From 50ada75a2b7d00e766e292522ebb5517c487f106 Mon Sep 17 00:00:00 2001
From: Baptiste Bonnot
Date: Fri, 7 Nov 2025 16:45:44 +0100
Subject: [PATCH] Adding Kata guide
---
 01-Home.md | 1 +
 Guide-kata-cc.md | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 Guide-kata-cc.md
diff --git a/01-Home.md b/01-Home.md
index a3324ed..5c291d5 100644
--- a/01-Home.md
+++ b/01-Home.md
@@ -3,6 +3,7 @@ ## Guides - [Repository Handling Multiple Environments](Guide-Repository-Handling-Multiple-Environments.md) - [Database-PostgreSQL](Guide-Database.md#cloudnative-postgresql-guide) +- [Confidential-Computing-Kata-CC](Guide-kata-cc.md#OpenShift-Confidential-Computing-with-Kata-Containers)
diff --git a/Guide-kata-cc.md b/Guide-kata-cc.md
new file mode 100644
index 0000000..4948a64
--- /dev/null
+++ b/Guide-kata-cc.md
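Review bot: The new Home link in the 01-Home.md hunk points at `Guide-kata-cc.md#OpenShift-Confidential-Computing-with-Kata-Containers`, but the common forges (GitHub, GitLab) generate heading anchors in lower case, so the fragment would likely need to be `#openshift-confidential-computing-with-kata-containers` to resolve. Worth checking against the wiki renderer in use before merging, since the other guide link on the same list already uses a lower-case fragment.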
@@ -0,0 +1,42 @@
+# OpenShift Confidential Computing with Kata Containers
+
+This guide demonstrates how to run confidential workloads on OpenShift using **Kata Containers**. Workloads scheduled with the `kata-cc` RuntimeClass leverage **AMD SEV, SEV-ES, and SEV-SNP** hardware-backed memory encryption.
+
+---
+
+## Test Pod Manifest
+
+Below is a pod manifest that demonstrates confidential computing with SEV-SNP enabled.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kata-cc-demo
+spec:
+ runtimeClassName: kata-cc
+ containers:
+ - name: demo
+ image: registry.access.redhat.com/ubi9/ubi-minimal:latest
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ microdnf install -y procps-ng util-linux
+ echo "Verifying confidential computing (SEV-SNP) status..."
+ dmesg | grep -i SEV
+ echo "Pod will remain running for inspection"
+ sleep 3600
+ securityContext:
+ privileged: true
+ restartPolicy: Never
+
+# Expected Output from inside the pod:
+# ------------------------------------
+# Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
+# SEV: Status: SEV SEV-ES SEV-SNP
+# SEV: APIC: wakeup_secondary_cpu() replaced with wakeup_cpu_via_vmgexit()
+# SEV: Using SNP CPUID table, 29 entries present.
+# SEV: SNP running at VMPL0
+# SEV: SNP guest platform device initialized
+# sev-guest sev-guest: Initialized SEV guest driver (using vmpck_id 0)
+
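Review bot: The demo pod in this hunk sets `securityContext: privileged: true`, which grants the container the full capability set and device access inside the guest although the script only needs to read the kernel log; the least-privilege form a guide should show is `capabilities:` / `add: ["SYSLOG"]` with the `privileged` key removed (on a Kata guest the log is the VM's own kernel log, so confirm CAP_SYSLOG is sufficient there). The `dmesg | grep -i SEV` lines documented as expected output only report what the guest kernel believes about its own state and are not an attestation report, so a sentence in the guide saying that this check is a sanity check rather than proof of confidentiality would keep readers from over-trusting it. Two smaller points: the ```yaml fence opened before `apiVersion` is never closed, so the `# Expected Output` comments and anything appended later render inside the code block, and `ubi-minimal:latest` should be a pinned tag or digest so the demo stays reproducible.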