This skill helps diagnose and troubleshoot Confidential Containers (CoCo) deployments on Azure Red Hat OpenShift (ARO), particularly when following the workshop.
The skill systematically checks your ARO cluster for common CoCo configuration issues:
- ✅ Trustee operator installation and configuration
- ✅ OpenShift Sandboxed Containers (OSC) operator setup
- ✅ Attestation configuration and reference values
- ✅ PCR8 hash consistency (most common failure point)
- ✅ Image signature verification policies
- ✅ Sealed secrets configuration
- ✅ Pod-specific debugging for failed CoCo workloads
Files:
- `coco-aro-diagnostics.md` - Main Claude Code skill definition
- `coco-diagnostics.sh` - Automated diagnostic helper script
- `README.md` - This file

Installation:
- Copy `coco-aro-diagnostics.md` to your Claude Code skills directory:
  ```bash
  mkdir -p ~/.claude/skills
  cp coco-aro-diagnostics.md ~/.claude/skills/
  ```
- In Claude Code, invoke the skill:
  ```
  /coco-aro-diagnostics
  ```
The helper script can run independently for quick checks:
```bash
# Full diagnostics
./coco-diagnostics.sh
# Check only Trustee operator
./coco-diagnostics.sh --trustee
# Check only OSC operator
./coco-diagnostics.sh --osc
# Check PCR8 consistency (most common issue)
./coco-diagnostics.sh --pcr8
# Diagnose specific pod
./coco-diagnostics.sh --pod default/my-coco-pod
```

Prerequisites:
- `oc` (OpenShift CLI) - installed and logged into the cluster
- `jq` - JSON processor
- `base64`, `gunzip` - for decoding initdata
- `sha384sum` - for PCR hash calculations
You need access to the OpenShift cluster via one of:
- Kubeconfig file:
  ```bash
  export KUBECONFIG=/path/to/kubeconfig
  ```
- Username/password:
  ```bash
  oc login https://api.cluster.example.com:6443 -u username -p password
  ```
- Already logged in - just run the diagnostics

Your user needs read access to:
- `trustee-operator-system` namespace (Trustee)
- `openshift-sandboxed-containers-operator` namespace (OSC)
- Application namespaces (for pod debugging)
Run a full health check:
```bash
./coco-diagnostics.sh --full
```
This runs all checks and provides a complete health report.
Most attestation failures are due to PCR8 mismatches:
```bash
# Check if PCR8 matches
./coco-diagnostics.sh --pcr8
```
If a mismatch is detected, the script shows the exact commands to fix it.
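To show what that comparison involves, here is an added shell example (not part of the skill's `coco-diagnostics.sh` and not the workshop's code) that recomputes the hash the same way the PCR8 fix in this README does (base64-decode, gunzip, sha384sum) and compares it with a Trustee pcr8 reference value. It runs offline on a constructed initdata sample; against a real cluster you would feed it the `INITDATA` value from `peer-pods-cm` and the pcr8 value from the reference-values ConfigMap named in your KbsConfig. The sample initdata content and the helper names `initdata_pcr8_hash` and `check_pcr8` are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example (not the skill's or the workshop's own code): recompute the
# PCR8 hash from an INITDATA blob as this README's fix does
# (base64 -> gunzip -> sha384sum) and compare it with a Trustee reference value.
# Assumes base64, gzip/gunzip, sha384sum and awk are on PATH (Linux coreutils).

# Decode an INITDATA value (base64 of gzip-compressed initdata) and print
# the SHA-384 hex digest of the decompressed content.
initdata_pcr8_hash() {
  printf '%s' "$1" | base64 -d | gunzip | sha384sum | awk '{print $1}'
}

# Compare the computed hash with the pcr8 reference value held by Trustee.
# Returns 0 on match, 1 on mismatch; prints both values either way.
check_pcr8() {
  local initdata="$1" refval="$2" actual
  actual="$(initdata_pcr8_hash "$initdata")"
  printf 'initdata sha384 : %s\n' "$actual"
  printf 'trustee pcr8    : %s\n' "$refval"
  if [ "$actual" = "$refval" ]; then
    echo "PCR8 OK: reference value matches current initdata"
    return 0
  fi
  echo "PCR8 MISMATCH: set pcr8 in the reference-values ConfigMap to the sha384 above, then restart Trustee"
  return 1
}

# Constructed sample initdata (not real cluster data), stored the same way
# peer-pods-cm stores INITDATA. gzip -n keeps the archive deterministic.
SAMPLE_INITDATA_PLAIN='algorithm = "sha384"
version = "0.1.0"
[data]
"policy.rego" = "package agent_policy"
'
SAMPLE_INITDATA="$(printf '%s' "$SAMPLE_INITDATA_PLAIN" | gzip -n | base64 | tr -d '\n')"
# The matching reference value is the sha384 of the plain initdata.
SAMPLE_REFVAL="$(printf '%s' "$SAMPLE_INITDATA_PLAIN" | sha384sum | awk '{print $1}')"
# A constructed stale value, standing in for a reference value left over
# from an older initdata.
STALE_REFVAL="$(printf '%s' 'stale initdata' | sha384sum | awk '{print $1}')"

# Against a live cluster you would pass the real values instead:
#   INITDATA=$(oc get cm peer-pods-cm -n openshift-sandboxed-containers-operator -o jsonpath='{.data.INITDATA}')
#   check_pcr8 "$INITDATA" "<pcr8 value from the reference-values ConfigMap>"
if [ "${1:-}" = "--demo" ]; then
  check_pcr8 "$SAMPLE_INITDATA" "$SAMPLE_REFVAL"
  check_pcr8 "$SAMPLE_INITDATA" "$STALE_REFVAL" || true
fi
```

Run the file with `--demo` to see one matching and one mismatching comparison. Note that the digest is taken over the decompressed initdata byte for byte: piping the base64 text through `echo` (as the fix in this README does) is harmless because `base64 -d` ignores the trailing newline, but hashing the plain initdata with `echo` instead of `printf '%s'` would append a newline and produce a different digest than the one Trustee expects.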
Debug a specific pod:
```bash
# Check why my CoCo pod is stuck
./coco-diagnostics.sh --pod fraud-detection/sealed-fraud-detection
```
Shows pod status, events, container states, and recent logs.
In Claude Code:
```
You: /coco-aro-diagnostics
Claude: I'll help diagnose your CoCo deployment. First, I need to connect to your cluster.
Are you already logged into OpenShift, or should I use credentials?
You: Already logged in
Claude: [Runs systematic diagnostics and provides detailed report with fixes]
```
Symptom: Pod stuck in Init state, Trustee logs show "reference value mismatch"
Fix:
```bash
# 1. Get initdata hash
INITDATA=$(oc get cm peer-pods-cm -n openshift-sandboxed-containers-operator -o jsonpath='{.data.INITDATA}')
HASH=$(echo "$INITDATA" | base64 -d | gunzip | sha384sum | awk '{print $1}')
# 2. Update reference values
REFVAL_CM=$(oc get kbsconfig -n trustee-operator-system -o json | jq -r '.items[0].spec.kbsRvpRefValuesName')
oc edit configmap "$REFVAL_CM" -n trustee-operator-system
# Update pcr8 value with $HASH
# 3. Restart Trustee
oc rollout restart deployment/trustee-deployment -n trustee-operator-system
```

Symptom: Pod logs show "Failed to fetch secret"
Fix:
```bash
# 1. Create secret in Trustee namespace
oc create secret generic my-secret --from-literal=key=value -n trustee-operator-system
# 2. Add to KbsConfig
oc patch kbsconfig trusteeconfig-kbs-config -n trustee-operator-system \
  --type=json -p='[{"op": "add", "path": "/spec/kbsSecretResources/-", "value": "my-secret"}]'
# 3. Restart Trustee
oc rollout restart deployment/trustee-deployment -n trustee-operator-system
```

Symptom: Pod fails to start, Trustee logs show policy violation
Fix:
```bash
# Check and update image policy
oc edit configmap trustee-image-policy -n trustee-operator-system
# Add your registry to allowed list, then restart
oc rollout restart deployment/trustee-deployment -n trustee-operator-system
```

Symptom: oc exec fails even though pod is running
This is expected! Default initdata disables exec for security. Use logs instead:
```bash
oc logs <pod-name> -n <namespace>
```
To enable exec (NOT recommended for production):
- Modify initdata in peer-pods-cm to allow exec
- Recalculate PCR8 and update Trustee reference values
- Restart peer-pods daemonset and Trustee deployment
Understanding the architecture helps with troubleshooting:
```
┌─────────────────────────────────────────────────────────────┐
│ Trusted Environment                                         │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Trustee Operator (trustee-operator-system)              │ │
│ │ - Remote attestation service                            │ │
│ │ - Stores reference values (PCR hashes)                  │ │
│ │ - Stores secrets                                        │ │
│ │ - Validates CoCo pods before releasing secrets          │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
                              ▲
                              │ Attestation
                              │ (HTTPS)
                              ▼
┌─────────────────────────────────────────────────────────────┐
│ Untrusted Environment                                       │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ OSC Operator (openshift-sandboxed-containers-operator)  │ │
│ │ - Manages peer-pod VMs                                  │ │
│ │ - Provides kata-remote runtime                          │ │
│ │ - Contains initdata (measured in PCR8)                  │ │
│ └─────────────────────────────────────────────────────────┘ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ CoCo Pod (runs in separate confidential VM)             │ │
│ │ - Uses kata-remote runtime                              │ │
│ │ - Performs attestation at startup                       │ │
│ │ - Fetches sealed secrets from Trustee                   │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
```
Key Points:
- Trustee (trusted) validates CoCo pods (untrusted) via attestation
- Initdata is measured and becomes PCR8 - if it changes, PCR8 must be updated in Trustee
- CoCo pods run in separate confidential VMs, not on worker nodes
- Sealed secrets are "pointers" that get replaced with real secrets after attestation

Diagnostic workflow:
- Connection - Ensure you can connect to the cluster
- Trustee Health - Check Trustee operator is running and configured
- OSC Health - Check OSC operator and peer-pods are working
- PCR8 Consistency - Verify initdata hash matches Trustee reference values (CRITICAL)
- Pod Specific - If a pod is failing, check its logs and events
- Attestation Flow - Trace the complete attestation process in Trustee logs
This skill is based on the official workshop:
- Workshop site: https://confidential-devhub.github.io/workshop-on-ARO-showroom/
- GitHub repo: https://github.com/confidential-devhub/workshop-on-ARO-showroom
- Theory chapter: Understanding CoCo architecture
- Setup phases: Trustee setup → OSC setup → Application deployment
For issues with this skill:
- Check the workshop documentation first
- Review Trustee and OSC operator logs
- Ensure PCR8 consistency (most common issue)
- Verify initdata configuration
For workshop issues:
- Refer to workshop GitHub issues
- Check Red Hat documentation for Trustee and OSC operators
To extend this skill:
- Add new checks to `coco-diagnostics.sh`
- Update the diagnostic workflow in `coco-aro-diagnostics.md`
- Test against a real ARO cluster with CoCo deployed
- Submit improvements via PR
This skill is provided as-is for helping users debug Confidential Containers deployments on ARO.