Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 3. Deploying confidential containers on Microsoft Azure Red Hat OpenShift

You can deploy confidential containers workloads on Microsoft Azure Red Hat OpenShift.

3.1. Preparation
Copiar o link

Review these prerequisites and concepts before you deploy confidential containers on Azure Red Hat OpenShift.

3.1.1. Prerequisites
Copiar o link

  • You have installed the latest version of Red Hat OpenShift Container Platform on the cluster where you are running your confidential containers workload.
  • You have deployed Red Hat build of Trustee on an OpenShift Container Platform cluster in a trusted environment. For more information, see Deploying Red Hat build of Trustee.
  • You have enabled ports 15150 and 9000 for communication in the subnet used for worker nodes and the pod virtual machine (VM). The ports enable communication between the Kata shim running on the worker node and the Kata agent running on the pod VM.

3.1.2. Outbound connections
Copiar o link

To enable peer pods to communicate with external networks, such as the public internet, you must configure outbound connectivity for the pod virtual machine (VM) subnet. This involves setting up a NAT gateway and, optionally, defining how the subnet integrates with your cluster’s virtual network (VNet) in Azure.

Peer pods and subnets
Peer pods operate in a dedicated Azure subnet that requires explicit configuration for outbound access. This subnet can either be the default worker subnet used by OpenShift Container Platform nodes or a separate, custom subnet created specifically for peer pods.
VNet peering
When using a separate subnet, VNet peering connects the peer pod VNet to the cluster’s VNet, ensuring internal communication while maintaining isolation. This requires non-overlapping CIDR ranges between the VNets.

You can configure outbound connectivity in two ways:

  • Default worker subnet: Modify the existing worker subnet to include a NAT gateway. This is simpler and reuses cluster resources, but it offers less isolation.
  • Peer pod VNet: Set up a dedicated VNet and subnet for peer pods, attach a NAT gateway, and peer it with the cluster VNet. This provides greater isolation and flexibility at the cost of additional complexity.

3.1.3. Peer pod resource requirements
Copiar o link

You must ensure that your cluster has sufficient resources.

Peer pod virtual machines (VMs) require resources in two locations:

  • The worker node. The worker node stores metadata, Kata shim resources (containerd-shim-kata-v2), remote-hypervisor resources (cloud-api-adaptor), and the tunnel setup between the worker nodes and the peer pod VM.
  • The cloud instance. This is the actual peer pod VM running in the cloud.

The CPU and memory resources used in the Kubernetes worker node are handled by the pod overhead included in the RuntimeClass (kata-remote) definition used for creating peer pods.

The total number of peer pod VMs running in the cloud is defined as Kubernetes Node extended resources. This limit is per node and is set by the PEERPODS_LIMIT_PER_NODE attribute in the peer-pods-cm config map.

The extended resource is named kata.peerpods.io/vm, and enables the Kubernetes scheduler to handle capacity tracking and accounting.

You can edit the limit per node based on the requirements for your environment after you install the OpenShift sandboxed containers Operator.

A mutating webhook adds the extended resource kata.peerpods.io/vm to the pod specification. It also removes any resource-specific entries from the pod specification, if present. This enables the Kubernetes scheduler to account for these extended resources, ensuring the peer pod is only scheduled when resources are available.

The mutating webhook modifies a Kubernetes pod as follows:

  • The mutating webhook checks the pod for the expected RuntimeClassName value, specified in the TARGET_RUNTIMECLASS environment variable. If the value in the pod specification does not match the value in the TARGET_RUNTIMECLASS, the webhook exits without modifying the pod.

  • If the RuntimeClassName values match, the webhook makes the following changes to the pod spec:

    1. The webhook removes every resource specification from the resources field of all containers and init containers in the pod.
    2. The webhook adds the extended resource (kata.peerpods.io/vm) to the spec by modifying the resources field of the first container in the pod. The extended resource kata.peerpods.io/vm is used by the Kubernetes scheduler for accounting purposes.
Note

The mutating webhook excludes specific system namespaces in OpenShift Container Platform from mutation. If a peer pod is created in those system namespaces, then resource accounting using Kubernetes extended resources does not work unless the pod spec includes the extended resource.

As a best practice, define a cluster-wide policy to only allow peer pod creation in specific namespaces.

