Setting up and configuring IBM Confidential Computing Containers for Red Hat OpenShift Container Platform

This section explains the procedure to set up and configure IBM Confidential Computing Containers for Red Hat OpenShift Container Platform.

Prerequisites

Procedure

You can deploy IBM Confidential Computing Containers for Red Hat OpenShift Container Platform by performing the following steps:
For Bare Metal
  1. Make sure that you have downloaded and registered the IBM Confidential Computing Containers for Red Hat OpenShift Container Platform image.
  2. Perform the following steps from Deploying confidential containers on IBM Z and IBM LinuxONE bare metal.
    Note: You will be shown a link to continue to the third-party screen. Click Continue or the link to proceed.
    1. Preparing the environment for deploying the confidential containers on IBM Z and IBM LinuxONE bare metal.
    2. Installing the OpenShift sandboxed containers Operator.
    3. Configuring auto-detection of TEEs.
    4. Enabling the confidential containers.
    5. Create the kata-addon-artifacts config map.
      Important:
      During this step, you must set the addonImage to the image that was pushed to the remote registry during Prerequisites. For example:
      addonImage: "icr.io/<image_namespace>/<image_name>"
      kernelPath: "<kernel_path>"
      • <image_namespace>: Replace this with your namespace in the registry. For example: ibm-confidential-computing.
      • <image_name>: Replace this with the actual image you want to deploy. For example: container-image:1.2.1
      • <kernel_path>: Replace this with the actual kernel path. For example: /image/cc-kernel-1.2.1.img.
      Note: If you face deployment or runtime issues, make sure that the CCCO container image version and the Kata RPM file version from OpenShift Container Platform (OCP) match. For more information, see Troubleshooting.
    6. Create the KataConfig custom resource.
For Peerpod
  1. Make sure that you have downloaded and registered the IBM Confidential Computing Containers for Red Hat OpenShift Container Platform image.
  2. Perform the following steps from Deploying OpenShift sandboxed containers on IBM Z and IBM LinuxONE.
    Note: You will be shown a link to continue to the third-party screen. Click Continue or the link to proceed.
    1. Peer pod resource requirements.
    2. Installing the OpenShift sandboxed containers Operator.
    3. Optional: Modifying the number of peer pod VMs per node.
    4. Optional: Configuring the libvirt volume.
    5. Creating the peer pods secret.
    6. Creating the peer pods config map.
    7. Creating the peer pod VM image config map.
      Important:

      During this step, you must set the PODVM_IMAGE_URI to the image that was pushed to the remote registry during Prerequisites. For example:

      PODVM_IMAGE_URI: "oci::icr.io/ibm_hpcc/ibm-ccco-podvm-container-image:v1.2.1::/image/ccco-v1.2.1.qcow2"

    8. Creating the KVM host secret.
    9. Creating the KataConfig custom resource.
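
A pre-apply check for the values set in the two Important steps above (addonImage and kernelPath for bare metal, PODVM_IMAGE_URI for peer pods), added here as an example and not taken from IBM or Red Hat tooling. The function names are hypothetical, the oci::<image>::<path> layout is read off the page's example value, and the comparison of the image tag with the file name is an assumed heuristic based on the page's sample values.

```shell
# Added example; function names are hypothetical, not part of any IBM/Red Hat tool.
# Returns 0 if the image reference carries a tag or a digest.
has_tag_or_digest() {
  case "$1" in *@sha256:*) return 0 ;; esac
  last=${1##*/}   # a tag can only follow the last path component
  case "$last" in *:?*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 if an unreplaced <placeholder> is still present.
has_placeholder() {
  case "$1" in *"<"*">"*) return 0 ;; *) return 1 ;; esac
}

# check_addon ADDON_IMAGE KERNEL_PATH   (values for kata-addon-artifacts)
check_addon() {
  has_placeholder "$1$2" && { echo "unreplaced placeholder" >&2; return 1; }
  has_tag_or_digest "$1" || { echo "addonImage has no tag or digest" >&2; return 1; }
  case "$2" in /*) ;; *) echo "kernelPath is not absolute" >&2; return 1 ;; esac
}

# check_podvm_uri URI
# Assumed layout, taken from the page's example: oci::<image reference>::<path in image>
# Returns 0 = ok, 1 = malformed, 2 = tag and file name disagree (heuristic).
check_podvm_uri() {
  uri=$1
  scheme=${uri%%::*}; rest=${uri#*::}
  [ "$rest" != "$uri" ] || { echo "missing :: separators" >&2; return 1; }
  image=${rest%%::*}; path=${rest#*::}
  [ "$path" != "$rest" ] || { echo "missing path inside image" >&2; return 1; }
  [ "$scheme" = "oci" ] || { echo "scheme is not oci" >&2; return 1; }
  has_placeholder "$uri" && { echo "unreplaced placeholder" >&2; return 1; }
  has_tag_or_digest "$image" || { echo "image has no tag or digest" >&2; return 1; }
  case "$path" in /*) ;; *) echo "image path is not absolute" >&2; return 1 ;; esac
  # A digest pins the content, so there is no tag to compare with the file name.
  case "$image" in *@sha256:*) return 0 ;; esac
  # Heuristic (assumption): the tag version also appears in the file name.
  tag=${image##*:}
  case "$path" in *"$tag"*) ;; *) echo "tag $tag not found in $path" >&2; return 2 ;; esac
}
```

Source the file and run the matching function on the value before creating the config map; a return code of 2 from check_podvm_uri is a prompt to re-check the versions, not a hard failure.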