What’s New in OpenShift 4.8 OpenShift Product Management 4

Cluster security Global registry Multicluster management Observability | Discovery | Policy | Compliance | Configuration | Workloads Image management | Security scanning | Geo-replication Mirroring | Image builds Declarative security | Container vulnerability management | Network segmentation | Threat detection and response * Red Hat OpenShift® includes supported runtimes for popular languages/frameworks/databases. Additional capabilities listed are from the Red Hat Application Services and Red Hat Data Services portfolios. • Developer CLI | IDE • Plugins and extensions • CodeReady workspaces • CodeReady containers Developer services Developer productivity • Databases | Cache • Data ingest and prep • Data analytics | AI/ML • Data management & resilience Data services Data-driven insights* • Languages and runtimes • API management • Integration • Messaging • Process automation Application services Build cloud-native apps* • Service mesh | Serverless • Builds | CI/CD pipelines • GitOps • Log management • Cost management Platform services Manage workloads Kubernetes cluster services Install | Over-the-air updates | Networking | Ingress | Storage | Monitoring | Logging | Registry | Authorization | Containers | VMs | Operators | Helm Physical* Linux (container host operating system) Kubernetes (orchestration) Virtual Private cloud Public cloud Edge Red Hat OpenShift Platform Plus

What's new in OpenShift 4.8 INSTALLER FLEXIBILITY NEXT-GEN DEVELOPER TOOLS FEATURE GRADUATION AWS use pre-existing IAM roles AWS use STS tokens Azure use existing resource group Kubernetes 1.21 & CRI-O 1.21 Vertical Pod Autoscaler (GA) Scheduling Profiles (TP) CronJobs (GA) PodDisruptionBudget (GA) IPv6 Single & Dual Stack (GA) OpenShift GitOps (GA) OpenShift Pipelines (GA) OpenShift Serverless functions (TP) OpenShift 4.8

What's new in OpenShift 4.8 Statistics ● 12 weeks (January 11 to April 8) ● 49 enhancements: ○ Stable: 13, Beta: 15, Alpha: 21 ● Contributions from: ○ 999 companies ○ 1279 individuals Major Themes and Features ● CronJobs graduate to stable ● Greater control over Node disruptions ○ Graceful Node Shutdown timer ○ PodDisruptionBudgets graduate to stable ● Required for IPv4/IPv6 dual stack support ● Better pod scheduling primitives ○ Memory Manager (alpha) ○ Storage Capacity (beta) CRI-O 1.21 Kubernetes 1.21 OpenShift 4.8 Blog: https://www.openshift.com/blog/kubernetes-1.21-grows-innovative-new-features 7 Kubernetes 1.21

What's new in OpenShift 4.8 OpenShift Roadmap APP DEV PLATFORM DEV ● OpenShift Builds v2 & Buildpacks GA ● Tekton Hub on OpenShift ● Customizable dashboards ● Unprivileged builds ● Image build cache ● Manual approval in pipelines ● OpenShift Serverless Functions GA ● Global Operators Model & new Operator API ● Operator Maturity increase via SDK ● Azure China & AWS China ● Alibaba, AWS Outposts, Equinix Metal, & Microsoft Hyper-V ● Utilize cgroups v2 ● Enable user namespaces Additional Windows Containers capabilities* ● Gateway API + Contour ● Network Topology and Analysis Tooling ● SmartNIC Integrations ● Network Policy v2 ● BGP Advertised Services (FRR) ● OVN no-overlay option HOSTED ● Application focused developer experience ● Developers can opt-in to Shipwright builds ● Save custom metrics ● Custom perspectives & customizable nav ● Kata containers in Pipelines ● Access to RHEL entitlements in builds ● Cost mgmt integration to Subs Watch, ACM 2022+ ● OpenShift Serverless Kafka Broker ● OpenShift Serverless cold start improvements ● Dynamic Plugins for the OCP Console ● MetalLB Support (L2) ● Azure Stack Hub ● RHEL 8 Server Compute/Infra Nodes ● AWS: Support for China Regions ● ARM Support (Dev Preview) in OCP 4.9 ● Single Node OpenShift ● Custom audit profiles by group ● OpenShift api compatibility level discovery tools ● API for Custom Route Name and Certificates ● SRO manages third party special devices ● Service Mesh on VMs ● Operator metering EOL (4.9) ● Additional Windows Containers capabilities* ● Disable case-sensitivity if user login by a case-insensitive IdP ● Improved Audit logging ● Multi Service-Serving-Certificates for Headless Statefulset ● ROSA AWS Console Integration ● ARO: Deploy from OpenShift Cluster Manager Q4 2021 PLATFORM APP DEV ● OpenShift Builds v2 TP with Buildpacks ● Community source kamelets in console ● Pipelines-as-code (Dev Preview) ● DevSecOps tasks in OpenShift Pipelines ● Export Application (Dev Preview) ● OpenShift Serverless mTLS using Service Mesh ● Application delivery dashboard in Dev Console ● Certified Helm Charts in Developer Catalog ● Operator SDK for Java (Tech Preview) ● OVN as default networking plugin ● Edge: Single node lightweight Kube cluster ● Azure: BYO Disk Encryption Keys ● Multi-Instance-GPU support ● SmartNIC support for perf., OVS hardware offload ● ACM scale to 2000 single node clusters ● CoreOS dynamic first boot images for fast scaling ● Windows with containerd and bring your own hosts ● Subject claim URI scheme for OIDC IdPs ● FIPS compliance for Kata Containers ● Service Mesh federation ● NetFlow/sFlow/IPFIX collector ● Cert-manager operator ● OpenId use claim as groups ● Suspend / Resume for managed clusters ● Support for OVN SDN ● AWS bring your own keys for storage encryption ● Shared VPC support for AWS ● AWS Spot instances Q3 2021 HOS PLATFORM APP

What's new in OpenShift 4.8 9 This Month! Red Hat offers utilities as well as migration service offerings focused on the migration from OpenShift 3 to OpenShift 4. https://www.openshift.com/learn/topics/migration Should you be in a migration from OpenShift 3 to OpenShift 4 and wish to purchase maintenance support until June, 2023 (default is June, 2022) please contract Red Hat. OpenShift 3 Public Life Cycle: https://access.redhat.com/support/policy/updates/openshift_noncurrent OpenShift 3.11 to OpenShift 4 PM: Mike Barrett

OpenShift 4.8 Spotlight Features 10

What's new in OpenShift 4.8 ● OpenShift Pipelines 1.5 GA on OCP 4.8 ● Auto-pruning PipelineRuns and TaskRuns ● Pipeline as code with GitHub (Dev Preview) ○ Event filtering ○ Task resolution ○ Trigger on approved users and groups ○ Pull-request commands ○ GitHub Checks API ○ GitHub and GitHub Enterprise ● Ability to customize default ClusterTasks and Pipeline templates ● Numerous enhancements in Dev Console OpenShift Pipelines PM: Siamak Sadeghianfar

What's new in OpenShift 4.8 OpenShift GitOps PM: Siamak Sadeghianfar ● OpenShift GitOps 1.2 GA on OCP 4.8 ● Argo CD auth integrated out-of-the-box with OpenShift via RH SSO ● Simplified Argo CD privilege configuration ● Enhanced environments view in Dev Console ● RHACM and Argo CD integrations ○ RHACM imports clusters to Argo CD’s ○ Argo CD application roll-up in RHACM ○ Argo CD application in RHACM Topology

What's new in OpenShift 4.8 PM: Adel Zaalouk OpenShift sandboxed containers apiVersion: kataconfiguration.openshift.io/v1 kind: KataConfig metadata: name: example-kataconfig spec: kataConfigPoolSelector: matchLabels: node-label-kata: test apiVersion: node.k8s.io/v2 kind: RuntimeClass metadata: name: my-kata-class Handler: kata apiVersion: v1 kind: Pod metadata: name: mypod spec: runtimeClassName: kata Installs and Life Cycles Kata Binaries (e.g., Kata 2.0) as an OS Extension Configures CRI-O runtime handlers + optimizations for Kata as a runtime Adds / Creates RuntimeClass for Kata + Scheduling Installs and Lifecycles QEMU as an OS Extension Exposes CRD (KataConfig) to manage configuration for Day 1 and Day2 tasks Availability in RH Operators Catalog / OperatorHub and enabled from console / CLI Cluster Admin Developer The Operator Kata Containers as as Service (Operator machinery) Usage Manual Admin creates KataConfig (optionally selects nodes that will have the Kata runtime enabled) Operator automagically enables Kata on the nodes and creates the RuntimeClass Developers defines the RuntimeClass at the Deployment / Pod level to use Kata ? Default Use-cases Normal Apps 1st Party Code When / Where Re-hosting Lift & Shift No existing image Re-architecting OCI Compliant Runtime Kernel Isolation 3rd Party / Untrusted Code Normal Containers OpenShift Virtualization OpenShift sandboxed containers

What's new in OpenShift 4.8 OpenShift Serverless functions Tech Preview 14 Create Build New Knative Service on the Cluster Source code Build Packs Knative CLI + Func Plugin Knative CLI + Func Plugin Java Node.js Go Deploy Cluster Container Registry Knative CLI + Func Plugin Create, Build, and Deploy Applications Quickly OpenShift Serverless Functions allows users to consume events via functions based APIs and provide a simplified programming model for developers and data scientists alike. ▸ Simplified deployments ▸ Reduced programming complexity ▸ Secure, consistent programming models ▸ Quarkus, Node.js, Python, Go and Spring Boot. ▸ Kafka Event source for Event driven Serverless apps PM: Naina Singh

What's new in OpenShift 4.8 IPv6 Single / Dual Stack Support PM: Marc Curry, Deepthi Dharwar ● IPv6 single/dual stack is supported in OpenShift 4.8 (k8s 1.21) with OVN. ● Single Stack ○ Either an IPv4 or IPv6 address is assigned to the pod interface ● Dual Stack ○ Both IPv4 and IPv6 addresses assigned to the interface ● Simple install-time configuration ○ Modify “install-config.yaml” to specify IPv6 subnets in addition to IPv4. ● Post-install configuration: ○ Edit “network.config.openshift.io ” config to add secondary “(machine|cluster|service)Network ” values, and they will get rolled out correctly. ● Restrictions / Caveats / Notes ○ OVN only, no plans to support in openshift-sdn ○ Supported platform at GA: Bare Metal IPI (other platforms TBD) pod eth0 192.168.12.3 2001:db8:0:12 IPv4 IPv6 IPv4 Host IPv6 Host

What's new in OpenShift 4.8 API Graduations to GA PM: Gaurav Singh ● VerticalPodAutoscaler ○ Vertical Pod Autoscaling (VPA in short) provides an automatic way to set Container’s resource requests and limits. ○ It uses historic CPU and memory usage data to fine-tune ○ Prevents under and over utilization of resources ● CronJob ○ CronJobs are useful for creating periodic and recurring tasks, like running backups ○ CronJobs can also schedule individual tasks for a specific time ○ Cron is setup using time zone of master node ● PodDisruptionBudget ○ Avoid application outage by using PodDisruptionBudgets ○ A PDB limits the number of Pods of a replicated application that are down simultaneously from voluntary disruptions ○ Whenever a disruption to the pods in a service is calculated to cause the service to drop below the budget, the operation is paused until it can maintain the budget.

What's new in OpenShift 4.8 Vertical Pod Autoscaling (GA) PM: Gaurav Singh Description ● Recommends values for CPU and memory requests based on historical trends Things to remember ● VPA required pod eviction for applying recommended resource setting ● Default set to minimum of 2 pod deployment but can be configured to 1 pod Modes ● Off : Recommendation mode ● Initial : Assigns resource requests on pod creation and never changes them later. ● Recreate : Applies recommended changes to the pod by evicting them when the requested resources differ significantly ● Auto : Same as recreate .