3.1.4. Initdata
Copiar o link

The initdata specification provides a flexible way to initialize a pod with workload-specific data at runtime, avoiding the need to embed such data in the virtual machine (VM) image.

This approach enhances security by reducing the exposure of confidential information and improves flexibility by eliminating custom image builds. For example, initdata can include three configuration settings:

  • An X.509 certificate for secure communication.
  • A cryptographic key for authentication.
  • An optional Kata Agent policy.rego file to enforce runtime behavior when overriding the default Kata Agent policy.

The initdata content configures the following components:

  • Attestation Agent (AA), which verifies the trustworthiness of the pod by sending evidence for attestation.
  • Confidential Data Hub (CDH), which manages secrets and secure data access within the pod VM.
  • Kata Agent, which enforces runtime policies and manages the lifecycle of the containers inside the pod VM.

You create an initdata.toml file and convert it to a Base64-encoded, gzip-format string. You apply the initdata string to your workload by one of the following methods:

  • Global configuration: Add the initdata string as the value of the INITDATA key in the peer pods config map to create a default configuration for all peer pods.

  • Pod configuration: Add the initdata string as an annotation to a pod manifest, allowing customization for individual workloads.

    Note

    The initdata annotation in the pod manifest overrides the global INITDATA value in the peer pods config map for that specific pod. The Kata runtime handles this precedence automatically at pod creation time.

Then, you create a hash from the initdata file. This hash is required as a reference value for the Reference Value Provider Service (RVPS) config map for Red Hat build of Trustee.

3.2. Deployment overview
Copiar o link

You deploy confidential containers on Azure Red Hat OpenShift by performing the following steps:

  1. Prepare your network by configuring outbound connectivity for the peer pods.
  2. Install the OpenShift sandboxed containers Operator.
  3. Enable the confidential containers feature gate.
  4. Create initdata to initialize a peer pod with sensitive or workload-specific data at runtime.
  5. Create the peer pods config map. You can add initdata to the config map to create a default global configuration for your peer pods.
  6. Create the KataConfig CR.
  7. Verify the attestation process.
  8. You can add initdata to a pod manifest to override the global initdata configuration you set in the peer pods config map.
  9. Optional: If you select a container image from an authenticated registry, you must configure a pull secret for the pod.
  10. Optional: You can select a custom peer pod VM image.

3.3. Creating MachineConfig config map for TDX
Copiar o link

If you use Intel Trust Domain Extensions (TDX), you must create a MachineConfig object before you install the Red Hat build of Trustee Operator.

Procedure

  1. Create a tdx-machine-config.yaml manifest file according to the following example: 

    apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: <role>
    1 
    
  name: 99-enable-intel-tdx
spec:
  kernelArguments:
  - kvm_intel.tdx=1
  - nohibernate
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/modules-load.d/vsock.conf
          mode: 0644
          contents:
            source: data:text/plain;charset=utf-8;base64,dnNvY2stbG9vcGJhY2sK
    Copy to Clipboard Toggle word wrap
    1
    Specify master for single-node OpenShift or kata-oc for a multi-node cluster.

  2. Create the TDX config map by running the following command: 

    $ oc create -f tdx-config.yaml
    Copy to Clipboard Toggle word wrap

3.4. Preparing your network
Copiar o link

You must prepare your network by configuring outbound connectivity for the peer pods. You can perform this task by using one of the following methods:

  • Add a NAT gateway to the default worker subnet. This method is simple and reuses cluster resources, but it offers less isolation.
  • Create a dedicated VNet and subnet for your peer pods, attach a NAT gateway, and peer it with the cluster VNet. This method is more complex but it provides greater isolation and flexibility.

3.4.1. Configuring the default worker subnet
Copiar o link

You can configure the default worker subnet for outbound connections by attaching a NAT gateway. This method is simple and reuses cluster resources, but it offers less isolation than a dedicated virtual network.

Prerequisites

  • The Azure CLI (az) is installed and authenticated.
  • You have administrator access to the Azure resource group and the VNet.

