secret that contains one or more custom keys for Trustee clients.

In this example, the kbsres1 secret has two entries (key1, key2), which the clients retrieve. You can add additional secrets according to your requirements by using the same format.

Prerequisites

  • You have created one or more custom keys.

Procedure

  • Create a secret for the custom keys according to the following example: 

    $ oc apply secret generic kbsres1 \
  --from-literal key1=<custom_key1> \
    1 
    
  --from-literal key2=<custom_key2> \
  -n trustee-operator-system
    1
    Specify a custom key.

    The kbsres1 secret is specified in the spec.kbsSecretResources key of the KbsConfig custom resource.

If you use container image signature verification, you must create a secret that contains the public container image signing key.

The Confidential compute attestation Operator uses the secret to verify the signature, ensuring that only trusted and authenticated container images are deployed in your environment.

You can use Red Hat Trusted Artifact Signer or other tools to sign container images.

Procedure

  1. Create a secret for container image signature verification by running the following command: 

    $ oc apply secret generic <type> \
    1 
    
  --from-file=<tag>=./<public_key_file> \
    2 
    
  -n trustee-operator-system
    1
    Specify the KBS secret type, for example, img-sig.
    2
    Specify the secret tag, for example, pub-key, and the public container image signing key.
  2. Record the <type> value. You must add this value to the spec.kbsSecretResources key when you create the KbsConfig custom resource.

You create the container image signature verification policy because signature verification is always enabled. If this policy is missing, the pods will not start.

If you are not using container image signature verification, you create the policy without signature verification.

For more information, see containers-policy.json 5.

Procedure

  1. Create a security-policy-config.json file according to the following examples:

    • Without signature verification: 

      {
  "default": [
  {
    "type": "insecureAcceptAnything"
  }],
  "transports": {}
}

    • With signature verification: 

      {
    "default": [
    ],
    "transports": {
        "docker": {
            "<container_registry_url>/<username>/busybox:latest":
      1 
      
            [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "kbs:///default/img-sig/pub-key"
      2 
      
                }
            ]
        }
    }
}
      1
      Specify the container registry URL, for example, "quay.io".
      2
      Specify the type and tag of the container image signature verification secret that you created, for example, img-sig/pub-key.

  2. Create the security policy by running the following command: 

    $ oc apply secret generic security-policy \
  --from-file=osc=./<security-policy-config.json> \
  -n trustee-operator-system

    Do not alter the secret type, security-policy, or the key, osc.

    The security-policy secret is specified in the spec.kbsSecretResources key of the KbsConfig custom resource.

8.16.6. Creating the resource access policy
Copy link

You configure the resource access policy for the Trustee policy engine. This policy determines which resources Trustee can access.

Note

The Trustee policy engine is different from the Attestation Service policy engine, which determines the validity of TEE evidence.

Procedure

  1. Create a resourcepolicy-configmap.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: resource-policy
  namespace: trustee-operator-system
data:
  policy.rego:
    package policy
    default allow = true
    allow {
      input["tee"] == "se"
    }
    policy.rego
    The name of the resource policy, policy.rego, must match the resource policy defined in the Trustee config map.
    package policy
    The resource policy follows the Open Policy Agent specification.

  2. Create the resource policy config map by running the following command: 

    $ oc apply -f resourcepolicy-configmap.yaml

8.17. Creating the KbsConfig custom resource
Copy link

You create the KbsConfig custom resource (CR) to launch Trustee.

Then, you check the Trustee pods and pod logs to verify the configuration.

Procedure

  1. Create a kbsconfig-cr.yaml manifest file: 

    apiVersion: confidentialcontainers.org/v1alpha1
kind: KbsConfig
metadata:
  labels:
    app.kubernetes.io/name: kbsconfig
    app.kubernetes.io/instance: kbsconfig
    app.kubernetes.io/part-of: trustee-operator
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/created-by: trustee-operator
  name: kbsconfig
  namespace: trustee-operator-system
spec:
  kbsConfigMapName: kbs-config-cm
  kbsAuthSecretName: kbs-auth-public-key
  kbsDeploymentType: AllInOneDeployment
  kbsRvpsRefValuesConfigMapName: rvps-reference-values
  kbsSecretResources: ["kbsres1", "security-policy", "<type>"]
    1 
    
  kbsResourcePolicyConfigMapName: resource-policy
  kbsAttestationPolicyConfigMapName: attestation-policy
  kbsHttpsKeySecretName: kbs-https-key
  kbsHttpsCertSecretName: kbs-https-certificate
  kbsServiceType: NodePort
  ibmSEConfigSpec:
    certStorePvc: ibmse-pvc
  KbsEnvVars:
    SE_SKIP_CERTS_VERIFICATION: "false"
    2
    1
    Optional: Specify the type value of the container image signature verification secret if you created the secret, for example, img-sig. If you did not create the secret, set the kbsSecretResources value to ["kbsres1", "security-policy"].
    2
    Specify true only for testing purposes.

