-
Setup Cloud Resources
If using AWS, create VPC and AMI. Similarly for other providers create the necessary resources.
-
Setup Kubernetes cluster in the cloud
At least one node in the cluster must have the "worker" role. Verify by executing the following command.
kubectl get nodesYou should see "worker" under the "ROLES" column as shown below:
NAME STATUS ROLES AGE VERSION testk-master-0 Ready control-plane,master,worker 37h v1.25.0If "worker" role is missing, execute the following command to set the role.
export NODENAME=<node-name> kubectl label node $NODENAME node.kubernetes.io/worker=
Please refer to the instructions available in the following doc.
- Update the
kustomization.yamlfile ininstall/overlays/$(CLOUD_PROVIDER)/kustomization.yamlwith your own settings - Optionally set up authenticated registry support
You can deploy the CoCo operator and cloud-api-adaptor with the Makefile by running
-
set CLOUD_PROVIDER
export CLOUD_PROVIDER=<aws|azure|ibmcloud|ibmcloud-powervs|libvirt|vsphere>RESOURCE_CTRLis set totrueby default to allow the peerpod-ctrl to run, monitor and delete dangling cloud resources
-
make deploydeploys operator, runtime and cloud-api-adaptor pod in the configured cluster- validate kubectl is available in your
$PATHand$KUBECONFIGis set
- validate kubectl is available in your
Note:
make deletedeletes the cloud-api-adaptor daemonset from the configured cluster (and peerpod-ctrl if RESOURCE_CTRL=true is set)
Alternatively the manual approach, if you want to pick a specific CoCo release/reference is:
-
Deploy the CoCo operator
- Follow the instructions in the "Deploy the Operator" section of the CoCo Operator's INSTALL.md file.
-
Create the peer pods variant of the CC custom resource to install the required pieces of CC and create the
kata-remoteRuntimeClass- Again, either deploy a release version of the Confidential Containers peer pod customer resource with, by running the following command where
<RELEASE_VERSION>needs to be substituted with the desired release tag:
Note: the release version needs to be
v0.6.0or afterexport RELEASE_VERSION=<RELEASE_VERSION> kubectl apply -k github.com/confidential-containers/operator/config/samples/ccruntime/peer-pods?ref=<RELEASE_VERSION>- Alternatively install the latest development version with:
kubectl apply -k "github.com/confidential-containers/operator/config/samples/ccruntime/peer-pods" - Again, either deploy a release version of the Confidential Containers peer pod customer resource with, by running the following command where
-
Wait until all the pods are running with:
kubectl get pods -n confidential-containers-system --watch -
Wait until the
kata-remoteruntime class has been created by running:kubectl get runtimeclass --watch -
Apply the kustomize.yaml configuration that you modified earlier with:
kubectl apply -k install/overlays/ibmcloud -
Wait until all the pods are running with:
kubectl get pods -n confidential-containers-system --watch
-
Check POD status
kubectl get pods -n confidential-containers-systemA successful install should show all the PODs with "Running" status under the
confidential-containers-systemnamespace.NAME READY STATUS RESTARTS AGE cc-operator-controller-manager-546574cf87-phbdv 2/2 Running 0 43m cc-operator-daemon-install-pzc4b 1/1 Running 0 42m cc-operator-pre-install-daemon-sgld6 1/1 Running 0 42m cloud-api-adaptor-daemonset-mk8ln 1/1 Running 0 37s -
View cloud-api-adaptor logs
kubectl logs pod/cloud-api-adaptor-daemonset-mk8ln -n confidential-containers-system
-
Set CLOUD_PROVIDER
export CLOUD_PROVIDER=<aws|azure|ibmcloud|ibmcloud-powervs|libvirt|vsphere> -
Set container registry and image name
export registry=<namespace>/<image_name> -
Build the container image and push it to
$registrymake image