
Chapter 4. Deploying OpenShift sandboxed containers on Azure


You can deploy OpenShift sandboxed containers on Microsoft Azure Cloud Computing Services.

OpenShift sandboxed containers deploys peer pods. The peer pod design circumvents the need for nested virtualization. For more information, see peer pod and Peer pods technical deep dive.

Cluster requirements

  • You have installed Red Hat OpenShift Container Platform 4.14 or later on the cluster where you are installing the OpenShift sandboxed containers Operator.
  • Your cluster has at least one worker node.

For details on installing OpenShift Container Platform on Microsoft Azure Cloud Computing Services see Installing on Azure.

4.1. Peer pod resource requirements

You must ensure that your cluster has sufficient resources.

Peer pod virtual machines (VMs) require resources in two locations:

  • The worker node. The worker node stores metadata, Kata shim resources (containerd-shim-kata-v2), remote-hypervisor resources (cloud-api-adaptor), and the tunnel setup between the worker nodes and the peer pod VM.
  • The cloud instance. This is the actual peer pod VM running in the cloud.

The CPU and memory resources used in the Kubernetes worker node are handled by the pod overhead included in the RuntimeClass (kata-remote) definition used for creating peer pods.

The total number of peer pod VMs running in the cloud is defined as Kubernetes Node extended resources. This limit is per node and is set by the PEERPODS_LIMIT_PER_NODE attribute in the peer-pods-cm config map.

The extended resource is named kata.peerpods.io/vm, and enables the Kubernetes scheduler to handle capacity tracking and accounting.

You can edit the limit per node based on the requirements for your environment after you install the OpenShift sandboxed containers Operator.

A mutating webhook adds the extended resource kata.peerpods.io/vm to the pod specification. It also removes any resource-specific entries from the pod specification, if present. This enables the Kubernetes scheduler to account for these extended resources, ensuring the peer pod is only scheduled when resources are available.

The mutating webhook modifies a Kubernetes pod as follows:

  • The mutating webhook checks the pod for the expected RuntimeClassName value, specified in the TARGET_RUNTIME_CLASS environment variable. If the value in the pod specification does not match the value in the TARGET_RUNTIME_CLASS, the webhook exits without modifying the pod.
  • If the RuntimeClassName values match, the webhook makes the following changes to the pod spec:

    1. The webhook removes every resource specification from the resources field of all containers and init containers in the pod.
    2. The webhook adds the extended resource (kata.peerpods.io/vm) to the spec by modifying the resources field of the first container in the pod. The extended resource kata.peerpods.io/vm is used by the Kubernetes scheduler for accounting purposes.
Note

The mutating webhook excludes specific system namespaces in OpenShift Container Platform from mutation. If a peer pod is created in those system namespaces, then resource accounting using Kubernetes extended resources does not work unless the pod spec includes the extended resource.

As a best practice, define a cluster-wide policy to only allow peer pod creation in specific namespaces.
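
The following Python script is an added example, not part of the Red Hat documentation or the Operator's webhook code. It models the mutation described above so that you can see what happens to a pod spec, and adds a scheduler-side check against the per-node kata.peerpods.io/vm capacity. The excluded namespace set and the sample pod are constructed for the example.

```python
import copy
import os

EXTENDED_RESOURCE = "kata.peerpods.io/vm"
# The webhook reads the expected runtime class from TARGET_RUNTIME_CLASS.
TARGET_RUNTIME_CLASS = os.environ.get("TARGET_RUNTIME_CLASS", "kata-remote")
# Constructed placeholder: the real list of excluded system namespaces is not
# given on the page, so this example uses an illustrative set.
EXCLUDED_NAMESPACES = {"openshift-sandboxed-containers-operator", "kube-system"}


def mutate_peer_pod(pod: dict) -> dict:
    """Return the mutated pod, or the input object unchanged when the webhook
    would exit without modifying it."""
    spec = pod.get("spec", {})
    if spec.get("runtimeClassName") != TARGET_RUNTIME_CLASS:
        return pod  # not a peer pod: exit without changes
    if pod.get("metadata", {}).get("namespace") in EXCLUDED_NAMESPACES:
        return pod  # system namespace: left unmutated, so no accounting
    mutated = copy.deepcopy(pod)
    mspec = mutated["spec"]
    # 1. Remove every resource specification from all containers and init containers.
    for container in mspec.get("containers", []) + mspec.get("initContainers", []):
        container.pop("resources", None)
    # 2. Add the extended resource to the first container. Extended resources must
    #    have equal requests and limits, so one peer pod VM is both requested and limited.
    mspec["containers"][0]["resources"] = {
        "requests": {EXTENDED_RESOURCE: "1"},
        "limits": {EXTENDED_RESOURCE: "1"},
    }
    return mutated


def fits_on_node(node_allocatable: dict, peer_pods_scheduled: int) -> bool:
    """Scheduler-side view: a node advertises PEERPODS_LIMIT_PER_NODE as its
    kata.peerpods.io/vm allocatable; another peer pod fits only while the pods
    already placed there have not consumed all of it."""
    return peer_pods_scheduled < int(node_allocatable.get(EXTENDED_RESOURCE, 0))


# Constructed sample: a peer pod whose containers ask for CPU and memory.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "peer-pod-example", "namespace": "peer-pods-demo"},
    "spec": {
        "runtimeClassName": "kata-remote",
        "initContainers": [
            {"name": "init", "image": "registry.access.redhat.com/ubi9/ubi:9.3",
             "resources": {"requests": {"cpu": "100m"}}},
        ],
        "containers": [
            {"name": "app", "image": "registry.access.redhat.com/ubi9/ubi:9.3",
             "resources": {"requests": {"cpu": "500m", "memory": "1Gi"},
                           "limits": {"cpu": "1", "memory": "2Gi"}}},
            {"name": "sidecar", "image": "registry.access.redhat.com/ubi9/ubi:9.3",
             "resources": {"limits": {"memory": "256Mi"}}},
        ],
    },
}

if __name__ == "__main__":
    import json
    # Shows the spec after mutation: only the first container keeps a resources
    # field, and it contains nothing but the extended resource.
    print(json.dumps(mutate_peer_pod(SAMPLE_POD)["spec"], indent=2))
```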

4.2. Configuring outbound connections

To enable peer pods to communicate with external networks, such as the public internet, you must configure outbound connectivity for the pod virtual machine (VM) subnet. This involves setting up a NAT gateway and, optionally, defining how the subnet integrates with your cluster’s virtual network (VNet) in Azure.

Peer pods and subnets
Peer pods operate in a dedicated Azure subnet that requires explicit configuration for outbound access. This subnet can either be the default worker subnet used by OpenShift Container Platform nodes or a separate, custom subnet created specifically for peer pods.
VNet peering
When using a separate subnet, VNet peering connects the peer pod VNet to the cluster’s VNet, ensuring internal communication while maintaining isolation. This requires non-overlapping CIDR ranges between the VNets.

You can configure outbound connectivity in two ways:

  • Default worker subnet: Modify the existing worker subnet to include a NAT gateway. This is simpler and reuses cluster resources, but it offers less isolation.
  • Peer pod VNet: Set up a dedicated VNet and subnet for peer pods, attach a NAT gateway, and peer it with the cluster VNet. This provides greater isolation and flexibility at the cost of additional complexity.

4.2.1. Configuring the default worker subnet for outbound connections

You can configure the default worker subnet with a NAT gateway.

Prerequisites

  • The Azure CLI (az) is installed and authenticated.
  • You have administrator access to the Azure resource group and the VNet.

Procedure

  1. Set the AZURE_RESOURCE_GROUP environment variable by running the following command:

    $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
        -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')
  2. Set the AZURE_REGION environment variable by running the following command:

    $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} \
        --query "{Location:location}" --output tsv) && \
        echo "AZURE_REGION: \"$AZURE_REGION\""
  3. Set the AZURE_VNET_NAME environment variable by running the following command:

    $ AZURE_VNET_NAME=$(az network vnet list \
        -g "${AZURE_RESOURCE_GROUP}" --query '[].name' -o tsv)
  4. Set the AZURE_SUBNET_ID environment variable by running the following command:

    $ AZURE_SUBNET_ID=$(az network vnet subnet list \
        --resource-group "${AZURE_RESOURCE_GROUP}" \
        --vnet-name "${AZURE_VNET_NAME}" --query "[].{Id:id} \
        | [? contains(Id, 'worker')]" --output tsv)
  5. Set the NAT gateway environment variables for the peer pod subnet by running the following commands:

    $ export PEERPOD_NAT_GW=peerpod-nat-gw
    $ export PEERPOD_NAT_GW_IP=peerpod-nat-gw-ip
  6. Create a public IP address for the NAT gateway by running the following command:

    $ az network public-ip create -g "${AZURE_RESOURCE_GROUP}" \
        -n "${PEERPOD_NAT_GW_IP}" -l "${AZURE_REGION}" --sku Standard
  7. Create the NAT gateway and associate it with the public IP address by running the following command:

    $ az network nat gateway create -g "${AZURE_RESOURCE_GROUP}" \
        -l "${AZURE_REGION}" --public-ip-addresses "${PEERPOD_NAT_GW_IP}" \
        -n "${PEERPOD_NAT_GW}"
  8. Update the VNet subnet to use the NAT gateway by running the following command:

    $ az network vnet subnet update --nat-gateway "${PEERPOD_NAT_GW}" \
        --ids "${AZURE_SUBNET_ID}"

Verification

  • Confirm the NAT gateway is attached to the VNet subnet by running the following command:

    $ az network vnet subnet show --ids "${AZURE_SUBNET_ID}" \
        --query "natGateway.id" -o tsv

    The output contains the NAT gateway resource ID. If no NAT gateway is attached, the output is empty.

    Example output

    /subscriptions/12345678-1234-1234-1234-1234567890ab/resourceGroups/myResourceGroup/providers/Microsoft.Network/natGateways/myNatGateway

4.2.2. Creating a peer pod VNet for outbound connections

To enable public internet access, you can create a dedicated virtual network (VNet) for peer pods, attach a network address translation (NAT) gateway, create a subnet, and enable VNet peering with non-overlapping address spaces.

Prerequisites

  • The Azure CLI (az) is installed.
  • You have signed in to Azure. See Authenticate to Azure using Azure CLI.
  • You have administrator access to the Azure resource group and VNet hosting the cluster.
  • You have verified the cluster VNet classless inter-domain routing (CIDR) address. The default value is 10.0.0.0/14. If you overrode the default value, you have ensured that you chose a non-overlapping CIDR address for the peer pod VNet. For example, 192.168.0.0/16.

Procedure

  1. Set the environment variables for the peer pod network:

    1. Set the peer pod VNet environment variables by running the following commands:

      $ export PEERPOD_VNET_NAME="${PEERPOD_VNET_NAME:-peerpod-vnet}"
      $ export PEERPOD_VNET_CIDR="${PEERPOD_VNET_CIDR:-192.168.0.0/16}"
    2. Set the peer pod subnet environment variables by running the following commands:

      $ export PEERPOD_SUBNET_NAME="${PEERPOD_SUBNET_NAME:-peerpod-subnet}"
      $ export PEERPOD_SUBNET_CIDR="${PEERPOD_SUBNET_CIDR:-192.168.0.0/16}"
  2. Set the environment variables for Azure:

    $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
        -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')
    $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} \
        --query "{Location:location}" --output tsv) && \
        echo "AZURE_REGION: \"$AZURE_REGION\""
    $ AZURE_VNET_NAME=$(az network vnet list \
        -g "${AZURE_RESOURCE_GROUP}" --query '[].name' -o tsv)
  3. Set the peer pod NAT gateway environment variables by running the following commands:

    $ export PEERPOD_NAT_GW="${PEERPOD_NAT_GW:-peerpod-nat-gw}"
    $ export PEERPOD_NAT_GW_IP="${PEERPOD_NAT_GW_IP:-peerpod-nat-gw-ip}"
  4. Configure the VNet:

    1. Create the peer pod VNet by running the following command:

      $ az network vnet create --resource-group "${AZURE_RESOURCE_GROUP}" \
          --name "${PEERPOD_VNET_NAME}" \
          --address-prefixes "${PEERPOD_VNET_CIDR}"
    2. Create a public IP address for the peer pod VNet by running the following command:

      $ az network public-ip create -g "${AZURE_RESOURCE_GROUP}" \
          -n "${PEERPOD_NAT_GW_IP}" -l "${AZURE_REGION}" --sku Standard
    3. Create a NAT gateway for the peer pod VNet by running the following command:

      $ az network nat gateway create -g "${AZURE_RESOURCE_GROUP}" \
          -l "${AZURE_REGION}" \
          --public-ip-addresses "${PEERPOD_NAT_GW_IP}" \
          -n "${PEERPOD_NAT_GW}"
    4. Create a subnet in the peer pod VNet and attach the NAT gateway by running the following command:

      $ az network vnet subnet create \
          --resource-group "${AZURE_RESOURCE_GROUP}" \
          --vnet-name "${PEERPOD_VNET_NAME}" \
          --name "${PEERPOD_SUBNET_NAME}" \
          --address-prefixes "${PEERPOD_SUBNET_CIDR}" \
          --nat-gateway "${PEERPOD_NAT_GW}"
  5. Configure the virtual network peering connection:

    1. Create the peering connection by running the following command:

      $ az network vnet peering create -g "${AZURE_RESOURCE_GROUP}" \
          -n peerpod-azure-vnet-to-peerpod-vnet \
          --vnet-name "${AZURE_VNET_NAME}" \
          --remote-vnet "${PEERPOD_VNET_NAME}" --allow-vnet-access \
          --allow-forwarded-traffic
    2. Sync the peering connection by running the following command:

      $ az network vnet peering sync -g "${AZURE_RESOURCE_GROUP}" \
          -n peerpod-azure-vnet-to-peerpod-vnet \
          --vnet-name "${AZURE_VNET_NAME}"
    3. Complete the peering connection by running the following command:

      $ az network vnet peering create -g "${AZURE_RESOURCE_GROUP}" \
          -n peerpod-peerpod-vnet-to-azure-vnet \
          --vnet-name "${PEERPOD_VNET_NAME}" \
          --remote-vnet "${AZURE_VNET_NAME}" --allow-vnet-access \
          --allow-forwarded-traffic

Verification

  1. Check the peering connection status from the cluster VNet by running the following command:

    $ az network vnet peering show -g "${AZURE_RESOURCE_GROUP}" \
        -n peerpod-azure-vnet-to-peerpod-vnet \
        --vnet-name "${AZURE_VNET_NAME}" \
        --query "peeringState" -o tsv

    This should return Connected.

  2. Verify that the NAT gateway is attached to the peer pod subnet by running the following command:

    $ az network vnet subnet show --resource-group "${AZURE_RESOURCE_GROUP}" \
        --vnet-name "${PEERPOD_VNET_NAME}" --name "${PEERPOD_SUBNET_NAME}" \
        --query "natGateway.id" -o tsv

You can deploy OpenShift sandboxed containers on Azure by using the OpenShift Container Platform web console to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.
  2. Optional: Create the peer pods secret if you uninstalled the Cloud Credential Operator, which is installed with the OpenShift sandboxed containers Operator.
  3. Optional: Select a custom pod VM image.
  4. Optional: Create the Azure secret.
  5. Optional: Customize the Kata agent policy.
  6. Create the peer pods config map.
  7. Create the KataConfig custom resource.
  8. Configure the OpenShift sandboxed containers workload objects.

4.3.1. Installing the OpenShift sandboxed containers Operator

You can install the OpenShift sandboxed containers Operator by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. In the web console, navigate to Operators → OperatorHub.
  2. In the Filter by keyword field, type OpenShift sandboxed containers.
  3. Select the OpenShift sandboxed containers Operator tile and click Install.
  4. On the Install Operator page, select stable from the list of available Update Channel options.
  5. Verify that Operator recommended Namespace is selected for Installed Namespace. This installs the Operator in the mandatory openshift-sandboxed-containers-operator namespace. If this namespace does not yet exist, it is automatically created.

    Note

    Attempting to install the OpenShift sandboxed containers Operator in a namespace other than openshift-sandboxed-containers-operator causes the installation to fail.

  6. Verify that Automatic is selected for Approval Strategy. Automatic is the default value, and enables automatic updates to OpenShift sandboxed containers when a new z-stream release is available.
  7. Click Install.
  8. Navigate to Operators → Installed Operators to verify that the Operator is installed.

4.3.2. Creating the peer pods secret

When the peer pods secret is empty and the Cloud Credential Operator (CCO) is installed, the OpenShift sandboxed containers Operator uses the CCO to retrieve the secret. If you have uninstalled the CCO, you must create the peer pods secret for OpenShift sandboxed containers manually or the peer pods will fail to operate.

The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

By default, the OpenShift sandboxed containers Operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

Prerequisites

  • You have installed and configured the Azure CLI tool.

Procedure

  1. Retrieve the Azure subscription ID by running the following command:

    $ AZURE_SUBSCRIPTION_ID=$(az account list --query "[?isDefault].id" \
      -o tsv) && echo "AZURE_SUBSCRIPTION_ID: \"$AZURE_SUBSCRIPTION_ID\""
  2. Generate the RBAC content by running the following command:

    $ az ad sp create-for-rbac --role Contributor --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID \
      --query "{ client_id: appId, client_secret: password, tenant_id: tenant }"

    Example output

    {
      "client_id": "<AZURE_CLIENT_ID>",
      "client_secret": "<AZURE_CLIENT_SECRET>",
      "tenant_id": "<AZURE_TENANT_ID>"
    }

  3. Record the RBAC output to use in the secret object.
  4. In the OpenShift Container Platform web console, navigate to Operators → Installed Operators.
  5. Click the OpenShift sandboxed containers Operator tile.
  6. Click the Import icon (+) on the top right corner.
  7. In the Import YAML window, paste the following YAML manifest:

    apiVersion: v1
    kind: Secret
    metadata:
      name: peer-pods-secret
      namespace: openshift-sandboxed-containers-operator
    type: Opaque
    stringData:
      AZURE_CLIENT_ID: "<azure_client_id>" # 1
      AZURE_CLIENT_SECRET: "<azure_client_secret>" # 2
      AZURE_TENANT_ID: "<azure_tenant_id>" # 3
      AZURE_SUBSCRIPTION_ID: "<azure_subscription_id>" # 4

    1. Specify the AZURE_CLIENT_ID value.
    2. Specify the AZURE_CLIENT_SECRET value.
    3. Specify the AZURE_TENANT_ID value.
    4. Specify the AZURE_SUBSCRIPTION_ID value.
  8. Click Save to apply the changes.
  9. Navigate to Workloads → Secrets to verify the peer pods secret.

4.3.3. Creating the peer pods config map

You must create the peer pods config map for OpenShift sandboxed containers.

Procedure

  1. Obtain the following values from your Azure instance:

    1. Retrieve and record the Azure resource group:

      $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
          -o jsonpath='{.status.platformStatus.azure.resourceGroupName}') && \
          echo "AZURE_RESOURCE_GROUP: \"$AZURE_RESOURCE_GROUP\""
    2. Retrieve and record the Azure VNet name:

      $ AZURE_VNET_NAME=$(az network vnet list --resource-group ${AZURE_RESOURCE_GROUP} \
          --query "[].{Name:name}" --output tsv)

      This value is used to retrieve the Azure subnet ID.

    3. Retrieve and record the Azure subnet ID:

      $ AZURE_SUBNET_ID=$(az network vnet subnet list --resource-group ${AZURE_RESOURCE_GROUP} \
          --vnet-name $AZURE_VNET_NAME --query "[].{Id:id} | [? contains(Id, 'worker')]" \
          --output tsv) && echo "AZURE_SUBNET_ID: \"$AZURE_SUBNET_ID\""
    4. Retrieve and record the Azure network security group (NSG) ID:

      $ AZURE_NSG_ID=$(az network nsg list --resource-group ${AZURE_RESOURCE_GROUP} \
          --query "[].{Id:id}" --output tsv) && echo "AZURE_NSG_ID: \"$AZURE_NSG_ID\""
    5. Retrieve and record the Azure region:

      $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} \
          --query "{Location:location}" --output tsv) && echo "AZURE_REGION: \"$AZURE_REGION\""
  2. In the OpenShift Container Platform web console, navigate to Operators → Installed Operators.
  3. Select the OpenShift sandboxed containers Operator from the list of operators.
  4. Click the Import icon (+) in the top right corner.
  5. In the Import YAML window, paste the following YAML manifest:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: peer-pods-cm
      namespace: openshift-sandboxed-containers-operator
    data:
      CLOUD_PROVIDER: "azure"
      VXLAN_PORT: "9000"
      AZURE_INSTANCE_SIZE: "Standard_B2als_v2" # 1
      AZURE_INSTANCE_SIZES: "Standard_B2als_v2,Standard_D2as_v5,Standard_D4as_v5,Standard_D2ads_v5" # 2
      AZURE_SUBNET_ID: "<azure_subnet_id>" # 3
      AZURE_NSG_ID: "<azure_nsg_id>" # 4
      PROXY_TIMEOUT: "5m"
      AZURE_IMAGE_ID: "<azure_image_id>" # 5
      AZURE_REGION: "<azure_region>" # 6
      AZURE_RESOURCE_GROUP: "<azure_resource_group>" # 7
      PEERPODS_LIMIT_PER_NODE: "10" # 8
      TAGS: "key1=value1,key2=value2" # 9
      DISABLECVM: "true"

    1. The "Standard_B2als_v2" instance size is the default value if an instance size is not defined in the workload.
    2. Specify the instance sizes, without spaces, for creating the pod. This allows you to define smaller instance sizes for workloads that need less memory and fewer CPUs, or larger instance sizes for larger workloads.
    3. Specify the AZURE_SUBNET_ID value that you retrieved.
    4. Specify the AZURE_NSG_ID value that you retrieved.
    5. Optional: By default, this value is populated when you create the KataConfig CR, using an Azure image ID based on your cluster credentials. If you create your own Azure image, specify the correct image ID.
    6. Specify the AZURE_REGION value that you retrieved.
    7. Specify the AZURE_RESOURCE_GROUP value that you retrieved.
    8. Specify the maximum number of peer pods that can be created per node. The default value is 10.
    9. You can configure custom tags as key-value pairs (for example, key1=value1) for pod VM instances to track peer pod costs or to identify peer pods in different clusters.
  6. Click Save to apply the changes.
  7. Navigate to Workloads → ConfigMaps to view the new config map.
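
The following Python pre-flight check is an added example, not part of the Red Hat documentation or the Operator. It encodes the constraints the callouts above state for the data section of peer-pods-cm: the retrieved Azure values must not be left as placeholders, AZURE_INSTANCE_SIZES is a comma-separated list without spaces that contains the AZURE_INSTANCE_SIZE default, PEERPODS_LIMIT_PER_NODE is a positive integer, and TAGS are key=value pairs. AZURE_IMAGE_ID is not checked because it is optional. The two sample config maps are constructed.

```python
import re

# Keys whose callouts say "specify the value that you retrieved".
REQUIRED_KEYS = ("AZURE_SUBNET_ID", "AZURE_NSG_ID", "AZURE_REGION", "AZURE_RESOURCE_GROUP")
PLACEHOLDER_RE = re.compile(r"^<[^>]*>$")    # an unfilled "<azure_subnet_id>"
TAG_RE = re.compile(r"^[^=,\s]+=[^=,\s]*$")  # one key=value pair, no spaces


def validate_peer_pods_cm(data: dict) -> list:
    """Return the problems found in a peer-pods-cm data section; an empty list
    means every check this example knows about passed."""
    problems = []
    if data.get("CLOUD_PROVIDER") != "azure":
        problems.append('CLOUD_PROVIDER: must be "azure" for an Azure deployment')
    for key in REQUIRED_KEYS:
        value = data.get(key, "")
        if not value or PLACEHOLDER_RE.match(value):
            problems.append(f"{key}: value missing or placeholder not replaced")
    sizes_raw = data.get("AZURE_INSTANCE_SIZES", "")
    if re.search(r"\s", sizes_raw):
        problems.append("AZURE_INSTANCE_SIZES: must be comma-separated without spaces")
    sizes = [s for s in sizes_raw.split(",") if s]
    default_size = data.get("AZURE_INSTANCE_SIZE", "")
    if not default_size:
        problems.append("AZURE_INSTANCE_SIZE: a default instance size is required")
    elif sizes and default_size not in sizes:
        problems.append(f"AZURE_INSTANCE_SIZE: {default_size!r} is not in AZURE_INSTANCE_SIZES")
    limit = data.get("PEERPODS_LIMIT_PER_NODE", "10")
    if not limit.isdigit() or int(limit) < 1:
        problems.append("PEERPODS_LIMIT_PER_NODE: must be a positive integer")
    tags = data.get("TAGS", "")
    for pair in (tags.split(",") if tags else []):
        if not TAG_RE.match(pair):
            problems.append(f"TAGS: {pair!r} is not a key=value pair")
    if data.get("DISABLECVM", "true") not in ("true", "false"):
        problems.append('DISABLECVM: must be "true" or "false"')
    return problems


# Constructed sample 1: the manifest above with its placeholders still in place.
UNFILLED_CM = {
    "CLOUD_PROVIDER": "azure",
    "VXLAN_PORT": "9000",
    "AZURE_INSTANCE_SIZE": "Standard_B2als_v2",
    "AZURE_INSTANCE_SIZES": "Standard_B2als_v2,Standard_D2as_v5,Standard_D4as_v5,Standard_D2ads_v5",
    "AZURE_SUBNET_ID": "<azure_subnet_id>",
    "AZURE_NSG_ID": "<azure_nsg_id>",
    "PROXY_TIMEOUT": "5m",
    "AZURE_IMAGE_ID": "<azure_image_id>",
    "AZURE_REGION": "<azure_region>",
    "AZURE_RESOURCE_GROUP": "<azure_resource_group>",
    "PEERPODS_LIMIT_PER_NODE": "10",
    "TAGS": "key1=value1,key2=value2",
    "DISABLECVM": "true",
}

# Constructed sample 2: the same map with made-up (not real) Azure values filled in.
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
FILLED_CM = dict(
    UNFILLED_CM,
    AZURE_SUBNET_ID=_RG + "/providers/Microsoft.Network/virtualNetworks/example-vnet/subnets/example-worker-subnet",
    AZURE_NSG_ID=_RG + "/providers/Microsoft.Network/networkSecurityGroups/example-nsg",
    AZURE_REGION="eastus",
    AZURE_RESOURCE_GROUP="example-rg",
)

if __name__ == "__main__":
    for name, cm in (("unfilled", UNFILLED_CM), ("filled", FILLED_CM)):
        print(name, validate_peer_pods_cm(cm) or "OK")
```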

4.3.4. Selecting a custom peer pod VM image

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.

Prerequisites

  • The ID of the custom pod VM image to use, compatible with the cloud provider or hypervisor, is available.

Procedure

  1. In the OpenShift Container Platform web console, navigate to Operators → Installed Operators.
  2. Select the OpenShift sandboxed containers Operator from the list of operators.
  3. Click the Import icon (+) in the top right corner.
  4. In the Import YAML window, paste the following YAML manifest:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-manifest
      annotations:
        io.katacontainers.config.hypervisor.image: "<custom_image_id>" # 1
    spec:
      runtimeClassName: kata-remote # 2
      containers:
      - name: <example_container> # 3
        image: registry.access.redhat.com/ubi9/ubi:9.3
        command: ["sleep", "36000"]

    1. Specify the custom peer pod image ID.
    2. Ensure that the runtimeClassName field is set to kata-remote to create a peer pod.
    3. Specify the container name.
  5. Click Save to apply the changes.

4.3.5. Creating the Azure secret

You must create the SSH key secret, which is required by the Azure virtual machine (VM) creation API. Azure only requires the SSH public key. Confidential Containers disables SSH in VMs, so the keys have no effect in the VMs.

Procedure

  1. Generate an SSH key pair by running the following command:

    $ ssh-keygen -f ./id_rsa -N ""
  2. In the OpenShift Container Platform web console, navigate to Workloads → Secrets.
  3. On the Secrets page, verify that you are in the openshift-sandboxed-containers-operator project.
  4. Click Create and select Key/value secret.
  5. In the Secret name field, enter ssh-key-secret.
  6. In the Key field, enter id_rsa.pub.
  7. In the Value field, paste your public SSH key.
  8. Click Create.
  9. Delete the SSH keys you created:

    $ shred --remove id_rsa.pub id_rsa

4.3.6. Customizing the Kata agent policy

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration:

    package agent_policy
    
    import future.keywords.in
    import input
    
    default CopyFileRequest := false
    default CreateContainerRequest := false
    default CreateSandboxRequest := true
    default DestroySandboxRequest := true
    default ExecProcessRequest := true  # Enabled to allow exec API
    default GetOOMEventRequest := true
    default GuestDetailsRequest := true
    default OnlineCPUMemRequest := true
    default PullImageRequest := true
    default ReadStreamRequest := true   # Enabled to allow log API
    default RemoveContainerRequest := true
    default RemoveStaleVirtiofsShareMountsRequest := true
    default SignalProcessRequest := true
    default StartContainerRequest := true
    default StatsContainerRequest := true
    default TtyWinResizeRequest := true
    default UpdateEphemeralMountsRequest := true
    default UpdateInterfaceRequest := true
    default UpdateRoutesRequest := true
    default WaitProcessRequest := true
    default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command:

    $ base64 -w0 policy.rego

    Save the output for use in the YAML manifest.

  3. In the OpenShift Container Platform web console, navigate to Operators → Installed Operators.
  4. Select the OpenShift sandboxed containers Operator from the list of operators.
  5. Click the Import icon (+) in the top right corner.
  6. In the Import YAML window, paste the following YAML manifest and add the Base64-encoded policy to it:

    apiVersion: v1
    kind: Pod
    metadata:
      name: <pod_name>
      annotations:
        io.katacontainers.config.agent.policy: <base64_encoded_policy>
    spec:
      runtimeClassName: kata-remote
      containers:
      - name: <container_name>
        image: registry.access.redhat.com/ubi9/ubi:latest
        command:
        - sleep
        - "36000"
        securityContext:
          privileged: false
          seccompProfile:
            type: RuntimeDefault
  7. Click Save to apply the changes.
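
The following Python helpers are an added example, not part of the Red Hat documentation or the Kata Containers project. They do the encoding from step 2 and the manifest from step 6 in code, and run the reverse direction a reviewer needs: decode a pod's io.katacontainers.config.agent.policy annotation and report which agent APIs the custom policy enables. The parser only understands the `default <API> := true|false` lines used in the policy above; which APIs count as review-worthy (REVIEW_APIS) is this example's choice, and the sample policy is a trimmed, constructed copy of the one above.

```python
import base64
import re

POLICY_ANNOTATION = "io.katacontainers.config.agent.policy"
# One `default <API> := true|false` line per agent API, as in policy.rego above.
DEFAULT_RULE_RE = re.compile(r"^\s*default\s+(\w+)\s*:=\s*(true|false)\b", re.MULTILINE)
# APIs the policy above leaves disabled or enables only "for demonstration":
# these are the ones a reviewer of a production pod wants to see listed.
REVIEW_APIS = ("CopyFileRequest", "ExecProcessRequest", "ReadStreamRequest", "WriteStreamRequest")


def encode_policy(rego: str) -> str:
    """Equivalent of `base64 -w0 policy.rego`: a single line, no wrapping."""
    return base64.b64encode(rego.encode("utf-8")).decode("ascii")


def parse_policy_defaults(rego: str) -> dict:
    """Map each agent API named in a `default` rule to its boolean value."""
    return {name: value == "true" for name, value in DEFAULT_RULE_RE.findall(rego)}


def pod_with_policy(pod_name: str, container_name: str, rego: str) -> dict:
    """Build the step 6 manifest with the encoded policy filled in."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": pod_name,
                     "annotations": {POLICY_ANNOTATION: encode_policy(rego)}},
        "spec": {
            "runtimeClassName": "kata-remote",
            "containers": [{
                "name": container_name,
                "image": "registry.access.redhat.com/ubi9/ubi:latest",
                "command": ["sleep", "36000"],
                "securityContext": {"privileged": False,
                                    "seccompProfile": {"type": "RuntimeDefault"}},
            }],
        },
    }


def audit_policy_annotation(pod: dict) -> dict:
    """Decode a pod's policy annotation and report which REVIEW_APIS it enables.
    Returns None when the pod carries no annotation (the pod VM image's default
    policy applies). Raises on an annotation that is not valid Base64."""
    encoded = pod.get("metadata", {}).get("annotations", {}).get(POLICY_ANNOTATION)
    if encoded is None:
        return None
    rego = base64.b64decode(encoded, validate=True).decode("utf-8")
    defaults = parse_policy_defaults(rego)
    return {
        "defaults": defaults,
        # Enabled explicitly by a `default ... := true` rule.
        "enabled_review_apis": [api for api in REVIEW_APIS if defaults.get(api, False)],
        # Not mentioned at all: a custom policy replaces the default entirely,
        # so a missing rule deserves a look as well.
        "unlisted_review_apis": [api for api in REVIEW_APIS if api not in defaults],
    }


# Constructed sample: a trimmed copy of the policy.rego above.
SAMPLE_POLICY = """\
package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default ReadStreamRequest := true   # Enabled to allow log API
default StartContainerRequest := true
default WriteStreamRequest := false
"""

if __name__ == "__main__":
    report = audit_policy_annotation(pod_with_policy("demo-pod", "app", SAMPLE_POLICY))
    print("enabled:", report["enabled_review_apis"], "unlisted:", report["unlisted_review_apis"])
```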

4.3.7. Creating the KataConfig custom resource

You must create the KataConfig custom resource (CR) to install kata-remote as a RuntimeClass on your worker nodes.

The kata-remote runtime class is installed on all worker nodes by default. If you want to install kata-remote on specific nodes, you can add labels to those nodes and then define the label in the KataConfig CR.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors might increase the reboot time:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • Optional: You have installed the Node Feature Discovery Operator if you want to enable node eligibility checks.

Procedure

  1. In the OpenShift Container Platform web console, navigate to Operators → Installed Operators.
  2. Select the OpenShift sandboxed containers Operator.
  3. On the KataConfig tab, click Create KataConfig.
  4. Enter the following details:

    • Name: Optional: The default name is example-kataconfig.
    • Labels: Optional: Enter any relevant, identifying attributes to the KataConfig resource. Each label represents a key-value pair.
    • enablePeerPods: Select for public cloud, IBM Z®, and IBM® LinuxONE deployments.
    • kataConfigPoolSelector: Optional: To install kata-remote on selected nodes, add a match expression for the labels on the selected nodes:

      1. Expand the kataConfigPoolSelector area.
      2. In the kataConfigPoolSelector area, expand matchExpressions. This is a list of label selector requirements.
      3. Click Add matchExpressions.
      4. In the Key field, enter the label key the selector applies to.
      5. In the Operator field, enter the key’s relationship to the label values. Valid operators are In, NotIn, Exists, and DoesNotExist.
      6. Expand the Values area and then click Add value.
      7. In the Value field, enter true or false for the key label value.
    • logLevel: Define the level of log data retrieved for nodes with the kata-remote runtime class.
  5. Click Create. The KataConfig CR is created and installs the kata-remote runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

Verification

  1. On the KataConfig tab, click the KataConfig CR to view its details.
  2. Click the YAML tab to view the status stanza.

    The status stanza contains the conditions and kataNodes keys. The value of status.kataNodes is an array of nodes, each of which lists nodes in a particular state of kata-remote installation. A message appears each time there is an update.

  3. Click Reload to refresh the YAML.

    When all workers in the status.kataNodes array display the values installed and conditions.InProgress: False with no specified reason, kata-remote is installed on the cluster.

Verifying the pod VM image

After kata-remote is installed on your cluster, the OpenShift sandboxed containers Operator creates a pod VM image, which is used to create peer pods. This process can take a long time because the image is created on the cloud instance. You can verify that the pod VM image was created successfully by checking the config map that you created for the cloud provider.

Procedure

  1. Navigate to Workloads → ConfigMaps.
  2. Click the provider config map to view its details.
  3. Click the YAML tab.
  4. Check the status stanza of the YAML file.

    If the AZURE_IMAGE_ID parameter is populated, the pod VM image was created successfully.

Troubleshooting

  1. Retrieve the events log by running the following command:

    $ oc get events -n openshift-sandboxed-containers-operator --field-selector involvedObject.name=osc-podvm-image-creation
  2. Retrieve the job log by running the following command:

    $ oc logs -n openshift-sandboxed-containers-operator jobs/osc-podvm-image-creation

If you cannot resolve the issue, submit a Red Hat Support case and attach the output of both logs.

4.3.8. Configuring workload objects

You must configure OpenShift sandboxed containers workload objects by setting kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects

Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

You can define whether the workload should be deployed using the default instance size, which you defined in the config map, by adding an annotation to the YAML file.

If you do not want to define the instance size manually, you can add an annotation to use an automatic instance size, based on the memory available.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. In the OpenShift Container Platform web console, navigate to Workloads → the workload type, for example, Pods.
  2. On the workload type page, click an object to view its details.
  3. Click the YAML tab.
  4. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example:

    apiVersion: v1
    kind: <object>
    # ...
    spec:
      runtimeClassName: kata-remote
    # ...
  5. Add an annotation to the pod-templated object to use a manually defined instance size or an automatic instance size:

    • To use a manually defined instance size, add the following annotation:

      apiVersion: v1
      kind: <object>
      metadata:
        annotations:
          io.katacontainers.config.hypervisor.machine_type: "Standard_B2als_v2"  # 1
      # ...

      1  Specify the instance size that you defined in the config map.
    • To use an automatic instance size, add the following annotations:

      apiVersion: v1
      kind: <object>
      metadata:
        annotations:
          io.katacontainers.config.hypervisor.default_vcpus: <vcpus>
          io.katacontainers.config.hypervisor.default_memory: <memory>
      # ...

      Define the amount of memory available for the workload to use. The workload will run on an automatic instance size based on the amount of memory available.

  6. Click Save to apply the changes.

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers, using peer pods.

You can deploy OpenShift sandboxed containers on Azure by using the command line interface (CLI) to perform the following tasks:

  1. Install the OpenShift sandboxed containers Operator.
  2. Optional: Create the peer pods secret if you uninstalled the Cloud Credential Operator, which is installed with the OpenShift sandboxed containers Operator.
  3. Optional: Select a custom pod VM image.
  4. Create the peer pods config map.
  5. Optional: Create the Azure secret.
  6. Optional: Customize the Kata agent policy.
  7. Create the KataConfig custom resource.
  8. Optional: Modify the number of virtual machines running on each worker node.
  9. Configure the OpenShift sandboxed containers workload objects.

4.4.1. Installing the OpenShift sandboxed containers Operator

You can install the OpenShift sandboxed containers Operator by using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an osc-namespace.yaml manifest file:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: openshift-sandboxed-containers-operator
  2. Create the namespace by running the following command:

    $ oc apply -f osc-namespace.yaml
  3. Create an osc-operatorgroup.yaml manifest file:

    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: sandboxed-containers-operator-group
      namespace: openshift-sandboxed-containers-operator
    spec:
      targetNamespaces:
      - openshift-sandboxed-containers-operator
  4. Create the operator group by running the following command:

    $ oc apply -f osc-operatorgroup.yaml
  5. Create an osc-subscription.yaml manifest file:

    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: sandboxed-containers-operator
      namespace: openshift-sandboxed-containers-operator
    spec:
      channel: stable
      installPlanApproval: Automatic
      name: sandboxed-containers-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      startingCSV: sandboxed-containers-operator.v1.9.0
  6. Create the subscription by running the following command:

    $ oc apply -f osc-subscription.yaml
  7. Verify that the Operator is correctly installed by running the following command:

    $ oc get csv -n openshift-sandboxed-containers-operator

    This command can take several minutes to complete.

  8. Watch the process by running the following command:

    $ watch oc get csv -n openshift-sandboxed-containers-operator

    Example output

    NAME                             DISPLAY                                  VERSION   REPLACES   PHASE
    openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.9.0     1.8.1      Succeeded

4.4.2. Creating the peer pods secret

When the peer pods secret is empty and the Cloud Credential Operator (CCO) is installed, the OpenShift sandboxed containers Operator uses the CCO to retrieve the secret. If you have uninstalled the CCO, you must create the peer pods secret for OpenShift sandboxed containers manually or the peer pods will fail to operate.

The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

By default, the OpenShift sandboxed containers Operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

Prerequisites

  • You have installed and configured the Azure CLI tool.

Procedure

  1. Retrieve the Azure subscription ID by running the following command:

    $ AZURE_SUBSCRIPTION_ID=$(az account list --query "[?isDefault].id" \
      -o tsv) && echo "AZURE_SUBSCRIPTION_ID: \"$AZURE_SUBSCRIPTION_ID\""
  2. Generate the RBAC content by running the following command:

    $ az ad sp create-for-rbac --role Contributor --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID \
      --query "{ client_id: appId, client_secret: password, tenant_id: tenant }"

    Example output

    {
      "client_id": "<AZURE_CLIENT_ID>",
      "client_secret": "<AZURE_CLIENT_SECRET>",
      "tenant_id": "<AZURE_TENANT_ID>"
    }

  3. Record the RBAC output to use in the secret object.
  4. Create a peer-pods-secret.yaml manifest file according to the following example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: peer-pods-secret
      namespace: openshift-sandboxed-containers-operator
    type: Opaque
    stringData:
      AZURE_CLIENT_ID: "<azure_client_id>"              # 1
      AZURE_CLIENT_SECRET: "<azure_client_secret>"      # 2
      AZURE_TENANT_ID: "<azure_tenant_id>"              # 3
      AZURE_SUBSCRIPTION_ID: "<azure_subscription_id>"  # 4

    1  Specify the AZURE_CLIENT_ID value.
    2  Specify the AZURE_CLIENT_SECRET value.
    3  Specify the AZURE_TENANT_ID value.
    4  Specify the AZURE_SUBSCRIPTION_ID value.
  5. Create the secret by running the following command:

    $ oc apply -f peer-pods-secret.yaml

4.4.3. Creating the peer pods config map

You must create the peer pods config map for OpenShift sandboxed containers.

Procedure

  1. Obtain the following values from your Azure instance:

    1. Retrieve and record the Azure resource group:

      $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}') && echo "AZURE_RESOURCE_GROUP: \"$AZURE_RESOURCE_GROUP\""
    2. Retrieve and record the Azure VNet name:

      $ AZURE_VNET_NAME=$(az network vnet list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Name:name}" --output tsv)

      This value is used to retrieve the Azure subnet ID.

    3. Retrieve and record the Azure subnet ID:

      $ AZURE_SUBNET_ID=$(az network vnet subnet list --resource-group ${AZURE_RESOURCE_GROUP} --vnet-name $AZURE_VNET_NAME --query "[].{Id:id} | [? contains(Id, 'worker')]" --output tsv) && echo "AZURE_SUBNET_ID: \"$AZURE_SUBNET_ID\""
    4. Retrieve and record the Azure network security group (NSG) ID:

      $ AZURE_NSG_ID=$(az network nsg list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Id:id}" --output tsv) && echo "AZURE_NSG_ID: \"$AZURE_NSG_ID\""
    5. Retrieve and record the Azure region:

      $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} --query "{Location:location}" --output tsv) && echo "AZURE_REGION: \"$AZURE_REGION\""
  2. Create a peer-pods-cm.yaml manifest file according to the following example:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: peer-pods-cm
      namespace: openshift-sandboxed-containers-operator
    data:
      CLOUD_PROVIDER: "azure"
      VXLAN_PORT: "9000"
      AZURE_INSTANCE_SIZE: "Standard_B2als_v2"  # 1
      AZURE_INSTANCE_SIZES: "Standard_B2als_v2,Standard_D2as_v5,Standard_D4as_v5,Standard_D2ads_v5"  # 2
      AZURE_SUBNET_ID: "<azure_subnet_id>"  # 3
      AZURE_NSG_ID: "<azure_nsg_id>"  # 4
      PROXY_TIMEOUT: "5m"
      AZURE_IMAGE_ID: "<azure_image_id>"  # 5
      AZURE_REGION: "<azure_region>"  # 6
      AZURE_RESOURCE_GROUP: "<azure_resource_group>"  # 7
      PEERPODS_LIMIT_PER_NODE: "10"  # 8
      TAGS: "key1=value1,key2=value2"  # 9
      DISABLECVM: "true"

    1  The "Standard_B2als_v2" instance size is the default value if an instance size is not defined in the workload.
    2  Specify the instance sizes, without spaces, for creating the pod. This allows you to define smaller instance sizes for workloads that need less memory and fewer CPUs, or larger instance sizes for larger workloads.
    3  Specify the AZURE_SUBNET_ID value that you retrieved.
    4  Specify the AZURE_NSG_ID value that you retrieved.
    5  Optional: By default, this value is populated when you create the KataConfig CR, using an Azure image ID based on your cluster credentials. If you create your own Azure image, specify the correct image ID.
    6  Specify the AZURE_REGION value that you retrieved.
    7  Specify the AZURE_RESOURCE_GROUP value that you retrieved.
    8  Specify the maximum number of peer pods that can be created per node. The default value is 10.
    9  You can configure custom tags as key=value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.
  3. Create the config map by running the following command:

    $ oc apply -f peer-pods-cm.yaml

4.4.4. Selecting a custom peer pod VM image

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements, by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.

Prerequisites

  • The ID of the custom pod VM image to use, compatible with the cloud provider or hypervisor, is available.

Procedure

  1. Edit the pod manifest by adding the io.katacontainers.config.hypervisor.image annotation and save it in a pod-manifest.yaml file:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-manifest
      annotations:
        io.katacontainers.config.hypervisor.image: "<custom_image_id>"  # 1
    spec:
      runtimeClassName: kata-remote  # 2
      containers:
      - name: <example_container>  # 3
        image: registry.access.redhat.com/ubi9/ubi:9.3
        command: ["sleep", "36000"]

    1  Specify the custom peer pod image ID.
    2  Ensure that the runtimeClassName field is set to kata-remote to create a peer pod.
    3  Specify the container name.
  2. Create the pod by running the following command:

    $ oc apply -f pod-manifest.yaml

4.4.5. Creating the Azure secret

You must create the SSH key secret, which is required by the Azure virtual machine (VM) creation API. Azure only requires the SSH public key. Confidential Containers disables SSH in VMs, so the keys have no effect in the VMs.

Procedure

  1. Generate an SSH key pair by running the following command:

    $ ssh-keygen -f ./id_rsa -N ""
  2. Create the Secret object by running the following command:

    $ oc create secret generic ssh-key-secret \
      -n openshift-sandboxed-containers-operator \
      --from-file=id_rsa.pub=./id_rsa.pub \
      --from-file=id_rsa=./id_rsa
  3. Delete the SSH keys you created:

    $ shred --remove id_rsa.pub id_rsa

4.4.6. Customizing the Kata agent policy

The Kata agent policy is a security mechanism that controls agent API requests for pods running with the Kata runtime. Written in Rego and enforced by the Kata agent within the pod virtual machine (VM), this policy determines which operations are allowed or denied.

You can override the default policy with a custom one for specific use cases, such as development and testing where security is not a concern. For example, you might run in an environment where the control plane can be trusted. You can apply a custom policy in several ways:

  • Embedding it in the pod VM image.
  • Patching the peer pods config map.
  • Adding an annotation to the workload pod YAML.

For production systems, the preferred method is to use initdata to override the Kata agent policy. The following procedure applies a custom policy to an individual pod using the io.katacontainers.config.agent.policy annotation. The policy is provided in Base64-encoded Rego format. This approach overrides the default policy at pod creation without modifying the pod VM image.

Note

A custom policy replaces the default policy entirely. To modify only specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a policy.rego file with your custom policy. The following example shows all configurable APIs, with exec and log enabled for demonstration:

    package agent_policy
    
    import future.keywords.in
    import input
    
    default CopyFileRequest := false
    default CreateContainerRequest := false
    default CreateSandboxRequest := true
    default DestroySandboxRequest := true
    default ExecProcessRequest := true  # Enabled to allow exec API
    default GetOOMEventRequest := true
    default GuestDetailsRequest := true
    default OnlineCPUMemRequest := true
    default PullImageRequest := true
    default ReadStreamRequest := true   # Enabled to allow log API
    default RemoveContainerRequest := true
    default RemoveStaleVirtiofsShareMountsRequest := true
    default SignalProcessRequest := true
    default StartContainerRequest := true
    default StatsContainerRequest := true
    default TtyWinResizeRequest := true
    default UpdateEphemeralMountsRequest := true
    default UpdateInterfaceRequest := true
    default UpdateRoutesRequest := true
    default WaitProcessRequest := true
    default WriteStreamRequest := false

    This policy enables the exec (ExecProcessRequest) and log (ReadStreamRequest) APIs. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command:

    $ base64 -w0 policy.rego

    Save the output for use in the YAML file.

  3. Add the Base64-encoded policy to a my-pod.yaml pod specification file:

    apiVersion: v1
    kind: Pod
    metadata:
      name: <pod_name>
      annotations:
        io.katacontainers.config.agent.policy: <base64_encoded_policy>
    spec:
      runtimeClassName: kata-remote
      containers:
      - name: <container_name>
        image: registry.access.redhat.com/ubi9/ubi:latest
        command:
        - sleep
        - "36000"
        securityContext:
          privileged: false
          seccompProfile:
            type: RuntimeDefault
  4. Apply the pod manifest by running the following command:

    $ oc apply -f my-pod.yaml
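
The following Python is an added example, not part of the Red Hat documentation or of the Operator's code. It audits a policy.rego of the shape shown in step 1 before the policy is embedded: it lists which sensitive agent APIs the policy enables by default (the set of APIs treated as sensitive is an assumption made here for review purposes), produces the same single-line Base64 value as base64 -w0, and builds the my-pod.yaml structure from step 3 with the annotation in place. The sample policy is constructed from the page's example.

```python
"""Audit a Kata agent policy before it goes into the
io.katacontainers.config.agent.policy annotation, and build the pod
manifest that carries it."""
import base64
import re

# Constructed sample: the page's demonstration policy, shortened to the
# defaults that matter for this audit.
SAMPLE_POLICY = """package agent_policy

import future.keywords.in
import input

default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default ExecProcessRequest := true  # Enabled to allow exec API
default ReadStreamRequest := true   # Enabled to allow log API
default WriteStreamRequest := false
"""

# Assumption made for this example: a reviewer wants these APIs listed
# whenever a policy enables them, because they let the control plane run
# commands in, feed input to, copy files into, or read logs from the pod VM.
SENSITIVE_APIS = frozenset({
    "CopyFileRequest", "ExecProcessRequest",
    "ReadStreamRequest", "WriteStreamRequest",
})

POLICY_ANNOTATION = "io.katacontainers.config.agent.policy"
_DEFAULT_RE = re.compile(
    r"^\s*default\s+(\w+Request)\s*:=\s*(true|false)\b", re.MULTILINE)


def parse_defaults(rego: str) -> dict:
    """Map API name -> bool for every `default X := true|false` line."""
    return {name: val == "true" for name, val in _DEFAULT_RE.findall(rego)}


def enabled_sensitive_apis(rego: str) -> list:
    """Sorted SENSITIVE_APIS entries that the policy enables by default."""
    defaults = parse_defaults(rego)
    return sorted(api for api in SENSITIVE_APIS if defaults.get(api, False))


def encode_policy(rego: str) -> str:
    """Same result as `base64 -w0 policy.rego`: one line, no wrapping."""
    return base64.b64encode(rego.encode("utf-8")).decode("ascii")


def decode_policy(annotation_value: str) -> str:
    """Inverse of encode_policy, for auditing a policy already on a pod."""
    return base64.b64decode(annotation_value, validate=True).decode("utf-8")


def build_pod_manifest(pod_name: str, container_name: str, rego: str) -> dict:
    """Pod shaped like the page's my-pod.yaml, as a dict for a YAML dumper."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": pod_name,
                     "annotations": {POLICY_ANNOTATION: encode_policy(rego)}},
        "spec": {
            "runtimeClassName": "kata-remote",
            "containers": [{
                "name": container_name,
                "image": "registry.access.redhat.com/ubi9/ubi:latest",
                "command": ["sleep", "36000"],
                "securityContext": {"privileged": False,
                                    "seccompProfile": {"type": "RuntimeDefault"}},
            }],
        },
    }


def audit_manifest(manifest: dict) -> list:
    """Findings for a pod manifest; an empty list means nothing to flag."""
    findings = []
    if manifest.get("spec", {}).get("runtimeClassName") != "kata-remote":
        findings.append("runtimeClassName is not kata-remote; the annotation has no effect")
    encoded = manifest.get("metadata", {}).get("annotations", {}).get(POLICY_ANNOTATION)
    if encoded is None:
        findings.append("no agent policy annotation: the default policy applies")
        return findings
    for api in enabled_sensitive_apis(decode_policy(encoded)):
        findings.append(f"{api} is enabled by default")
    return findings
```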

4.4.7. Creating the KataConfig custom resource

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

Creating the KataConfig CR triggers the OpenShift sandboxed containers Operator to do the following:

  • Create a RuntimeClass CR named kata-remote with a default configuration. This enables users to configure workloads to use kata-remote as the runtime by referencing the CR in the RuntimeClassName field. This CR also specifies the resource overhead for the runtime.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Important

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. Factors that impede reboot time are as follows:

  • A larger OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example:

    apiVersion: kataconfiguration.openshift.io/v1
    kind: KataConfig
    metadata:
      name: example-kataconfig
    spec:
      enablePeerPods: true
      logLevel: info
    #  kataConfigPoolSelector:
    #    matchLabels:
    #      <label_key>: '<label_value>'  # 1

    1  Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, osc: 'true'.
  2. Create the KataConfig CR by running the following command:

    $ oc apply -f example-kataconfig.yaml

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command:

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, kata-remote is installed on the cluster.

  4. Verify the daemon set by running the following command:

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds
  5. Verify the runtime classes by running the following command:

    $ oc get runtimeclass

    Example output

    NAME             HANDLER          AGE
    kata             kata             152m
    kata-remote      kata-remote      152m

4.4.8. Modifying the number of peer pod VMs per node

You can modify the limit of peer pod virtual machines (VMs) per node by editing the peerpodConfig custom resource (CR).

Procedure

  1. Check the current limit by running the following command:

    $ oc get peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
    -o jsonpath='{.spec.limit}{"\n"}'
  2. Modify the limit attribute of the peerpodConfig CR by running the following command:

    $ oc patch peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
    --type merge --patch '{"spec":{"limit":"<value>"}}'  # 1

    1  Replace <value> with the limit you want to define.

Verifying the pod VM image

After kata-remote is installed on your cluster, the OpenShift sandboxed containers Operator creates a pod VM image, which is used to create peer pods. This process can take a long time because the image is created on the cloud instance. You can verify that the pod VM image was created successfully by checking the config map that you created for the cloud provider.

Procedure

  1. Obtain the config map you created for the peer pods:

    $ oc get configmap peer-pods-cm -n openshift-sandboxed-containers-operator -o yaml
  2. Check the status stanza of the YAML file.

    If the AZURE_IMAGE_ID parameter is populated, the pod VM image was created successfully.

Troubleshooting

  1. Retrieve the events log by running the following command:

    $ oc get events -n openshift-sandboxed-containers-operator --field-selector involvedObject.name=osc-podvm-image-creation
  2. Retrieve the job log by running the following command:

    $ oc logs -n openshift-sandboxed-containers-operator jobs/osc-podvm-image-creation

If you cannot resolve the issue, submit a Red Hat Support case and attach the output of both logs.

4.4.9. Configuring workload objects

You must configure OpenShift sandboxed containers workload objects by setting kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects

Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

You can define whether the workload should be deployed using the default instance size, which you defined in the config map, by adding an annotation to the YAML file.

If you do not want to define the instance size manually, you can add an annotation to use an automatic instance size, based on the memory available.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example:

    apiVersion: v1
    kind: <object>
    # ...
    spec:
      runtimeClassName: kata-remote
    # ...
  2. Add an annotation to the pod-templated object to use a manually defined instance size or an automatic instance size:

    • To use a manually defined instance size, add the following annotation:

      apiVersion: v1
      kind: <object>
      metadata:
        annotations:
          io.katacontainers.config.hypervisor.machine_type: "Standard_B2als_v2"  # 1
      # ...

      1  Specify the instance size that you defined in the config map.
    • To use an automatic instance size, add the following annotations:

      apiVersion: v1
      kind: <object>
      metadata:
        annotations:
          io.katacontainers.config.hypervisor.default_vcpus: <vcpus>
          io.katacontainers.config.hypervisor.default_memory: <memory>
      # ...

      Define the amount of memory available for the workload to use. The workload will run on an automatic instance size based on the amount of memory available.

  3. Apply the changes to the workload object by running the following command:

    $ oc apply -f <object.yaml>

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers, using peer pods.
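
The following Python is an added example, not part of the Red Hat documentation or of the Operator's code; the Operator's mutating webhook performs its own admission checks, which this does not reproduce. It takes the peer-pods config map from 4.4.3 and a pod-templated workload from 4.3.8 or this section, both as Python dicts, and reports the mistakes those procedures warn about: a missing or space-separated config map value, a non-numeric per-node limit, a malformed TAGS entry, a workload placed in the Operator namespace, a runtime class other than kata-remote, and a machine_type that is not listed in AZURE_INSTANCE_SIZES. The sample data is constructed; in practice, load the manifests with a YAML parser.

```python
"""Pre-apply checks for a peer-pods config map and for a pod-templated
workload that should run under the kata-remote runtime class."""

OPERATOR_NAMESPACE = "openshift-sandboxed-containers-operator"
MACHINE_TYPE = "io.katacontainers.config.hypervisor.machine_type"
DEFAULT_VCPUS = "io.katacontainers.config.hypervisor.default_vcpus"
DEFAULT_MEMORY = "io.katacontainers.config.hypervisor.default_memory"
REQUIRED_CM_KEYS = ("CLOUD_PROVIDER", "AZURE_SUBNET_ID", "AZURE_NSG_ID",
                    "AZURE_REGION", "AZURE_RESOURCE_GROUP")

# Constructed sample: the data stanza of the page's peer-pods-cm.yaml,
# with the placeholders left in.
SAMPLE_CM_DATA = {
    "CLOUD_PROVIDER": "azure",
    "VXLAN_PORT": "9000",
    "AZURE_INSTANCE_SIZE": "Standard_B2als_v2",
    "AZURE_INSTANCE_SIZES": "Standard_B2als_v2,Standard_D2as_v5,Standard_D4as_v5",
    "AZURE_SUBNET_ID": "<azure_subnet_id>",
    "AZURE_NSG_ID": "<azure_nsg_id>",
    "AZURE_REGION": "<azure_region>",
    "AZURE_RESOURCE_GROUP": "<azure_resource_group>",
    "PEERPODS_LIMIT_PER_NODE": "10",
    "TAGS": "key1=value1,key2=value2",
    "DISABLECVM": "true",
}

# Constructed sample workload: a Deployment in a dedicated namespace whose
# pod template asks for a manually defined instance size.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "demo", "namespace": "peer-pod-apps"},
    "spec": {"template": {
        "metadata": {"annotations": {MACHINE_TYPE: "Standard_D4as_v5"}},
        "spec": {"runtimeClassName": "kata-remote", "containers": []},
    }},
}


def check_config_map(data: dict) -> list:
    """Findings for the config map data stanza; empty means it looks sane."""
    findings = []
    for key in REQUIRED_CM_KEYS:
        if not data.get(key):
            findings.append(f"{key} is missing or empty")
    sizes = data.get("AZURE_INSTANCE_SIZES", "")
    if any(ch.isspace() for ch in sizes):
        findings.append("AZURE_INSTANCE_SIZES must be comma-separated without spaces")
    limit = data.get("PEERPODS_LIMIT_PER_NODE", "10")
    if not (limit.isdigit() and int(limit) > 0):
        findings.append("PEERPODS_LIMIT_PER_NODE must be a positive integer")
    for tag in filter(None, data.get("TAGS", "").split(",")):
        if tag.count("=") != 1 or not all(tag.split("=")):
            findings.append(f"TAGS entry {tag!r} is not key=value")
    return findings


def pod_template(obj: dict) -> dict:
    """The Pod itself, or the pod template of a pod-templated controller."""
    return obj if obj.get("kind") == "Pod" else obj["spec"]["template"]


def check_workload(obj: dict, cm_data: dict) -> list:
    """Findings for a workload that is meant to run as a peer pod."""
    findings = []
    if obj.get("metadata", {}).get("namespace") == OPERATOR_NAMESPACE:
        findings.append("workload is in the Operator namespace; use a dedicated one")
    tmpl = pod_template(obj)
    if tmpl.get("spec", {}).get("runtimeClassName") != "kata-remote":
        findings.append("spec.runtimeClassName is not kata-remote")
    ann = tmpl.get("metadata", {}).get("annotations", {})
    allowed = cm_data.get("AZURE_INSTANCE_SIZES", "").split(",")
    if MACHINE_TYPE in ann and ann[MACHINE_TYPE] not in allowed:
        findings.append(f"machine_type {ann[MACHINE_TYPE]!r} is not in AZURE_INSTANCE_SIZES")
    # The page presents manual and automatic sizing as alternatives, so a
    # template that sets both is flagged for the author to pick one.
    if MACHINE_TYPE in ann and (DEFAULT_VCPUS in ann or DEFAULT_MEMORY in ann):
        findings.append("both machine_type and automatic sizing annotations are set")
    return findings
```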
© 2025 Red Hat