Procedure

  1. Set the AZURE_RESOURCE_GROUP environment variable by running the following command: 

    $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
    -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')
    Copy to Clipboard Toggle word wrap

  2. Set the AZURE_REGION environment variable by running the following command: 

    $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP}\
    --query "{Location:location}" --output tsv) && \
    echo "AZURE_REGION: \"$AZURE_REGION\""
    Copy to Clipboard Toggle word wrap

  3. Set the AZURE_VNET_NAME environment variable by running the following command: 

    $ AZURE_VNET_NAME=$(az network vnet list \
    -g "${AZURE_RESOURCE_GROUP}" --query '[].name' -o tsv)
    Copy to Clipboard Toggle word wrap

  4. Set the AZURE_SUBNET_ID environment variable by running the following command: 

    $ AZURE_SUBNET_ID=$(az network vnet subnet list \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --vnet-name "${AZURE_VNET_NAME}" --query "[].{Id:id} \
    | [? contains(Id, 'worker')]" --output tsv)
    Copy to Clipboard Toggle word wrap

  5. Set the NAT gateway environment variables for the peer pod subnet by running the following commands: 

    $ export PEERPOD_NAT_GW=peerpod-nat-gw
    Copy to Clipboard Toggle word wrap 
    $ export PEERPOD_NAT_GW_IP=peerpod-nat-gw-ip
    Copy to Clipboard Toggle word wrap

  6. Create a public IP address for the NAT gateway by running the following command: 

    $ az network public-ip create -g "${AZURE_RESOURCE_GROUP}" \
    -n "${PEERPOD_NAT_GW_IP}" -l "${AZURE_REGION}" --sku Standard
    Copy to Clipboard Toggle word wrap

  7. Create the NAT gateway and associate it with the public IP address by running the following command: 

    $ az network nat gateway create -g "${AZURE_RESOURCE_GROUP}" \
    -l "${AZURE_REGION}" --public-ip-addresses "${PEERPOD_NAT_GW_IP}" \
    -n "${PEERPOD_NAT_GW}"
    Copy to Clipboard Toggle word wrap

  8. Update the VNet subnet to use the NAT gateway by running the following command: 

    $ az network vnet subnet update --nat-gateway "${PEERPOD_NAT_GW}" \
    --ids "${AZURE_SUBNET_ID}"
    Copy to Clipboard Toggle word wrap

Verification

  • Confirm the NAT gateway is attached to the VNet subnet by running the following command: 

    $ az network vnet subnet show --ids "${AZURE_SUBNET_ID}" \
    --query "natGateway.id" -o tsv
    Copy to Clipboard Toggle word wrap

    The output contains the NAT gateway resource ID. If no NAT gateway is attached, the output is empty.

    Example output

    /subscriptions/12345678-1234-1234-1234-1234567890ab/resourceGroups/myResourceGroup/providers/Microsoft.Network/natGateways/myNatGateway
    Copy to Clipboard Toggle word wrap

3.4.2. Creating a dedicated peer pod virtual network
Copiar o link

You can configure outbound connections for peer pods by creating a dedicated virtual network (VNet). Then, you create a network address translation (NAT) gateway for the VNet, create a subnet within the VNet, and enable VNet peering with non-overlapping address spaces.

This method is more complex than creating a NAT gateway for the default worker subnet but it provides greater isolation and flexibility.

Prerequisites

  • The Azure CLI (az) is installed
  • You have signed in to Azure. See Authenticate to Azure using Azure CLI.
  • You have administrator access to the Azure resource group and VNet hosting the cluster.
  • You have verified the cluster VNet classless inter-domain routing (CIDR) address. The default value is 10.0.0.0/14. If you overrode the default value, you have ensured that you chose a non-overlapping CIDR address for the peer pod VNet. For example, 192.168.0.0/16.

Procedure

  1. Set the environmental variables for the peer pod network:

    1. Set the peer pod VNet environment variables by running the following commands: 

      $ export PEERPOD_VNET_NAME="${PEERPOD_VNET_NAME:-peerpod-vnet}"
      Copy to Clipboard Toggle word wrap 
      $ export PEERPOD_VNET_CIDR="${PEERPOD_VNET_CIDR:-192.168.0.0/16}"
      Copy to Clipboard Toggle word wrap

