Story
Resolution: Unresolved
High
OSC 1.8.0 shipped a downstream-only implementation of signed container images, because the feature was not finished upstream and delivering it mattered for our relationship with Microsoft. While the feature works, it brought usability issues. For instance, the user is required to create the container image signature verification policy in KBS; otherwise no pod can start. This makes OSC CoCo heavily dependent on KBS and error-prone.
We will probably need to update the following sections in the Trustee docs:
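As an added illustration (not part of the ticket, the OSC product, or the Trustee docs) of what the mandatory policy is, the script below writes out a containers/image policy.json in its two extreme forms: the permissive form that accepts any image (which makes pods start but enforces nothing) and the enforcing form that rejects everything except a cosign-signed image verified against a public key fetched from KBS. The image name quay.io/example/app and the key URI kbs:///default/cosign-public-key/test are placeholders; the KBS resource path under which Trustee serves the policy itself is not shown because the ticket does not state it.

```shell
# Added example, not from the ticket or the Trustee docs.
# Image name and kbs:/// key URI below are placeholders (assumptions).

# Permissive policy: every image is accepted, signed or not. Uploading this to KBS
# avoids the "pod does not start" failure but also disables signature verification.
write_permissive_policy() {
  cat > "$1" <<'EOF'
{
  "default": [ { "type": "insecureAcceptAnything" } ]
}
EOF
}

# Enforcing policy: reject by default, require a sigstore (cosign) signature for the
# protected image, verified with a public key the guest fetches from KBS.
write_enforcing_policy() {
  cat > "$1" <<'EOF'
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "quay.io/example/app": [
        {
          "type": "sigstoreSigned",
          "keyPath": "kbs:///default/cosign-public-key/test"
        }
      ]
    }
  }
}
EOF
}

# Sanity check before uploading a policy: it must require a signature for at least
# one image and must not fall back to accepting anything.
policy_enforces_signatures() {
  grep -q '"sigstoreSigned"' "$1" && ! grep -q '"insecureAcceptAnything"' "$1"
}

# Stand-alone run: write both files into a scratch directory and report on each.
policy_dir=$(mktemp -d)
write_permissive_policy "$policy_dir/permissive.json"
write_enforcing_policy "$policy_dir/enforcing.json"
for f in "$policy_dir/permissive.json" "$policy_dir/enforcing.json"; do
  if policy_enforces_signatures "$f"; then
    echo "$f: enforces signatures"
  else
    echo "$f: does NOT enforce signatures"
  fi
done
```

The check is deliberately coarse (a text grep, not a policy evaluation); its purpose is to catch the common mistake of shipping the permissive file to KBS and believing verification is on.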
- 2.9. Creating the container image signature verification policy (Azure)
- 3.10. Creating the container image signature verification policy (IBM)
Additional resources:
- Upstream issue: https://github.com/confidential-containers/cloud-api-adaptor/issues/1989
- Bug report: https://issues.redhat.com/browse/KATA-4206
- GDoc with suggested changes: https://docs.google.com/document/d/1B7Dj8G78vVewzxR5G3JioPL_OZQTfznYFKmlG5WkaQs/edit?usp=sharing
POC: wmoschet eesposit@redhat.com
MR: https://gitlab.cee.redhat.com/telco-team-documentation/sandboxed-containers-documentation/-/merge_requests/666 (part of the MR for https://issues.redhat.com/browse/KATA-4327, Trustee v1.0.0 changes, Trustee part)