On OSC 1.8.0 it was delivered a downstream-only implementation of signed containers because the feature wasn't fully done upstream and it was important for our relation with Microsoft to deliver it. While the feature works, it brought usability issues. For instance, user is mandatory to create the containers policy in KBS otherwise any pod will break to start. This made the OSC CoCo heavily dependent on KBS and prone to errors.

Probably, we would need o update the following sections in Trustee docs:

• 2.9. Creating the container image signature verification policy  (Azure)
• 3.10. Creating the container image signature verification policy (IBM)

Additional resources:

• Upstream issue: https://github.com/confidential-containers/cloud-api-adaptor/issues/1989 
• Bug report: https://issues.redhat.com/browse/KATA-4206 

POC: wmoschet eesposit@redhat.com