    2. Set the peer pod subnet environment variables by running the following commands: 

      $ export PEERPOD_SUBNET_NAME="${PEERPOD_SUBNET_NAME:-peerpod-subnet}"
      Copy to Clipboard Toggle word wrap 
      $ export PEERPOD_SUBNET_CIDR="${PEERPOD_SUBNET_CIDR:-192.168.0.0/16}"
      Copy to Clipboard Toggle word wrap

  2. Set the environmental variables for Azure: 

    $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
    -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')
    Copy to Clipboard Toggle word wrap 
    $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP}\
    --query "{Location:location}" --output tsv) && \
    echo "AZURE_REGION: \"$AZURE_REGION\""
    Copy to Clipboard Toggle word wrap 
    $ AZURE_VNET_NAME=$(az network vnet list \
    -g "${AZURE_RESOURCE_GROUP}" --query '[].name' -o tsv)
    Copy to Clipboard Toggle word wrap

  3. Set the peer pod NAT gateway environment variables by running the following commands: 

    $ export PEERPOD_NAT_GW="${PEERPOD_NAT_GW:-peerpod-nat-gw}"
    Copy to Clipboard Toggle word wrap 
    $ export PEERPOD_NAT_GW_IP="${PEERPOD_NAT_PUBLIC_IP:-peerpod-nat-gw-ip}"
    Copy to Clipboard Toggle word wrap

  4. Configure the VNET:

    1. Create the peer pod VNet by running the following command: 

      $ az network vnet create --resource-group "${AZURE_RESOURCE_GROUP}" \
    --name "${PEERPOD_VNET_NAME}" \
    --address-prefixes "${PEERPOD_VNET_CIDR}"
      Copy to Clipboard Toggle word wrap

    2. Create a public IP address for the peer pod VNet by running the following command: 

      $ az network public-ip create -g "${AZURE_RESOURCE_GROUP}" \
    -n "${PEERPOD_NAT_GW_IP}" -l "${AZURE_REGION}"
      Copy to Clipboard Toggle word wrap

    3. Create a NAT gateway for the peer pod VNet by running the following command: 

      $ az network nat gateway create -g "${AZURE_RESOURCE_GROUP}" \
    -l "${AZURE_REGION}" \
    --public-ip-addresses "${PEERPOD_NAT_GW_IP}" \
    -n "${PEERPOD_NAT_GW}"
      Copy to Clipboard Toggle word wrap

    4. Create a subnet in the peer pod VNet and attach the NAT gateway by running the following command: 

      $ az network vnet subnet create \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --vnet-name "${PEERPOD_VNET_NAME}" \
    --name "${PEERPOD_SUBNET_NAME}" \
    --address-prefixes "${PEERPOD_SUBNET_CIDR}" \
    --nat-gateway "${PEERPOD_NAT_GW}"
      Copy to Clipboard Toggle word wrap

  5. Configure the virtual network peering connection:

    1. Create the peering connection by running the following command: 

      $ az network vnet peering create -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-azure-vnet-to-peerpod-vnet \
    --vnet-name "${AZURE_VNET_NAME}" \
    --remote-vnet "${PEERPOD_VNET_NAME}" --allow-vnet-access \
    --allow-forwarded-traffic
      Copy to Clipboard Toggle word wrap

    2. Sync the peering connection by running the following command: 

      $ az network vnet peering sync -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-azure-vnet-to-peerpod-vnet \
    --vnet-name "${AZURE_VNET_NAME}"
      Copy to Clipboard Toggle word wrap

    3. Complete the peering connection by running the following command: 

      $ az network vnet peering create -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-peerpod-vnet-to-azure-vnet \
    --vnet-name "${PEERPOD_VNET_NAME}" \
    --remote-vnet "${AZURE_VNET_NAME}" --allow-vnet-access \
    --allow-forwarded-traffic
      Copy to Clipboard Toggle word wrap

Verification

  1. Check the peering connection status from the cluster VNet by running the following command: 

    $ az network vnet peering show -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-azure-vnet-to-peerpod-vnet \
    --vnet-name "${AZURE_VNET_NAME}" \
    --query "peeringState" -o tsv
    Copy to Clipboard Toggle word wrap

    This should return Connected.