Console 18

What's new in OpenShift 4.8 Console routes supports custom & wildcard certificates PM: Ali Mobrem New Day 2 Operations ● Single point of configuration for custom domains and certificates ● Implemented to use the new ingress route configuration API ○ Console ○ Downloads (CLI) ○ Auth For security reasons many customers do not allow wildcard certs in production environments apiVersion: config.openshift.io/v1 kind: Ingress metadata: name: cluster spec: componentRoutes: - name: console namespace: openshift-console hostname: servingCertKeyPairSecret: name:

What's new in OpenShift 4.8 Easy import for App artifacts PM: Ali Mobrem & Serena Chechiile Nichols Import Multi-doc YAML Drag and drop feature to upload local fat JARs

What's new in OpenShift 4.8 Expanded UI for Serverless PM: Serena Chechile Nichols ● Make Serverless ● Cloud Functions in Topology ● Enhanced Scaling options for Knative Services ○ Concurrency utilization ○ Autoscale window

What's new in OpenShift 4.8 Improved onboarding & Quick Start features OpenShift Quick Starts now provide support for both a copy and execute feature. The execute feature provides an ability for the user to execute the CLI in our Command line terminal. The Web Terminal Operator is required for execute. Format to enable copy `https://github.com/sclorg/ru by-ex.git`{{copy}} Format to enable copy & execute `oc new-app ruby~https://github.com/sclor g/ruby-ex.git`{{execute}}` PM: Serena Chechile Nichols Quick Starts now support copy & execute New Getting Started card for Admins & Devs

What's new in OpenShift 4.8 More ways to customize the Developer Experience PM: Serena Chechile Nichols Modify the available roles in the Project Access flow Hide individual features from the Add page spec: customization: projectAccess: availableClusterRoles: - admin - edit - view - registry-admin spec: customization: addPage: disabledActions: - import-from-dockerfile

What's new in OpenShift 4.8 Certified Helm Charts PM Console: Serena Chechile Nichols, Helm: Stevan Le Meur ● Certified Helm Charts from partners are now available ● A badge indicates the Chart is Certified Link to Helm Certification program announcement

Installer Flexibility 25

What's new in OpenShift 4.8 4.8 Supported Providers Generally Available Full Stack Automation (IPI) Pre-existing Infrastructure (UPI) Bare Metal Product Manager(s): Marcos Entenza (AWS, Azure, GCP), Maria Bracho (VMware), Peter Lauterbach (RHV & OCP Virtualization), Anita Tragler (OSP), Ramon Acedo Rodriguez (BM), & Duncan Hardie (IBM Z & Power) IBM Power Systems Bare Metal

What's new in OpenShift 4.8 Install OpenShift to an existing Azure Resource Group Limit permissions to a Resource Group ● Allows an OpenShift cluster to be deployed to an existing Azure Resource Group with the installer-provisioned infrastructure deployment method ● Configured using the `platform.azure.resourceGroupName` field in the install-config.yaml file. ● Resource Group must be empty and dedicated for use by a single OpenShift cluster ○ Cluster assumes ownership of all resources in the resource group ● If you limit the service principal scope of the installation program to this resource group (and not the subscription), you must ensure the proper permissions are provided to all other resources needed for cluster installation such as the public DNS zone and virtual network (VNet) ● Destroying the cluster deletes the user-defined Resource Group Generally Available PM: Marcos Entenza apiVersion: v1 baseDomain: example.com controlPlane: hyperthreading: Enabled name: master platform: azure: osDisk: diskSizeGB: 1024 type: Standard_D8s_v3 replicas: 3 compute: - hyperthreading: Enabled name: worker platform: azure: type: Standard_D2s_v3 osDisk: diskSizeGB: 512 zones: - "1" - "2" - "3" replicas: 5 metadata: name: test-cluster networking: clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 machineNetwork: - cidr: 10.0.0.0/16 networkType: OpenShiftSDN serviceNetwork: - 172.30.0.0/16 platform: azure: baseDomainResourceGroupName: resource_group region: centralus resourceGroupName: existing_resource_group networkResourceGroupName: network_resource_group outboundType: Loadbalancer cloudName: AzurePublicCloud pullSecret: '{"auths": ...}' fips: false sshKey: ssh-ed25519 AAAA...

What's new in OpenShift 4.8 Use pre-existing Route 53 hosted private zones with shared VPC Leverage pre-existing private zones with shared VPC environments ● Adds support to specify an existing Route 53 private hosted zone in cases where OpenShift is being deployed to a shared VPC ● Configured using the `platform.aws.hostedZone` field in the install-config.yaml file ● For situations where the VPC is owned by a different account than the private hosted zone ○ Account A: Route 53 hosted private zone ○ Account B: VPC/subnets that has been shared with Account A ● You can only use a pre-existing hosted private zone when also providing your own VPC (subnets), and the hosted zone must be associated with the shared VPC ● https://aws.amazon.com/premiumsupport/knowledge-center/priv ate-hosted-zone-different-account/ ● Backported to 4.7.12+ Generally Available % ./openshift-install explain installconfig.platform.aws.hostedZone KIND: InstallConfig VERSION: v1 RESOURCE: HostedZone is the ID of an existing hosted zone into which to add DNS records for the cluster's internal API. An existing hosted zone can only be used when also using existing subnets. The hosted zone must be associated with the VPC containing the subnets. Leave the hosted zone unset to have the installer create the hosted zone on your behalf. % ./openshift-install create install-config --dir katherine ; cat katherine/install-config,yaml apiVersion: v1 baseDomain: devcluster.openshift.com compute: - architecture: amd64 hyperthreading: Enabled name: worker replicas: 3 controlPlane: architecture: amd64 hyperthreading: Enabled name: master replicas: 3 metadata: creationTimestamp: null name: katherine networking: clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 machineNetwork: - cidr: 10.0.0.0/16 networkType: OpenShiftSDN serviceNetwork: - 172.30.0.0/16 platform: aws: region: us-east-2 hostedZone: Z044446215ZXNECV7BLQF subnets: - subnet-1 PM: Marcos Entenza

