From 7934758fee811beb9ef340b964bea63267c0ad9b Mon Sep 17 00:00:00 2001 
From: Samantha Gidlow
Date: Mon, 29 Mar 2021 16:42:10 -0400
Subject: [PATCH] Initial additions of sandboxed containers
---
_topic_map.yml | 11 ++++++++
modules/common-attributes.adoc | 2 ++
...sandboxed-containers-about-sandboxing.adoc | 7 +++++
.../sandboxed-containers-building-blocks.adoc | 7 +++++
...ed-containers-installing-operator-cli.adoc | 7 +++++
...iners-installing-operator-web-console.adoc | 7 +++++
...dboxed-containers-installing-operator.adoc | 7 +++++
modules/sandboxed-containers-limitations.adoc | 7 +++++
.../sandboxed-containers-os-extensions.adoc | 7 +++++
...ontainers-preparing-openshift-cluster.adoc | 7 +++++
...boxed-containers-scheduling-workloads.adoc | 7 +++++
.../sandboxed-containers-selecting-nodes.adoc | 7 +++++
...-triggering-installation-kata-runtime.adoc | 7 +++++
...-containers-uninstalling-kata-runtime.adoc | 20 +++++++++++++
...containers-viewing-workloads-from-cli.adoc | 7 +++++
...rs-viewing-workloads-from-web-console.adoc | 7 +++++
...ploying-sandboxed-container-workloads.adoc | 16 +++++++++++
...sabling-sandboxed-container-workloads.adoc | 8 ++++++
sandboxed_containers/modules | 1 +
.../understanding-sandboxed-containers.adoc | 28 +++++++++++++++++++
20 files changed, 177 insertions(+)
create mode 100644 modules/sandboxed-containers-about-sandboxing.adoc
create mode 100644 modules/sandboxed-containers-building-blocks.adoc
create mode 100644 modules/sandboxed-containers-installing-operator-cli.adoc
create mode 100644 modules/sandboxed-containers-installing-operator-web-console.adoc
create mode 100644 modules/sandboxed-containers-installing-operator.adoc
create mode 100644 modules/sandboxed-containers-limitations.adoc
create mode 100644 modules/sandboxed-containers-os-extensions.adoc
create mode 100644 modules/sandboxed-containers-preparing-openshift-cluster.adoc
create mode 100644 modules/sandboxed-containers-scheduling-workloads.adoc
create mode 100644 modules/sandboxed-containers-selecting-nodes.adoc
create mode 100644 modules/sandboxed-containers-triggering-installation-kata-runtime.adoc
create mode 100644 modules/sandboxed-containers-uninstalling-kata-runtime.adoc
create mode 100644 modules/sandboxed-containers-viewing-workloads-from-cli.adoc
create mode 100644 modules/sandboxed-containers-viewing-workloads-from-web-console.adoc
create mode 100644 sandboxed_containers/deploying-sandboxed-container-workloads.adoc
create mode 100644 sandboxed_containers/disabling-sandboxed-container-workloads.adoc
create mode 120000 sandboxed_containers/modules
create mode 100644 sandboxed_containers/understanding-sandboxed-containers.adoc
diff --git a/_topic_map.yml b/_topic_map.yml
index 4b68337deb..a29b63e214 100644
--- a/_topic_map.yml
+++ b/_topic_map.yml
@@ -1653,6 +1653,17 @@ Topics:
 - Name: Disabling Windows container workloads
 File: disabling-windows-container-workloads
 ---
+Name: Sandboxed Container Support for OpenShift
+Dir: sandboxed_containers
+Distros: openshift-origin,openshift-enterprise
+Topics:
+- Name: Understanding OpenShift sandboxed containers
+ File: understanding-sandboxed-containers
+- Name: Deploying sandboxed containers workloads
+ File: deploying-sandboxed-container-workloads
+- Name: Disabling sandboxed container workloads
+ File: disabling-sandboxed-container-workloads
+---
 Name: Logging
 Dir: logging
 Distros: openshift-enterprise,openshift-origin,openshift-dedicated
diff --git a/modules/common-attributes.adoc b/modules/common-attributes.adoc
index e68c1999f5..514d91c9dc 100644
--- a/modules/common-attributes.adoc
+++ b/modules/common-attributes.adoc
@@ -26,6 +26,8 @@ endif::[]
 :cloud-redhat-com: Red Hat OpenShift Cluster Manager
 :rh-storage-first: Red Hat OpenShift Container Storage
 :rh-storage: OpenShift Container Storage
+:sandboxed-containers-first: OpenShift sandboxed containers
+:sandboxed-containers: Sandboxed Containers Operator
 :rh-virtualization-first: Red Hat Virtualization (RHV)
 :rh-virtualization: RHV
 ifdef::openshift-origin[]
diff --git a/modules/sandboxed-containers-about-sandboxing.adoc b/modules/sandboxed-containers-about-sandboxing.adoc
new file mode 100644
index 0000000000..534df9cf8a
--- /dev/null
+++ b/modules/sandboxed-containers-about-sandboxing.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/understanding_sandboxed_containers.adoc
+
+[id="about-sandboxing_{context}"]
+
+= About sandboxing
diff --git a/modules/sandboxed-containers-building-blocks.adoc b/modules/sandboxed-containers-building-blocks.adoc
new file mode 100644
index 0000000000..e9e1d674b4
--- /dev/null
+++ b/modules/sandboxed-containers-building-blocks.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/understanding_sandboxed_containers.adoc
+
+[id="sandboxed-containers-building-blocks_{context}"]
+
+= Sandboxed containers building blocks
diff --git a/modules/sandboxed-containers-installing-operator-cli.adoc b/modules/sandboxed-containers-installing-operator-cli.adoc
new file mode 100644
index 0000000000..dae4346f40
--- /dev/null
+++ b/modules/sandboxed-containers-installing-operator-cli.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/deploying_sandboxed_containers.adoc
+
+[id="sandboxed-containers-installing-operator-cli_{context}"]
+
+= Installing the Sandboxed Containers Operator using the CLI
diff --git a/modules/sandboxed-containers-installing-operator-web-console.adoc b/modules/sandboxed-containers-installing-operator-web-console.adoc
new file mode 100644
index 0000000000..f2c74930c7
--- /dev/null
+++ b/modules/sandboxed-containers-installing-operator-web-console.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/deploying_sandboxed_containers.adoc
+
+[id="sandboxed-containers-installing-operator-web-console_{context}"]
+
+= Installing the Sandboxed Containers Operator using the web console
diff --git a/modules/sandboxed-containers-installing-operator.adoc b/modules/sandboxed-containers-installing-operator.adoc
new file mode 100644
index 0000000000..dcca4a20e1
--- /dev/null
+++ b/modules/sandboxed-containers-installing-operator.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/deploying_sandboxed_containers.adoc
+
+[id="installing-sandboxed-container-operator_{context}"]
+
+= Installing the Sandboxed Containers Operator
diff --git a/modules/sandboxed-containers-limitations.adoc b/modules/sandboxed-containers-limitations.adoc
new file mode 100644
index 0000000000..db8243454f
--- /dev/null
+++ b/modules/sandboxed-containers-limitations.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/understanding_sandboxed_containers.adoc
+
+[id="sandboxed-containers-limitations_{context}"]
+
+= Limitations
diff --git a/modules/sandboxed-containers-os-extensions.adoc b/modules/sandboxed-containers-os-extensions.adoc
new file mode 100644
index 0000000000..709a3bea17
--- /dev/null
+++ b/modules/sandboxed-containers-os-extensions.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/understanding_sandboxed_containers.adoc
+
+[id="sandboxed-containers-os-extensions_{context}"]
+
+= OS extensions
diff --git a/modules/sandboxed-containers-preparing-openshift-cluster.adoc b/modules/sandboxed-containers-preparing-openshift-cluster.adoc
new file mode 100644
index 0000000000..97650a4876
--- /dev/null
+++ b/modules/sandboxed-containers-preparing-openshift-cluster.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/deploying_sandboxed_containers.adoc
+
+[id="sandboxed-containers-preparing-openshift-cluster_{context}"]
+
+= Preparing your cluster for OpenShift sandboxed containers
diff --git a/modules/sandboxed-containers-scheduling-workloads.adoc b/modules/sandboxed-containers-scheduling-workloads.adoc
new file mode 100644
index 0000000000..a2fa188c63
--- /dev/null
+++ b/modules/sandboxed-containers-scheduling-workloads.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/deploying_sandboxed_containers.adoc
+
+[id="sandboxed-containers-scheduling-workloads_{context}"]
+
+= Scheduling sandboxed containers workloads
diff --git a/modules/sandboxed-containers-selecting-nodes.adoc b/modules/sandboxed-containers-selecting-nodes.adoc
new file mode 100644
index 0000000000..ff180d6cde
--- /dev/null
+++ b/modules/sandboxed-containers-selecting-nodes.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/deploying_sandboxed_containers.adoc
+
+[id="sandboxed-containers-selecting-nodes_{context}"]
+
+= Selecting nodes for OpenShift sandboxed containers
diff --git a/modules/sandboxed-containers-triggering-installation-kata-runtime.adoc b/modules/sandboxed-containers-triggering-installation-kata-runtime.adoc
new file mode 100644
index 0000000000..10f6c8dcc0
--- /dev/null
+++ b/modules/sandboxed-containers-triggering-installation-kata-runtime.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/deploying_sandboxed_containers.adoc
+
+[id="sandboxed-containers-triggering-installation-kata-runtime_{context}"]
+
+= Triggering the installation of the Kata runtime
diff --git a/modules/sandboxed-containers-uninstalling-kata-runtime.adoc b/modules/sandboxed-containers-uninstalling-kata-runtime.adoc
new file mode 100644
index 0000000000..bfd0c07155
--- /dev/null
+++ b/modules/sandboxed-containers-uninstalling-kata-runtime.adoc
@@ -0,0 +1,20 @@
+//Module included in the following assemblies:
+//
+// *disabling-sandboxed-container-workloads.adoc
+
+[id="sandboxed-containers-uninstalling-kata-runtime_{context}"]
+
+= Uninstalling the Kata runtime
+
+This section describes how to remove and uninstall the `kata` runtime and all its related resources, such as CRI-O config and `RuntimeClass`, from from your cluster.
+
+.Procedure
+
+- Delete the `KataConfig` custom resource:
++
+[source,terminal]
+----
+oc delete kataconfig
+----
+
+The {sandboxed-containers} removes all resources that were initially created to enable the runtime on your cluster. After you run the command above, your cluster is restored to the state prior to the installation process.
diff --git a/modules/sandboxed-containers-viewing-workloads-from-cli.adoc b/modules/sandboxed-containers-viewing-workloads-from-cli.adoc
new file mode 100644
index 0000000000..1fed0137a6
--- /dev/null
+++ b/modules/sandboxed-containers-viewing-workloads-from-cli.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/deploying_sandboxed_containers.adoc
+
+[id="sandboxed-containers-viewing-workloads-from-cli_{context}"]
+
+= Viewing sandboxed containers workloads from the CLI
diff --git a/modules/sandboxed-containers-viewing-workloads-from-web-console.adoc b/modules/sandboxed-containers-viewing-workloads-from-web-console.adoc
new file mode 100644
index 0000000000..88db81b5c4
--- /dev/null
+++ b/modules/sandboxed-containers-viewing-workloads-from-web-console.adoc
@@ -0,0 +1,7 @@
+//Module included in the following assemblies:
+//
+// * sandboxed_containers/deploying_sandboxed_containers.adoc
+
+[id="sandboxed-containers-viewing-workloads-from-web-console_{context}"]
+
+= Viewing sandboxed containers workloads from the web console
diff --git a/sandboxed_containers/deploying-sandboxed-container-workloads.adoc b/sandboxed_containers/deploying-sandboxed-container-workloads.adoc
new file mode 100644
index 0000000000..3443ccaa43
--- /dev/null
+++ b/sandboxed_containers/deploying-sandboxed-container-workloads.adoc
@@ -0,0 +1,16 @@
+[id="deploying-sandboxed-containers-workloads"]
+= Deploying OpenShift sandboxed containers workloads
+include::modules/common-attributes.adoc[]
+:context: deploying-sandboxed-containers
+
+toc::[]
+
+include::modules/sandboxed-containers-installing-operator.adoc[leveloffset=+1]
+include::modules/sandboxed-containers-preparing-openshift-cluster.adoc[leveloffset=+2]
+include::modules/sandboxed-containers-installing-operator-web-console.adoc[leveloffset=+2]
+include::modules/sandboxed-containers-installing-operator-cli.adoc[leveloffset=+2]
+include::modules/sandboxed-containers-triggering-installation-kata-runtime.adoc[leveloffset=+2]
+include::modules/sandboxed-containers-selecting-nodes.adoc[leveloffset=+2]
+include::modules/sandboxed-containers-scheduling-workloads.adoc[leveloffset=+1]
+include::modules/sandboxed-containers-viewing-workloads-from-web-console.adoc[leveloffset=+1]
+include::modules/sandboxed-containers-viewing-workloads-from-cli.adoc[leveloffset=+1]
diff --git a/sandboxed_containers/disabling-sandboxed-container-workloads.adoc b/sandboxed_containers/disabling-sandboxed-container-workloads.adoc
new file mode 100644
index 0000000000..cc531e7a63
--- /dev/null
+++ b/sandboxed_containers/disabling-sandboxed-container-workloads.adoc
@@ -0,0 +1,8 @@
+[id="disabling-sandboxed-containers-workloads"]
+= Disabling OpenShift sandboxed containers workloads
+include::modules/common-attributes.adoc[]
+:context: disabling-sandboxed-containers
+
+toc::[]
+
+include::modules/sandboxed-containers-uninstalling-kata-runtime.adoc[leveloffset=+1]
diff --git a/sandboxed_containers/modules b/sandboxed_containers/modules
new file mode 120000
index 0000000000..464b823aca
--- /dev/null
+++ b/sandboxed_containers/modules
@@ -0,0 +1 @@
+../modules
\ No newline at end of file
diff --git a/sandboxed_containers/understanding-sandboxed-containers.adoc b/sandboxed_containers/understanding-sandboxed-containers.adoc
new file mode 100644
index 0000000000..1d10eb4056
--- /dev/null
+++ b/sandboxed_containers/understanding-sandboxed-containers.adoc
@@ -0,0 +1,28 @@
+[id="understanding-sandboxed-containers"]
+= Understanding OpenShift sandboxed containers
+include::modules/common-attributes.adoc[]
+
+:context: understanding-sandboxed-containers
+
+toc::[]
+
+[role="_abstract"]
+
+{sandboxed-containers-first} support for {product-title} provides users with built-in support for running Kata Containers as an additional optional runtime. This is particularly useful for users who are wanting to perform the following tasks:
+
+- Run privileged or untrusted workloads.
+- Ensure kernel isolation for each workload.
+- Share the same workload across tenants.
+- Ensure proper isolation and sandboxing for testing software.
+- Ensure default resource containment through VM boundaries.
+
+Furthermore, {sandboxed-containers-first} provide an additional option for users to choose from the type of workload they want to run to cover a wide variety of use cases.
+
+Sandboxed containers are only supported on bare metal.
+
+{op-system-first} is the only supported operating system for {product-title} 4.8.
+
+include::modules/sandboxed-containers-about-sandboxing.adoc[leveloffset=+1]
+include::modules/sandboxed-containers-building-blocks.adoc[leveloffset=+1]
+include::modules/sandboxed-containers-os-extensions.adoc[leveloffset=+1]
+include::modules/sandboxed-containers-limitations.adoc[leveloffset=+1]