Chapter 2. New features and enhancements


This section describes new features and enhancements introduced in OpenShift sandboxed containers 1.9.

Google Cloud support for OpenShift sandboxed containers

You can now run OpenShift sandboxed containers workloads on Google Cloud. OpenShift sandboxed containers provides enhanced isolation for workloads, such as CI, that require elevated privileges.

Jira:KATA-2414

initdata for Confidential Containers

Confidential Containers now support the initdata specification for configuring a peer pod at runtime, avoiding the need to embed sensitive data in the peer pod virtual machine image. This feature enhances security by reducing exposure of confidential information and improves flexibility by eliminating custom image builds. You can apply an initdata configuration globally or to a specific pod.

Jira:KATA-3426

Custom peer pod VM image support

OpenShift sandboxed containers and Confidential Containers now support custom virtual machine images for peer pods. This feature enables you to select an image that is tailored to your workload requirements. You reference the custom image by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.

Jira:KATA-3420

Kata Agent policy customization

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. This policy determines which operations are allowed or denied. You can override the default policy with a custom policy for testing or development by adding an annotation to a peer pod manifest. In production environments, use initdata to change the policy.

Jira:KATA-3249
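
Because the annotation override is meant for testing or development, a cluster audit can flag peer pods that carry it elsewhere. The following is an added example, not code from the OpenShift sandboxed containers documentation. It assumes the upstream Kata Containers annotation name `io.katacontainers.config.agent.policy`, which this page does not state, and it uses constructed namespaces, pod names, and policy content.

```python
import base64
import binascii
import hashlib

# Upstream Kata Containers annotation carrying a base64-encoded agent policy.
POLICY_ANNOTATION = "io.katacontainers.config.agent.policy"


def find_policy_overrides(pod_list, dev_namespaces):
    """Report pods that override the agent policy outside the dev namespaces."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        encoded = (meta.get("annotations") or {}).get(POLICY_ANNOTATION)
        if encoded is None or meta.get("namespace") in dev_namespaces:
            continue
        try:
            policy = base64.b64decode(encoded, validate=True)
            digest = hashlib.sha256(policy).hexdigest()
        except (binascii.Error, ValueError):
            digest = None  # malformed value is still an override attempt
        findings.append({
            "namespace": meta.get("namespace"),
            "pod": meta.get("name"),
            "runtime_class": pod.get("spec", {}).get("runtimeClassName"),
            "policy_sha256": digest,  # compare against reviewed policy hashes
        })
    return findings


def _pod(namespace, name, annotations=None):
    # Helper for the constructed sample below (hypothetical names throughout).
    return {"metadata": {"namespace": namespace, "name": name,
                         "annotations": annotations},
            "spec": {"runtimeClassName": "kata-remote"}}


# Constructed sample shaped like `oc get pods -A -o json` output.
SAMPLE_POLICY = b"package agent_policy\n# constructed placeholder policy\n"
ENCODED = base64.b64encode(SAMPLE_POLICY).decode()
SAMPLE = {"items": [
    _pod("ci-dev", "build-1", {POLICY_ANNOTATION: ENCODED}),
    _pod("payments", "api-0", {POLICY_ANNOTATION: ENCODED}),
    _pod("payments", "api-1"),
    _pod("billing", "job-7", {POLICY_ANNOTATION: "not*base64!"}),
]}

if __name__ == "__main__":
    for finding in find_policy_overrides(SAMPLE, dev_namespaces={"ci-dev"}):
        print(finding)
```

To audit a live cluster, load the JSON pod list with `json.load` and pass it in place of `SAMPLE`.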

Overriding default cluster credentials

Since version 1.7, OpenShift sandboxed containers uses the credentials of the OpenShift Container Platform cluster by default. These credentials are provided by the Cloud Credentials Operator. You can override the default credentials by creating a peer pods secret that specifies your cloud provider credentials. If you uninstall the Cloud Credentials Operator, you must create a peer pods secret.

Jira:KATA-2216


© 2025 Red Hat