Guide kata cc
Baptiste Bonnot edited this page 2025-11-07 16:45:44 +01:00
OpenShift Confidential Computing with Kata Containers
This guide demonstrates how to run confidential workloads on OpenShift using Kata Containers. Workloads scheduled with the kata-cc RuntimeClass run inside a lightweight virtual machine whose memory is encrypted by the AMD SEV, SEV-ES, or SEV-SNP hardware features, so the host and its administrators cannot read the workload's memory in clear.
Test Pod Manifest
Below is a pod manifest that demonstrates confidential computing with SEV-SNP enabled. The pod runs as privileged only so that `dmesg` can read the guest kernel log; the SEV lines it prints come from the guest VM kernel, which is what confirms the workload is inside an SEV-SNP guest.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kata-cc-demo
spec:
  runtimeClassName: kata-cc
  containers:
    - name: demo
      image: registry.access.redhat.com/ubi9/ubi-minimal:latest
      command: ["/bin/sh", "-c"]
      args:
        - |
          microdnf install -y procps-ng util-linux
          echo "Verifying confidential computing (SEV-SNP) status..."
          dmesg | grep -i SEV
          echo "Pod will remain running for inspection"
          sleep 3600
      securityContext:
        privileged: true
  restartPolicy: Never
```

Expected output from inside the pod:

```
Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
SEV: Status: SEV SEV-ES SEV-SNP
SEV: APIC: wakeup_secondary_cpu() replaced with wakeup_cpu_via_vmgexit()
SEV: Using SNP CPUID table, 29 entries present.
SEV: SNP running at VMPL0
SEV: SNP guest platform device initialized
sev-guest sev-guest: Initialized SEV guest driver (using vmpck_id 0)
```
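The manual check above can be turned into a script that reads the pod's log and decides whether the workload really landed in an SEV-SNP guest. The following is an added example, not code from the wiki page or from the Kata Containers project. It assumes the `kata-cc-demo` pod from the manifest has been applied and that `oc logs kata-cc-demo` returns the output shown above; the sample log texts are constructed inline so the function can be exercised offline. It keys on guest-only kernel lines (`SNP running at VMPL0`, the `sev-guest` driver) rather than the pod's own `echo` line, so a privileged `runc` pod that happens to see the host's `dmesg` is not mistaken for a confidential one.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): verify from the pod's
# log that the workload runs inside an SEV-SNP guest.
# Assumes: the kata-cc-demo pod from the manifest above was applied with
# `oc apply -f kata-cc-demo.yaml` and `oc logs kata-cc-demo` returns the
# guest kernel's SEV lines.

# Constructed sample of what `oc logs kata-cc-demo` prints on an SEV-SNP host.
SAMPLE_SNP='Verifying confidential computing (SEV-SNP) status...
Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
SEV: Status: SEV SEV-ES SEV-SNP
SEV: SNP running at VMPL0
SEV: SNP guest platform device initialized
sev-guest sev-guest: Initialized SEV guest driver (using vmpck_id 0)
Pod will remain running for inspection'

# Constructed sample from the same container scheduled with a non-Kata
# runtime: the echo lines are there, but no guest kernel SEV lines.
SAMPLE_PLAIN='Verifying confidential computing (SEV-SNP) status...
Pod will remain running for inspection'

# check_sev_snp LOGTEXT
# Returns 0 when the guest kernel reports SEV-SNP active AND the guest is
# running at VMPL0 AND the sev-guest driver initialized; returns 1 otherwise.
# Anchoring on these kernel lines (not on the pod's own "Verifying ..." echo)
# keeps a plain pod, or a privileged pod looking at host dmesg, from passing.
check_sev_snp() {
    printf '%s\n' "$1" | grep -q '^Memory Encryption Features active:.*SEV-SNP' || return 1
    printf '%s\n' "$1" | grep -q '^SEV: SNP running at VMPL0' || return 1
    printf '%s\n' "$1" | grep -q 'Initialized SEV guest driver' || return 1
    return 0
}

# Live use (assumes oc is logged in and the pod exists):
#   check_sev_snp "$(oc logs kata-cc-demo)" && echo "SEV-SNP confirmed" || echo "NOT confidential"

# Offline demonstration on the constructed samples.
if check_sev_snp "$SAMPLE_SNP"; then echo "SAMPLE_SNP: SEV-SNP confirmed"; fi
if ! check_sev_snp "$SAMPLE_PLAIN"; then echo "SAMPLE_PLAIN: no SEV-SNP evidence"; fi
```

Note that a passing log only proves the guest kernel believes it is in an SEV-SNP VM; it is not remote attestation. A production deployment should obtain an SNP attestation report from the guest and verify it against AMD's signing chain before releasing secrets to the workload.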