adding kata node check features docs

modules/sandboxed-containers-check-node-eligiblilty.adoc

@@ -0,0 +1,116 @@
+// Module included in the following assemblies:
+//
+// * sandboxed_containers/deploying-sandboxed-container-workloads.adoc
+
+:_module-type: PROCEDURE
+[id="sandboxed-containers-check-node-eligiblilty_{context}"]
+= Checking whether cluster nodes are eligible to run {sandboxed-containers-first}
+
+Before running {sandboxed-containers-first}, you can check whether the nodes in your cluster are eligible to run Kata containers. Some cluster nodes might not comply with sandboxed containers' minimum requirements. The most common reason for node ineligibility is the lack of virtualization support on the node. If you attempt to run sandboxed workloads on ineligible nodes, you will experience errors. You can use the Node Feature Discovery Operator (NFD) and a `NodeFeatureDiscovery` resource to automatically check node eligibility.
+
+[NOTE]
+====
+If you want to install the Kata runtime on only selected worker nodes that you know are eligible, apply the `feature.node.kubernetes.io/runtime.kata=true` label to the selected nodes and set `checkNodeEligibility: true` in the `KataConfig` resource.
+
+Alternatively, to install the Kata runtime on all worker nodes, set `checkNodeEligibility: false` in the `KataConfig` resource.
+
+In both these scenarios, you do not need to create the `NodeFeatureDiscovery` resource. You should only apply the `feature.node.kubernetes.io/runtime.kata=true` label manually if you are sure that the node is eligible to run Kata containers.
+====
+
+The following procedure applies the `feature.node.kubernetes.io/runtime.kata=true` label to all eligible nodes and configures the `KataConfig` resource to check for node eligibility.
+
+.Prerequisites
+
+* Install the OpenShift CLI (`oc`).
+* Log in as a user with `cluster-admin` privileges.
+* Install the Node Feature Discovery (NFD) Operator.
+
+.Procedure
+
+. Create a `NodeFeatureDiscovery` resource to detect node capabilities suitable for running Kata containers:
+
+.. Save the following YAML in the `nfd.yaml` file:
++
+[source,yaml]
+----
+apiVersion: nfd.openshift.io/v1
+kind: NodeFeatureDiscovery
+metadata:
+  name: nfd-kata
+  namespace: openshift-nfd
+spec:
+  operand:
+    namespace: openshift-nfd
+    image: quay.io/openshift/origin-node-feature-discovery:4.10
+    imagePullPolicy: Always
+    servicePort: 12000
+  workerConfig:
+    configData: |
+      sources:
+         custom:
+           - name: "feature.node.kubernetes.io/runtime.kata"
+             matchOn:
+               - cpuId: ["SSE4", "VMX"]
+                 loadedKMod: ["kvm", "kvm_intel"]
+               - cpuId: ["SSE4", "SVM"]
+                 loadedKMod: ["kvm", "kvm_amd"]
+----
+
+.. Create the `NodeFeatureDiscovery` custom resource (CR):
++
+[source,terminal]
+----
+$ oc create -f nfd.yaml
+----
++
+.Example output
+[source,terminal]
+----
+nodefeaturediscovery.nfd.openshift.io/nfd-kata created
+----
++
+A `feature.node.kubernetes.io/runtime.kata=true` label is applied to all qualifying worker nodes.
+
+. Set the `checkNodeEligibility` field to `true` in the `KataConfig` resource to enable the feature, for example:
+
+.. Save the following YAML in the `kata-config.yaml` file:
++
+[source,yaml]
+----
+apiVersion: kataconfiguration.openshift.io/v1
+kind: KataConfig
+metadata:
+  name: example-kataconfig
+spec:
+  checkNodeEligibility: true
+----
+
+.. Create the `KataConfig` CR:
++
+[source,terminal]
+----
+$ oc create -f kata-config.yaml
+----
++
+.Example output
+[source,terminal]
+----
+kataconfig.kataconfiguration.openshift.io/example-kataconfig created
+----
+
+.Verification
+
+* Verify that qualifying nodes in the cluster have the correct label applied:
++
+[source,terminal]
+----
+$ oc get nodes --selector='feature.node.kubernetes.io/runtime.kata=true'
+----
++
+.Example output
+[source,terminal]
+----
+NAME                           STATUS                     ROLES    AGE     VERSION
+compute-3.example.com          Ready                      worker   4h38m   v1.23.3+e419edf
+compute-2.example.com          Ready                      worker   4h35m   v1.23.3+e419edf
+----

sandboxed_containers/deploying-sandboxed-container-workloads.adoc

@@ -14,6 +14,14 @@ include::modules/sandboxed-containers-preparing-openshift-cluster.adoc[leveloffs
 .Additional resources
 * xref:../installing/installing_bare_metal/installing-bare-metal.adoc#installing-bare-metal[Installing a user-provisioned cluster on bare metal]
 
+include::modules/sandboxed-containers-check-node-eligiblilty.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For more information about installing the Node Feature Discovery (NFD) Operator, see xref:../hardware_enablement/psap-node-feature-discovery-operator.adoc#installing-the-node-feature-discovery-operator_node-feature-discovery-operator[Installing NFD].
+
+[id="deploying-sandboxed-containers-workloads-web-console"]
 == Deploying {sandboxed-containers-first} workloads using the web console
 
 You can deploy {sandboxed-containers-first} workloads from the web console. First, you must install the {sandboxed-containers-operator}, then create the `KataConfig` custom resource (CR). Once you are ready to deploy a workload in a sandboxed container, you must manually add `kata` as the `runtimeClassName` to the workload YAML file.
@@ -23,6 +31,7 @@ include::modules/sandboxed-containers-create-kataconfig-resource-web-console.ado
 //include::modules/sandboxed-containers-selecting-nodes-web-console.adoc[leveloffset=+3]
 include::modules/sandboxed-containers-deploying-workloads-with-kata-runtime-web.adoc[leveloffset=+2]
 
+[id="deploying-sandboxed-containers-workloads-cli"]
 == Deploying {sandboxed-containers-first} workloads using the CLI
 
 You can deploy {sandboxed-containers-first} workloads using the CLI. First, you must install the {sandboxed-containers-operator}, then create the `KataConfig` custom resource. Once you are ready to deploy a workload in a sandboxed container, you must add `kata` as the `runtimeClassName` to the workload YAML file.