  2. Create the KbsConfig CR by running the following command: 

    $ oc apply -f kbsconfig-cr.yaml

8.18. Verifying the Trustee configuration
Copy link

You verify the Trustee configuration by checking the Trustee pods and logs.

Procedure

  1. Set the default project by running the following command: 

    $ oc project trustee-operator-system

  2. Check the Trustee pods by running the following command: 

    $ oc get pods -n trustee-operator-system

    Example output

    NAME                                                   READY   STATUS    RESTARTS   AGE
trustee-deployment-8585f98449-9bbgl                    1/1     Running   0          22m
trustee-operator-controller-manager-5fbd44cd97-55dlh   2/2     Running   0          59m

  3. Set the POD_NAME environmental variable by running the following command: 

    $ POD_NAME=$(oc get pods -l app=kbs -o jsonpath='{.items[0].metadata.name}' -n trustee-operator-system)

  4. Check the pod logs by running the following command: 

    $ oc logs -n trustee-operator-system $POD_NAME

    Example output

    [2024-05-30T13:44:24Z INFO  kbs] Using config file /etc/kbs-config/kbs-config.json
[2024-05-30T13:44:24Z WARN  attestation_service::rvps] No RVPS address provided and will launch a built-in rvps
[2024-05-30T13:44:24Z INFO  attestation_service::token::simple] No Token Signer key in config file, create an ephemeral key and without CA pubkey cert
[2024-05-30T13:44:24Z INFO  api_server] Starting HTTPS server at [0.0.0.0:8080]
[2024-05-30T13:44:24Z INFO  actix_server::builder] starting 12 workers
[2024-05-30T13:44:24Z INFO  actix_server::server] Tokio runtime found; starting in existing Tokio runtime

  5. Verify that the kbs-service is exposed on a node port by running the following command: 

    $ oc get svc kbs-service -n trustee-operator-system

    Example output

    NAME          TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
kbs-service   NodePort   198.51.100.54   <none>        8080:31862/TCP   23h

  6. Obtain the Trustee deployment pod name by running the following command: 

    $ oc get pods -n trustee-operator-system | grep -i trustee-deployment

    Example output

    NAME                                                   READY   STATUS    RESTARTS   AGE
trustee-deployment-d746679cd-plq82                     1/1     Running   0          2m32s

8.19. Verifying the attestation process
Copy link

You can verify the attestation process by creating a BusyBox pod. The pod image deploys the confidential workload where you can retrieve the key.

Important

This procedure is an example to verify that attestation is working. Do not write sensitive data to standard I/O because the data can be captured by using a memory dump. Only data written to memory is encrypted.

Procedure

  1. Create a busybox.yaml manifest file: 

    apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
  labels:
    run: busybox
spec:
  runtimeClassName: kata-remote
  restartPolicy: Never
  containers:
  - name: busybox
    image: quay.io/prometheus/busybox:latest
    imagePullPolicy: Always
    command:
      - "sleep"
      - "3600"

  2. Create the pod by running the following command: 

    $ oc create -f busybox.yaml

  3. Log in to the pod by running the following command: 

    $ oc exec -it busybox -n default -- /bin/sh

  4. Get the secret key by running the following command: 

    $ wget http://127.0.0.1:8006/cdh/resource/default/kbsres1/key1

    Example output

    Connecting to 127.0.0.1:8006 (127.0.0.1:8006)
saving to 'key1'
key1                 100% |*******************************************|     8  0:00:00 ETA
'key1' saved

  5. Display the key1 value by running the following command: 

    $ cat key1

    Example output

    res1val1/ #

Chapter 9. Monitoring
Copy link

You can use the OpenShift Container Platform web console to monitor metrics related to the health status of your sandboxed workloads and nodes.

OpenShift sandboxed containers has a pre-configured dashboard available in the OpenShift Container Platform web console. Administrators can also access and query raw metrics through Prometheus.

9.1. About metrics
Copy link

OpenShift sandboxed containers metrics enable administrators to monitor how their sandboxed containers are running. You can query for these metrics in Metrics UI In the OpenShift Container Platform web console.

OpenShift sandboxed containers metrics are collected for the following categories:

Kata agent metrics
Kata agent metrics display information about the kata agent process running in the VM embedded in your sandboxed containers. These metrics include data from /proc/<pid>/[io, stat, status].
Kata guest operating system metrics
Kata guest operating system metrics display data from the guest operating system running in your sandboxed containers. These metrics include data from /proc/[stats, diskstats, meminfo, vmstats] and /proc/net/dev.
Hypervisor metrics
Hypervisor metrics display data regarding the hypervisor running the VM embedded in your sandboxed containers. These metrics mainly include data from /proc/<pid>/[io, stat, status].
Kata monitor metrics
Kata monitor is the process that gathers metric data and makes it available to Prometheus. The kata monitor metrics display detailed information about the resource usage of the kata-monitor process itself. These metrics also include counters from Prometheus data collection.
Kata containerd shim v2 metrics
Kata containerd shim v2 metrics display detailed information about the kata shim process. These metrics include data from /proc/<pid>/[io, stat, status] and detailed resource usage metrics.

9.2. Viewing metrics
Copy link

You can access the metrics for OpenShift sandboxed containers in the Metrics page In the OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role or with view permissions for all projects.

Procedure

  1. In the OpenShift Container Platform web console, navigate to ObserveMetrics.

  2. In the input field, enter the query for the metric you want to observe.

    All kata-related metrics begin with kata. Typing kata displays a list of all available kata metrics.

The metrics from your query are visualized on the page.

Chapter 10. Uninstalling
Copy link

You can uninstall OpenShift sandboxed containers and remove the Confidential Containers environment.

10.1. Uninstalling OpenShift sandboxed containers
Copy link

You can uninstall OpenShift sandboxed containers by using the OpenShift Container Platform web console or the command line.

You uninstall OpenShift sandboxed containers by performing the following tasks:

  1. Delete the workload pods.
  2. Delete the KataConfig custom resource (CR).
  3. Uninstall the OpenShift sandboxed containers Operator.
  4. Delete the KataConfig custom resource definition (CRD).
Important

You must delete the workload pods before deleting the KataConfig CR. The pod names usually have the prefix podvm and custom tags, if provided. If you deployed OpenShift sandboxed containers or Confidential Containers on a cloud provider and any resources remain after following these procedures, you might receive an unexpected bill for those resources from your cloud provider. Once you complete uninstalling OpenShift sandboxed containers on a cloud provider, check the cloud provider console to ensure that the procedures deleted all of the resources.

You can uninstall OpenShift sandboxed containers by using the OpenShift Container Platform web console.

10.1.1.1. Deleting workload pods
Copy link

You can delete the OpenShift sandboxed containers workload pods by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have a list of pods that use the OpenShift sandboxed containers runtime class.

Procedure

  1. In the OpenShift Container Platform web console, navigate to WorkloadsPods.
  2. Enter the name of the pod that you want to delete in the Search by name field.
  3. Click the pod name to open it.
  4. On the Details page, check that kata or kata-remote is displayed for Runtime class.
  5. Click the Options menu kebab and select Delete Pod.
  6. Click Delete.

Repeat this procedure for each pod.

Important

When uninstalling OpenShift sandboxed containers deployed using a cloud provider, you must delete all of the pods. Any remaining pod resources might result in an unexpected bill from your cloud provider.

10.1.1.2. Deleting the KataConfig custom resource
Copy link

You can delete the KataConfig custom resource (CR) by using the web console.

Deleting the KataConfig CR removes and uninstalls the kata or kata-remote runtime and its related resources from your cluster.

Important

Deleting the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have deleted all pods that use kata or kata-remote as the runtimeClass.

Procedure

  1. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  2. Enter OpenShift sandboxed containers Operator in the Search by name field.
  3. Click the Operator to open it and then click the KataConfig tab.
  4. Click the Options menu kebab and select Delete KataConfig.
  5. Click Delete in the confirmation window.

Wait for the kata or kata-remote runtime and resources to uninstall and for the worker nodes to reboot before continuing to the next step.

Important

When uninstalling OpenShift sandboxed containers deployed using a cloud provider, you must delete all of the pods. Any remaining pod resources might result in an unexpected bill from your cloud provider.

You can uninstall the OpenShift sandboxed containers Operator by using OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have deleted all pods that use kata or kata-remote as the runtimeClass.
  • You have deleted the KataConfig custom resource.