  2. Verify that the NAT gateway is attached to the peer pod subnet by running the following command: 

    $ az network vnet subnet show --resource-group "${AZURE_RESOURCE_GROUP}" \
    --vnet-name "${PEERPOD_VNET_NAME}" --name "${PEERPOD_SUBNET_NAME}" \
    --query "natGateway.id" -o tsv
    Copy to Clipboard Toggle word wrap

3.5. Installing the OpenShift sandboxed containers Operator
Copiar o link

You install the OpenShift sandboxed containers Operator by using the command line interface (CLI).

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an osc-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

  2. Create the namespace by running the following command: 

    $ oc apply -f osc-namespace.yaml
    Copy to Clipboard Toggle word wrap

  3. Create an osc-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: sandboxed-containers-operator-group
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

  4. Create the operator group by running the following command: 

    $ oc apply -f osc-operatorgroup.yaml
    Copy to Clipboard Toggle word wrap

  5. Create an osc-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.11.0
    Copy to Clipboard Toggle word wrap

  6. Create the subscription by running the following command: 

    $ oc create -f osc-subscription.yaml
    Copy to Clipboard Toggle word wrap

  7. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

    This command can take several minutes to complete.

  8. Watch the process by running the following command: 

    $ watch oc get csv -n openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                             DISPLAY                                  VERSION             REPLACES                   PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.11.0    1.10.3        Succeeded
    Copy to Clipboard Toggle word wrap

3.6. Creating the osc-feature-gates config map
Copiar o link

You enable the confidential containers feature gate by creating the config map.

Procedure

  1. Create a my-feature-gate.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: osc-feature-gates
  namespace: openshift-sandboxed-containers-operator
data:
  confidential: "true"
  deploymentMode: <deployment_mode>
    Copy to Clipboard Toggle word wrap

    where

    <deployment_mode>

    On OpenShift Container Platform clusters with the Machine Config Operator (MCO), the deploymentMode field is optional and can be omitted. Specifies the strategy for installing and configuring the Kata runtime. Specify the deployment mode:

    • MachineConfig for clusters that always use the MCO
    • DaemonSet for clusters that never use the MCO
    • DaemonSetFallback for clusters that sometimes use the MCO

  2. Create the my-feature-gates config map by running the following command: 

    $ oc create -f my-feature-gate.yaml
    Copy to Clipboard Toggle word wrap

3.7. Creating initdata
Copiar o link

You create initdata to securely initialize a pod with sensitive or workload-specific data at runtime, thus avoiding the need to embed this data in a virtual machine image. This approach provides additional security by reducing the risk of exposure of confidential information and eliminates the need for custom image builds.

You can specify initdata in the pods config map, for global configuration, or in a pod manifest, for a specific pod. The initdata value in a pod manifest overrides the value set in the pods config map.

Important

In a production environment, you must create initdata to override the default permissive Kata agent policy.

You can specify initdata in the peer pods config map, for global configuration, or in a peer pod manifest, for a specific pod. The initdata value in a peer pod manifest overrides the value set in the peer pods config map.

Then, you generate a Platform Configuration Register (PCR) 8 hash from the initdata.toml file for the Reference Value Provider Service (RVPS) config map for Red Hat build of Trustee.

Red Hat build of Trustee uses the RVPS to validate attestation evidence sent by confidential workloads. The RVPS contains trusted reference values, such as file hashes, that are compared to the PCR measurements included in attestation requests. These hashes are not generated by Red Hat build of Trustee.

Important

You must delete the kbs_cert setting if you configure insecure_http = true in the kbs-config config map for Red Hat build of Trustee.

Procedure

  1. Obtain the Red Hat build of Trustee URL by running the following command: 

    $ TRUSTEE_URL=$(oc get route kbs-service \
  -n trustee-operator-system -o jsonpath='{.spec.host}') \
  && echo $TRUSTEE_URL
    Copy to Clipboard Toggle word wrap

  2. Create the initdata.toml file: 

    algorithm = "sha384"
version = "0.1.0"

[data]
"aa.toml" = '''
[token_configs]
[token_configs.coco_as]

url = '<trustee_url>'

[token_configs.kbs]
url = '<trustee_url>'
'''

"cdh.toml" = '''
socket = 'unix:///run/confidential-containers/cdh.sock'
credentials = []

[kbc]
name = 'cc_kbc'
url = '<trustee_url>'
kbs_cert = """
-----BEGIN CERTIFICATE-----
<kbs_certificate>
-----END CERTIFICATE-----
"""
[image]
image_security_policy_uri = 'kbs:///default/<secret-policy-name>/<key>
'''