What's new in OpenShift 4.8 Use pre-existing instance IAM roles on AWS Define instance IAM roles for VM instances ● Leverage pre-existing Amazon Web Services (AWS) IAM role for your VM instance profiles ● Configured in the install-config.yaml using the `compute.platform.aws.iamRole` and `controlPlane.platform.aws.iamRole` fields ○ Note: The bootstrap instance shares the control plane role ● Documented list of permissions remains the same, but allows for unique naming schemes and predefined permissions boundaries to be included for your IAM roles for clusters installed on AWS ● Backported to 4.7.10+ Generally Available % ./openshift-install explain installconfig.controlPlane.platform.aws.iamRole KIND: InstallConfig VERSION: v1 RESOURCE: IAMRole is the name of the IAM Role to use for the instance profile of the machine. Leave unset to have the installer create the IAM Role on your behalf. % ./openshift-install explain installconfig.compute.platform.aws.iamRole KIND: InstallConfig VERSION: v1 RESOURCE: IAMRole is the name of the IAM Role to use for the instance profile of the machine. Leave unset to have the installer create the IAM Role on your behalf. % ./openshift-install create install-config --dir katherine ; cat katherine/install-config,yaml apiVersion: v1 baseDomain: devcluster.openshift.com compute: - architecture: amd64 hyperthreading: Enabled name: worker platform: aws: iamRole: katherine-gk26f-worker-role replicas: 3 controlPlane: architecture: amd64 hyperthreading: Enabled name: master platform: aws: iamRole: katherine-gk26f-master-role replicas: 3 metadata: creationTimestamp: null name: katherine networking: clusterNetwork: - cidr: 10.128.0.0/14 PM: Marcos Entenza

What's new in OpenShift 4.7 AWS Security Token Service The AWS Security Token Service (STS) enables an authentication flow allowing a client to assume an IAM Role resulting in short-lived credentials. OCP 4.8 - GA ● Support for AWS STS natively with OCP on AWS Installer ● Tooling to automate the pre-installation configuration ● Documentation ● New deployments only OCP 4.9 + ● Automate the upgrade path ● Migration in-place to AWS STS support from manual credentials to STS $ oc get secrets -n kube-system aws-creds Error from server (NotFound): secrets "aws-creds" not found $ oc get secrets -n openshift-image-registry installer-cloud-credentials -o json | jq -r .data.credentials | base64 -d [default] role_arn = arn:aws:iam::125931421481:role/image-registry-role web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token ● No “root” AWS secret ● Components are assuming the IAM Role specified in the Secret manifests (instead of creds minted by the cloud-credential-operator) PM: Maria Bracho

What's new in OpenShift 4.8 PM: Tushar Katarki 32 Update manager for your clusters in restricted networks ● OpenShift Update Service (OSUS) is the on-premise release of Red Hat’s hosted update service ● Supports the publishing of upgrade graph information to clusters in restricted networks ● Provides clusters with a list of next recommended update versions based on the current version installed on the cluster ● Comprised of two services: ○ Graph Builder: Fetches OpenShift release payload information (primary metadata) from any container registry (compatible with Docker registry V2 API) and builds a directed acyclic graph (DAG) representing valid upgrade edges ○ Policy Engine: Responsible for selectively serving updates to every cluster by altering a client’s view of the graph with a set of filters Local Container Registry in Restricted Network OpenShift Update Service Graph Builder Policy Engine OpenShift Cluster in Restricted Network Cluster Version Operator (CVO) Scrape Release Images from Registry Read graph data (secondary metadata) Edge Add/Remove Cluster Version Operator (CVO) OpenShift Cluster in Restricted Network OpenShift Update Service

What's new in OpenShift 4.8 Bare Metal IPI workflow can enable UEFI Secure Boot hosts: - name: openshift-master-0 role: master bmc: address: redfish:// username: password: bootMACAddress: rootDeviceHints: deviceName: "/dev/sda" bootMode: UEFISecureBoot Easily protect your bare metal nodes against malicious code being loaded and executed early in the boot process. Simply ask the OpenShift installer to enable Secure Boot in your nodes PM: Ramon Acedo Rodriguez 33

What's new in OpenShift 4.8 Schedule pods based on bare metal hardware attributes $ oc get pods -n openshift-nfd NAME READY STATUS RESTARTS AGE nfd-master-25xc2 1/1 Running 0 10s nfd-master-2z2cl 1/1 Running 0 10s nfd-master-t97rh 1/1 Running 0 10s nfd-operator-bb595bc6c-drvmr 0/1 Running 0 17s nfd-worker-5h2r2 1/1 Running 0 10s nfd-worker-jfr4k 1/1 Running 0 10s $ oc describe nodes/worker-1 | grep pstate feature.node.kubernetes.io/cpu-pstate.status=active feature.node.kubernetes.io/cpu-pstate.turbo=true $ oc describe nodes/master-0 | grep pstate Do you need to know hardware attributes to decide where to run your pods? New hardware attributes in the Node-Feature-Discovery operator commonly required by various edge cloud deployment types for real time or maximum performance worker-1 has CPU P-State active and master-0 doesn’t NFD is installed apiVersion: v1 kind: Pod metadata: name: feature-dependent-pod spec: containers: - image: k8s.gcr.io/pause name: pause nodeSelector: # Select a valid feature feature.node.kubernetes.io/cpu-pstate.status: 'active' Pods can request hardware with P-State active PM: Ramon Acedo Rodriguez 34

What's new in OpenShift 4.8 Add new nodes to bare metal clusters via PXE-booting apiVersion: metal3.io/v1alpha1 kind: Provisioning metadata: name: enable-provisioning-nw spec: description: Enables a provisioning network. Properties: provisioningNetwork:Managed provisioningOSDownloadURL:http:///rhcos.qcow2.gz ?sha256=323e7ba4ba3448e340946543c963823136e1367ed0b229d2 provisioningIP: 192.168.0.10 provisioningNetworkCIDR: 192.168.0.1/24 provisioningDHCPRange: 192.168.0.64, 192.168.0.253 provisioningInterface: eno2 watchAllNameSpaces: false If you provisioned your bare metal cluster using Virtual Media or the Assisted Installer and you need to add new nodes via PXE booting now, the Cluster Bare Metal Operator will enable everything you need: a provisioning network and a DHCP/TFTP environment with the Red Hat CoreOS image PM: Ramon Acedo Rodriguez 35 Worker Nodes Master Nodes Provisioning bridge eno2 Provisioning network

Zero Touch Provisioning PM: Moran Goldboim ● Integrates and leverages existing technology stack - RHACM/Hive/Metal3/Assisted Installer ● Minimal prerequisites- Enables untrained technician installation flow (Barcode scan to trigger install). ● Highly customized deployment - Fits Connected/Disconnected, IPv4/IPv6, DHCP/Static, UPI/IPI deployment topologies ● Edge focused - no additional bootstrap node or external services needed for deployment. ● GitOps enabled - managed with kube-native declarative API Aimed at regional distributed on-prem deployment. Enabling customer’s automated path from uninstalled infrastructure to application running on an OpenShift cluster. Site Plan Manifests in Git Existing Infrastructure (Regional Data Center) ZTP Deployed Infrastructure Site 1 - DU Site 2 - DU Site 3 - DU S W W W Tech-Preview in Advanced Cluster Management 2.3

What's new in OpenShift 4.8 Zero Touch Provisioning - Ingredients PM: Moran Goldboim Using Kubernetes CRs/GitOps practices to manage infrastructure Standardize Clusters Config At Scale Utilizing GitOps and RHACM policies or ArgoCD integration to provide configuration as code. Infrastructure Provisioning Cluster Configuration Put applications anywhere RHACM App-Subs functions for automated application lifecycle Application Rollout Central provisioning of OpenShift Clusters Infrastructure As Code Configuration As Code Application Placement As Code

Control Plane Updates 39

What's new in OpenShift 4.8 ● Single Service-Serving-Certificates for Headless Statefulset ○ Provide automatic certificate generation and rotation for direct pod-to-pod communication similar to the service-serving-certificates operator. ○ Generate a service serving certificate for headless services now includes a wildcard subject in the format of *...svc. This allows for TLS-protected connections to individual stateful set pods without having to manually generate certificates for these pods. ● Support subject claim URI scheme of the OpenID Connect IdPs ○ Problem: Users of OIDC systems are unable to log in to OpenShift in case when the OIDC IdPs use `sub` claims adhering to the URI scheme ○ Why this is important: The oauth-server rejects logins from users of OIDC IdPs that are quite popular, even though these follow the RFC requirements for the `sub` claim that the oauth-server finds problematic. ○ Now in 4.8, users of identity providers that use URI scheme (which should be possible given the RFC: https://tools.ietf.org/html/rfc7519#section-4.1.2) in their `sub` claims will be able to log in to OpenShift Control Plane Updates PM: Anand Chandramohan

What's new in OpenShift 4.6 The Default audit log policy now logs request bodies for OAuth access token creation (login) and deletion (logout) requests. Previously, deletion request bodies were not logged. Background on Node Audit log policy (introduced in OpenShift 4.6) Control the amount of information that is logged to the node audit logs by choosing the audit log policy profile to use. ● Default: Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. This is the default policy. ● WriteRequestBodies: In addition to logging metadata for all requests, logs request bodies for every write request to the API servers (create, update, patch). This profile has more resource overhead than the Default profile. ● AllRequestBodies: In addition to logging metadata for all requests, logs request bodies for every read and write request to the API servers (get, list, create, update, patch). This profile has the most resource overhead. apiVersion: config.openshift.io/v1 kind: APIServer metadata: ... spec: audit: profile: WriteRequestBodies Improved customization of Audit Config 41 PM: Anand Chandramohan

What's new in OpenShift 4.6 Alerts and information on APIs in use that will be removed in the next release OpenShift Container Platform 4.8 introduces two new alerts that fire when an API that will be removed in the next release is in use: ● APIRemovedInNextReleaseInUse - for APIs that will be removed in the next OpenShift Container Platform release. ● APIRemovedInNextEUSReleaseInUse - for APIs that will be removed in the next OpenShift Container Platform Extended Update Support (EUS) release. You can use the new APIRequestCount API to track what is using the deprecated APIs. This allows you to plan whether any actions are required in order to upgrade to the next release. $ oc get apirequestcount 42 PM: Anand Chandramohan NAME REMOVEDINRELEASE REQUESTSINCURRENTHOUR REQUESTSINLAST24H alertmanagerconfigs.v1alpha1. monitoring.coreos.com 19 21 alertmanagers.v1.monitoring.c oreos.com 64 64 ingresses.v1beta1.extensions 1.22 22 26

What's new in OpenShift 4.8 Cluster Infrastructure - Use Enhancements PM: Duncan Hardie ● User defined tags for AWS, useful for ○ Cost allocation ○ Automation ○ Operations support ○ Security risk management ● Support for Azure DiskEncryptionSets ○ Safeguard your data ○ Meet organizational security and compliance requirements ● vSphere autoscaling from zero ○ Save on resources when you don’t need them ○ Catch up with other cloud providers

Networking & Routing 44

What's new in OpenShift 4.8 Ingress / Egress Enhancements PM: Marc Curry, Deepthi Dharwar HAProxy upgrade to 2.2 LTS: ● Performance ● Security hardening ● Health checks ● Observability, debugging and syslog over TCP ● SSL/TLS capabilities ○ 2048 bit ○ Dynamic SSL certificate storage HAProxy Customization Enhancements: ● Supported HAProxy configuration parameters ○ ROUTER_USE_PROXY_PROTOCOL ○ ROUTER_BACKEND_PROCESS_ENDPOINTS ○ tune.maxrewrite [default = 8192 ] ○ tune.bufsize [ default = 32768] ● Customizable number of router threads (nbthread) Ingress Router (HAProxy) IP Failover support (keepalived) for OpenShift HA. Gateway API Developer Preview ● Ingress unifying technology ● Support for Contour as primary Ingress Controller for Gateway API traffic along with HAproxy ● Improved integration with Envoy / Service Mesh Global Access option for GCP Ingress Internal LB to facilitate communication across cross-region shared VPC deployments. EgressIP load-balancing enhancement for OpenShiftSDN to spread traffic across cluster nodes ● Removed single node “choke point” ● OVN enhancement in a future version Ingress / Egress Updates

What's new in OpenShift 4.8 General Networking Enhancements PM: Marc Curry, Deepthi Dharwar Network Observability ● Flows Tracking and Monitoring for Network Analytics ● Added NetFlow/sFlow/IPFIX collector to ovn-kubernetes ● A supported way to monitor and analyze flow traffic: ○ Monitor traffic in and out the cluster ○ Troubleshoot performance issues ○ Capacity planning ○ Security audits ● Support for enabling audit logging of Network Policy Events for regulatory and security policy compliance. Network Observability SR-IOV NIC Support Enhancements ● Mellanox MT28800 Family CX-5 Ex ● Intel Columbiaville E810 ● HPE Ethernet 10Gb 2-port 562SFP+ Adaptor Hardware Enablement CoreDNS ● Update to v1.8.z ● Control openshift-dns Pod Placement DNS OpenShift SDN to OVN Kubernetes CNI migration ● Support for all platforms ● IPI and now UPI ● Rollback capability ● Reboot required of all nodes Migration Audit Logging of Network Policy Events ● Optionally audit Network Policy events (accept / deny) ● Present to built-in logging stack and custom Kibana dashboards ● IDS or post-mortem analysis Security

Specialized Workloads 47

What's new in OpenShift 4.8 container-m 48 CoreOS host (kubelet, cri-o, ...) br-ex Min/Max Ingress/Egress Min/Max Egress PF VFn VF0 VF1 container-0 etho net1 net0 NIC sharing and guaranteed bandwidth Leverage OVS QoS capabilities to effectively share NICs between: ● worker host networking (kubelet, cri-o, ...) ● Default CNI (OVN) ● Multus secondary interfaces PM: Franck Baudin

What's new in OpenShift 4.8 49 49 Problem statement: ● Performance Add On (PAO) configuration is complex ● One PAO profile per type of worker node hardware is necessary (grouped under one MCP) Solution: collect must-gather and run-performance-profile-creator.sh --disable-ht Disable Hyperthreading --mcp-name string MCP name corresponding to the target machines ( required) --power-consumption-mode string The power consumption mode. [Values: default, low-latency, ultra-low-latency] (default "default") --profile-name string Name of the performance profile to be created (default "performance") --reserved-cpu-count int Number of reserved CPUs ( required) --rt-kernel Enable Real Time Kernel ( required) (default true) --split-reserved-cpus-across-numa Split the Reserved CPUs across NUMA nodes --topology-manager-policy string Kubelet Topology Manager Policy of the performance profile to be created [...] PM: Franck Baudin Upstream demo and documentation Performance Profile Creator

OpenShift Virtualization PM: Peter Lauterbach Enhanced storage capabilities ● Instant storage cloning golden-image VMs across projects ● Improved VM provisioning with storage profiles automating the best storage type and access mode. Handle compute intensive workloads ● Accelerate compute intensive AI/ML and rendering workloads with GPU support Easier operations ● Better observability for memory, network, and storage ● Live Migration for VMs with SR-IOV Learn more at Red Hat Summit ● Lockheed Martin Takes Flight with Amazing Superpowers VMs + Dev Pipelines + GitOps ● Ask the experts about OpenShift Virtualization Expertise from Eng, Tech Marketing, Product Management Modernized workloads, support mixed applications with VMs, containers, and serverless 50

What's new in OpenShift 4.8 VM Migration GA PM: Miguel Pérez Colino Migration Toolkit for Virtualization 2.0 GA ● Easy to use UI ● Mass migration of VMs from VMware to OpenShift ● VM data pre-copied before shutdown (Warm Migration) ● VM validation service (Tech Preview) ○ Run checks on VM configuration to avoid migration issues ● Parallelized VM conversion ○ Maximize throughput ● Migration Network Selection ○ Avoid impact on other running workloads

What's new in OpenShift 4.8 Red Hat OpenShift Container Platform NVIDIA Multi-instance GPU (MIG) PM: Erwan Gallen ● Optimize GPU utilization and cost ● Supported with GPU Operator 1.7+ and OCP 4.6/4.7/4.8 ● Supported by the NVIDIA A30 and NVIDIA A100 GPU accelerators. ● MIG partitions a single NVIDIA A100 GPU into up to seven independent GPU instances with guaranteed Quality of Service. ● MIG speeds up both development and deployment of AI models ● Small GPU instances are good for Notebooks and biggest instances for training ● Advertisement strategy: single (homogeneous) or mixed (heterogeneous, diagram example) GPU GPU mem GPU GPU mem GPU GPU mem GPU GPU mem GPU GPU mem GPU GPU mem GPU GPU mem 1 2 3 4 5 6 7 Bare metal server MIG enablement with OpenShift ... MIG Device name Maximum Number of GPU instances Fraction of Streaming Multiprocessor Fraction of memory Target workload 1g.5gb 7 1/7 1/8 = 5GB Jupyter Notebooks, development, Model Tuning, Inference, Light HPC 2g.10gb 3 2/7 2/8 = 10 GB Inference, Light HPC 3g.20gb 2 3/7 4/8= 20 GB Light Training, Inference, HPC 7g.40gb 1 7/7 8/8 = 40 GB Training HPC 1g.5gb 2g.10gb Profiles example for the A100-40GB 1g.5gb 1g.5gb 1g.5gb 1g.5gb Pods with GPUs Red Hat OpenShift Container Platform

Quay 53

What's new in OpenShift 4.8 Bootstrap registry for disconnected clusters Solving the chicken-egg problem for mirroring OCP content PM: Daniel Messer $ quay-install --all-in-one Production/Infra Cluster OCP Payload OperatorHub Online Mirror Samples + + + ▸ We prefer customers to run Quay on top of OCP ▸ But: disconnected clusters need a registry to store OCP release images and Operators before deployment ▸ Solution: a quick install variant of Quay helping customers to get a mirror registry up and running quickly, mirroring is carried out via oc ▸ Local all-in-one Quay instance on RHEL provided at no additional cost* as part of every OCP subscription ▸ Released after 4.8 GA, supported on RHEL 8, downloadable as a binary from OCP mirror * restricted to the use case of OpenShift payload mirroring, not general purpose container image storage Air-gapped Mirror OCP Payload OperatorHub Samples + + + Air gap or

What's new in OpenShift 4.8 Nested repository support Simplifying mass-mirroring and organization of registry content PM: Daniel Messer ▸ Audience: Quay user / OpenShift administrator ▸ Use Cases: ･ Mirror content of multiple upstream registries into a single Quay* organization ･ Organize images into “subfolders” inside a single Quay organization ▸ Benefit: Eases skopeo mass mirroring, OpenShift Operator catalog mirroring ▸ Caveat: no hierarchical permission management Regular container image reference: quay.local/organization/repository:tag Nested container image references: quay.local/organization/collection/repository:tag quay.local/organization/folder/v1/repository:tag quay.local/ocp/v4/redhat-pipelines/operator:v4.9 quay.local/ocp/v4/redhat-pipelines/tekton:v4.9 * available in Quay 3.6 past OCP 4.8 GA, quay.io will get this towards the end of 2021

RHEL CoreOS 56

What's new in OpenShift 4.8 RHCOS 4.8 PM: Mark Russell RHCOS 4.8 - RHEL 8.4 kernel and user space - Butane (formerly Fedora CoreOS Config Transpiler, FCCT) translates human readable Butane Configs into more complex machineconfigs and ignition configs. It also helps catch machineconfig spec errors. variant: openshift version: 4.8.0 metadata: name: create-etc-sample labels: machineconfiguration.openshift.io/role: - worker storage: files: - path: /etc/sampleconf.d/99-mysetting contents: inline: | key=pair genre=experimental BUTANE FEATURES ● Simpler inlining of config files (see left) ● Consolidated workflow for complex storage scenarios (LUKS TPM, LUKS Tang, boot mirroring) ● Ability to import directory trees of files

Storage 58

What's new in OpenShift 4.8 OpenShift Storage - Journey to CSI PM: Duncan Hardie ● CSI Migration - allow easy move from using existing intree drivers to new CSI drivers ○ OpenStack Cinder (Tech Preview) ○ AWS EBS (Tech Preview) ● CSI Operators - plugable, better upgrade, more functionality ○ GCE Disk (GA) ○ Azure Disk (Tech Preview) ○ vSphere (Tech preview) ● Other ○ AWS Storage user defined tags CSI Operators Operator target Migration Driver OpenStack Cinder Tech Preview Tech Preview AWS EBS Tech Preview Tech Preview GCE Disk - GA Azure Disk - Tech Preview vSphere - Tech preview Remember support for all of the above currently available via intree drivers

What's new in OpenShift 4.8 OpenShift Data Foundation PM: Eran Tamir ● Data protection ○ Metro-DR Stretch (2 DC) ○ Regional DR (Dev Preview) ○ Cluster wide encryption and PV encryption ● Compact mode ● Flexibility in components deployment ● Multus support ● Free MCG for Quay ● Data Segregation per hosts group (Dev Preview) Out of the box support Block, File, Object Platforms AWS/Azure Google Cloud (Tech Preview) ARO - Self managed OCS IBM ROKS & Satellite - Managed OCS (Tech preview) RHV OSP (Tech Preview) Bare metal/IBM Z/Power VMWare Thin/Thick IPI/UPI Deployment modes Disconnected environment and Proxied environments

Multi-Architecture 61

What's new in OpenShift 4.8 Multi-Architecture PM: Duncan Hardie ● OpenShift Core (CVO Operators) ● UPI installer ● OVS/OVN (networking) ● RHEL7 Based container support ● RHEL CoreOS (host nodes) ● Ansible Engine ● Red Hat Software Collections ● AdoptOpenJDK with OpenJ9 ● Single Sign-On Supported ● OpenShift Cluster Monitoring (Prometheus, Grafana) ● Node Tuning Operator ● OpenShift Jenkins ● OpenShift Logging (elasticSearch, kibana) ● Machine Configuration Operator (used in IPI installs) ● Node Feature Discovery Operator ● Red Hat Runtimes ● Odo ● CodeReady Workspaces ● OpenShift Container Storage Extra content ported ● IBM Power and IBM Z Features ○ Cluster log forwarding - choose other log aggregators ○ Converged 3-node cluster - make more use of control plane (important for Z) ○ Encryption of data store for etcd - best security practice ● New for IBM Z only ○ 4K FCP Disk Support - finish off the choice of storage you can use ● New for IBM Power only ○ Multus Plugins (SR-IOV) - present multiple devices and gain more performance