Procedure

  1. Navigate to OperatorsInstalled Operators.
  2. Enter OpenShift sandboxed containers Operator in the Search by name field.

  3. On the right side of the Operator Details page, select Uninstall Operator from the Actions list.

    An Uninstall Operator? dialog box is displayed.

  4. Click Uninstall to remove the Operator, Operator deployments, and pods.
  5. Navigate to AdministrationNamespaces.
  6. Enter openshift-sandboxed-containers-operator in the Search by name field.
  7. Click the Options menu kebab and select Delete Namespace.
  8. In the confirmation dialog, enter openshift-sandboxed-containers-operator and click Delete.
10.1.1.4. Deleting the KataConfig CRD
Copy link

You can delete the KataConfig custom resource definition (CRD) by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have deleted all pods that use kata or kata-remote as the runtimeClass.
  • You have deleted the KataConfig custom resource.
  • You have uninstalled the OpenShift sandboxed containers Operator.

Procedure

  1. In the web console, navigate to AdministrationCustomResourceDefinitions.
  2. Enter the KataConfig name in the Search by name field.
  3. Click the Options menu and select Delete CustomResourceDefinition.
  4. Click Delete in the confirmation window.

You can uninstall OpenShift sandboxed containers by using the command-line interface (CLI).

10.1.2.1. Deleting workload pods
Copy link

You can delete the OpenShift sandboxed containers workload pods by using the CLI.

Prerequisites

  • You have the JSON processor (jq) utility installed.

Procedure

  1. Search for the pods by running the following command: 

    $ oc get pods -A -o json | jq -r '.items[] | \
  select(.spec.runtimeClassName == "<runtime>").metadata.name'
    1
    1
    Replace <runtime> with kata for bare metal deployments, or with kata-remote for AWS, Azure, IBM Z®, and IBM® LinuxONE deployments.

  2. Delete each pod by running the following command: 

    $ oc delete pod <pod>
Important

When uninstalling OpenShift sandboxed containers deployed using a cloud provider, you must delete all of the pods. Any remaining pod resources might result in an unexpected bill from your cloud provider.

10.1.2.2. Deleting the KataConfig custom resource
Copy link

You can delete the KataConfig custom resource (CR) by using the command line.

Deleting the KataConfig CR removes the runtime and its related resources from your cluster.

Important

Deleting the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.
  • You have deleted all pods that use kata or kata-remote as the runtimeClass.

Procedure

  1. Delete the KataConfig CR by running the following command: 

    $ oc delete kataconfig example-kataconfig

    The OpenShift sandboxed containers Operator removes all resources that were initially created to enable the runtime on your cluster.

    Important

    When you delete the KataConfig CR, the CLI stops responding until all worker nodes reboot. You must wait for the deletion process to complete before performing the verification.

  2. Verify that the custom resource was deleted by running the following command: 

    $ oc get kataconfig example-kataconfig

    Example output

    No example-kataconfig instances exist

Important

When uninstalling OpenShift sandboxed containers deployed using a cloud provider, you must delete all of the pods. Any remaining pod resources might result in an unexpected bill from your cloud provider.

You can uninstall the OpenShift sandboxed containers Operator by using the command line.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.
  • You have deleted all pods that use kata or kata-remote as the runtimeClass.
  • You have deleted the KataConfig custom resource.

Procedure

  1. Delete the subscription by running the following command: 

    $ oc delete subscription sandboxed-containers-operator -n openshift-sandboxed-containers-operator

  2. Delete the namespace by running the following command: 

    $ oc delete namespace openshift-sandboxed-containers-operator
10.1.2.4. Deleting the KataConfig CRD
Copy link

You can delete the KataConfig custom resource definition (CRD) by using the command line.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.
  • You have deleted all pods that use kata or kata-remote as the runtimeClass.
  • You have deleted the KataConfig custom resource.
  • You have uninstalled the OpenShift sandboxed containers Operator.

Procedure

  1. Delete the KataConfig CRD by running the following command: 

    $ oc delete crd kataconfigs.kataconfiguration.openshift.io

  2. Verify that the CRD was deleted by running the following command: 

    $ oc get crd kataconfigs.kataconfiguration.openshift.io

    Example output

    Unknown CRD kataconfigs.kataconfiguration.openshift.io

You can remove the Confidential Containers environment by using the OpenShift Container Platform web console or the command line.

You remove the Confidential Containers environment by performing the following tasks:

  1. Delete the KbsConfig custom resource.
  2. Uninstall the Confidential compute attestation Operator.
  3. Delete the KbsConfig custom resource definition.