"policy.rego" = '''
package agent_policy

default AddARPNeighborsRequest := true
default AddSwapRequest := true
default CloseStdinRequest := true
default CopyFileRequest := true
default CreateContainerRequest := true
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default GetMetricsRequest := true
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default ListInterfacesRequest := true
default ListRoutesRequest := true
default MemHotplugByProbeRequest := true
default OnlineCPUMemRequest := true
default PauseContainerRequest := true
default PullImageRequest := true
default ReadStreamRequest := false
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default ReseedRandomDevRequest := true
default ResumeContainerRequest := true
default SetGuestDateTimeRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StartTracingRequest := true
default StatsContainerRequest := true
default StopTracingRequest := true
default TtyWinResizeRequest := true
default UpdateContainerRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default ExecProcessRequest := false
default SetPolicyRequest := false
default WriteStreamRequest := false

ExecProcessRequest if {
    input_command = concat(" ", input.process.Args)
    some allowed_command in policy_data.allowed_commands
    input_command == allowed_command
}

policy_data := {
  "allowed_commands": [
        "curl http://127.0.0.1:8006/cdh/resource/default/attestation-status/status"
  ]
}
'''
    Copy to Clipboard Toggle word wrap
    url
    Specify the Red Hat build of Trustee URL. If you configure the Red Hat build of Trustee with insecure_http for testing purposes, use HTTP. Otherwise, use HTTPS. For production systems, avoid using insecure_http unless you configure your environment to handle TLS externally, for example, with a proxy.
    <kbs_certificate>
    Specify the Base64-encoded TLS certificate for the attestation agent.
    kbs_cert
    Delete the kbs_cert setting if you configure insecure_http = true in the kbs-config config map for Red Hat build of Trustee.
    image_security_policy_uri
    Optional, only if you enabled the container image signature verification policy. Replace <secret-policy-name> and <key> with the secret name and key, respectively specified in Creating the KbsConfig custom resource.

  3. Convert the initdata.toml file to a Base64-encoded string in gzip format in a text file by running the following command: 

    $ cat initdata.toml | gzip | base64 -w0 > initdata.txt
    Copy to Clipboard Toggle word wrap

    Record this string to use in the peer pods config map or the peer pod manifest.

  4. Calculate the SHA-256 hash of an initdata.toml file and assign its value to the hash variable by running the following command: 

    $ hash=$(sha256sum initdata.toml | cut -d' ' -f1)
    Copy to Clipboard Toggle word wrap

  5. Assign 32 bytes of 0s to the initial_pcr variable by running the following command: 

    $ initial_pcr=0000000000000000000000000000000000000000000000000000000000000000
    Copy to Clipboard Toggle word wrap

  6. Calculate the SHA-256 hash of hash and initial_pcr and assign its value to the PCR8_HASH variable by running the following command: 

    $ PCR8_HASH=$(echo -n "$initial_pcr$hash" | xxd -r -p | sha256sum | cut -d' ' -f1) && echo $PCR8_HASH
    Copy to Clipboard Toggle word wrap

    Record the PCR8_HASH value for the RVPS config map.

3.8. Creating the peer pods config map
Copiar o link

You must create the peer pods config map.

Optional: Add initdata to the peer pods config map to create a default configuration for all peer pods.

Procedure

  1. Obtain the following values from your Azure instance:

    1. Retrieve and record the Azure resource group: 

      $ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
  -o jsonpath='{.status.platformStatus.azure.resourceGroupName}') \
  && echo "AZURE_RESOURCE_GROUP: \"$AZURE_RESOURCE_GROUP\""
      Copy to Clipboard Toggle word wrap

    2. Retrieve and record the Azure VNet name: 

      $ AZURE_VNET_NAME=$(az network vnet list \
  --resource-group ${AZURE_RESOURCE_GROUP} \
  --query "[].{Name:name}" --output tsv)
      Copy to Clipboard Toggle word wrap

      This value is used to retrieve the Azure subnet ID.

