Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 5. Deploying OpenShift sandboxed containers on Google Cloud

You can deploy OpenShift sandboxed containers on Google Cloud,

Important

Red Hat OpenShift sandboxed containers on Google Cloud is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

You deploy OpenShift sandboxed containers by performing the following steps:

  1. Install the OpenShift sandboxed containers Operator on the OpenShift Container Platform cluster.
  2. Enable ports to allow internal communication with peer pods.
  3. Create the peer pods config map.
  4. Create the pod VM image config map.
  5. Optional: Customize the Kata agent policy.
  6. Create the KataConfig custom resource.
  7. Optional: Modify the number of virtual machines running on each worker node.
  8. Configure your workload for OpenShift sandboxed containers.

5.1. Prerequisites
Copia collegamento

  • You have installed the latest version of Red Hat OpenShift Container Platform.
  • Your OpenShift Container Platform cluster has at least one worker node.
  • You have enabled ports 15150 and 9000 for communication in the subnet used for worker nodes and the pod virtual machine (VM). The ports enable communication between the Kata shim running on the worker node and the Kata agent running on the pod VM.

5.2. Installing the OpenShift sandboxed containers Operator
Copia collegamento

You install the OpenShift sandboxed containers Operator by using the command line interface (CLI).

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an osc-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

  2. Create the namespace by running the following command: 

    $ oc create -f osc-namespace.yaml
    Copy to Clipboard Toggle word wrap

  3. Create an osc-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: sandboxed-containers-operator-group
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

  4. Create the operator group by running the following command: 

    $ oc create -f osc-operatorgroup.yaml
    Copy to Clipboard Toggle word wrap

  5. Create an osc-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.10.3
    Copy to Clipboard Toggle word wrap

  6. Create the subscription by running the following command: 

    $ oc create -f osc-subscription.yaml
    Copy to Clipboard Toggle word wrap

  7. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

    This command can take several minutes to complete.

  8. Watch the process by running the following command: 

    $ watch oc get csv -n openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                             DISPLAY                                  VERSION             REPLACES                   PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.10.3    1.9.0        Succeeded
    Copy to Clipboard Toggle word wrap

5.3. Enabling port 15150 for Google Cloud
Copia collegamento

You must enable port 15150 to allow internal communication with peer pods running on Compute Engine.

Prerequisites

  • You have installed the Google Cloud command line interface (CLI) tool.
  • You have access to the OpenShift Container Platform cluster as a user with the roles/container.admin role.

Procedure

  1. Set the project ID variable by running the following command: 

    $ export GCP_PROJECT_ID="<project_id>"
    Copy to Clipboard Toggle word wrap

  2. Log in to Google Cloud by running the following command: 

    $ gcloud auth login
    Copy to Clipboard Toggle word wrap

  3. Set the Google Cloud project ID by running the following command: 

    $ gcloud config set project ${GCP_PROJECT_ID}
    Copy to Clipboard Toggle word wrap

  4. Open port 15150 by running the following command: 

    $ gcloud compute firewall-rules create allow-port-15150-restricted \
   --project=${GCP_PROJECT_ID} \
   --network=default \
   --allow=tcp:15150 \
   --source-ranges=<external_ip_cidr-1>[,<external_ip_cidr-2>,...]
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify one or more IP addresses or ranges in CIDR format, separated by commas. For example, 203.0.113.5/32,198.51.100.0/24.

Verification

  • Verify that port 15150 is open by running the following command: 

    $ gcloud compute firewall-rule list
    Copy to Clipboard Toggle word wrap

5.4. Creating the peer pods config map
Copia collegamento

You must create the peer pods config map.

Procedure

  1. Log in to your Compute Engine instance to set the following environmental variables:

    1. Get the project ID by running the following command: 

      $ GCP_PROJECT_ID=$(gcloud config get-value project)
      Copy to Clipboard Toggle word wrap

    2. Get the zone by running the following command: 

      $ GCP_ZONE=$(gcloud config get-value compute/zone)
      Copy to Clipboard Toggle word wrap

    3. Retrieve a list of network names by running the following command: 

      $ gcloud compute networks list --format="value(name)"
      Copy to Clipboard Toggle word wrap

    4. Specify the network by running the following command: 

      $ GCP_NETWORK=<network_name>
      Copy to Clipboard Toggle word wrap

      Only auto-mode networks are supported. Custom networks are not supported at this time.

