
feat: Kyverno-based cc_init_data injection for OSC 1.12#77

Open

butler54 wants to merge 2 commits into validatedpatterns:main from butler54:feature/kyverno-initdata

Conversation

@butler54
Collaborator

Summary

  • Add Kyverno MutatingPolicy to inject cc_init_data into pods with kata runtime classes, replacing broken io.katacontainers.config.agent.policy annotation
  • Add ValidatingPolicy to audit initdata ConfigMaps for required fields
  • Add ClusterPolicy to propagate initdata ConfigMaps from imperative namespace to workload namespaces
  • Update imperative job to generate both default and debug initdata ConfigMaps with Kyverno validation fields
  • Update values-simple.yaml: OSC 1.12.0, Trustee 1.1.0, Kyverno Helm chart, OpenShift SCC overrides
  • Trustee app temporarily targets feature/trustee-1.1-compat branch (revert after trustee-chart PR merged)

Three initdata modes

| Mode | Trigger | ConfigMap |
| --- | --- | --- |
| Default | coco.io/initdata-configmap: initdata | Generated by imperative job |
| Debug | coco.io/initdata-configmap: debug-initdata | Generated by imperative job (permissive policy, same KBS cert) |
| User-provided | Pod already has cc_init_data annotation | User-managed (no mutation) |

Dependencies

Test plan

  • Deploy with main.clusterGroupName: simple on Azure
  • Verify Kyverno pods running in kyverno namespace
  • Verify Kyverno policies created: oc get mpol,vpol,cpol
  • Wait for imperative job → both initdata and debug-initdata ConfigMaps created
  • Verify ConfigMaps propagated to hello-openshift and kbs-access namespaces
  • Create test pod with kata runtime → verify io.katacontainers.config.hypervisor.cc_init_data injected
  • Test debug mode: pod with coco.io/initdata-configmap: debug-initdata
  • Test user-provided: pod with explicit cc_init_data, no coco.io annotation → no mutation
  • Revert trustee app to chart: trustee + chartVersion: 0.2.* after trustee-chart release

🤖 Generated with Claude Code
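The three initdata modes and the ConfigMap propagation described above, as an added Python model of the admission decisions (this is illustration code, not the pattern's own Kyverno policy YAML). The annotation keys are the ones named in this PR; the "kata" runtime class prefix, the ConfigMap data key "initdata", the runtime class name "kata-remote" and the assumption that the ConfigMap already holds the final annotation value are all assumptions made here.

```python
"""Model of the admission decisions made by this PR's Kyverno policies.
Added illustration, not the pattern's own policy YAML. Assumptions: a "kata
runtime class" is any runtimeClassName starting with "kata"; the ConfigMap
data key is "initdata"; its value is already the final annotation value."""
import copy

CC_INIT_DATA = "io.katacontainers.config.hypervisor.cc_init_data"
SELECTOR = "coco.io/initdata-configmap"
DATA_KEY = "initdata"  # assumed key inside the ConfigMap


def propagate(configmaps, source_ns, targets):
    """ClusterPolicy step: copy each ConfigMap in source_ns into every target namespace.
    configmaps maps (namespace, name) -> {"data": {...}}; a new dict is returned."""
    out = dict(configmaps)
    for (ns, name), cm in configmaps.items():
        if ns == source_ns:
            for target in targets:
                out[(target, name)] = copy.deepcopy(cm)
    return out


def mutate(pod, configmaps):
    """MutatingPolicy step: return (pod, mode); the input pod is never modified."""
    if not (pod.get("spec", {}).get("runtimeClassName") or "").startswith("kata"):
        return pod, "not-kata"          # policy only matches kata runtime classes
    meta = pod.get("metadata") or {}
    annotations = meta.get("annotations") or {}
    if CC_INIT_DATA in annotations:
        return pod, "user-provided"     # explicit cc_init_data wins: no mutation
    cm_name = annotations.get(SELECTOR)
    if cm_name is None:
        return pod, "unannotated"       # PR does not say these get a default; left alone
    cm = configmaps.get((meta.get("namespace", "default"), cm_name))
    if cm is None or DATA_KEY not in cm.get("data", {}):
        raise LookupError(f"ConfigMap {cm_name!r} missing in pod namespace or lacks {DATA_KEY!r}")
    out = copy.deepcopy(pod)
    out.setdefault("metadata", {}).setdefault("annotations", {})[CC_INIT_DATA] = cm["data"][DATA_KEY]
    return out, "debug" if cm_name == "debug-initdata" else "default"


def kata_pod(ns, annotations, runtime="kata-remote"):
    """Constructed minimal pod manifest (the runtime class name is a placeholder)."""
    return {"metadata": {"namespace": ns, "annotations": annotations},
            "spec": {"runtimeClassName": runtime}}


# Constructed sample: the imperative job's two ConfigMaps, then propagated by the ClusterPolicy.
CMS = propagate({("imperative", "initdata"): {"data": {DATA_KEY: "DEFAULT-PAYLOAD"}},
                 ("imperative", "debug-initdata"): {"data": {DATA_KEY: "DEBUG-PAYLOAD"}}},
                "imperative", ["hello-openshift", "kbs-access"])
```

A pod in a namespace the ClusterPolicy has not propagated to raises LookupError, which is the failure the test plan's "verify ConfigMaps propagated" step exists to catch.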

butler54 and others added 2 commits April 20, 2026 21:19
…e 1.1

Replace broken io.katacontainers.config.agent.policy annotation with
Kyverno MutatingPolicy that injects cc_init_data from ConfigMaps into
pods with kata runtime classes.

- Add coco-kyverno-policies chart with MutatingPolicy, ValidatingPolicy,
  and ClusterPolicy for ConfigMap namespace propagation
- Update imperative job to generate both default and debug initdata
  ConfigMaps with Kyverno validation fields
- Update workload pod templates to use coco.io/initdata-configmap
  annotation instead of inline policy
- Update values-simple.yaml: OSC 1.12, Trustee 1.1, Kyverno Helm app
- Add conditional memory annotation for non-Azure platforms
- Delete insecure-policy.rego (policy now embedded in cc_init_data)

BREAKING CHANGE: Requires Kyverno and OSC 1.12 / Trustee 1.1.0

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Temporarily targets butler54/trustee-chart feature/trustee-1.1-compat
branch instead of released chart version. Revert to chart: trustee +
chartVersion: 0.2.* after trustee-chart PR is merged and released.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
butler54 requested a review from a team April 20, 2026 12:21