    3. Retrieve and record the Azure subnet ID: 

      $ AZURE_SUBNET_ID=$(az network vnet subnet list \
  --resource-group ${AZURE_RESOURCE_GROUP} --vnet-name $AZURE_VNET_NAME \
  --query "[].{Id:id} | [? contains(Id, 'worker')]" --output tsv) \
   && echo "AZURE_SUBNET_ID: \"$AZURE_SUBNET_ID\""
      Copy to Clipboard Toggle word wrap

    4. Retrieve and record the Azure network security group (NSG) ID: 

      $ AZURE_NSG_ID=$(az network nsg list --resource-group ${AZURE_RESOURCE_GROUP} \
  --query "[].{Id:id}" --output tsv) && echo "AZURE_NSG_ID: \"$AZURE_NSG_ID\""
      Copy to Clipboard Toggle word wrap

    5. Retrieve and record the Azure region: 

      $ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} \
  --query "{Location:location}" --output tsv) \
  && echo "AZURE_REGION: \"$AZURE_REGION\""
      Copy to Clipboard Toggle word wrap

  2. Create a peer-pods-cm.yaml manifest file according to the following example: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "azure"
  VXLAN_PORT: "9000"
  PROXY_TIMEOUT: "5m"
  AZURE_INSTANCE_SIZE: "Standard_DC2as_v5"
  AZURE_INSTANCE_SIZES: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5"
  AZURE_SUBNET_ID: "<azure_subnet_id>"
  AZURE_NSG_ID: "<azure_nsg_id>"
  AZURE_IMAGE_ID: ""
  AZURE_REGION: "<azure_region>"
  AZURE_RESOURCE_GROUP: "<azure_resource_group>"
  TAGS: "key1=value1,key2=value2"
  PEERPODS_LIMIT_PER_NODE: "10"
  ROOT_VOLUME_SIZE: "6"
  DISABLECVM: "false"
  INITDATA: "<initdata_string>"
    Copy to Clipboard Toggle word wrap
    AZURE_INSTANCE_SIZE
    Defines the default instance size that is used if the instance size is not defined in the workload object. "Standard_DC2as_v5" is for AMD SEV-SNP. If your TEE is Intel TDX, specify Standard_EC4eds_v5.
    AZURE_IMAGE_ID
    Leave this value empty. When you install the Operator, a Job is scheduled to download the default pod VM image from the Red Hat Ecosystem Catalog and upload it to the Azure Image Gallery within the same Azure Resource Group as the OpenShift Container Platform cluster. This image provides root disk integrity protection (dm-verity) and encrypted container storage. See Confidential VMs: The core of confidential containers for details.
    AZURE_INSTANCE_SIZES
    Specify the allowed instance sizes, without spaces, for creating the pod. You can define smaller instance sizes for workloads that need less memory and fewer CPUs or larger instance sizes for larger workloads.
    TAGS
    You can configure custom tags as key:value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.
    PEERPODS_LIMIT_PER_NODE
    You can increase this value to run more peer pods on a node. The default value is 10.
    ROOT_VOLUME_SIZE
    You can increase this value for pods with larger container images. Specify the root volume size in gigabytes for the pod VM. The default and minimum size is 6 GB.
    INITDATA
    Specify the initdata string to create a default configuration for all peer pods. If you add initdata to a peer pod manifest, that setting overrides this global configuration.

  3. Create the config map by running the following command: 

    $ oc create -f peer-pods-cm.yaml
    Copy to Clipboard Toggle word wrap

3.9. Applying initdata to a pod
Copiar o link

You can override the global INITDATA setting you applied in the peer pods config map by applying customized initdata to a specific pod for special use cases, such as development and testing with a relaxed policy, or when using different Red Hat build of Trustee configurations. You can customize initdata by adding an annotation to the workload pod YAML.

Prerequisite

  • You have created an initdata string.

Procedure

  1. Add the initdata string to the pod manifest: 

    apiVersion: v1
kind: Pod
metadata:
  name: ocp-cc-pod
  labels:
    app: ocp-cc-pod
  annotations:
    io.katacontainers.config.hypervisor.cc_init_data: <initdata_string>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault
    Copy to Clipboard Toggle word wrap

  2. Create the pod by running the following command: 

    $ oc create -f my-pod.yaml
    Copy to Clipboard Toggle word wrap

3.10. Creating the KataConfig custom resource
Copiar o link

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors can increase the reboot time:

  • A large OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:

  enablePeerPods: true

  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    Copy to Clipboard Toggle word wrap
    1
    Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, cc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc create -f example-kataconfig.yaml
    Copy to Clipboard Toggle word wrap

    The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.

    Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"
    Copy to Clipboard Toggle word wrap

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

  4. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds
    Copy to Clipboard Toggle word wrap

  5. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass
    Copy to Clipboard Toggle word wrap

    Example output

    NAME             HANDLER          AGE
kata-remote      kata-remote      152m
    Copy to Clipboard Toggle word wrap

3.11. Verifying attestation
Copiar o link

You can verify the attestation process by creating a test pod to retrieve a specific resource from Red Hat build of Trustee.

Important

This procedure is an example to verify that attestation is working. Do not write sensitive data to standard I/O, because the data can be captured by using a memory dump. Only data written to memory is encrypted.

Procedure

  1. Create a test-pod.yaml manifest file: 

    apiVersion: v1
kind: Pod
metadata:
  name: ocp-cc-pod
  labels:
    app: ocp-cc-pod
  annotations:
    io.katacontainers.config.hypervisor.cc_init_data: <initdata_string>
    1 
    
spec:
  runtimeClassName: kata-remote
  containers:
    - name: skr-openshift
      image: registry.access.redhat.com/ubi9/ubi:latest
      command:
        - sleep
        - "36000"
      securityContext:
        privileged: false
        seccompProfile:
          type: RuntimeDefault
    Copy to Clipboard Toggle word wrap
    1
    Optional: Setting initdata in a pod annotation overrides the global INITDATA setting in the peer pods config map.

  2. Create the pod by running the following command: 

    $ oc create -f test-pod.yaml
    Copy to Clipboard Toggle word wrap

  3. Log in to the pod by running the following command: 

    $ oc exec -it ocp-cc-pod -- bash
    Copy to Clipboard Toggle word wrap

  4. Fetch the Red Hat build of Trustee resource by running the following command: 

    $ curl http://127.0.0.1:8006/cdh/resource/default/attestation-status/status
    Copy to Clipboard Toggle word wrap

    Example output

    success #/
    Copy to Clipboard Toggle word wrap

3.12. Configuring a pull secret for peer pods
Copiar o link

If you select a custom peer pod VM image from a private registry such as registry.access.redhat.com, you must configure a pull secret for peer pods.

Then, you can link the pull secret to the default service account or you can specify the pull secret in the peer pod manifest.

Procedure

  1. Set the NS variable to the namespace where you deploy your peer pods: 

    $ NS=<namespace>
    Copy to Clipboard Toggle word wrap

  2. Copy the pull secret to the peer pod namespace: 

    $ oc get secret pull-secret -n openshift-config -o yaml \
  | sed "s/namespace: openshift-config/namespace: ${NS}/" \
  | oc apply -n "${NS}" -f -
    Copy to Clipboard Toggle word wrap

    You can use the cluster pull secret, as in this example, or a custom pull secret.

  3. Optional: Link the pull secret to the default service account: 

    $ oc secrets link default pull-secret --for=pull -n ${NS}
    Copy to Clipboard Toggle word wrap

  4. Alternatively, add the pull secret to the peer pod manifest: 

    apiVersion: v1
kind: <Pod>
spec:
  containers:
  - name: <container_name>
    image: <image_name>
  imagePullSecrets:
  - name: pull-secret
# ...
    Copy to Clipboard Toggle word wrap

3.13. Selecting a custom peer pod VM image
Copiar o link

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements, by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.

Prerequisites

  • If the custom peer pod VM image is in a private registry, you have created a pull secret.
  • You have the ID of a custom pod VM image, which is compatible with your cloud provider or hypervisor.

Procedure

  1. Create a my-pod-manifest.yaml file according to the following example: 

    apiVersion: v1
kind: Pod
metadata:
  name: my-pod-manifest
  annotations:
    io.katacontainers.config.hypervisor.image: "<custom_image_id>"
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <example_container>
    image: registry.access.redhat.com/ubi9/ubi:9.3
    command: ["sleep", "36000"]
    Copy to Clipboard Toggle word wrap

  2. Create the pod by running the following command: 

    $ oc create -f my-pod-manifest.yaml
    Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat