Feature
Resolution: Unresolved
Major
Product / Portfolio Work
Feature Overview (aka. Goal Summary)
Deliver OpenShift Confidential Clusters as a General Availability (GA) production-ready offering on Microsoft Azure with AMD SEV-SNP, providing enterprise customers with fully supported, hardware-attested confidential computing capabilities backed by production SLAs, comprehensive certifications, and mature operational tooling.
This feature represents the culmination of the confidential clusters journey, delivering production-grade reliability, full Red Hat support, advanced enterprise features, compliance certifications, and the foundation for future multi-cloud expansion. GA enables customers to confidently deploy business-critical workloads requiring data-in-use protection, meeting the most stringent regulatory and security requirements.
Goals (aka. expected user outcomes)
Primary User Types/Personas:
- Enterprise Customers (Financial Services, Healthcare, Government, Critical Infrastructure): Can deploy confidential clusters in production with confidence in Red Hat's enterprise support, meeting regulatory compliance requirements and business SLAs
- CIOs and Business Decision Makers: Have a certified, vendor-supported solution for confidential computing that reduces business risk and enables competitive differentiation
- Security & Compliance Officers: Can demonstrate hardware-based data protection controls to auditors and regulators with comprehensive compliance certifications and attestation evidence
- Production SREs and Operations Teams: Operate confidential clusters at scale with mature tooling, automation, comprehensive monitoring, and 24/7 Red Hat support
- ISV Partners: Can certify and sell solutions built on production-supported OpenShift confidential clusters with customer confidence
Observable Functionality:
- All Technology Preview functionality with production-grade quality and support
- Full Red Hat production support with defined SLAs and 24/7 availability
- Advanced operational features: automated remediation, policy-as-code, comprehensive audit logging
- Advanced monitoring and observability
- Production-hardened security with ongoing CVE management and security updates
- Long-term support and predictable upgrade paths across OpenShift versions
Requirements (aka. Acceptance Criteria):
Functional Requirements:
- Production-Grade Operator
  - Operator meets all Red Hat GA quality standards and enterprise requirements
  - Tested upgrade paths across multiple OpenShift versions
  - Fully integrated with OpenShift release payload and lifecycle
- OpenShift Console Integration
  - Console overview page shows confidential cluster status and attestation health
  - Node details page displays SEV-SNP enabled state and attestation status
  - Operator details page shows configuration and operational status
  - Visual indicators for attestation failures with drill-down to details
  - Console actions for common operations (view attestation logs, refresh status)
- Enhanced Observability & Monitoring
  - Integration with OpenShift cluster monitoring operator
| Deployment considerations | List applicable specific needs (N/A = not applicable) |
| --- | --- |
| Self-managed, managed, or both | Self-managed primary; ARO compatibility validated but not officially supported; document ARO requirements for GA |
| Classic (standalone cluster) | Yes - fully supported and primary deployment model |
| Hosted control planes | Still not supported; architecture refinements documented for future HyperShift integration |
| Multi node, Compact (three node), or Single node (SNO), or all | All |
| Connected / Restricted Network | Both supported |
| Architectures, e.g. x86_64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | x86_64 only (Azure AMD SEV-SNP confidential VMs); other architectures explicitly not supported |
| Operator compatibility | Dependencies: Machine API, Machine Config Operator, Cluster Version Operator; OLM integration for Tech Preview |
| Backport needed (list applicable versions) | N/A - new capability targeting next OpenShift minor release (e.g., 4.X) |
| UI need (e.g. OpenShift Console, dynamic plugin, OCM) | OpenShift Console integration required |
| Other (please specify) | |
Out of Scope
Explicitly Not Supported in GA:
- Other Cloud Providers: AWS and GCP support will be scoped during this phase
- Other TEE Technologies: Intel TDX, ARM CCA, other AMD technologies not supported
- Managed Services: ARO (Azure Red Hat OpenShift), ROSA, OSD integration
- Hosted Control Planes: HyperShift integration
Background
Phase Progression Context:
- Phase I: Architecture foundation, upstream repository, technical socialization
- Phase II: Developer Preview - first implementation, Azure + AMD SEV-SNP
- Phase III: Technology Preview - production-quality approach, operational maturity, Console UI
- Phase IV (This Phase): General Availability - production support, enterprise features
Documentation Considerations
Complete Product Documentation Required:
- Planning & Architecture
  - Solution overview and confidential computing concepts
  - Security architecture and threat model
- Installation & Configuration
  - Prerequisites checklist with validation commands
  - Azure subscription preparation (quotas, permissions, resources)
  - Configuration reference for all CRDs and parameters
  - Custom network configuration scenarios
  - Troubleshooting installation failures
- Operations & Administration
  - Day 2 operations guide
  - Monitoring and alerting configuration
  - Node lifecycle management (add, remove, replace, maintain)
  - Attestation policy management
  - Upgrading confidential clusters
- Troubleshooting & Support
  - Common error messages and solutions
  - Diagnostic commands and data collection
- Release Information
  - Release notes with new features and bug fixes
  - Known limitations and unsupported scenarios
  - Tech Preview support policy