Confidential Compute Support (TP)

Type: Epic
Resolution: Unresolved
Status: To Do
Progress: 100% To Do, 0% In Progress, 0% Done
The goal of the first phase of the confidential cluster initiative, as explained in the enhancement proposal, is to guarantee the confidentiality of a cluster; Ignition configs will not be protected in phase 1, in terms of either integrity or confidentiality. This means the first phase of work needed from the MCO team mostly consists of resolving dependencies for supporting phase 2 of the initiative. The two main goals for the MCO in this phase of supporting confidential clusters are:
- Bootc support for cluster upgrades
- Cluster flag to signal cluster is confidential mode
The RHCOS team has communicated that only bootc images will be supported for confidential clusters. Therefore, to allow version upgrades of clusters in confidential compute mode, the MCO needs to support an upgrade path that uses bootc. Further, we need to ensure that no rpm-ostree commands are invoked in an upgrade that takes the bootc path. Accomplishing this goal depends on having a bootc update path, which will be refined and worked on in MCO-1238 (tentatively).
The experience the MCO needs to support for confidential clusters in phase 2 and beyond differs somewhat from current clusters. For example, confidential clusters must take the bootc update path while standard clusters can continue using legacy functions relying on rpm-ostree until the MCO decides to fully migrate the experience; some configuration options will not be supported in confidential clusters; and there are further differences. Therefore, we need a way to signify that a cluster is in confidential mode. This is likely going to require the addition of a field in the API, which in turn will require a feature gate separate from the existing bootc one.
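The two MCO goals above (a bootc-only upgrade path with no rpm-ostree invocations, and a cluster flag behind its own feature gate) are sketched below as an added example; this is not MCO code and does not reflect the actual API. The field names `ConfidentialCompute` and `ConfidentialFeatureGateEnabled`, the `PlanUpdate` and `AssertNoRpmOstree` helpers, and the image reference are all assumptions made for illustration. The point it demonstrates is that the invariant "no rpm-ostree on the bootc path" can be checked on the planned command list before anything runs, rather than trusted by inspection.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// ClusterConfig stands in for the cluster-level API field the epic says
// will be needed. Field names here are hypothetical: the page defines
// neither the field nor the name of its feature gate.
type ClusterConfig struct {
	ConfidentialCompute            bool // hypothetical: cluster runs in confidential mode
	ConfidentialFeatureGateEnabled bool // hypothetical: gate distinct from the existing bootc gate
}

// UpdatePlan is the ordered list of host commands an upgrade would invoke.
type UpdatePlan struct {
	Path     string     // "bootc" or "rpm-ostree"
	Commands [][]string // argv of each command, in order
}

// ErrConfidentialGate is returned when confidential mode is requested on a
// cluster whose (hypothetical) feature gate for it is not enabled.
var ErrConfidentialGate = errors.New("confidential mode requested but its feature gate is not enabled")

// PlanUpdate selects the upgrade path. Confidential clusters must take the
// bootc path; standard clusters may keep the legacy rpm-ostree path.
func PlanUpdate(cfg ClusterConfig, image string) (UpdatePlan, error) {
	if cfg.ConfidentialCompute {
		if !cfg.ConfidentialFeatureGateEnabled {
			return UpdatePlan{}, ErrConfidentialGate
		}
		return UpdatePlan{
			Path: "bootc",
			Commands: [][]string{
				{"bootc", "switch", image},
				{"bootc", "status"},
			},
		}, nil
	}
	return UpdatePlan{
		Path: "rpm-ostree",
		Commands: [][]string{
			{"rpm-ostree", "rebase", image},
			{"rpm-ostree", "status"},
		},
	}, nil
}

// AssertNoRpmOstree enforces the invariant that a bootc-path upgrade never
// shells out to rpm-ostree, regardless of the path the binary is invoked by.
func AssertNoRpmOstree(plan UpdatePlan) error {
	for i, argv := range plan.Commands {
		if len(argv) > 0 && filepath.Base(argv[0]) == "rpm-ostree" {
			return fmt.Errorf("command %d invokes rpm-ostree on the %s path: %v", i, plan.Path, argv)
		}
	}
	return nil
}

func main() {
	// Constructed image reference; not a real RHCOS image.
	const image = "quay.io/example/rhcos:constructed"
	for _, cfg := range []ClusterConfig{
		{ConfidentialCompute: true, ConfidentialFeatureGateEnabled: true},
		{ConfidentialCompute: true},
		{},
	} {
		plan, err := PlanUpdate(cfg, image)
		if err != nil {
			fmt.Println("refused:", err)
			continue
		}
		fmt.Printf("path=%s rpm-ostree-free=%v\n", plan.Path, AssertNoRpmOstree(plan) == nil)
	}
}
```

Running the block shows the confidential cluster taking the bootc path and passing the check, the ungated confidential cluster being refused, and the standard cluster still planning rpm-ostree commands (which the check correctly flags, since that path is only legitimate for non-confidential clusters).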
This phase should ideally align with RHCOS's plan of releasing confidential clusters in TechPreview in 4.22, though both the MCO and RHCOS teams understand this timeline is improbable.