redhat-cop · strangiato · Dec 12, 2023 · Nov 12, 2023 · Nov 12, 2023 · Nov 12, 2023
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+  argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+
+namespace: openshift-nfd
+
+resources:
+  - ../../../operator/overlays/stable
+  - ../../../instance/overlays/kata
@@ -1,6 +1,6 @@
----
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - cluster-kataconfig-kataconfig.yaml
+  - ../../base
+  - nfd.yaml
@@ -0,0 +1,20 @@
+apiVersion: nfd.openshift.io/v1
+kind: NodeFeatureDiscovery
+metadata:
+  name: nfd-kata
+  namespace: openshift-nfd
+spec:
+  operand:
+    image: quay.io/openshift/origin-node-feature-discovery:4.12
+    imagePullPolicy: Always
+    servicePort: 12000
+  workerConfig:
+    configData: |
+      sources:
+         custom:
+           - name: "feature.node.kubernetes.io/runtime.kata"
+             matchOn:
+               - cpuId: ["SSE4", "VMX"]
+                 loadedKMod: ["kvm", "kvm_intel"]
+               - cpuId: ["SSE4", "SVM"]
+                 loadedKMod: ["kvm", "kvm_amd"]
@@ -0,0 +1 @@
+sandboxed-containers-operator
@@ -0,0 +1,68 @@
+# sandboxed-containers-operator
+
+# Requirements
+Your cluster must be installed on bare metal infrastructure with Red Hat Enterprise Linux CoreOS workers.
+
+# Details
+OpenShift sandboxed containers based on the Kata Containers open source
+project, provides an Open Container Initiative (OCI) compliant container
+runtime using lightweight virtual machines, running your workloads in their own
+isolated kernel and therefore contributing an additional layer of isolation
+back to OpenShift’s Defense-in-Depth strategy. For more information
+[see](https://catalog.redhat.com/software/operators/detail/5ee0d499fdbe7cddc2c91cf5).
+
+# Features & benefits
+- **Isolated Developer Environments & Priviliges Scoping**
+  As a developer working on debugging an application using state-of-the-art
+  tooling you might need elevated privileges such as CAP_ADMIN or CAP_BPF. With
+  OpenShift sandboxed containers, any impact will be limited to a separate
+  dedicated kernel.
+
+- **Legacy Containerized Workload Isolation**
+  You are mid-way in converting a containerized monolith into cloud-native
+  microservices. However, the monolith still runs on your cluster unpatched and
+  unmaintained. OpenShift sandboxed containers helps isolate it in its own kernel
+  to reduce risk.
+
+- **Safe Multi-tenancy & Resource Sharing (CI/CD Jobs, CNFs, ..)**
+  If you are providing a service to multiple tenants, it could mean that the
+  service workloads are sharing the same resources (e.g., worker node). By
+  deploying in a dedicated kernel, the impact of these workloads have on one
+  another is greatly reduced.
+
+- **Additional Isolation with Native Kubernetes User Experience**
+  OpenShift sandboxed containers is used as a compliant OCI runtime.
+  Therefore, many operational patterns used with normal containers are still
+  preserved including but not limited to image scanning, GitOps, Imagestreams,
+  and so on.
+
+# How to install
+  Read the information about the Operator and click Install.
+
+  On the Install Operator page:
+
+  - Select preview-1.0 from the list of available Update Channel options.
+  This ensures that you install the version of OpenShift sandboxed containers
+  that is compatible with your OpenShift Container Platform version.
+
+  - For Installed Namespace, ensure that the Operator recommended namespace
+    option is selected. This installs the Operator in the mandatory
+    openshift-sandboxed-containers-operator namespace, which is automatically
+    created if it does not exist. Attempting to install the OpenShift
+    sandboxed containers Operator in a namespace other than
+    openshift-sandboxed-containers-operator causes the installation to fail.
+
+  - For Approval Strategy, ensure that Automatic, which is the default value,
+    is selected. OpenShift sandboxed containers automatically updates when a new
+    z-stream release is available.
+
+  - Click Install to make the Operator available to the OpenShift sandboxed
+    containers namespace.
+
+  - The OpenShift sandboxed containers Operator is now installed on your
+    cluster. You can trigger the Operator by enabling the runtime on your cluster.
+    You can do this by creating a KataConfig CRD instance. For this click
+    on "create instance" on the operator overview page.
+
+# Documentation
+See the official documentation [here](https://docs.openshift.com/container-platform/4.8/sandboxed_containers/understanding-sandboxed-containers.html).
@@ -0,0 +1,5 @@
+# Notes
+
+## Links
+
+- https://cloud.redhat.com/blog/openshift-sandboxed-containers-101
@@ -0,0 +1,36 @@
+# OpenShift sandboxed containers Operator
+
+Install OpenShift sandboxed containers Operator.
+
+Do not use the `base` directory directly, as you will need to patch the `channel` based on the version of OpenShift you are using, or the version of the operator you want to use.
+
+The current *overlays* available are for the following channels:
+
+* [preview-1.0](operator/overlays/preview-1.0)
+* [preview-1.1](operator/overlays/preview-1.1)
+* [stable](operator/overlays/stable)
+* [stable-1.2](operator/overlays/stable-1.2)
+* [stable-1.3](operator/overlays/stable-1.3)
+
+## Usage
+
+If you have cloned the `gitops-catalog` repository, you can install OpenShift sandboxed containers Operator based on the overlay of your choice by running from the root (`gitops-catalog`) directory.
+
+```
+oc apply -k sandboxed-containers-operator/operator/overlays/<channel>
+```
+
+Or, without cloning:
+
+```
+oc apply -k https://github.com/redhat-cop/gitops-catalog/sandboxed-containers-operator/operator/overlays/<channel>
+```
+
+As part of a different overlay in your own GitOps repo:
+
+```
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - https://github.com/redhat-cop/gitops-catalog/sandboxed-containers-operator/operator/overlays/<channel>?ref=main
+```
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+  argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+
+resources:
+  - ../../operator/overlays/stable
+  - ../../instance/overlays/aws
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+  argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+
+resources:
+  - ../../operator/overlays/stable
+  - ../../instance/overlays/default
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- pod-kata.yaml
+- pod-normal.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: http-kata
+spec:
+  containers:
+    - name: http
+      image: registry.fedoraproject.org/fedora
+      ports:
+        - containerPort: 8080
+      command:
+        - "python3"
+      args:
+        - "-m"
+        - "http.server"
+        - "8080"
+      resources: {}
+  runtimeClassName: kata
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: http-normal
+spec:
+  containers:
+    - name: http
+      image: registry.fedoraproject.org/fedora
+      ports:
+        - containerPort: 8080
+      command:
+        - "python3"
+      args:
+        - "-m"
+        - "http.server"
+        - "8080"
+      resources: {}
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../base
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kata-verification
+
+resources:
+- ../../base
+- namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kata-verification
+  annotations:
+    openshift.io/display-name: "Sandboxed Containers Verification"
+    argocd.argoproj.io/sync-wave: "0"
@@ -1,8 +1,7 @@
----
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 namespace: openshift-sandboxed-containers-operator
 
 resources:
-  - example-deploy.yaml
+  - setup-machineset.yaml