-
Setup Cloud Resources
If using AWS, create VPC and AMI. Similarly for other providers create the necessary resources.
-
Setup Kubernetes cluster in the cloud
At least one node in the cluster must have the "worker" role. Verify by executing the following command.
kubectl get nodes
You should see "worker" under the "ROLES" column as shown below:
NAME             STATUS   ROLES                         AGE   VERSION
testk-master-0   Ready    control-plane,master,worker   37h   v1.25.0
If the "worker" role is missing, execute the following commands to set the role.
export NODENAME=<node-name>
kubectl label node $NODENAME node.kubernetes.io/worker=
Please refer to the instructions available in the following doc.
- Update the kustomization.yaml file in install/overlays/$(CLOUD_PROVIDER)/kustomization.yaml with your own settings
- Optionally set up authenticated registry support
You can either deploy the CoCo operator and cloud-api-adaptor with the Makefile
by running
-
Set CLOUD_PROVIDER
export CLOUD_PROVIDER=<aws|azure|ibmcloud|ibmcloud-powervs|libvirt|vsphere>
- Optional: also set RESOURCE_CTRL=true to allow the peerpod-ctrl to run, monitor and delete dangling cloud resources (where the provider supports it)
-
make deploy
deploys the operator, runtime and cloud-api-adaptor pod in the configured cluster
- Validate that kubectl is available in your $PATH and that $KUBECONFIG is set
Note:
make delete
deletes the cloud-api-adaptor daemonset from the configured cluster (and peerpod-ctrl if RESOURCE_CTRL=true is set)
Alternatively, the manual approach, if you want to pick a specific CoCo release or reference, is:
-
Deploy the CoCo operator
- Either deploy a released version of the Confidential Containers Operator by running the following commands, where <RELEASE_VERSION> needs to be substituted with the desired release tag. For example, to deploy the v0.6.0 release, run: export RELEASE_VERSION="v0.6.0"
export RELEASE_VERSION=<RELEASE_VERSION>
kubectl apply -k "github.com/confidential-containers/operator/config/release?ref=${RELEASE_VERSION}"
- Or, for development activities, to install the latest, non-released version of the Confidential Containers Operator, run:
kubectl apply -k "github.com/confidential-containers/operator/config/default"
- Wait for the cc-operator-controller-manager to be in the Running state with:
kubectl get pods -n confidential-containers-system --watch
-
Create the peer pods variant of the CC custom resource to install the required pieces of CC and create the kata-remote RuntimeClass
- Again, either deploy a release version of the Confidential Containers peer pod custom resource by running the following commands, where <RELEASE_VERSION> needs to be substituted with the desired release tag:
Note: the release version needs to be v0.6.0 or later
export RELEASE_VERSION=<RELEASE_VERSION>
kubectl apply -k "github.com/confidential-containers/operator/config/samples/ccruntime/peer-pods?ref=${RELEASE_VERSION}"
- Alternatively install the latest development version with:
kubectl apply -k "github.com/confidential-containers/operator/config/samples/ccruntime/peer-pods"
-
Wait until all the pods are running with:
kubectl get pods -n confidential-containers-system --watch
-
Wait until the kata-remote runtime class has been created by running:
kubectl get runtimeclass --watch
-
Apply the kustomization.yaml configuration that you modified earlier with (the ibmcloud overlay is shown; use the overlay directory for your provider):
kubectl apply -k install/overlays/ibmcloud
-
Wait until all the pods are running with:
kubectl get pods -n confidential-containers-system --watch
-
Check POD status
kubectl get pods -n confidential-containers-system
A successful install should show all the pods with "Running" status under the confidential-containers-system namespace.
NAME                                              READY   STATUS    RESTARTS   AGE
cc-operator-controller-manager-546574cf87-phbdv   2/2     Running   0          43m
cc-operator-daemon-install-pzc4b                  1/1     Running   0          42m
cc-operator-pre-install-daemon-sgld6              1/1     Running   0          42m
cloud-api-adaptor-daemonset-mk8ln                 1/1     Running   0          37s
-
View cloud-api-adaptor logs
kubectl logs pod/cloud-api-adaptor-daemonset-mk8ln -n confidential-containers-system
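The two "wait until" checks above (the kata-remote runtime class exists, every pod in confidential-containers-system is Running) can be scripted instead of watched by eye. This is an added example, not part of the project's own tooling; the function names and the failing row in the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the project): post-install checks over kubectl output.
# Function names and the modified sample row are constructed for illustration.

NS=confidential-containers-system

# stdin: `kubectl get pods -n $NS` table. Prints "name status ready" for each
# pod that is not Running or whose READY count is short (e.g. 1/2).
# Returns 0 only when at least one pod is listed and none is flagged.
unhealthy_pods() {
    awk 'NR > 1 && NF >= 3 {
             seen = 1
             split($2, r, "/")
             if ($3 != "Running" || r[1] != r[2]) { print $1, $3, $2; bad = 1 }
         }
         END { exit (seen && !bad) ? 0 : 1 }'
}

# stdin: `kubectl get runtimeclass` table. Returns 0 if kata-remote is listed.
has_kata_remote() {
    awk 'NR > 1 && $1 == "kata-remote" { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample: the first three rows are from this page; in the last row
# the adaptor is made to crash-loop to show what a failed install looks like.
SAMPLE_PODS='NAME                                              READY   STATUS             RESTARTS   AGE
cc-operator-controller-manager-546574cf87-phbdv   2/2     Running            0          43m
cc-operator-daemon-install-pzc4b                  1/1     Running            0          42m
cc-operator-pre-install-daemon-sgld6              1/1     Running            0          42m
cloud-api-adaptor-daemonset-mk8ln                 0/1     CrashLoopBackOff   3          37s'

# Run against the live cluster when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    rc=0
    kubectl get runtimeclass | has_kata_remote ||
        { echo "RuntimeClass kata-remote not found" >&2; rc=1; }
    kubectl get pods -n "$NS" | unhealthy_pods ||
        { echo "pods above are not ready in $NS (or none found)" >&2; rc=1; }
    exit "$rc"
fi
```

An empty pod list is treated as a failure, so a namespace where nothing was deployed does not pass the check.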
-
Set CLOUD_PROVIDER
export CLOUD_PROVIDER=<aws|azure|ibmcloud|ibmcloud-powervs|libvirt|vsphere>
-
Set container registry and image name
export registry=<namespace>/<image_name>
-
Build the container image and push it to
$registry
make image