Loading...

XML

Word

Printable

Type: Feature
Resolution: Unresolved
Priority: High
Fix Version/s: OSC 1.10.0
Affects Version/s: None
Component/s: None
Labels:
- ConfidentialComputing
- osc-candidate-1.10

Activity Type:
Product / Portfolio Work
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Color Status:
Not Selected
Parent Link:
OCPSTRAT-2027OpenShift Confidential Containers
Hierarchy Progress Bar:

50% To Do, 0% In Progress, 50% Done
Release Note Text:

Hide
.Downstream-only signed containers no longer require manual trustee policy

Before this update, downstream-only signed containers required manual {trustee} policy creation, causing OSC CoCo dependency and usability issues. As a consequence, downstream-only signed containers required {trustee} policy, causing pod startup failures for users. With this release, the downstream-only signed container policy has been updated for improved usability. As a result, users no longer need to create containers policy in {trustee} for pods to start, reducing dependency and error prone scenarios.

Show
.Downstream-only signed containers no longer require manual trustee policy Before this update, downstream-only signed containers required manual {trustee} policy creation, causing OSC CoCo dependency and usability issues. As a consequence, downstream-only signed containers required {trustee} policy, causing pod startup failures for users. With this release, the downstream-only signed container policy has been updated for improved usability. As a result, users no longer need to create containers policy in {trustee} for pods to start, reducing dependency and error prone scenarios.
Release Note Type:
Bug Fix
Release Note Status:
Proposed
Product Documentation Required:
Yes

Cost of Delay:
0
WSJF:
0

Target Version:

OSC 1.7.0

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Intelligence Requested:
Market:

End users of coco prefers to provide either an encrypted container image or a signed container image for their workload.
CoCo on ARO should be able to deploy workload with encrypted or signed container images.

This feature focuses on the signed image support.

Part of it requires guest-side components for image validation. We also need to make sure there is no limitation from the node side when creating a container with a signed image.

clones

KATA-2591 support encrypted container images

is documented by

HCIDOCS-530 Signed image support for peer pods VM image

Closed

relates to

KATA-3574 Ensure signed container image support as available in OSC 1.8.0 continues to work with OSC 1.9.0

Closed

links to

Merge request - KATA-4139 and KATA-4218: CoCo bare metal Pradipta's notes + signed container images

Merge request - KATA-4327: Trustee v1.0.0 changes

Merge request - Updated 2 upstream sources

openshift/sandboxed-containers-operator#468: Enable image signature check for CoCo

(7 links to)

Assignee:: Julien ROPE

Reporter:: Jens Freimann

Contributors:: Victor Voronkov

QA Contact:: Victor Voronkov

Doc Contact:: John Wilkins

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/06/21 8:13 AM

Updated:: 2025/11/25 2:55 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates