Node Selector Value not Set in Kubernetes CR

[dunnderr]

Describe the bug
The default value for the node selector label in the CR:

is set to an empty string. When following the instructions to install confidential containers on a vanilla kubernetes cluster, there is an expectation that we are meant to wait for runtime pods to appear on all nodes marked with the label selector:

spec:
ccNodeSelector:
matchLabels:
node.kubernetes.io/worker: ""

If someone has labeled the nodes with a satisfying criteria that this is set to true, confidential container pods will not be created an the runtime class will not be created. If however, I edit this value using:

kubectl edit -k github.com/confidential-containers/operator/config/samples/ccruntime/default?ref=v0.14.0

spec:
ccNodeSelector:
matchLabels:
node.kubernetes.io/worker: "true"

:wq

pods are created as expected. There is value in not using a null string for the node labels because it allows people to change the label value from true to false if they want to only install confidential containers on some nodes.

To Reproduce
Steps to reproduce the behavior:

1. Follow the instructions to install cc here:
   2. Click on '....'
2. Apply the Custom Resource as shown : kubectl apply -k github.com/confidential-containers/operator/config/samples/ccruntime/default?ref=v0.14.0
3. Execute the watch to wait for pods. Only the controller pod will be observable in the confidential-containers-system namespace. No obvious errors are displayed at the command line.
4. Tail the logs of the controller pod and you will see: 2025-06-05T15:31:56Z ERROR Reconciler error {"controller": "ccruntime", "controllerGroup": "confidentialcontainers.org", "controllerKind": "CcRuntime", "CcRuntime": {"name":"ccruntime-sample"}, "namespace": "", "name": "ccruntime-sample", "reconcileID": "3c5d8bdd-da47-42b5-9dc6-2a9423492c58", "error": "no suitable worker nodes found for runtime installation. Please make sure to label the nodes with labels specified in CcNodeSelector"}
5. If you edit the CR as described above, the installation will continue as expected.

Describe the results you expected
A clear and concise description of what you expected to happen.
If the CR was not able to create successfully, I would have expected a more obvious error at the command line. I think that either the label field should be changed to "true" for the node selector label, or an immediate error should be returned at the command line.
Describe the results you received:
Installation hung and no runtime class was created.

Additional context
Add any other context about the problem here.

[ldoktor]

Hello @dunnderr, if I understand your message correctly, you'd like the default node selector to be node.kubernetes.io/worker=true rather than node.kubernetes.io/worker=?

The node.kubernetes.io/worker= is currently described in documentation and is widely used, there is no need to set the worker to true or false, simply having the tag is enough for kata to pick this node up.

[dunnderr]

Hi @ldoktor,
I understand your answer, but the installation did not work for me with RHEL 8.10. The CR did not create pods due to the errors above. I can see how it would work with a null string, but this also means that we would need to label only those nodes that we want to run CoCo. I think that it would be nice for user to label some nodes with something other than a null string to enable selective CoCo runs on some nodes and other types of runs on other nodes. If I understand your response, the way to do this would be to only label some nodes as workers and not label others. This seems less flexible to me than being able to set them all to true, run a job on an entire worker pool, then set this label to false afterward so that someone else could run an non-CoCo job.

All this said, what I am really looking for is an error to appear that informs the user that the CR apply was not successful. In the documentation, there is a kubectl get pods -n confidential-containers-system --watch method to wait for pods to appear on all the nodes. If the node labels are not correct, then the user will wait forever.

[mythi]

I think that it would be nice for user to label some nodes with something other than a null string to enable selective CoCo runs on some nodes and other types of runs on other nodes.

The use-case makes a lot of sense and I think that's been the idea for this functionality to exist. The cluster may deploy a node labeler (e.g., node-feature-discovery) and CcRuntime would just rely on those. For example, install CoCo on nodes that have "TDX enabled" label.

what I am really looking for is an error to appear that informs the user that the CR apply was not successful.

the operator itself cannot error so I don't think we have any place where to show this. However, operator maintains status for its operands we could document: kubectl get ccruntime ccruntime-sample -o=jsonpath='{.status.installationStatus}'

[dunnderr]

Hi @mythi ,

This sounds like a great thing to document. I think that it will help people triage and debug installs.