You can remove the Confidential Containers environment by using the OpenShift Container Platform web console.

10.2.1.1. Deleting the KbsConfig custom resource
Copy link

You can delete the KbsConfig custom resource (CR) by using the web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have uninstalled OpenShift sandboxed containers.

Procedure

  1. In the OpenShift Container Platform web console, navigate to OperatorsInstalled Operators.
  2. Enter Confidential compute attestation in the Search by name field.
  3. Click the Operator to open it and then click the KbsConfig tab.
  4. Click the Options menu kebab and select Delete KbsConfig.
  5. Click Delete in the confirmation window.
Important

When uninstalling OpenShift sandboxed containers deployed using a cloud provider, you must delete all of the pods. Any remaining pod resources might result in an unexpected bill from your cloud provider.

You can uninstall the Confidential compute attestation Operator by using OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have deleted all pods that use kata or kata-remote as the runtimeClass.
  • You have deleted the KbsConfig custom resource.

Procedure

  1. Navigate to OperatorsInstalled Operators.
  2. Enter Confidential compute attestation in the Search by name field.

  3. On the right side of the Operator Details page, select Uninstall Operator from the Actions list.

    An Uninstall Operator? dialog box is displayed.

  4. Click Uninstall to remove the Operator, Operator deployments, and pods.
  5. Navigate to AdministrationNamespaces.
  6. Enter trustee-operator-system in the Search by name field.
  7. Click the Options menu kebab and select Delete Namespace.
  8. In the confirmation dialog, enter trustee-operator-system and click Delete.
10.2.1.3. Deleting the KbsConfig CRD
Copy link

You can delete the KbsConfig custom resource definition (CRD) by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have deleted all pods that use kata or kata-remote as the runtimeClass.
  • You have deleted the KbsConfig custom resource.
  • You have uninstalled the Confidential compute attestation Operator.

Procedure

  1. In the web console, navigate to AdministrationCustomResourceDefinitions.
  2. Enter the KbsConfig name in the Search by name field.
  3. Click the Options menu and select Delete CustomResourceDefinition.
  4. Click Delete in the confirmation window.

You can remove the Confidential Containers environment by using the command-line interface (CLI).

10.2.2.1. Deleting the KbsConfig custom resource
Copy link

You can delete the KbsConfig custom resource (CR) by using the command line.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.
  • You have uninstalled OpenShift sandboxed containers.

Procedure

  1. Delete the KbsConfig CR by running the following command: 

    $ oc delete kbsconfig kbsconfig

  2. Verify that the custom resource was deleted by running the following command: 

    $ oc get kbsconfig kbsconfig

    Example output

    No kbsconfig instances exist

Important

When uninstalling OpenShift sandboxed containers deployed using a cloud provider, you must delete all of the pods. Any remaining pod resources might result in an unexpected bill from your cloud provider.

You can uninstall the Confidential compute attestation Operator by using the command line.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.
  • You have deleted the KbsConfig custom resource.

Procedure

  1. Delete the subscription by running the following command: 

    $ oc delete subscription trustee-operator -n trustee-operator-system

  2. Delete the namespace by running the following command: 

    $ oc delete namespace trustee-operator-system
10.2.2.3. Deleting the KbsConfig CRD
Copy link

You can delete the KbsConfig custom resource definition (CRD) by using the command line.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.
  • You have deleted all pods that use kata or kata-remote as the runtimeClass.
  • You have deleted the KbsConfig custom resource.
  • You have uninstalled the Confidential compute attestation Operator.

Procedure

  1. Delete the KbsConfig CRD by running the following command: 

    $ oc delete crd kbsconfigs.confidentialcontainers.org

  2. Verify that the CRD was deleted by running the following command: 

    $ oc get crd kbsconfigs.confidentialcontainers.org

    Example output

    Unknown CRD kbsconfigs.confidentialcontainers.org

Chapter 11. Upgrading
Copy link

The upgrade of the OpenShift sandboxed containers components consists of the following steps:

  1. Upgrade OpenShift Container Platform to update the Kata runtime and its dependencies.
  2. Upgrade the OpenShift sandboxed containers Operator to update the Operator subscription.

You can upgrade OpenShift Container Platform before or after the OpenShift sandboxed containers Operator upgrade, with the one exception noted below. Always apply the KataConfig patch immediately after upgrading the OpenShift sandboxed containers Operator.

11.1. Upgrading resources
Copy link

Red Hat Enterprise Linux CoreOS (RHCOS) extensions deploy the OpenShift sandboxed containers resources onto the cluster.

