Install the OSC operator

Openshift sandboxed containers provides Red Hat Openshift with built-in support for running Kata Containers as an additional, optional runtime. The new runtime runs containers in dedicated virtual machines (VMs), providing improved workload isolation. This is particularly useful for the following tasks:

  • Run privileged or untrusted workloads

  • Ensure isolation for sensitive workloads

  • Ensure kernel isolation for each workload

  • Share the same workload across tenants

  • Ensure proper isolation and sandboxing for testing software

  • Ensure default resource containment through VM boundaries

Please refer to Openshift sandboxed containers official documentation for more information.

When running on an Openshift cluster deployed in the cloud, OSC can deploy containers using the peer-pods technology.

The peer-pods solution extends Red Hat Openshift sandboxed containers (OSC) to run in any environment without requiring bare-metal servers or nested virtualization support. It does this by extending the Kata Containers runtime (which OSC is built on) to handle VM lifecycle management using cloud provider APIs (AWS, Azure, etc.) or third-party hypervisor APIs (such as VMware vSphere). More info on the peer pods solution is available here.

Together with its full integration with Trustee and its support for hardware TEEs, the OSC operator can offer the Confidential Containers (CoCo) technology on ARO.

To summarize, a Confidential Container on ARO is simply a container running in a Confidential VM backed by TEE hardware and set up using the peer-pods technology. The Confidential VM runs RHEL and contains the components that automatically connect to Trustee and perform attestation.

Having set up the Trustee operator, in this chapter we set up OSC to enable CoCo.

There are two ways to install the OSC operator:

Using the web interface

  1. In the Openshift Container Platform web console, navigate to Operators > OperatorHub.

  2. In the Filter by keyword field, type Openshift sandboxed containers.

  3. Click on the Openshift sandboxed containers Operator tile.

  4. On the Install Operator page, select stable from the list of available Update Channel options.

  5. Verify that Operator recommended Namespace is selected for Installed Namespace. This installs the Operator in the mandatory openshift-sandboxed-containers-operator namespace. If this namespace does not yet exist, it is automatically created.

NOTE: Attempting to install the Openshift sandboxed containers Operator in a namespace other than openshift-sandboxed-containers-operator causes the installation to fail.

  6. Verify that Automatic is selected for Update approval. Automatic is the default value, and enables automatic updates to Openshift sandboxed containers when a new z-stream release is available.

  7. Click Install.


The Openshift sandboxed containers Operator is now installed on your cluster.

Verification

  1. Navigate to Operators > Installed Operators.

  2. Verify that the Openshift sandboxed containers Operator is displayed.


Using the command line

If you prefer not to copy-paste each step, the Scripted way section below applies all three manifests in a single command.

  1. Create and apply a Namespace.yaml manifest file:

    cat > Namespace.yaml <<EOF
    apiVersion: v1
    kind: Namespace
    metadata:
      name: openshift-sandboxed-containers-operator
    EOF
    oc apply -f Namespace.yaml
  2. Create and apply an OperatorGroup.yaml manifest file:

    cat > OperatorGroup.yaml <<EOF
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: openshift-sandboxed-containers-operator
      namespace: openshift-sandboxed-containers-operator
    spec:
      targetNamespaces:
      - openshift-sandboxed-containers-operator
    EOF
    oc apply -f OperatorGroup.yaml
  3. Create and apply a Subscription.yaml manifest file:

    cat > Subscription.yaml <<EOF
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: openshift-sandboxed-containers-operator
      namespace: openshift-sandboxed-containers-operator
    spec:
      channel: stable
      installPlanApproval: Automatic
      name: sandboxed-containers-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
    EOF
    oc apply -f Subscription.yaml

    You can change the operator version by setting the startingCSV field in the Subscription.yaml file.

Verification

Ensure that the Operator is correctly installed by running the following command and checking that the PHASE column shows Succeeded:

oc get csv -n openshift-sandboxed-containers-operator

Example output

NAME                             DISPLAY                                  VERSION             REPLACES                   PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.10.1                                          Succeeded

Scripted way

To avoid copy-pasting all of the steps above, apply the three manifests in one step. NOTE: You can change the operator version by setting the startingCSV field under the Subscription resource.

oc apply -f - <<EOF
---
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
EOF

Verification

Ensure that the Operator is correctly installed by running the following command and checking that the PHASE column shows Succeeded:

watch oc get csv -n openshift-sandboxed-containers-operator
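The following script is an added example and is not part of the OSC documentation or the operator project. It wraps the same three manifests used in the command-line and scripted sections above, optionally pins a version through startingCSV, and then polls OLM until the Subscription has resolved a ClusterServiceVersion and that CSV reports phase Succeeded, rather than leaving the check to a human watching `oc get csv`. A Failed phase (for example when the namespace is wrong, as noted above) is reported with the CSV status message instead of waiting for the timeout. The Subscription name, namespace and package name are taken from this page; the CSV name used in comments and the `APPLY`, `TIMEOUT` and `STARTING_CSV` variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the OSC docs): install the OSC operator through OLM and
# wait for its ClusterServiceVersion to reach phase Succeeded.
set -eu

NS=openshift-sandboxed-containers-operator
SUB=openshift-sandboxed-containers-operator   # Subscription metadata.name from the page
TIMEOUT="${TIMEOUT:-600}"                     # assumed: seconds to wait before giving up
STARTING_CSV="${STARTING_CSV:-}"              # assumed: optional CSV name to pin; empty = latest in channel

# Classify one polling sample from the raw strings returned by
#   oc get subscription ... -o jsonpath='{.status.installedCSV}'
#   oc get csv ...          -o jsonpath='{.status.phase}'
# so the decision logic can be exercised without a cluster.
# Prints one of: ready, failed, pending.
classify_install() {
  installed_csv="$1"
  phase="$2"
  if [ -z "$installed_csv" ]; then
    echo pending            # OLM has not resolved the Subscription yet
  elif [ "$phase" = "Succeeded" ]; then
    echo ready
  elif [ "$phase" = "Failed" ]; then
    echo failed             # e.g. installed outside the mandatory namespace
  else
    echo pending            # Pending / InstallReady / Installing / Replacing
  fi
}

# Render the Subscription manifest, adding startingCSV only when a pin was requested.
subscription_manifest() {
  pin="$1"
  cat <<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: $SUB
  namespace: $NS
spec:
  channel: stable
  installPlanApproval: Automatic
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
EOF
  if [ -n "$pin" ]; then
    echo "  startingCSV: $pin"
  fi
}

# Apply Namespace + OperatorGroup + Subscription, then poll until ready, failed, or timeout.
install_and_wait() {
  oc apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $NS
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: $NS
  namespace: $NS
spec:
  targetNamespaces:
  - $NS
EOF
  subscription_manifest "$STARTING_CSV" | oc apply -f -

  deadline=$(( $(date +%s) + TIMEOUT ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    csv=$(oc get subscription "$SUB" -n "$NS" -o jsonpath='{.status.installedCSV}' 2>/dev/null || true)
    phase=""
    if [ -n "$csv" ]; then
      phase=$(oc get csv "$csv" -n "$NS" -o jsonpath='{.status.phase}' 2>/dev/null || true)
    fi
    case "$(classify_install "$csv" "$phase")" in
      ready)
        echo "CSV $csv is Succeeded"
        return 0 ;;
      failed)
        echo "CSV $csv is Failed: $(oc get csv "$csv" -n "$NS" -o jsonpath='{.status.message}')" >&2
        return 1 ;;
    esac
    sleep 10
  done
  echo "timed out after ${TIMEOUT}s waiting for Subscription $SUB" >&2
  return 1
}

# Only touch a cluster when explicitly asked (APPLY=1), so the helpers above can be sourced or tested.
if [ "${APPLY:-0}" = 1 ]; then
  install_and_wait
fi
```

Run it as `APPLY=1 sh install-osc.sh` against a cluster where `oc` is already logged in; to pin a release, set `STARTING_CSV` to the CSV name you want (the exact name is visible in the NAME column of `oc get csv` once a version is installed, or in the catalog). The exit status is 0 only when the CSV reports Succeeded, which makes the script usable as a gate in automation.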