fix: use kata-remote runtime class for cloud peer-pods

butler54 · claude · butler54 · commit f53261d2b069 · 2026-04-21T11:07:12.000+09:00
The kata runtime class runs a local QEMU VM without CDH. Cloud
peer-pods require kata-remote to spawn a VM in Azure/AWS with CDH
available at 127.0.0.1:8006. Also add kata-remote to the Kyverno
ClusterPolicy match list.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/charts/all/coco-kyverno-policies/templates/inject-coco-initdata.yaml b/charts/all/coco-kyverno-policies/templates/inject-coco-initdata.yaml
@@ -28,7 +28,7 @@ spec:
         all:
           - key: "{{ "{{" }}request.object.spec.runtimeClassName || '' {{ "}}" }}"
             operator: AnyIn
-            value: ["kata", "kata-cc"]
+            value: ["kata", "kata-cc", "kata-remote"]
           - key: "{{ "{{" }}request.object.metadata.annotations.\"coco.io/initdata-configmap\" || '' {{ "}}" }}"
             operator: NotEquals
             value: ""
diff --git a/charts/coco-supported/hello-openshift/templates/_helpers.tpl b/charts/coco-supported/hello-openshift/templates/_helpers.tpl
@@ -52,11 +52,11 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 
 {{/*
 Determine runtime class name based on cluster platform.
-Cloud (Azure/AWS) uses "kata" for peer-pods; baremetal uses "kata-cc" for confidential containers.
+Cloud (Azure/AWS) uses "kata-remote" for peer-pods; baremetal uses "kata-cc" for confidential containers.
 */}}
 {{- define "hello-openshift.runtimeClassName" -}}
 {{- if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") -}}
-kata
+kata-remote
 {{- else -}}
 kata-cc
 {{- end -}}
diff --git a/charts/coco-supported/kbs-access/templates/secure-deployment.yaml b/charts/coco-supported/kbs-access/templates/secure-deployment.yaml
@@ -20,7 +20,7 @@ spec:
         io.katacontainers.config.hypervisor.default_memory: {{ .Values.defaultMemory | quote }}
         {{- end }}
     spec:
-      runtimeClassName: {{ if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") }}kata{{ else }}kata-cc{{ end }}
+      runtimeClassName: {{ if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") }}kata-remote{{ else }}kata-cc{{ end }}
       containers:
         - name: python-access
           image: ghcr.io/butler54/kbs-access-app:latest