  2. Create a peer-pods-cm.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "gcp"
  VXLAN_PORT: "9000"
  PROXY_TIMEOUT: "5m"
  GCP_MACHINE_TYPE: "e2-medium"
  GCP_PROJECT_ID: "<project_id>"
  GCP_ZONE: "<gcp_zone>"
  GCP_NETWORK: "<gcp_network>"
  TAGS: "key1=value1,key2=value2"
  PEERPODS_LIMIT_PER_NODE: "10"
  ROOT_VOLUME_SIZE: "6"
  DISABLECVM: "true"
    Copy to Clipboard Toggle word wrap
    GCP_MACHINE_TYPE
    Defines the default machine type that is used if the machine type is not defined in the workload object.
    TAGS
    You can configure custom tags as key:value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.
    PEERPODS_LIMIT_PER_NODE
    You can increase this value to run more peer pods on a node. The default value is 10.
    ROOT_VOLUME_SIZE
    You can increase this value for pods with larger container images. Specify the root volume size in gigabytes for the pod VM. The default and minimum size is 6 GB.

  3. Create the config map by running the following command: 

    $ oc create -f peer-pods-cm.yaml
    Copy to Clipboard Toggle word wrap

5.5. Creating the peer pod VM image
Copia collegamento

You must create a QCOW2 peer pod virtual machine (VM) image.

Prerequisites

  • You have installed podman.
  • You have access to a container registry.

Procedure

  1. Clone the OpenShift sandboxed containers repository by running the following command: 

    $ git clone https://github.com/openshift/sandboxed-containers-operator.git
    Copy to Clipboard Toggle word wrap

  2. Navigate to sandboxed-containers-operator/config/peerpods/podvm/bootc by running the following command: 

    $ cd sandboxed-containers-operator/config/peerpods/podvm/bootc
    Copy to Clipboard Toggle word wrap

  3. Log in to registry.redhat.io by running the following command: 

    $ podman login registry.redhat.io
    Copy to Clipboard Toggle word wrap

    You must log in to registry.redhat.io, because the podman build process must access the Containerfile.rhel container image hosted on the registry.

  4. Set the image path for your container registry by running the following command: 

    $ IMG="<container_registry_url>/<username>/podvm-bootc:latest"
    Copy to Clipboard Toggle word wrap

  5. Build the pod VM bootc image by running the following command: 

    $ podman build -t ${IMG} -f Containerfile.rhel .
    Copy to Clipboard Toggle word wrap

  6. Log in to your container registry by running the following command: 

    $ podman login <container_registry_url>
    Copy to Clipboard Toggle word wrap

  7. Push the image to your container registry by running the following command: 

    $ podman push ${IMG}
    Copy to Clipboard Toggle word wrap

    For testing and development, you can make the image public.

  8. Verify the podvm-bootc image by running the following command: 

    $ podman images
    Copy to Clipboard Toggle word wrap

    Example output

    REPOSITORY                               TAG     IMAGE ID      CREATED         SIZE
example.com/example_user/podvm-bootc     latest  88ddab975a07  2 seconds ago   1.82 GB
    Copy to Clipboard Toggle word wrap

5.6. Creating the peer pod VM image config map
Copia collegamento

Create the config map for the pod virtual machine (VM) image.

Procedure

  1. Create a podvm-image-cm.yaml manifest with the following content: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: podvm-image-cm
  namespace: openshift-sandboxed-containers-operator
data:
  IMAGE_TYPE: pre-built
  PODVM_IMAGE_URI: <container_registry_url>/<username>/podvm-bootc:latest
  IMAGE_BASE_NAME: "podvm-image"
  IMAGE_VERSION: "0-0-0"

  INSTALL_PACKAGES: "no"
  DISABLE_CLOUD_CONFIG: "true"
  UPDATE_PEERPODS_CM: "yes"
  BOOT_FIPS: "no"

  BOOTC_BUILD_CONFIG: |
    [[customizations.user]]
    name = "peerpod"
    password = "peerpod"
    groups = ["wheel", "root"]

    [[customizations.filesystem]]
    mountpoint = "/"
    minsize = "5 GiB"

    [[customizations.filesystem]]
    mountpoint = "/var/kata-containers"
    minsize = "15 GiB"
    Copy to Clipboard Toggle word wrap

  2. Create the config map by running the following command: 

    $ oc create -f podvm-image-cm.yaml
    Copy to Clipboard Toggle word wrap

5.7. Customizing the Kata Agent policy
Copia collegamento

You can customize the Kata Agent policy to override the default policy, which is permissive, for a peer pod. The Kata Agent policy is a security mechanism that controls API requests for peer pods.

Important

You must override the default policy in a production environment.

As a minimum requirement, you must disable ExecProcessRequest to prevent a cluster administrator from accessing sensitive data by running the oc exec command on a peer pod.

You can use the default policy in development and test environments where security is not a concern, for example, in an environment where the control plane can be trusted.

A custom policy replaces the default policy entirely. To modify specific APIs, include the full policy and adjust the relevant rules.