The RHCOS extension sandboxed containers contains the required components to run OpenShift sandboxed containers, such as the Kata containers runtime, the hypervisor QEMU, and other dependencies. You upgrade the extension by upgrading the cluster to a new release of OpenShift Container Platform.

For more information about upgrading OpenShift Container Platform, see Updating Clusters.

11.2. Upgrading the Operator
Copy link

Use Operator Lifecycle Manager (OLM) to upgrade the OpenShift sandboxed containers Operator either manually or automatically. Selecting between manual or automatic upgrade during the initial deployment determines the future upgrade mode. For manual upgrades, the OpenShift Container Platform web console shows the available updates that the cluster administrator can install.

For more information about upgrading the OpenShift sandboxed containers Operator in Operator Lifecycle Manager (OLM), see Updating installed Operators.

11.3. Updating the pod VM image
Copy link

For AWS, Azure, and IBM deployments, you must update the pod VM image. Upgrading the OpenShift sandboxed containers Operator when the enablePeerpods: paramter is true will not update the existing pod VM image automatically. To update the pod VM image after an upgrade you must delete and re-create the KataConfig CR.

Note

You can also check the peer pod config map for AWS and Azure deployments to ensure that the image ID is empty before re-creating the KataConfig CR.

11.3.1. Deleting the KataConfig custom resource
Copy link

You can delete the KataConfig custom resource (CR) by using the command line.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Delete the KataConfig CR by running the following command: 

    $ oc delete kataconfig example-kataconfig

  2. Verify that the custom resource was deleted by running the following command: 

    $ oc get kataconfig example-kataconfig

    Example output

    No example-kataconfig instances exist

Important

When uninstalling OpenShift sandboxed containers deployed using a cloud provider, you must delete all of the pods. Any remaining pod resources might result in an unexpected bill from your cloud provider.

11.3.2. Ensure peer pods CM image ID is empty
Copy link

When you delete the KataConfig CR, it should delete the peer pods CM image ID. For AWS and Azure deployments, check to ensure that the peer pods CM image ID is empty.

Procedure

  1. Obtain the config map you created for the peer pods: 

    $ oc get cm -n openshift-sandboxed-containers-operator peer-pods-cm -o jsonpath="{.data.AZURE_IMAGE_ID}"

    Use PODVM_AMI_ID for AWS. Use AZURE_IMAGE_ID for Azure.

  2. Check the status stanza of the YAML file.
  3. If the PODVM_AMI_ID parameter for AWS or the AZURE_IMAGE_ID parameter for Azure contains a value, set the value to "".

  4. If you have set the value to "", patch the peer pods config map: 

    $ oc patch configmap peer-pods-cm -n openshift-sandboxed-containers-operator -p '{"data":{"AZURE_IMAGE_ID":""}}'

    Use PODVM_AMI_ID for AWS. Use AZURE_IMAGE_ID for Azure.

11.3.3. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

Creating the KataConfig CR triggers the OpenShift sandboxed containers Operator to do the following:

  • Create a RuntimeClass CR named kata-remote with a default configuration. This enables users to configure workloads to use kata-remote as the runtime by referencing the CR in the RuntimeClassName field. This CR also specifies the resource overhead for the runtime.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1

  2. Create the KataConfig CR by running the following command: 

    $ oc apply -f example-kataconfig.yaml

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds

  5. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass

    Example output

    NAME             HANDLER          AGE
kata             kata             152m
kata-remote      kata-remote      152m

Chapter 12. Troubleshooting
Copy link

When troubleshooting OpenShift sandboxed containers, you can open a support case and provide debugging information using the must-gather tool.

If you are a cluster administrator, you can also review logs on your own, enabling a more detailed level of logs.

12.1. Collecting data for Red Hat Support
Copy link

When opening a support case, it is helpful to provide debugging information about your cluster to Red Hat Support.

The must-gather tool enables you to collect diagnostic information about your OpenShift Container Platform cluster, including virtual machines and other data related to OpenShift sandboxed containers.

For prompt support, supply diagnostic information for both OpenShift Container Platform and OpenShift sandboxed containers.

Using the must-gather tool

The oc adm must-gather CLI command collects the information from your cluster that is most likely needed for debugging issues, including:

  • Resource definitions
  • Service logs

By default, the oc adm must-gather command uses the default plugin image and writes into ./must-gather.local.

