Openshift sandboxed containers / KATA-3947

OSC Operator Core - Automated CoCo Bare Metal Enablement (for OCP 4.19+)


    • Type: Epic
    • Priority: Medium
    • Resolution: Unresolved
    • Status: In Progress
    • Product / Portfolio Work
    • Parent: KATA-3747 - Confidential Containers on Bare Metal [Technology Preview]
    • Progress: 67% To Do, 17% In Progress, 17% Done
    • Denali #1

      Epic Goal

      • Implement foundational operator logic for CoCo on Bare Metal to automate as much of the setup as possible, moving responsibilities from helper scripts into the operator and minimizing user configuration.

      Why is this important?

      • This epic covers the operator's core logic for CoCo on bare metal. Key activities include:
        • OCP Version Check: Implement logic that disables CoCo BM functionality, and warns the administrator, when the cluster runs OCP < 4.19.
        • Flexible Deployment Mode: Implement a deploymentMode setting, read from a ConfigMap, that lets administrators choose the installation method (MachineConfig, DaemonSet, or DaemonSetFallback).
        • Automated TEE Hardware Detection: Consume Node Feature Discovery (NFD) labels to detect automatically whether a node supports AMD SEV-SNP or Intel TDX.
        • Dynamic RuntimeClass Management: Create the kata-qemu-snp and kata-qemu-tdx RuntimeClass objects dynamically, based on the detected hardware.
        • DaemonSet-driven Installation: Use a DaemonSet as the primary mechanism to install the kata-containers RPMs and manage the CRI-O configuration; this is essential for clusters without the Machine Config Operator (MCO).

      Scenarios

      1. As an Administrator, I want to enable CoCo on BM by setting deploymentMode: DaemonSet in a ConfigMap, and have the operator automatically detect my TEE hardware (SNP/TDX).
      2. As an Administrator on an unsupported cluster (OCP < 4.19), I want to be clearly notified via operator status conditions and cluster events that CoCo on Bare Metal is not supported, so I don't waste time trying to configure a non-functional feature.
      3. As an Administrator, I want the OSC operator to automatically detect whether my nodes are SNP or TDX capable without me specifying it, so that configuration is simplified and less error-prone.

      Acceptance Criteria 

      (The Epic is complete when...)

      1. Operator reconciliation for CoCo BM is skipped on OCP < 4.19, and a Condition with Status: "False" and Reason: "UnsupportedOCPVersion" is set on the KataConfig resource.
      2. The operator correctly consumes NFD labels to identify SNP and TDX nodes.
      3. The operator automatically creates TEE-specific RuntimeClass objects (kata-qemu-snp, kata-qemu-tdx) whose node selectors are derived from the NFD labels, so pods using a RuntimeClass land only on nodes with the matching TEE.
      4. The DaemonSet manages the installation of kata-containers RPMs and the creation of CRI-O configuration drop-in files on the host.
      5. The operator manages the deployment of the "CoCo guest payload / initrd toolkit" container image (from EPIC 2) to CoCo-enabled nodes via a DaemonSet.
      6. The operator monitors installation progress by reading node labels (e.g., installing, installed) that are updated by the DaemonSet.
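      Added worked example for the Key activities above and acceptance criteria 1 to 3. This is not code from the OSC operator; it was written for this page in Go (the operator's language) using only the standard library, so it runs without k8s.io dependencies. It shows the OCP version gate that yields Status "False" / Reason "UnsupportedOCPVersion", deploymentMode parsing from ConfigMap data, SNP/TDX detection from NFD labels, and the derived kata-qemu-snp / kata-qemu-tdx RuntimeClass objects with their node selectors. Assumptions: the NFD label keys (taken from NFD's cpu-security feature labels, to be confirmed against the cluster's NFD version), the condition type name CoCoBareMetalSupported, and that the CRI-O handler name equals the RuntimeClass name; the Condition and RuntimeClass structs stand in for metav1.Condition and nodev1.RuntimeClass.

```go
package main

import (
	"fmt"
	"sort"
)

const (
	minMajor, minMinor = 4, 19 // minimum OCP release for CoCo on bare metal
	// Assumed NFD label keys (cpu-security labels from NFD's cpu feature
	// source); confirm them against the NFD version running in the cluster.
	labelSNP = "feature.node.kubernetes.io/cpu-security.sev.snp.enabled"
	labelTDX = "feature.node.kubernetes.io/cpu-security.tdx.enabled"
)

// Condition carries the metav1.Condition fields the acceptance criteria name.
type Condition struct{ Type, Status, Reason, Message string }

// RuntimeClass carries the node.k8s.io/v1 RuntimeClass fields the operator sets.
type RuntimeClass struct{ Name, Handler string; NodeSelector map[string]string }

// checkOCPVersion gates CoCo BM reconciliation on the cluster version string
// (e.g. "4.18.7"): nil when supported, otherwise the Condition to set on
// KataConfig. Status and Reason are the epic's; the Type name is an assumption.
func checkOCPVersion(version string) (*Condition, error) {
	var major, minor int
	if _, err := fmt.Sscanf(version, "%d.%d", &major, &minor); err != nil {
		return nil, fmt.Errorf("malformed OCP version %q: %w", version, err)
	}
	if major > minMajor || (major == minMajor && minor >= minMinor) {
		return nil, nil
	}
	return &Condition{
		Type:    "CoCoBareMetalSupported",
		Status:  "False",
		Reason:  "UnsupportedOCPVersion",
		Message: fmt.Sprintf("CoCo on bare metal needs OCP %d.%d+, cluster is %s", minMajor, minMinor, version),
	}, nil
}

// parseDeploymentMode reads deploymentMode from ConfigMap data (same shape as
// corev1.ConfigMap.Data). Unset or unknown values are errors rather than a
// silent fallback, so a typo cannot select a different install path.
func parseDeploymentMode(data map[string]string) (string, error) {
	switch mode := data["deploymentMode"]; mode {
	case "MachineConfig", "DaemonSet", "DaemonSetFallback":
		return mode, nil
	default:
		return "", fmt.Errorf("deploymentMode %q is unset or unknown", mode)
	}
}

// detectTEE maps one node's labels to "snp", "tdx" or "" (no TEE). A node
// carrying both labels is mislabelled and is rejected rather than guessed.
func detectTEE(labels map[string]string) (string, error) {
	snp, tdx := labels[labelSNP] == "true", labels[labelTDX] == "true"
	switch {
	case snp && tdx:
		return "", fmt.Errorf("node reports both SEV-SNP and TDX")
	case snp:
		return "snp", nil
	case tdx:
		return "tdx", nil
	}
	return "", nil
}

// runtimeClassesFor returns one RuntimeClass per TEE type present in the cluster,
// with a nodeSelector pinning pods to nodes that carry the matching NFD label.
// Assumption: the CRI-O handler name equals the RuntimeClass name.
func runtimeClassesFor(nodes map[string]map[string]string) ([]RuntimeClass, error) {
	labelFor := map[string]string{"snp": labelSNP, "tdx": labelTDX}
	present := map[string]bool{}
	for name, labels := range nodes {
		tee, err := detectTEE(labels)
		if err != nil {
			return nil, fmt.Errorf("node %s: %w", name, err)
		}
		if tee != "" {
			present[tee] = true
		}
	}
	var out []RuntimeClass
	for tee := range present {
		name := "kata-qemu-" + tee
		out = append(out, RuntimeClass{Name: name, Handler: name, NodeSelector: map[string]string{labelFor[tee]: "true"}})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

func main() {
	// Constructed sample cluster: one SNP node, one TDX node, one plain node.
	nodes := map[string]map[string]string{"w0": {labelSNP: "true"}, "w1": {labelTDX: "true"}, "w2": {}}
	cond, _ := checkOCPVersion("4.18.5") // below the minimum, so cond is set
	rcs, err := runtimeClassesFor(nodes)
	fmt.Println(cond.Reason, rcs, err)
}
```

      A node that carries both the SNP and the TDX label is reported as an error instead of being resolved by precedence: silently picking one would schedule a confidential workload onto a RuntimeClass whose attestation evidence does not match the hardware, so the reconciler should surface it and wait for the labels to be fixed.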

      People: Greg Kurz (rhgkurz), Jens Freimann (jfreiman), Victor Voronkov