Deploying confidential containers on Microsoft Azure

OpenShift sandboxed containers 1.12

Protecting containers and data by leveraging trusted execution environments

Red Hat Customer Content Services

Abstract

Confidential containers provide a confidential computing environment to protect containers and data by leveraging trusted execution environments. You install the OpenShift sandboxed containers Operator on an OpenShift Container Platform cluster for your confidential containers workload after configuring an attestation service such as Red Hat build of Trustee in a trusted environment.

Preface

Providing feedback on Red Hat documentation

You can provide feedback or report an error by submitting the Create Issue form in Jira.

Procedure

Ensure that you are logged in to Jira. If you do not have a Jira account, you must create a This content is not included.Red Hat Jira account.
Launch the This content is not included.Create Issue form.
Enter a descriptive title in the Summary field.
In the Description field, include the documentation URL, chapter or section number, and a detailed description of the issue.
Enter your Jira user ID in the Reporter field.
Click Create.

Chapter 1. Discover

You can deploy confidential containers workloads on a Red Hat OpenShift Container Platform cluster running on Microsoft Azure with the Intel® Trust Domain Extensions (TDX) and AMD SEV-SNP Trusted Execution Environments (TEEs). Confidential containers provides a confidential computing environment to protect containers and data by leveraging hardware-based Trusted Execution Environments (TEEs).

Additional resources

1.1. Compatibility with OpenShift Container Platform

You must ensure that your Red Hat OpenShift Container Platform version supports the features you require.

The required functionality for OpenShift Container Platform is supported by two main components:

Kata runtime: The Kata runtime is included with Red Hat Enterprise Linux CoreOS (RHCOS) and receives updates with every OpenShift Container Platform release. When enabling peer pods with the Kata runtime, the OpenShift sandboxed containers Operator requires external network connectivity to pull the necessary image components and helper utilities to create the pod virtual machine (VM) image.
OpenShift sandboxed containers Operator: The OpenShift sandboxed containers Operator is a Rolling Stream Operator, which means the latest version is the only supported version. It works with all currently supported versions of OpenShift Container Platform.

The Operator depends on the features that come with the RHCOS host and the environment it runs in.

Note

You must install RHCOS on the worker nodes. Red Hat Enterprise Linux (RHEL) nodes are not supported.

The following compatibility matrix for OpenShift sandboxed containers and OpenShift Container Platform releases identifies compatible features and environments.

Table 1.1. Supported architectures

Architecture	OpenShift Container Platform version (without GPU)	OpenShift Container Platform version (with GPU)
x86_64	4.19.28+	4.21.9+
s390x	4.19.28+	—

There are two ways to deploy the Kata containers runtime:

Bare metal
Peer pods

You can deploy OpenShift sandboxed containers by using peer pods on Microsoft Azure, Amazon Web Services (AWS), or Google Cloud. With the release of OpenShift sandboxed containers 1.12.0, the OpenShift sandboxed containers Operator requires OpenShift Container Platform version 4.19.28 or later for deployments without GPU support .

The following table describes OpenShift Container Platform versions and features with the following support levels:

GA: General Availability
TP: Technology Preview
DP: Developer Preview

Note

The version numbers in the table represent the minimum supported version. For example, "4.21.9+" means version 4.21.9 or any later version.

Table 1.2. Feature availability by OpenShift Container Platform version

Platform	TEE	GPU	4.19.28+	4.20.18+	4.21.9+
Bare metal	Intel® TDX or AMD SEV-SNP	No	GA	GA	GA
Bare metal	Intel® TDX or AMD SEV-SNP	NVIDIA H100	—	—	TP
IBM Z bare metal	IBM SE for Linux	No	GA	GA	GA
IBM Z peer pods	IBM SE for Linux	No	GA	GA	GA
Azure	Intel® TDX or AMD SEV-SNP	No	GA	GA	GA
Azure	Intel® TDX or AMD SEV-SNP	NVIDIA H100	—	—	DP

Note

Confidential containers includes Red Hat build of Trustee.

GPU support with Kata requires the KubeletPodResourcesGet feature gate to be enabled. This is enabled only in OpenShift Container Platform 4.21 and later.

Additional resources

1.2. Peer pod resource requirements

You must ensure that your cluster has sufficient resources.

Peer pod virtual machines (VMs) require resources in two locations:

The worker node. The worker node stores metadata, Kata shim resources (containerd-shim-kata-v2), remote-hypervisor resources (cloud-api-adaptor), and the tunnel setup between the worker nodes and the peer pod VM.
The cloud instance. This is the actual peer pod VM running in the cloud.

The CPU and memory resources used in the Kubernetes worker node are handled by the Content from kubernetes.io is not included.pod overhead included in the RuntimeClass (kata-remote) definition used for creating peer pods.

The total number of peer pod VMs running in the cloud is defined as Kubernetes Node extended resources. This limit is per node and is set by the PEERPODS_LIMIT_PER_NODE attribute in the peer-pods-cm config map.

The extended resource is named kata.peerpods.io/vm, and enables the Kubernetes scheduler to handle capacity tracking and accounting.

You can edit the limit per node based on the requirements for your environment after you install the OpenShift sandboxed containers Operator.

A Content from kubernetes.io is not included.mutating webhook adds the extended resource kata.peerpods.io/vm to the pod specification. It also removes any resource-specific entries from the pod specification, if present. This enables the Kubernetes scheduler to account for these extended resources, ensuring the peer pod is only scheduled when resources are available.

The mutating webhook modifies a Kubernetes pod as follows:

The mutating webhook checks the pod for the expected RuntimeClassName value, specified in the TARGET_RUNTIMECLASS environment variable. If the value in the pod specification does not match the value in the TARGET_RUNTIMECLASS, the webhook exits without modifying the pod.
If the RuntimeClassName values match, the webhook makes the following changes to the pod spec:
1. The webhook removes every resource specification from the resources field of all containers and init containers in the pod.
2. The webhook adds the extended resource (kata.peerpods.io/vm) to the spec by modifying the resources field of the first container in the pod. The extended resource kata.peerpods.io/vm is used by the Kubernetes scheduler for accounting purposes.

Note

The mutating webhook excludes specific system namespaces in OpenShift Container Platform from mutation. If a peer pod is created in those system namespaces, then resource accounting using Kubernetes extended resources does not work unless the pod spec includes the extended resource.

As a best practice, define a cluster-wide policy to only allow peer pod creation in specific namespaces.

1.3. Common terms

The following terms are used throughout the documentation.

Attestation

The process of verifying the integrity and trustworthiness of a Trusted Execution Environment (TEE) and the confidential containers workloads running within it, ensuring that only trusted code and data are executed. Red Hat build of Trustee performs this function.

Confidential containers

A technology that provides a confidential computing environment to protect containers and data by leveraging Trusted Execution Environments.

Initdata

A specification used to securely initialize a pod with workload-specific data (such as certificates, cryptographic keys, or an optional Kata Agent policy) at runtime, preventing the need to embed this data directly in the virtual machine (VM) image.

Kata Agent

A component within the pod Virtual Machine (VM) that enforces runtime policies and manages the lifecycle of the containers running inside the VM. Its policy controls API requests for peer pods.

Kata containers

Kata containers is a core upstream project that is used to build OpenShift sandboxed containers. OpenShift sandboxed containers integrate Kata containers with OpenShift Container Platform.

kata runtime

The optional runtime installed by the OpenShift sandboxed containers Operator when configuring bare metal deployments.

kata-cc runtime

The runtime class used specifically for confidential containers deployments on bare-metal servers.

kata-remote runtime

The runtime class used for peer pod deployments on cloud platforms or remote hypervisors.

KataConfig

A custom resource used to configure and launch OpenShift sandboxed containers.

TrusteeConfig

A custom resource used to configure and launch Red Hat build of Trustee.

OpenShift sandboxed containers

OpenShift sandboxed containers integrates Kata containers as an optional runtime to provide enhanced security and isolation for container workloads by running applications in lightweight virtual machines.

OpenShift sandboxed containers Operator

The OpenShift sandboxed containers Operator manages the lifecycle of OpenShift sandboxed containers and confidential containers on a cluster.

Peer pod

A peer pod in OpenShift sandboxed containers extends the concept of a standard pod. Unlike a standard sandboxed container, where the virtual machine is created on the worker node itself, in a peer pod, the virtual machine is created through a remote hypervisor using any supported hypervisor or cloud provider API.

The peer pod acts as a regular pod on the worker node, with its corresponding VM running elsewhere. The remote location of the VM is transparent to the user and is specified by the runtime class in the pod specification. The peer pod design circumvents the need for nested virtualization.

Pod

A pod is a construct that is inherited from Kubernetes and OpenShift Container Platform. It represents resources where containers can be deployed. Containers run inside pods, and pods are used to specify resources that can be shared between multiple containers.

In the context of OpenShift sandboxed containers, a pod is implemented as a virtual machine. Several containers can run in the same pod on the same virtual machine.

Red Hat build of Trustee

Red Hat build of Trustee is an attestation service that verifies the trustworthiness of the location where you plan to run your workload or where you plan to send confidential information. Red Hat build of Trustee includes components deployed on a trusted side and used to verify whether the remote workload is running in a Trusted Execution Environment (TEE).

Red Hat build of Trustee Operator

The Red Hat build of Trustee Operator manages the installation, lifecycle, and configuration of Red Hat build of Trustee.

Runtime class

An object that describes the specific runtime configuration used to execute a workload.

Sandbox

A sandbox is an isolated environment where programs can run. In a sandbox, you can run untested or untrusted programs without risking harm to the host machine or the operating system.

In the context of OpenShift sandboxed containers, sandboxing is achieved by running workloads in a different kernel using virtualization, providing enhanced control over the interactions between multiple workloads that run on the same host.

Trusted Execution Environment (TEE)

Hardware-based security technology leveraged by confidential containers to protect containers and data. Examples: Intel® TDX, AMD SEV-SNP.

1.4. OpenShift sandboxed containers Operator

The OpenShift sandboxed containers Operator encapsulates all of the components from Kata containers. It manages installation, lifecycle, and configuration tasks.

The OpenShift sandboxed containers Operator is packaged in the Operator bundle format as two container images:

The bundle image contains metadata and is required to make the operator OLM-ready.
The second container image contains the actual controller that monitors and manages the KataConfig resource.

The OpenShift sandboxed containers Operator is based on the Red Hat Enterprise Linux CoreOS (RHCOS) extensions concept. RHCOS extensions are a mechanism to install optional OpenShift Container Platform software. The OpenShift sandboxed containers Operator uses this mechanism to deploy sandboxed containers on a cluster.

The sandboxed containers RHCOS extension contains RPMs for Kata, QEMU, and its dependencies. You can enable them by using the MachineConfig resources that the Machine Config Operator provides.

Additional resources

1.5. FIPS compliance

OpenShift Container Platform is designed for Federal Information Processing Standards (FIPS) 140-2 and 140-3. When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.

For more information about the NIST validation program, see Content from csrc.nist.gov is not included.Cryptographic Module Validation Program. For the latest NIST status for the individual versions of RHEL cryptographic libraries that have been submitted for validation, see This content is not included.Compliance Activities and Government Standards.

OpenShift sandboxed containers can be used on FIPS enabled clusters.

When running in FIPS mode, OpenShift sandboxed containers components, VMs, and VM images are adapted to comply with FIPS.

Note

FIPS compliance for OpenShift sandboxed containers only applies to the kata runtime class. The peer pod runtime class, kata-remote, is not yet fully supported and has not been tested for FIPS compliance.

FIPS compliance is one of the most critical components required in highly secure environments, to ensure that only supported cryptographic technologies are allowed on nodes.

Important

The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on OpenShift Container Platform deployments on the x86_64 architecture.

To understand Red Hat’s view of OpenShift Container Platform compliance frameworks, refer to the Risk Management and Regulatory Readiness chapter of the OpenShift Security Guide Book.

Chapter 2. Install

You install confidential containers on Microsoft Azure with the Intel® Trust Domain Extensions (TDX) and AMD SEV-SNP Trusted Execution Environments (TEEs) by configuring your environment and installing the OpenShift sandboxed containers Operator.

Perform the following steps:

Configure outbound connectivity for your pod virtual machine (VM) subnet.
Install the OpenShift sandboxed containers Operator.

2.1. Prerequisites

Review the following prerequisites before deploying confidential containers.

You have installed the latest version of Red Hat OpenShift Container Platform on the cluster where you are running your confidential containers workload.

Important

Check the Compatibility with OpenShift Container Platform for the specific minimum version required for confidential containers in release 1.12, as it requires a higher version than OpenShift sandboxed containers.

You have deployed Red Hat build of Trustee on an OpenShift Container Platform cluster in a trusted environment. For more information, see This content is not included.Deploying Red Hat build of Trustee.
You have enabled ports 15150 and 9000 for communication in the subnet used for worker nodes and the pod virtual machine (VM). The ports enable communication between the Kata shim running on the worker node and the Kata agent running on the pod VM.

2.2. Outbound connections

To enable peer pods to communicate with external networks, such as the public internet, you must configure outbound connectivity for the pod virtual machine (VM) subnet. This involves setting up a NAT gateway and, optionally, defining how the subnet integrates with your cluster’s virtual network (VNet) in Azure.

Peer pods and subnets: Peer pods operate in a dedicated Azure subnet that requires explicit configuration for outbound access. This subnet can either be the default worker subnet used by OpenShift Container Platform nodes or a separate, custom subnet created specifically for peer pods.
VNet peering: When using a separate subnet, VNet peering connects the peer pod VNet to the cluster’s VNet, ensuring internal communication while maintaining isolation. This requires non-overlapping CIDR ranges between the VNets.

You can configure outbound connectivity in two ways:

Default worker subnet: Modify the existing worker subnet to include a NAT gateway. This is simpler and reuses cluster resources, but it offers less isolation.
Peer pod VNet: Set up a dedicated VNet and subnet for peer pods, attach a NAT gateway, and peer it with the cluster VNet. This provides greater isolation and flexibility at the cost of additional complexity.

2.2.1. Configuring the default worker subnet

You can configure the default worker subnet for outbound connections by attaching a NAT gateway. This method is simple and reuses cluster resources, but it offers less isolation than a dedicated virtual network.

Prerequisites

The Azure CLI (az) is installed and authenticated.
You have administrator access to the Azure resource group and the VNet.

Procedure

Set the AZURE_RESOURCE_GROUP environment variable by running the following command:

$ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
    -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')

Set the AZURE_REGION environment variable by running the following command:

$ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP}\
    --query "{Location:location}" --output tsv) && \
    echo "AZURE_REGION: \"$AZURE_REGION\""

Set the AZURE_VNET_NAME environment variable by running the following command:

$ AZURE_VNET_NAME=$(az network vnet list \
    -g "${AZURE_RESOURCE_GROUP}" --query '[].name' -o tsv)

Set the AZURE_SUBNET_ID environment variable by running the following command:

$ AZURE_SUBNET_ID=$(az network vnet subnet list \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --vnet-name "${AZURE_VNET_NAME}" --query "[].{Id:id} \
    | [? contains(Id, 'worker')]" --output tsv)

Set the NAT gateway environment variables for the peer pod subnet by running the following commands:
```
$ export PEERPOD_NAT_GW=peerpod-nat-gw
```
```
$ export PEERPOD_NAT_GW_IP=peerpod-nat-gw-ip
```

Create a public IP address for the NAT gateway by running the following command:

$ az network public-ip create -g "${AZURE_RESOURCE_GROUP}" \
    -n "${PEERPOD_NAT_GW_IP}" -l "${AZURE_REGION}" --sku Standard

Create the NAT gateway and associate it with the public IP address by running the following command:

$ az network nat gateway create -g "${AZURE_RESOURCE_GROUP}" \
    -l "${AZURE_REGION}" --public-ip-addresses "${PEERPOD_NAT_GW_IP}" \
    -n "${PEERPOD_NAT_GW}"

Update the VNet subnet to use the NAT gateway by running the following command:
```
$ az network vnet subnet update --nat-gateway "${PEERPOD_NAT_GW}" \
    --ids "${AZURE_SUBNET_ID}"
```

Verification

Confirm the NAT gateway is attached to the VNet subnet by running the following command:
```
$ az network vnet subnet show --ids "${AZURE_SUBNET_ID}" \
    --query "natGateway.id" -o tsv
```
The output contains the NAT gateway resource ID. If no NAT gateway is attached, the output is empty.
Example output
```
/subscriptions/12345678-1234-1234-1234-1234567890ab/resourceGroups/myResourceGroup/providers/Microsoft.Network/natGateways/myNatGateway
```

Additional Resources

2.2.2. Creating a dedicated peer pod virtual network

You can configure outbound connections for peer pods by creating a dedicated virtual network (VNet). Then, you create a network address translation (NAT) gateway for the VNet, create a subnet within the VNet, and enable VNet peering with non-overlapping address spaces.

This method is more complex than creating a NAT gateway for the default worker subnet but it provides greater isolation and flexibility.

Prerequisites

The Azure CLI (az) is installed
You have signed in to Azure. See Content from learn.microsoft.com is not included.Authenticate to Azure using Azure CLI.
You have administrator access to the Azure resource group and VNet hosting the cluster.
You have verified the cluster VNet classless inter-domain routing (CIDR) address. The default value is 10.0.0.0/14. If you overrode the default value, you have ensured that you chose a non-overlapping CIDR address for the peer pod VNet. For example, 192.168.0.0/16.

Procedure

Set the environmental variables for the peer pod network:
1. Set the peer pod VNet environment variables by running the following commands:
```
$ export PEERPOD_VNET_NAME="${PEERPOD_VNET_NAME:-peerpod-vnet}"
```
```
$ export PEERPOD_VNET_CIDR="${PEERPOD_VNET_CIDR:-192.168.0.0/16}"
```
2. Set the peer pod subnet environment variables by running the following commands:
```
$ export PEERPOD_SUBNET_NAME="${PEERPOD_SUBNET_NAME:-peerpod-subnet}"
```
```
$ export PEERPOD_SUBNET_CIDR="${PEERPOD_SUBNET_CIDR:-192.168.0.0/16}"
```

Set the environmental variables for Azure:

$ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
    -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')

$ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP}\
    --query "{Location:location}" --output tsv) && \
    echo "AZURE_REGION: \"$AZURE_REGION\""

$ AZURE_VNET_NAME=$(az network vnet list \
    -g "${AZURE_RESOURCE_GROUP}" --query '[].name' -o tsv)

Set the peer pod NAT gateway environment variables by running the following commands:

$ export PEERPOD_NAT_GW="${PEERPOD_NAT_GW:-peerpod-nat-gw}"

$ export PEERPOD_NAT_GW_IP="${PEERPOD_NAT_PUBLIC_IP:-peerpod-nat-gw-ip}"

Configure the VNET:

Create the peer pod VNet by running the following command:

$ az network vnet create --resource-group "${AZURE_RESOURCE_GROUP}" \
    --name "${PEERPOD_VNET_NAME}" \
    --address-prefixes "${PEERPOD_VNET_CIDR}"

Create a public IP address for the peer pod VNet by running the following command:

$ az network public-ip create -g "${AZURE_RESOURCE_GROUP}" \
    -n "${PEERPOD_NAT_GW_IP}" -l "${AZURE_REGION}"

Create a NAT gateway for the peer pod VNet by running the following command:

$ az network nat gateway create -g "${AZURE_RESOURCE_GROUP}" \
    -l "${AZURE_REGION}" \
    --public-ip-addresses "${PEERPOD_NAT_GW_IP}" \
    -n "${PEERPOD_NAT_GW}"

Create a subnet in the peer pod VNet and attach the NAT gateway by running the following command:

$ az network vnet subnet create \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --vnet-name "${PEERPOD_VNET_NAME}" \
    --name "${PEERPOD_SUBNET_NAME}" \
    --address-prefixes "${PEERPOD_SUBNET_CIDR}" \
    --nat-gateway "${PEERPOD_NAT_GW}"

Configure the virtual network peering connection:

Create the peering connection by running the following command:

$ az network vnet peering create -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-azure-vnet-to-peerpod-vnet \
    --vnet-name "${AZURE_VNET_NAME}" \
    --remote-vnet "${PEERPOD_VNET_NAME}" --allow-vnet-access \
    --allow-forwarded-traffic

Sync the peering connection by running the following command:

$ az network vnet peering sync -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-azure-vnet-to-peerpod-vnet \
    --vnet-name "${AZURE_VNET_NAME}"

Complete the peering connection by running the following command:

$ az network vnet peering create -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-peerpod-vnet-to-azure-vnet \
    --vnet-name "${PEERPOD_VNET_NAME}" \
    --remote-vnet "${AZURE_VNET_NAME}" --allow-vnet-access \
    --allow-forwarded-traffic

Verification

Check the peering connection status from the cluster VNet by running the following command:

$ az network vnet peering show -g "${AZURE_RESOURCE_GROUP}" \
    -n peerpod-azure-vnet-to-peerpod-vnet \
    --vnet-name "${AZURE_VNET_NAME}" \
    --query "peeringState" -o tsv

This should return Connected.

Verify that the NAT gateway is attached to the peer pod subnet by running the following command:

$ az network vnet subnet show --resource-group "${AZURE_RESOURCE_GROUP}" \
    --vnet-name "${PEERPOD_VNET_NAME}" --name "${PEERPOD_SUBNET_NAME}" \
    --query "natGateway.id" -o tsv

Additional Resources

Azure documentation: Content from docs.microsoft.com is not included.NAT Gateway Overview
Azure documentation: Content from docs.microsoft.com is not included.VNet Peering Overview

2.3. Installing the OpenShift sandboxed containers Operator

You can install the OpenShift sandboxed containers Operator by using the command line interface (CLI).

Prerequisites

You have access to the cluster as a user with the cluster-admin role.