Alternatively, you can collect specific information by running the command with the appropriate arguments as described in the following sections:

  • To collect data related to one or more specific features, use the --image argument with an image, as listed in a following section.

    For example: 

    $ oc adm must-gather --image=registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:1.9.0

  • To collect the audit logs, use the -- /usr/bin/gather_audit_logs argument, as described in a following section.

    For example: 

    $ oc adm must-gather -- /usr/bin/gather_audit_logs
    Note

    Audit logs are not collected as part of the default set of information to reduce the size of the files.

When you run oc adm must-gather, a new pod with a random name is created in a new project on the cluster. The data is collected on that pod and saved in a new directory that starts with must-gather.local. This directory is created in the current working directory.

For example: 

NAMESPACE                      NAME                 READY   STATUS      RESTARTS      AGE
...
openshift-must-gather-5drcj    must-gather-bklx4    2/2     Running     0             72s
openshift-must-gather-5drcj    must-gather-s8sdh    2/2     Running     0             72s
...

Optionally, you can run the oc adm must-gather command in a specific namespace by using the --run-namespace option.

For example: 

$ oc adm must-gather --run-namespace <namespace> --image=registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:1.9.0

12.2. Collecting log data
Copy link

The following features and objects are associated with OpenShift sandboxed containers:

  • All namespaces and their child objects that belong to OpenShift sandboxed containers resources
  • All OpenShift sandboxed containers custom resource definitions (CRDs)

You can collect the following component logs for each pod running with the kata runtime:

  • Kata agent logs
  • Kata runtime logs
  • QEMU logs
  • Audit logs
  • CRI-O logs

12.2.1. Enabling debug logs for CRI-O runtime
Copy link

You can enable debug logs by updating the logLevel field in the KataConfig CR. This changes the log level in the CRI-O runtime for the worker nodes running OpenShift sandboxed containers.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Change the logLevel field in your existing KataConfig CR to debug: 

    $ oc patch kataconfig <kataconfig> --type merge --patch '{"spec":{"logLevel":"debug"}}'

  2. Monitor the kata-oc machine config pool until the value of UPDATED is True, indicating that all worker nodes are updated: 

    $ oc get mcp kata-oc

    Example output

    NAME     CONFIG                 UPDATED  UPDATING  DEGRADED  MACHINECOUNT  READYMACHINECOUNT  UPDATEDMACHINECOUNT  DEGRADEDMACHINECOUNT  AGE
kata-oc  rendered-kata-oc-169   False    True      False     3             1                  1                    0                     9h

Verification

  1. Start a debug session with a node in the machine config pool: 

    $ oc debug node/<node_name>

  2. Change the root directory to /host: 

    # chroot /host

  3. Verify the changes in the crio.conf file: 

    # crio config | egrep 'log_level

    Example output

    log_level = "debug"

12.2.2. Viewing debug logs for components
Copy link

Cluster administrators can use the debug logs to troubleshoot issues. The logs for each node are printed to the node journal.

You can review the logs for the following OpenShift sandboxed containers components:

  • Kata agent
  • Kata runtime (containerd-shim-kata-v2)
  • virtiofsd

QEMU only generates warning and error logs. These warnings and errors print to the node journal in both the Kata runtime logs and the CRI-O logs with an extra qemuPid field.

Example of QEMU logs

Mar 11 11:57:28 openshift-worker-0 kata[2241647]: time="2023-03-11T11:57:28.587116986Z" level=info msg="Start logging QEMU (qemuPid=2241693)" name=containerd-shim-v2 pid=2241647 sandbox=d1d4d68efc35e5ccb4331af73da459c13f46269b512774aa6bde7da34db48987 source=virtcontainers/hypervisor subsystem=qemu

Mar 11 11:57:28 openshift-worker-0 kata[2241647]: time="2023-03-11T11:57:28.607339014Z" level=error msg="qemu-kvm: -machine q35,accel=kvm,kernel_irqchip=split,foo: Expected '=' after parameter 'foo'" name=containerd-shim-v2 pid=2241647 qemuPid=2241693 sandbox=d1d4d68efc35e5ccb4331af73da459c13f46269b512774aa6bde7da34db48987 source=virtcontainers/hypervisor subsystem=qemu

Mar 11 11:57:28 openshift-worker-0 kata[2241647]: time="2023-03-11T11:57:28.60890737Z" level=info msg="Stop logging QEMU (qemuPid=2241693)" name=containerd-shim-v2 pid=2241647 sandbox=d1d4d68efc35e5ccb4331af73da459c13f46269b512774aa6bde7da34db48987 source=virtcontainers/hypervisor subsystem=qemu

The Kata runtime prints Start logging QEMU when QEMU starts, and Stop Logging QEMU when QEMU stops. The error appears in between these two log messages with the qemuPid field. The actual error message from QEMU appears in red.

The console of the QEMU guest is printed to the node journal as well. You can view the guest console logs together with the Kata agent logs.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  • To review the Kata agent logs and guest console logs, run the following command: 

    $ oc debug node/<nodename> -- journalctl -D /host/var/log/journal -t kata -g “reading guest console”

  • To review the Kata runtime logs, run the following command: 

    $ oc debug node/<nodename> -- journalctl -D /host/var/log/journal -t kata

  • To review the virtiofsd logs, run the following command: 

    $ oc debug node/<nodename> -- journalctl -D /host/var/log/journal -t virtiofsd

  • To review the QEMU logs, run the following command: 

    $ oc debug node/<nodename> -- journalctl -D /host/var/log/journal -t kata -g "qemuPid=\d+"

Additional resources

Appendix A. KataConfig status messages
Copy link

The following table displays the status messages for the KataConfig custom resource (CR) for a cluster with two worker nodes.

Expand
Table A.1. KataConfig status messages
StatusDescription

Initial installation

When a KataConfig CR is created and starts installing kata-remote on both workers, the following status is displayed for a few seconds. 

 conditions:
    message: Performing initial installation of kata-remote on cluster
    reason: Installing
    status: 'True'
    type: InProgress
 kataNodes:
   nodeCount: 0
   readyNodeCount: 0

Installing

Within a few seconds the status changes. 

 kataNodes:
   nodeCount: 2
   readyNodeCount: 0
   waitingToInstall:
   - worker-0
   - worker-1

Installing (Worker-1 installation starting)

For a short period of time, the status changes, signifying that one node has initiated the installation of kata-remote, while the other is in a waiting state. This is because only one node can be unavailable at any given time. The nodeCount remains at 2 because both nodes will eventually receive kata-remote, but the readyNodeCount is currently 0 as neither of them has reached that state yet. 

 kataNodes:
   installing:
   - worker-1
   nodeCount: 2
   readyNodeCount: 0
   waitingToInstall:
   - worker-0

Installing (Worker-1 installed, worker-0 installation started)

After some time, worker-1 will complete its installation, causing a change in the status. The readyNodeCount is updated to 1, indicating that worker-1 is now prepared to execute kata-remote workloads. You cannot schedule or run kata-remote workloads until the runtime class is created at the end of the installation process. 

 kataNodes:
   installed:
   - worker-1
   installing:
   - worker-0
   nodeCount: 2
   readyNodeCount: 1

Installed

When installed, both workers are listed as installed, and the InProgress condition transitions to False without specifying a reason, indicating the successful installation of kata-remote on the cluster. 

 conditions:
    message: ""
    reason: ""
    status: 'False'
    type: InProgress
 kataNodes:
   installed:
   - worker-0
   - worker-1
   nodeCount: 2
   readyNodeCount: 2
Expand
StatusDescription

Initial uninstall

If kata-remote is installed on both workers, and you delete the KataConfig to remove kata-remote from the cluster, both workers briefly enter a waiting state for a few seconds. 

 conditions:
    message: Removing kata-remote from cluster
    reason: Uninstalling
    status: 'True'
    type: InProgress
 kataNodes:
   nodeCount: 0
   readyNodeCount: 0
   waitingToUninstall:
   - worker-0
   - worker-1

Uninstalling

After a few seconds, one of the workers starts uninstalling. 

 kataNodes:
   nodeCount: 0
   readyNodeCount: 0
   uninstalling:
   - worker-1
   waitingToUninstall:
   - worker-0

Uninstalling

Worker-1 finishes and worker-0 starts uninstalling. 

 kataNodes:
   nodeCount: 0
   readyNodeCount: 0
   uninstalling:
   - worker-0
Note

The reason field can also report the following causes:

  • Failed: This is reported if the node cannot finish its transition. The status reports True and the message is Node <node_name> Degraded: <error_message_from_the_node>.
  • BlockedByExistingKataPods: This is reported if there are pods running on a cluster that use the kata-remote runtime while kata-remote is being uninstalled. The status field is False and the message is Existing pods using "kata-remote" RuntimeClass found. Please delete the pods manually for KataConfig deletion to proceed. There could also be a technical error message reported like Failed to list kata pods: <error_message> if communication with the cluster control plane fails.

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top