Describe the bug
I failed to trigger remote attestation when using confidential containers. I have deployed a Trustee using Docker on my local environment and tried to force the pod to do remote attestation, but the KBS receives nothing from the pod. Here is my config:
```
yj2124@milan2:~/cc_quark_christo$ sudo docker ps
CONTAINER ID   IMAGE                                                               COMMAND                  CREATED       STATUS       PORTS                                           NAMES
77bc3456b2ec   kbs-builtin-as:latest                                               "/usr/local/bin/kbs …"   22 hours ago  Up 4 hours   0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp     trustee-kbs-1
fc6615c15fae   ghcr.io/confidential-containers/coco-keyprovider:latest             "coco_keyprovider --…"   2 days ago    Up 4 hours   0.0.0.0:50000->50000/tcp, [::]:50000->50000/tcp trustee-keyprovider-1
977284dca6ef   ghcr.io/confidential-containers/staged-images/coco-as-grpc:latest   "grpc-as --socket 0.…"   2 days ago    Up 4 hours   50004/tcp                                       trustee-as-1
46dc8ef9c883   ghcr.io/confidential-containers/staged-images/rvps:latest           "rvps --address 0.0.…"   2 days ago    Up 4 hours   0.0.0.0:50003->50003/tcp, [::]:50003->50003/tcp trustee-rvps-1
```
My deployment file:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: confidential-pod-snp
  annotations:
    io.katacontainers.config.hypervisor.kernel_params: "agent.aa_kbc_params=cc_kbc::http://127.0.0.1:8080/"
spec:
  runtimeClassName: kata-qemu-snp
  containers:
    - name: app
      image: docker.io/library/nginx:latest
```
My container config:
```
yj2124@milan2:~/cc_quark_christo$ kubectl describe pod
Name:                confidential-pod-snp
Namespace:           default
Priority:            0
Runtime Class Name:  kata-qemu-snp
Service Account:     default
Node:                milan2/146.179.4.33
Start Time:          Sun, 25 Jan 2026 20:40:05 +0000
Labels:              <none>
Annotations:         io.katacontainers.config.hypervisor.kernel_params: agent.aa_kbc_params=cc_kbc::http://146.179.4.33:8080/
Status:              Running
IP:                  10.244.0.17
IPs:
  IP:  10.244.0.17
Containers:
  app:
    Container ID:   containerd://81fa54e9442b79bd7565e40491b6ce77e4e3c326d4bffc93ac0930264459ba35
    Image:          docker.io/library/nginx:latest
    Image ID:       docker.io/library/nginx@sha256:c881927c4077710ac4b1da63b83aa163937fb47457950c267d92f7e4dedf4aec
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Sun, 25 Jan 2026 20:40:17 +0000
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-5rqp2 (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True
  Initialized                 True
  Ready                       True
  ContainersReady             True
  PodScheduled                True
Volumes:
  kube-api-access-5rqp2:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              katacontainers.io/kata-runtime=true
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  62s   default-scheduler  Successfully assigned default/confidential-pod-snp to milan2
  Normal  Pulling    54s   kubelet            Pulling image "docker.io/library/nginx:latest"
  Normal  Pulled     54s   kubelet            Successfully pulled image "docker.io/library/nginx:latest" in 626ms (626ms including waiting). Image size: 62870438 bytes.
  Normal  Created    53s   kubelet            Created container: app
  Normal  Started    50s   kubelet            Started container app
yj2124@milan2:~/cc_quark_christo$ kubectl logs pod confidential-pod-snp
error: error from server (NotFound): pods "pod" not found in namespace "default"
yj2124@milan2:~/cc_quark_christo$ kubectl logs confidential-pod-snp
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2026/01/25 20:40:16 [notice] 1#1: using the "epoll" event method
2026/01/25 20:40:16 [notice] 1#1: nginx/1.29.4
2026/01/25 20:40:16 [notice] 1#1: built by gcc 14.2.0 (Debian 14.2.0-19)
2026/01/25 20:40:16 [notice] 1#1: OS: Linux 6.16.7
2026/01/25 20:40:16 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2026/01/25 20:40:16 [notice] 1#1: start worker processes
2026/01/25 20:40:16 [notice] 1#1: start wo
```
I tried both the server IP 146.179.4.33 and 127.0.0.1 for the KBS. Neither triggers remote attestation.
How to reproduce
see above
CoCo version information
Latest Trustee and confidential-containers-0.17.1
What TEE are you seeing the problem on
SNP
Failing command and relevant log output
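As an added check that is not part of the issue above and not code from the CoCo or Trustee projects: the `cc_kbc::<url>` value in `agent.aa_kbc_params` is dialled by the attestation client running inside the confidential guest VM, so `http://127.0.0.1:8080/` names the guest's own loopback, not the host where the `trustee-kbs-1` container listens. The script below pulls the URL out of the pod's `io.katacontainers.config.hypervisor.kernel_params` annotation, flags loopback targets, and probes the KBS from the node. The `kubectl`/`curl` invocations, the assumption that any HTTP status on `/` (even 404) proves the KBS is reachable, and IPv4/hostname-only URL handling are my own choices.

```shell
#!/bin/sh
# Added example, not from the issue or the CoCo/Trustee projects.
# Sanity-checks the KBS URL that the kata annotation
#   io.katacontainers.config.hypervisor.kernel_params: "agent.aa_kbc_params=cc_kbc::<url>"
# hands to the guest kernel command line. The URL is used from INSIDE the
# confidential VM, so loopback there is the guest itself, not the host running
# the trustee containers. Assumptions: IPv4 or hostname URLs (bracketed IPv6 is
# not parsed); kubectl and curl are available for the live checks.

# Pull the cc_kbc URL out of a kernel_params string; prints nothing if absent.
kbs_url_from_params() {
    printf '%s\n' "$1" | sed -n 's/.*aa_kbc_params=cc_kbc::\([^ ]*\).*/\1/p'
}

# Host part of an http(s) URL.
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://([^/:]+).*#\1#'
}

# Returns 0 if the URL points at loopback, which the guest cannot use to reach the host.
is_loopback_url() {
    case "$(url_host "$1")" in
        127.*|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: read the annotation off a running pod and probe the KBS from the node.
# curl's %{http_code} is 000 when no connection was made; anything else means
# the KBS (or something on that port) answered.
check_pod_kbs_url() {
    pod=$1
    params=$(kubectl get pod "$pod" \
        -o jsonpath='{.metadata.annotations.io\.katacontainers\.config\.hypervisor\.kernel_params}')
    url=$(kbs_url_from_params "$params")
    if [ -z "$url" ]; then
        echo "no cc_kbc URL in the kernel_params annotation of pod $pod" >&2
        return 2
    fi
    if is_loopback_url "$url"; then
        echo "KBS URL $url is loopback: unreachable from inside the guest VM" >&2
        return 3
    fi
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$url")
    echo "KBS $url answered from the node with HTTP $code"
    [ "$code" != "000" ]
}

# Usage: ./kbs_url_check.sh confidential-pod-snp
if [ -n "$1" ]; then
    check_pod_kbs_url "$1"
fi
```

A non-loopback URL that passes this probe only shows the KBS is reachable from the node; whether the guest network path to it is open still has to be confirmed from the KBS side, for example by watching the `trustee-kbs-1` logs while the pod starts.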