Procedure

Create an osc-namespace.yaml manifest file:

apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator

Create the namespace by running the following command:
```
$ oc create -f osc-namespace.yaml
```

Create an osc-operatorgroup.yaml manifest file:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: sandboxed-containers-operator-group
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator

Create the operator group by running the following command:
```
$ oc create -f osc-operatorgroup.yaml
```

Create an osc-subscription.yaml manifest file:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.12.0

Create the subscription by running the following command:
```
$ oc create -f osc-subscription.yaml
```
Verify that the Operator is correctly installed by running the following command:
```
$ oc get csv -n openshift-sandboxed-containers-operator
```
This command can take several minutes to complete.

Watch the process by running the following command:

$ watch oc get csv -n openshift-sandboxed-containers-operator

Example output

NAME                             DISPLAY                                  VERSION         PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.12.0          Succeeded

Chapter 3. Configure

You can configure confidential containers on Microsoft Azure with the Intel® Trust Domain Extensions (TDX) and AMD SEV-SNP Trusted Execution Environments (TEEs).

Perform the following steps:

Enable confidential containers.
Create initdata to initialize a pod with sensitive or workload-specific data at runtime.
Important
Do not use the default permissive Kata Agent policy in a production environment. You must configure a restrictive policy, preferably by creating initdata.
As a minimum requirement, you must disable ExecProcessRequest to prevent a cluster administrator from accessing sensitive data by running the oc exec command on a confidential containers pod.
Create the peer pods config map.
Optional: Add initdata to a pod manifest to override the global initdata configuration set in the peer pods config map.
Optional: If you select a custom peer pod VM image from an authenticated registry, configure a pull secret.
Optional: Select a custom peer pod VM image.
Create the KataConfig CR.
Verify the attestation process.
Configure your workload for confidential containers.

3.1. Enabling confidential containers

You enable confidential containers by creating an osc-feature-gates config map.

Procedure

Create a my-feature-gate.yaml manifest file:

apiVersion: v1
kind: ConfigMap
metadata:
  name: osc-feature-gates
  namespace: openshift-sandboxed-containers-operator
data:
  confidential: "true"

Create the config map by running the following command:
```
$ oc create -f my-feature-gate.yaml
```

3.2. Initializing pods at runtime by using initdata

You can initialize a pod with workload-specific data at runtime by creating and applying initdata.

This approach enhances security by reducing the exposure of confidential information and improves flexibility by eliminating custom image builds. For example, initdata can include three configuration settings:

An X.509 certificate for secure communication.
A cryptographic key for authentication.
An optional Kata Agent policy.rego file to enforce runtime behavior when overriding the default Kata Agent policy.

The initdata content configures the following components:

Attestation Agent (AA), which verifies the trustworthiness of the pod by sending evidence for attestation.
Confidential Data Hub (CDH), which manages secrets and secure data access within the pod VM.
Kata Agent, which enforces runtime policies and manages the lifecycle of the containers inside the pod VM.

You create an initdata.toml file and convert it to a gzip-format Base64-encoded string.

Then, you create a hash from the initdata file. This hash is required as a reference value for the Reference Value Provider Service (RVPS) config map for Red Hat build of Trustee.

3.3. Create initdata

You create initdata to securely initialize a pod with sensitive or workload-specific data at runtime, thus avoiding the need to embed this data in a virtual machine image. This approach provides additional security by reducing the risk of exposure of confidential information and eliminates the need for custom image builds.

You can specify initdata in the peer pods config map, for global configuration, or in a peer pod manifest, for a specific pod. The initdata value in a peer pod manifest overrides the value set in the peer pods config map.

Then, you generate a Platform Configuration Register (PCR) 8 hash from the initdata.toml file for the Reference Value Provider Service (RVPS) config map for Red Hat build of Trustee.

Red Hat build of Trustee uses the RVPS to validate attestation evidence sent by confidential workloads. The RVPS contains trusted reference values, such as file hashes, that are compared to the PCR measurements included in attestation requests. These hashes are not generated by Red Hat build of Trustee.

Prerequisites

You have installed the Node Feature Discovery (NFD) Operator. For more information, see This content is not included.Node Feature Discovery Operator in the OpenShift Container Platform documentation.
You have deleted the kbs_cert setting if you configure insecure_http = true in the kbs-config config map for Red Hat build of Trustee.

Procedure

Obtain the Red Hat build of Trustee URL by running the following command:

$ TRUSTEE_URL=$(oc get route kbs-service \
  -n trustee-operator-system -o jsonpath='{.spec.host}') \
  && echo $TRUSTEE_URL

Create the initdata.toml file:

algorithm = sha256
version = "0.1.0"
[data]
"aa.toml" = '''
[token_configs]
[token_configs.coco_as]

url = '<trustee_url>'

[token_configs.kbs]
url = '<trustee_url>'
'''
"cdh.toml" = '''
socket = 'unix:///run/confidential-containers/cdh.sock'
credentials = []

[kbc]
name = 'cc_kbc'
url = '<trustee_url>'
kbs_cert = """
-----BEGIN CERTIFICATE-----
<kbs_certificate>
-----END CERTIFICATE-----
"""
[image]
image_security_policy_uri = 'kbs:///default/<secret-policy-name>/<key>
'''

"policy.rego" = '''
package agent_policy

default AddARPNeighborsRequest := true
default AddSwapRequest := true
default CloseStdinRequest := true
default CopyFileRequest := true
default CreateContainerRequest := true
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default GetMetricsRequest := true
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default ListInterfacesRequest := true
default ListRoutesRequest := true
default MemHotplugByProbeRequest := true
default OnlineCPUMemRequest := true
default PauseContainerRequest := true
default PullImageRequest := true
default ReadStreamRequest := false
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default ReseedRandomDevRequest := true
default ResumeContainerRequest := true
default SetGuestDateTimeRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StartTracingRequest := true
default StatsContainerRequest := true
default StopTracingRequest := true
default TtyWinResizeRequest := true
default UpdateContainerRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default ExecProcessRequest := false
default SetPolicyRequest := false
default WriteStreamRequest := false

default ExecProcessRequest := false
'''

url: Specify Red Hat build of Trustee URL. If you configure Red Hat build of Trustee with insecure_http for testing purposes, use HTTP. Otherwise, use HTTPS. For production systems, avoid using insecure_http unless you configure your environment to handle TLS externally, for example, with a proxy.
<kbs_certificate>: Specify the Base64-encoded TLS certificate for the attestation agent.
kbs_cert: Delete the kbs_cert setting if you configure insecure_http = true in the kbs-config config map for Red Hat build of Trustee.
image_security_policy_uri: Optional, only if you enabled the container image signature verification policy. Replace <secret-policy-name> and <key> with the secret name and key, respectively specified in This content is not included.Creating the KbsConfig custom resource.

Convert the initdata.toml file to a gzipped, Base64-encoded string in a text file by running the following command:
```
$ cat initdata.toml | gzip | base64 -w0 > initdata.txt
```
Record this string to use in the peer pods config map or the peer pod manifest.
Calculate the hash of an initdata.toml file and assign its value to the hash variable by running the following command:
```
$ hash=$(<algorithm> initdata.toml | cut -d' ' -f1)
```
Assign 32 bytes of 0s to the initial_pcr variable by running the following command:
```
$ initial_pcr=0000000000000000000000000000000000000000000000000000000000000000
```
Calculate the SHA-256 hash of hash and initial_pcr and assign its value to the PCR8_HASH variable by running the following command:
```
$ PCR8_HASH=$(echo -n "$initial_pcr$hash" | xxd -r -p | sha256sum | cut -d' ' -f1) && echo $PCR8_HASH
```
Record the PCR8_HASH value for the RVPS config map.

3.4. Creating the peer pods config map

You must create the peer pods config map.

Optional: Add initdata to the peer pods config map to create a default configuration for all peer pods.

Procedure

Obtain the following values from your Azure instance:

Retrieve and record the Azure resource group:

$ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster \
  -o jsonpath='{.status.platformStatus.azure.resourceGroupName}') \
  && echo "AZURE_RESOURCE_GROUP: \"$AZURE_RESOURCE_GROUP\""

Retrieve and record the Azure VNet name:

$ AZURE_VNET_NAME=$(az network vnet list \
  --resource-group ${AZURE_RESOURCE_GROUP} \
  --query "[].{Name:name}" --output tsv)

This value is used to retrieve the Azure subnet ID.

Retrieve and record the Azure subnet ID:

$ AZURE_SUBNET_ID=$(az network vnet subnet list \
  --resource-group ${AZURE_RESOURCE_GROUP} --vnet-name $AZURE_VNET_NAME \
  --query "[].{Id:id} | [? contains(Id, 'worker')]" --output tsv) \
   && echo "AZURE_SUBNET_ID: \"$AZURE_SUBNET_ID\""

Retrieve and record the Azure network security group (NSG) ID:

$ AZURE_NSG_ID=$(az network nsg list --resource-group ${AZURE_RESOURCE_GROUP} \
  --query "[].{Id:id}" --output tsv) && echo "AZURE_NSG_ID: \"$AZURE_NSG_ID\""

Retrieve and record the Azure region:

$ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} \
  --query "{Location:location}" --output tsv) \
  && echo "AZURE_REGION: \"$AZURE_REGION\""

Create a peer-pods-cm.yaml manifest file according to the following example:
```
apiVersion: v1
kind: ConfigMap
metadata:
  name: peer-pods-cm
  namespace: openshift-sandboxed-containers-operator
data:
  CLOUD_PROVIDER: "azure"
  VXLAN_PORT: "9000"
  PROXY_TIMEOUT: "5m"
  AZURE_INSTANCE_SIZE: "Standard_DC2as_v5"
  AZURE_INSTANCE_SIZES: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5"
  AZURE_SUBNET_ID: "<azure_subnet_id>"
  AZURE_NSG_ID: "<azure_nsg_id>"
  AZURE_IMAGE_ID: ""
  AZURE_REGION: "<azure_region>"
  AZURE_RESOURCE_GROUP: "<azure_resource_group>"
  TAGS: "key1=value1,key2=value2"
  PEERPODS_LIMIT_PER_NODE: "10"
  ROOT_VOLUME_SIZE: "6"
  DISABLECVM: "false"
  INITDATA: "<initdata_string>"
```
AZURE_INSTANCE_SIZE
Defines the default instance size that is used if the instance size is not defined in the workload object. "Standard_DC2as_v5" is for AMD SEV-SNP. If your TEE is Intel® Trust Domain Extensions (TDX), specify Standard_EC4eds_v5.
AZURE_IMAGE_ID
Leave this value empty. When you install the Operator, a Job is scheduled to download the default pod VM image from the Red Hat Ecosystem Catalog and upload it to the Azure Image Gallery within the same Azure Resource Group as the OpenShift Container Platform cluster. This image provides root disk integrity protection (dm-verity) and encrypted container storage. See This content is not included.Confidential VMs: The core of confidential containers for details.
AZURE_INSTANCE_SIZES
Specify the allowed instance sizes, without spaces, for creating the pod. You can define smaller instance sizes for workloads that need less memory and fewer CPUs or larger instance sizes for larger workloads.
TAGS
You can configure custom tags as key:value pairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters.
PEERPODS_LIMIT_PER_NODE
You can increase this value to run more peer pods on a node. The default value is 10.
ROOT_VOLUME_SIZE
You can increase this value for pods with larger container images. Specify the root volume size in gigabytes for the pod VM. The default and minimum size is 6 GB.
INITDATA
Specify the initdata string to create a default configuration for all peer pods. If you add initdata to a peer pod manifest, that setting overrides this global configuration.
Create the config map by running the following command:
```
$ oc create -f peer-pods-cm.yaml
```

3.5. Applying initdata to a pod

You can override the global INITDATA setting you applied in the peer pods config map by applying customized initdata to a specific pod for special use cases, such as development and testing with a relaxed policy, or when using different Red Hat build of Trustee configurations. You can customize initdata by adding an annotation to the workload pod YAML.

Prerequisite

You have created an initdata string.

Procedure

Add the initdata string to the pod manifest and save the file as my-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: ocp-cc-pod
  labels:
    app: ocp-cc-pod
  annotations:
    io.katacontainers.config.hypervisor.cc_init_data: <initdata_string>
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault

where

<initdata_string>: Specify the gzipped, Base64-encoded initdata value in a pod annotation to override the global INITDATA setting in the peer pods config map.
<container_name>: Specify a container name.

Create the pod by running the following command:
```
$ oc create -f my-pod.yaml
```

3.6. Configuring a pull secret for peer pods

You must configure a pull secret for peer pods. Then, you can link the pull secret to the default service account or you can specify the pull secret in the peer pod manifest.

Procedure

Set the NS variable to the namespace where you deploy your peer pods:
```
$ NS=<namespace>
```
Copy the pull secret to the peer pod namespace:
```
$ oc get secret pull-secret -n openshift-config -o yaml \
  | sed "s/namespace: openshift-config/namespace: ${NS}/" \
  | oc apply -n "${NS}" -f -
```
You can use the cluster pull secret, as in this example, or a custom pull secret.
Optional: Link the pull secret to the default service account:
```
$ oc secrets link default pull-secret --for=pull -n ${NS}
```

3.7. Selecting a custom peer pod VM image

You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements, by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.

Prerequisites

If the custom peer pod VM image is in a private registry, you have created a pull secret.
You have the ID of a custom pod VM image, which is compatible with your cloud provider or hypervisor.

Procedure

Create a my-pod-manifest.yaml file according to the following example:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod-manifest
  annotations:
    io.katacontainers.config.hypervisor.image: "<custom_image_id>"
spec:
  runtimeClassName: kata-remote
  containers:
  - name: <example_container>
    image: registry.access.redhat.com/ubi9/ubi:9.3
    command: ["sleep", "36000"]

Create the pod by running the following command:
```
$ oc create -f my-pod-manifest.yaml
```

3.8. Create the KataConfig custom resource

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

Prerequisites

Be aware that creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes depending on your deployment size, hardware type, and other factors.

Procedure

Create an example-kataconfig.yaml manifest file according to the following example:
```
apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  enablePeerPods: true
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
```
<label_key>: '<label_value>'
Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, kata-remote: 'true'.
Create the KataConfig CR by running the following command:
```
$ oc create -f example-kataconfig.yaml
```
The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.
Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.
Monitor the installation progress by running the following command:
```
$ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"
```
When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.
Verify the daemon set by running the following command:
```
$ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds
```
Verify the runtime classes by running the following command:
```
$ oc get runtimeclass
```
Example output
```
NAME           HANDLER             AGE
kata            kata                34m
kata-remote    kata-remote        152m
```
You can also see the default kata runtime class in addition to kata-remote.

3.9. Verifying attestation

You can verify the attestation process by creating a test pod to retrieve a specific resource from Red Hat build of Trustee.

Important

This procedure is an example to verify that attestation is working. Do not write sensitive data to standard I/O, because the data can be captured by using a memory dump. Only data written to memory is encrypted.

Procedure

Create a test-pod.yaml manifest file:

apiVersion: v1
kind: Pod
metadata:
  name: ocp-cc-pod
  labels:
    app: ocp-cc-pod
  annotations:
    io.katacontainers.config.hypervisor.cc_init_data: "<initdata_string>"
spec:
  runtimeClassName: kata-remote
  containers:
    - name: skr-openshift
      image: registry.access.redhat.com/ubi9/ubi:latest
      command:
        - sleep
        - "36000"
      securityContext:
        privileged: false
        seccompProfile:
          type: RuntimeDefault

where:

io.katacontainers.config.hypervisor.cc_init_data: Optional: Specifies initdata in a pod annotation, which overrides the global INITDATA setting in the peer pods config map.

Create the pod by running the following command:
```
$ oc create -f test-pod.yaml
```
Log in to the pod by running the following command:
```
$ oc exec -it ocp-cc-pod -- bash
```
Fetch the Red Hat build of Trustee resource by running the following command:
```
$ curl http://127.0.0.1:8006/cdh/resource/default/attestation-status/status
```
Example output
```
success #/
```

3.10. Configuring your workload

You configure your workload for confidential containers by setting kata-remote as the runtime class for the following pod-templated objects:

Pod objects
ReplicaSet objects
ReplicationController objects
StatefulSet objects
Deployment objects
DeploymentConfig objects

Important

Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.

You can define whether the workload should be deployed using the default instance size, which you defined in the peer pods config map, by adding an annotation to the YAML file.

If you do not want to define the instance size manually, you can add an annotation to use an automatic instance size, based on the memory available.

Prerequisites

You have created the KataConfig custom resource (CR).

Procedure

Add spec.runtimeClassName: kata-remote to the manifest of each pod-templated workload object as in the following example:
```
apiVersion: v1
kind: <object>
# ...
spec:
  runtimeClassName: kata-remote
# ...
```
Optional: To override the default instance size, add the following annotation with an instance size that is defined in the peer pods config map:
```
apiVersion: v1
kind: <object>
metadata:
  annotations:
    io.katacontainers.config.hypervisor.machine_type: <instance>
# ...
```
Optional: To use an automatic instance size, add the following annotations:
```
apiVersion: v1
kind: <Pod>
metadata:
  annotations:
    io.katacontainers.config.hypervisor.default_vcpus: <vcpus>
    io.katacontainers.config.hypervisor.default_memory: <memory>
# ...
```
The workload will run on an automatic instance size based on the amount of memory available.
Apply the changes to the workload object by running the following command:
```
$ oc apply -f <object.yaml>
```
OpenShift Container Platform creates the workload object and begins scheduling it.

Verification

Inspect the spec.runtimeClassName field of a pod-templated object. If the value is kata-remote, then the workload is running on confidential containers.

Chapter 4. Update

You update confidential containers by updating the OpenShift Container Platform cluster and the OpenShift sandboxed containers Operator.

Then, you update the pod virtual machine (VM) image by deleting and re-creating KataConfig custom resource (CR). Updating the OpenShift sandboxed containers Operator when enablePeerpods: true is set in the KataConfig CR does not update the pod VM image automatically.

You must perform the following steps:

Update your OpenShift Container Platform cluster to update the Kata runtime and its dependencies.
The RHCOS extension sandboxed containers contains the required components to run OpenShift sandboxed containers, such as the Kata containers runtime, the hypervisor QEMU, and other dependencies. You update the extension by updating the cluster to a new release of OpenShift Container Platform.
Update the OpenShift sandboxed containers Operator.
Delete the KataConfig CR.
Verify that the image ID in the peer pods config map is empty.
Re-create the KataConfig CR.

Additional resources

4.1. Updating the OpenShift sandboxed containers Operator

You can update the OpenShift sandboxed containers Operator by using the command line interface (CLI).

Procedure

Create an osc-subscription.yaml manifest file:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.12.0

Create the subscription by running the following command:
```
$ oc create -f osc-subscription.yaml
```
Verify that the Operator is correctly installed by running the following command:
```
$ oc get csv -n openshift-sandboxed-containers-operator
```
This command can take several minutes to complete.

Watch the process by running the following command:

$ watch oc get csv -n openshift-sandboxed-containers-operator

Example output

NAME                             DISPLAY                                  VERSION   REPLACES    PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.12.0    1.11.1      Succeeded

4.2. Deleting the KataConfig custom resource

You must delete the KataConfig custom resource (CR).

Deleting the KataConfig CR automatically reboots the worker nodes. Reboot can take from 10 to 60 minutes. The following factors can affect the reboot time:

A larger OpenShift Container Platform deployment with a greater number of worker nodes.
Activation of the BIOS and Diagnostics utility.
Deployment on a hard drive rather than an SSD.
Deployment on physical nodes such as bare metal, rather than on virtual nodes.
A slow CPU and network.

Prerequisites

You have deleted all pods that use the kata-remote runtime class.

Procedure

Delete the KataConfig CR by running the following command:
```
$ oc delete kataconfig example-kataconfig
```
The OpenShift sandboxed containers Operator removes all resources that were initially created to enable the runtime on your cluster.
Important
When you delete the KataConfig CR, the CLI stops responding until all worker nodes reboot. You must wait for the deletion process to complete before performing the verification.
Verify the CR removal by running the following command:
```
$ oc get kataconfig example-kataconfig
```
Example output
```
No example-kataconfig instances exist
```

4.3. Verifying empty peer pod image ID

You must verify that the image ID in the peer pods config map is empty.

Procedure

Obtain the value of the AZURE_IMAGE_ID in the peer pods config map by running the following command:
```
$ oc get configmap -n openshift-sandboxed-containers-operator peer-pods-cm -o jsonpath="{.data.AZURE_IMAGE_ID}"
```
If the value is not empty, update the value and patch the config map by running the following command:
```
$ oc patch configmap peer-pods-cm -n openshift-sandboxed-containers-operator -p '{"data":{"AZURE_IMAGE_ID":""}}'
```

4.4. Create the KataConfig custom resource

You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.

Prerequisites

Be aware that creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes depending on your deployment size, hardware type, and other factors.

Procedure

Create an example-kataconfig.yaml manifest file according to the following example:
```
apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:
  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
```
<label_key>: '<label_value>'
Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, kata-remote: 'true'.
Create the KataConfig CR by running the following command:
```
$ oc create -f example-kataconfig.yaml
```
The new KataConfig CR is created and installs kata-remote as a runtime class on the worker nodes.
Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.
Monitor the installation progress by running the following command:
```
$ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"
```
When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.
Verify the daemon set by running the following command:
```
$ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds
```
Verify the runtime classes by running the following command:
```
$ oc get runtimeclass
```
Example output
```
NAME           HANDLER             AGE
kata            kata                34m
kata-remote    kata-remote        152m
```
You can also see the default kata runtime class in addition to kata-remote.

Chapter 5. Uninstall

You uninstall confidential containers by deleting the workload pods, uninstalling the OpenShift sandboxed containers Operator, and deleting its resources.

You perform the following tasks:

Delete pods that use the kata-remote runtime class.
Important
You must delete the workload pods before you delete the KataConfig CR. The pod names usually have the prefix podvm and custom tags, if provided. If you deploy confidential containers on a cloud provider and any resources remain after following these procedures, you might receive an unexpected bill for those resources from your cloud provider. Once you complete uninstalling OpenShift sandboxed containers on a cloud provider, check the cloud provider console to ensure that the procedures deleted all of the resources.
Delete the KataConfig custom resource (CR).
Uninstall the OpenShift sandboxed containers Operator.
Delete the KataConfig custom resource definition (CRD).

5.1. Deleting workload pods

You must delete your workload pods. The pod names usually have the prefix podvm and custom tags, if provided.

Prerequisites

You have installed the jq utility.

Procedure

Search for the pods by running the following command:

$ oc get pods -A -o json | jq -r '.items[] | \
  select(.spec.runtimeClassName == "kata-remote").metadata.name'

Delete each pod by running the following command:
```
$ oc delete pod <pod>
```

5.2. Deleting the KataConfig custom resource

You must delete the KataConfig custom resource (CR).

Deleting the KataConfig CR automatically reboots the worker nodes. Reboot can take from 10 to 60 minutes. The following factors can affect the reboot time:

A larger OpenShift Container Platform deployment with a greater number of worker nodes.
Activation of the BIOS and Diagnostics utility.
Deployment on a hard drive rather than an SSD.
Deployment on physical nodes such as bare metal, rather than on virtual nodes.
A slow CPU and network.

Prerequisites

You have deleted all pods that use the kata-remote runtime class.

Procedure

Delete the KataConfig CR by running the following command:
```
$ oc delete kataconfig example-kataconfig
```
The OpenShift sandboxed containers Operator removes all resources that were initially created to enable the runtime on your cluster.
Important
When you delete the KataConfig CR, the CLI stops responding until all worker nodes reboot. You must wait for the deletion process to complete before performing the verification.
Verify the CR removal by running the following command:
```
$ oc get kataconfig example-kataconfig
```
Example output
```
No example-kataconfig instances exist
```

5.3. Uninstalling the OpenShift sandboxed containers Operator

You uninstall the OpenShift sandboxed containers Operator by using the command line.

Prerequisites

You have deleted all pods with the kata-remote runtime class.
You have deleted the KataConfig custom resource.

Procedure

Delete the subscription by running the following command:

$ oc delete subscription OpenShift sandboxed containers Operator -n openshift-sandboxed-containers-operator

Delete the namespace by running the following command:
```
$ oc delete namespace openshift-sandboxed-containers-operator
```

5.4. Deleting the KataConfig CRD

You must delete the KataConfig custom resource definition (CRD).

Prerequisites

You have deleted the KataConfig custom resource.
You have uninstalled the OpenShift sandboxed containers Operator.

Procedure

Delete the KataConfig CRD by running the following command:
```
$ oc delete crd kataconfigs.kataconfiguration.openshift.io
```
Verify that the CRD was deleted by running the following command:
```
$ oc get crd kataconfigs.kataconfiguration.openshift.io
```
Example output
```
Unknown CRD kataconfigs.kataconfiguration.openshift.io
```

Chapter 6. Observe

You can monitor the health of your confidential containers environment.

The following tools are available:

OpenShift Container Platform web console. Administrators can access and query raw metrics through Prometheus.
Logging

6.1. Metrics

You can monitor system health by querying metrics displayed in the OpenShift Container Platform web console.

You can access the following metrics:

Kata agent metrics: Kata agent metrics display information about the kata agent process running in the VM embedded in your sandboxed containers. These metrics include data from /proc/<pid>/[io, stat, status].
Kata guest operating system metrics: Kata guest operating system metrics display data from the guest operating system running in your sandboxed containers. These metrics include data from /proc/[stats, diskstats, meminfo, vmstats] and /proc/net/dev.
Hypervisor metrics: Hypervisor metrics display data regarding the hypervisor running the VM embedded in your sandboxed containers. These metrics mainly include data from /proc/<pid>/[io, stat, status].
Kata monitor metrics: Kata monitor is the process that gathers metric data and makes it available to Prometheus. The kata monitor metrics display detailed information about the resource usage of the kata-monitor process itself. These metrics also include counters from Prometheus data collection.
Kata containerd shim v2 metrics: Kata containerd shim v2 metrics display detailed information about the kata shim process. These metrics include data from /proc/<pid>/[io, stat, status] and detailed resource usage metrics.

6.2. Viewing metrics

You can access the metrics for OpenShift sandboxed containers in the Metrics page In the OpenShift Container Platform web console.

Prerequisites

You have access to the cluster as a user with the cluster-admin role or with view permissions for all projects.

Procedure

In the OpenShift Container Platform web console, navigate to Observe → Metrics.
In the input field, enter the query for the metric you want to observe.
All kata-related metrics begin with kata. Typing kata displays a list of all available kata metrics.

The metrics from your query are visualized on the page.

6.3. Enabling debug logs for CRI-O runtime

You can enable debug logs by updating the logLevel field in the KataConfig CR. This changes the log level in the CRI-O runtime for the worker nodes running OpenShift sandboxed containers.

Prerequisites

You have installed the OpenShift CLI (oc).
You have access to the cluster as a user with the cluster-admin role.

Procedure

Change the logLevel field in your existing KataConfig CR to debug:

$ oc patch kataconfig <kataconfig> --type merge --patch '{"spec":{"logLevel":"debug"}}'

Monitor the kata-oc machine config pool until the value of UPDATED is True, indicating that all worker nodes are updated:

$ oc get mcp kata-oc

Example output

NAME     CONFIG                 UPDATED  UPDATING  DEGRADED  MACHINECOUNT  READYMACHINECOUNT  UPDATEDMACHINECOUNT  DEGRADEDMACHINECOUNT  AGE
kata-oc  rendered-kata-oc-169   False    True      False     3             1                  1                    0                     9h

Verification

Start a debug session with a node in the machine config pool:
```
$ oc debug node/<node_name>
```
Change the root directory to /host:
```
# chroot /host
```
Verify the changes in the crio.conf file:
```
# crio config | egrep 'log_level
```
Example output
```
log_level = "debug"
```

6.4. Viewing debug logs for components

Cluster administrators can use the debug logs to troubleshoot issues. The logs for each node are printed to the node journal.

You can review the logs for the following OpenShift sandboxed containers components:

Kata agent
Kata runtime (containerd-shim-kata-v2)
virtiofsd

QEMU only generates warning and error logs. These warnings and errors print to the node journal in both the Kata runtime logs and the CRI-O logs with an extra qemuPid field.

Example of QEMU logs

Mar 11 11:57:28 openshift-worker-0 kata[2241647]: time="2023-03-11T11:57:28.587116986Z" level=info msg="Start logging QEMU (qemuPid=2241693)" name=containerd-shim-v2 pid=2241647 sandbox=d1d4d68efc35e5ccb4331af73da459c13f46269b512774aa6bde7da34db48987 source=virtcontainers/hypervisor subsystem=qemu

Mar 11 11:57:28 openshift-worker-0 kata[2241647]: time="2023-03-11T11:57:28.607339014Z" level=error msg="qemu-kvm: -machine q35,accel=kvm,kernel_irqchip=split,foo: Expected '=' after parameter 'foo'" name=containerd-shim-v2 pid=2241647 qemuPid=2241693 sandbox=d1d4d68efc35e5ccb4331af73da459c13f46269b512774aa6bde7da34db48987 source=virtcontainers/hypervisor subsystem=qemu

Mar 11 11:57:28 openshift-worker-0 kata[2241647]: time="2023-03-11T11:57:28.60890737Z" level=info msg="Stop logging QEMU (qemuPid=2241693)" name=containerd-shim-v2 pid=2241647 sandbox=d1d4d68efc35e5ccb4331af73da459c13f46269b512774aa6bde7da34db48987 source=virtcontainers/hypervisor subsystem=qemu

The Kata runtime prints Start logging QEMU when QEMU starts, and Stop Logging QEMU when QEMU stops. The error appears in between these two log messages with the qemuPid field. The actual error message from QEMU appears in red.

The console of the QEMU guest is printed to the node journal as well. You can view the guest console logs together with the Kata agent logs.

Prerequisites

You have installed the OpenShift CLI (oc).
You have access to the cluster as a user with the cluster-admin role.

Procedure

To review the Kata agent logs and guest console logs, run the following command:

$ oc debug node/<nodename> -- journalctl -D /host/var/log/journal -t kata -g “reading guest console”

To review the Kata runtime logs, run the following command:
```
$ oc debug node/<nodename> -- journalctl -D /host/var/log/journal -t kata
```

To review the virtiofsd logs, run the following command:

$ oc debug node/<nodename> -- journalctl -D /host/var/log/journal -t virtiofsd

To review the QEMU logs, run the following command:

$ oc debug node/<nodename> -- journalctl -D /host/var/log/journal -t kata -g "qemuPid=\d+"

Chapter 7. Troubleshoot

You can open a Red Hat support case and provide debugging information by using must-gather. The must-gather tool collects diagnostic information about your OpenShift Container Platform cluster, including virtual machines and other data.

7.1. Using must-gather

The oc adm must-gather CLI command collects the information from your cluster that is most likely needed for debugging issues, including:

Resource definitions
Service logs

By default, the oc adm must-gather command uses the default plugin image and writes into ./must-gather.local.

Alternatively, you can collect specific information by running the command with the appropriate arguments as described in the following sections:

To collect data related to one or more specific features, use the --image argument with an image, as listed in a following section.
For example:
```
$ oc adm must-gather --image=registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:1.12.0
```
To collect the audit logs, use the -- /usr/bin/gather_audit_logs argument, as described in a following section.
For example:
```
$ oc adm must-gather -- /usr/bin/gather_audit_logs
```
Note
Audit logs are not collected as part of the default set of information to reduce the size of the files.

When you run oc adm must-gather, a new pod with a random name is created in a new project on the cluster. The data is collected on that pod and saved in a new directory that starts with must-gather.local. This directory is created in the current working directory.

For example:

NAMESPACE                      NAME                 READY   STATUS      RESTARTS      AGE
...
openshift-must-gather-5drcj    must-gather-bklx4    2/2     Running     0             72s
openshift-must-gather-5drcj    must-gather-s8sdh    2/2     Running     0             72s
...

Optionally, you can run the oc adm must-gather command in a specific namespace by using the --run-namespace option.

For example:

$ oc adm must-gather --run-namespace <namespace> --image=registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:1.12.0

Chapter 8. Reference

8.1. KataConfig status messages

The following table displays the status messages for the KataConfig custom resource (CR) for a cluster with two worker nodes.

Table 8.1. KataConfig status messages

Status	Description
Initial installation When a `KataConfig` CR is created and starts installing `kata-remote` on both workers, the following status is displayed for a few seconds.	conditions: message: Performing initial installation of kata-remote on cluster reason: Installing status: 'True' type: InProgress kataNodes: nodeCount: 0 readyNodeCount: 0
Installing Within a few seconds the status changes.	kataNodes: nodeCount: 2 readyNodeCount: 0 waitingToInstall: - worker-0 - worker-1
Installing (Worker-1 installation starting) For a short period of time, the status changes, signifying that one node has initiated the installation of `kata-remote`, while the other is in a waiting state. This is because only one node can be unavailable at any given time. The `nodeCount` remains at 2 because both nodes will eventually receive `kata-remote`, but the `readyNodeCount` is currently 0 as neither of them has reached that state yet.	kataNodes: installing: - worker-1 nodeCount: 2 readyNodeCount: 0 waitingToInstall: - worker-0
Installing (Worker-1 installed, worker-0 installation started) After some time, `worker-1` will complete its installation, causing a change in the status. The `readyNodeCount` is updated to 1, indicating that `worker-1` is now prepared to execute `kata-remote` workloads. You cannot schedule or run `kata-remote` workloads until the runtime class is created at the end of the installation process.	kataNodes: installed: - worker-1 installing: - worker-0 nodeCount: 2 readyNodeCount: 1
Installed When installed, both workers are listed as installed, and the `InProgress` condition transitions to `False` without specifying a reason, indicating the successful installation of `kata-remote` on the cluster.	conditions: message: "" reason: "" status: 'False' type: InProgress kataNodes: installed: - worker-0 - worker-1 nodeCount: 2 readyNodeCount: 2

Status Description

Status	Description
Initial uninstall If `kata-remote` is installed on both workers, and you delete the `KataConfig` to remove `kata-remote` from the cluster, both workers briefly enter a waiting state for a few seconds.	conditions: message: Removing kata-remote from cluster reason: Uninstalling status: 'True' type: InProgress kataNodes: nodeCount: 0 readyNodeCount: 0 waitingToUninstall: - worker-0 - worker-1
Uninstalling After a few seconds, one of the workers starts uninstalling.	kataNodes: nodeCount: 0 readyNodeCount: 0 uninstalling: - worker-1 waitingToUninstall: - worker-0
Uninstalling Worker-1 finishes and worker-0 starts uninstalling.	kataNodes: nodeCount: 0 readyNodeCount: 0 uninstalling: - worker-0

Initial uninstall

If kata-remote is installed on both workers, and you delete the KataConfig to remove kata-remote from the cluster, both workers briefly enter a waiting state for a few seconds.

 conditions:
    message: Removing kata-remote from cluster
    reason: Uninstalling
    status: 'True'
    type: InProgress
 kataNodes:
   nodeCount: 0
   readyNodeCount: 0
   waitingToUninstall:
   - worker-0
   - worker-1

Uninstalling

After a few seconds, one of the workers starts uninstalling.

 kataNodes:
   nodeCount: 0
   readyNodeCount: 0
   uninstalling:
   - worker-1
   waitingToUninstall:
   - worker-0

Uninstalling

Worker-1 finishes and worker-0 starts uninstalling.

 kataNodes:
   nodeCount: 0
   readyNodeCount: 0
   uninstalling:
   - worker-0

Note

The reason field can also report the following causes:

Failed: This is reported if the node cannot finish its transition. The status reports True and the message is Node <node_name> Degraded: <error_message_from_the_node>.
BlockedByExistingKataPods: This is reported if there are pods running on a cluster that use the kata-remote runtime while kata-remote is being uninstalled. The status field is False and the message is Existing pods using "kata-remote" RuntimeClass found. Please delete the pods manually for KataConfig deletion to proceed. There could also be a technical error message reported like Failed to list kata pods: <error_message> if communication with the cluster control plane fails.

Legal Notice

Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.

The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.

All other trademarks are the property of their respective owners.