Advanced Cluster Security 63

What's new in OpenShift 4.8 Designed for OpenShift Security PM: Jamie Scott Increasing the credibility of your security program as a Red Hat Certified Vulnerability Scanner ● Reduce program costs by reducing false positives improving fix data quality and applying the appropriate severity for Red Hat packages Improving visibility into industry standard OpenShift security configurations for security and compliance ● Measure and report on compliance status across your clusters ● Report on opportunities to improve security posture Aligning with the OpenShift experience ● Accelerate operationalization of security use cases with a new operator ● Create a consistent user interface experience 3 week release cycles accelerate time to customer value

Advanced Cluster Management 65

What's new in OpenShift 4.8 Red Hat Advanced Cluster Management for Kubernetes Enhanced Multi-Cluster Deployments ● UI Refresh. Inline with OCP UI look and feel ● Import and manage Red Hat OpenShift on Amazon (ROSA) & OpenShift IBM Power ● ACM Hub on IBM Power TechPreview ● Provision OCP on Red Hat OpenStack ● Expanded Cluster Lifecycle Support ○ ClusterPools- TechPreview ○ Hibernate and Resume Clusters / Cluster Pools ○ Worker Pool Scale Up / Down - TechPreview ● ClusterSets to help group clusters and assign RBAC permissions - TechPreview ● UI Support for Submariner deployment and configuration - TechPreview ● Discover & Import Clusters from cloud.redhat.com (OCM) - TechPreview ● Update cluster version channels on managed clusters to allow easier OCP upgrades What’s new in RHACM 2.3 Product Managers: Jeff Brent, Scott Berens, Bradd Weidenbenner, Christian Stark

What's new in OpenShift 4.8 67 Red Hat Advanced Cluster Management for Kubernetes What’s new in RHACM 2.3 Expand Portfolio and Embrace Open Source ● RHACM is now Fully Open Source ○ http://open-cluster-management.io/ ● Red Hat Ansible Integration is now GA ○ Cluster Lifecycle pre/post hook ○ Governance Risk and Compliance (GRC) ■ Trigger remediation based on policy violations ■ Run once, or continuously ○ Application Lifecycle pre/post hook ● RH OpenShift GitOps (Argo CD) full integration with Application Lifecycle ● More GRC policies! ○ Operator Install Policy - Black Duck Operator ○ FIPS Policy ○ Policy to install Scribe (data replication) ○ And many more. Available in GitHub Repo Product Managers: Jeff Brent, Scott Berens, Bradd Weidenbenner, Christian Stark

What's new in OpenShift 4.8 68 Red Hat Advanced Cluster Management for Kubernetes What’s new in RHACM 2.3 Multi-Cluster Observability ● CCX Insights Integration with cloud.redhat.com (Customer Connected eXperience) ● Advanced configuration for long term metrics ● Automatically configure Alert Forwarding from Managed Clusters to the ACM Hub Cluster ● Recording Rules support for Customized Metrics Product Managers: Jeff Brent, Scott Berens, Bradd Weidenbenner, Christian Stark

Cost Management for Red Hat OpenShift 69

New features in Cost management for OpenShift ● New navigation ○ Cost management is now accessible from OCM ● Google Cloud as a new source ○ Add your GCP sources to cost management ○ OCP on GCP still being developed ● New view (cost explorer) ○ View your data grouped by different concepts, in time ○ Line items for the reports readily available ● Child accounts in AWS ○ You no longer need to provide the parent account for cost management, if your account can provide CUR files ○ Refine what data is shared with cost management 70 PM: Sergio Ocón-Cárdenas

PM: Sergio Ocón-Cárdenas ● Certified Operator ○ Now it is possible to use the certified version of the operator ○ You can install both in parallel to upgrade ● Improvements in performance ○ New big data processing for better UX ● Integration to OpenShift Cluster Manager ○ Now you can see your cluster costs in OCM Certified Operator Koku metrics operator Naming Cost management metrics operator Cost management metrics operator Support Supported by Red Hat Upstream (community support) Location In Cluster Operator Hub In Cluster Operator Hub Availability Today Today New features in Cost management for OpenShift

Observability 72

What's new in OpenShift 4.8 New enhancement inside the OpenShift Console PM: Christian Heidenreich Enhanced capabilities to improve working with the OpenShift Console Monitoring dashboards ● Group dependent charts in various dashboards together. ● New “All” drop down option on various charts that support that to show multiple data points in one view. ● Zoom into individual charts and all other charts update automatically. ● Allow filtering for absolute time ranges instead of using relative ranges. ● Display dashboard labels to better identify to which group a single dashboard belongs to. ● Show colour mapping on single value charts, if available. Note: Alertmanager + Grafana link is not available anymore through the UI. Users can still use the Route. Labels Groups Time Range

What's new in OpenShift 4.8 New features in Logging for OpenShift Available with OpenShift Logging 5.1 (mid-July) PM: Christian Heidenreich ● Increase discoverability of critical logs by parsing JSON logs into objects so that users can query by individual fields. ○ Configure what container logs you want to parse and forward to either a third party solution or our managed Elasticsearch. ○ Red Hat’s Elasticsearch stores JSON logs into individual indices per defined schema to reduce possible field explosion scenarios. ○ Query individual fields via Kibana. ● More flexibility to select and filter certain logs to forward. ○ Extend our Log Forwarding API to allow users to select and forward certain logs based on any pod label. apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: pipelines: - inputRefs: [ myAppLogData ] outputRefs: [ default ] parse: json inputs: - name: myAppLogData application: selector: matchLabels: app: nginx outputDefaults: - elasticsearch: structuredTypeKey: kubernetes.labels.app Define a pipeline to match what logs should be parsed into JSON Only select logs from pods that match “app: nginx”. Configure our managed Elasticsearch to index JSON records based on the label “app”.

linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat 75 Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. Thank you