Procedure

  1. Create a custom policy.rego file by modifying the default policy: 

    package agent_policy

default AddARPNeighborsRequest := true
default AddSwapRequest := true
default CloseStdinRequest := true
default CopyFileRequest := true
default CreateContainerRequest := true
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := true
default GetMetricsRequest := true
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default ListInterfacesRequest := true
default ListRoutesRequest := true
default MemHotplugByProbeRequest := true
default OnlineCPUMemRequest := true
default PauseContainerRequest := true
default PullImageRequest := true
default ReadStreamRequest := false
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default ReseedRandomDevRequest := true
default ResumeContainerRequest := true
default SetGuestDateTimeRequest := true
default SetPolicyRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StartTracingRequest := true
default StatsContainerRequest := true
default StopTracingRequest := true
default TtyWinResizeRequest := true
default UpdateContainerRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := true
    Copy to Clipboard Toggle word wrap

    The default policy allows all API calls. Adjust the true or false values to customize the policy further based on your needs.

  2. Convert the policy.rego file to a Base64-encoded string by running the following command: 

    $ base64 -w0 policy.rego
    Copy to Clipboard Toggle word wrap

    Record the output.

  3. Add the Base64-encoded policy string to the my-pod.yaml manifest: 

    apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  annotations:
    io.katacontainers.config.agent.policy: <base64_encoded_policy>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault
    Copy to Clipboard Toggle word wrap

  4. Create the pod by running the following command: 

    $ oc create -f my-pod.yaml
    Copy to Clipboard Toggle word wrap

5.8. Creating the KataConfig custom resource
Copia collegamento

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors can increase the reboot time:

  • A large OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    Copy to Clipboard Toggle word wrap
    1
    Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, osc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc create -f example-kataconfig.yaml
    Copy to Clipboard Toggle word wrap

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"
    Copy to Clipboard Toggle word wrap

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds
    Copy to Clipboard Toggle word wrap

  5. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass
    Copy to Clipboard Toggle word wrap

    Example output

    NAME             HANDLER          AGE
kata-remote      kata-remote      152m
    Copy to Clipboard Toggle word wrap

5.9. Modifying the number of peer pod VMs per node
Copia collegamento

You can modify the limit of peer pod virtual machines (VMs) per node by editing the peerpodConfig custom resource (CR).

Procedure

  1. Check the current limit by running the following command: 

    $ oc get peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
  -o jsonpath='{.spec.limit}{"\n"}'
    Copy to Clipboard Toggle word wrap

  2. Specify a new value for the limit key by running the following command: 

    $ oc patch peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \
  --type merge --patch '{"spec":{"limit":"<value>"}}'
    Copy to Clipboard Toggle word wrap

5.10. Verifying the pod VM image
Copia collegamento

After kata-remote is installed on your cluster, the OpenShift sandboxed containers Operator creates a pod VM image, which is used to create peer pods. This process can take a long time because the image is created on the cloud instance. You can verify that the pod VM image was created successfully by checking the config map that you created for the cloud provider.

Procedure

  1. Obtain the config map you created for the peer pods: 

    $ oc get configmap peer-pods-cm -n openshift-sandboxed-containers-operator -o yaml
    Copy to Clipboard Toggle word wrap

  2. Check the status stanza of the YAML file.

    If the PODVM_IMAGE_NAME parameter is populated, the pod VM image was created successfully.

Troubleshooting

  1. Retrieve the events log by running the following command: 

    $ oc get events -n openshift-sandboxed-containers-operator --field-selector involvedObject.name=osc-podvm-image-creation
    Copy to Clipboard Toggle word wrap

  2. Retrieve the job log by running the following command: 

    $ oc logs -n openshift-sandboxed-containers-operator jobs/osc-podvm-image-creation
    Copy to Clipboard Toggle word wrap

If you cannot resolve the issue, submit a Red Hat Support case and attach the output of both logs.

5.11. Configuring your workload for OpenShift sandboxed containers
Copia collegamento

You configure your workload for OpenShift sandboxed containers by setting kata-remote as the runtime class for the following pod-templated objects:

  • Pod objects
  • ReplicaSet objects
  • ReplicationController objects
  • StatefulSet objects
  • Deployment objects
  • DeploymentConfig objects
Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

Prerequisites

  • You have created the KataConfig custom resource (CR).

Procedure

  1. Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example: 

    apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata-remote
# ...
    Copy to Clipboard Toggle word wrap

  2. Apply the changes to the workload object by running the following command: 

    $ oc apply -f <object.yaml>
    Copy to Clipboard Toggle word wrap

    OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

  • Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on OpenShift sandboxed containers.
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat