June 25th, 2024 What’s New in OpenShift 4.16 OpenShift Product Management red.ht/whatsnew 1

What's New in OpenShift 4.16 Table of Contents 2 ● Introduction ● Spotlight ● Manage at Scale ● Observability ● Console ● Developer Tools Update ● Runtimes ● Platform Services ● Installer Flexibility ● CoreOS Updates ● Control Plane ● Networking & Routing ● Operator Framework ● Storage ● Telco 5G

What's New in OpenShift 4.16 3 Kubernetes & Cluster Services Install | Over-the-air updates | Networking | Ingress | Storage | Monitoring | Log forwarding | Registry | Authorization | Containers | VMs | Operators | Helm Linux (container host operating system) Physical Virtual Private cloud Public cloud Edge Integrated DevOps Services Service Mesh | Serverless | Builds | Pipelines | GitOps |Tracing | Log Management | Cost Management | Migration Tools Advanced Management & Security Multicluster Management | Cluster Security| Global Registry | Cluster Data Management Red Hat OpenShift on IBM Cloud Red Hat OpenShift Service on AWS Azure Red Hat OpenShift OpenShift Dedicated Self-Managed Platforms OpenShift Cloud Services Red Hat open hybrid cloud platform

What's New in OpenShift 4.16 Kubernetes 1.29 4 Product Manager: Karena Angell CRI-O 1.29 Kubernetes 1.29 OpenShift 4.16 ▸ Sidecar Containers [Beta] ▸ Node Lifecycle Taint Management [Beta] ▸ Signed Release Artifacts [Beta] ▸ Reduce secret-based service account tokens [Beta] ▸ Improve reliability of ingress connectivity serviced by Kube-proxy [Beta] Notable Features ▸ Gateway API reaches 1.0 [Stable] ▸ In-Place Update of Pod Resources [Alpha] ▸ Priority and Fairness for API Server Requests [Stable] ▸ nftables [Stable] ▸ ReadWriteOncePod (RWOP) [Stable] ▸ New Resource and Monitoring Metrics from the Kublet [Stable] ‘Mandala’

What's New in OpenShift 4.16 Notable Top RFEs and Components 5 Top Requests for Enhancement (RFEs) ▸ oc-mirror v2 automatically includes comprehensive list of necessary operators and images from oc-mirror v1 - RFE-3000 ▸ Simplify VM management with Automated Tagging for MachineAPI-Managed VMs on vSphere - RFE-1799, RFE-2176 ▸ In-place migration to Microsoft Entra Workload ID for self-managed OpenShift in Azure - RFE-4831 ▸ Enable EgressIP pods to serve as backends for services with ExternalTrafficPolicy=Local - RFE-3944 ▸ Day 1 update of host firmware directly from OpenShift via CRDs - RFE-3342 ▸ Approve / Deny node certificate signing requests from the OCP Console - RFE-5022 Product Manager: Karena Angell

6 OpenShift 4.16 Spotlight Features

Product Manager: Stephen Gordon Full Support Maintenance Support Additional Extended Update Support Term 1 Additional Extended Update Support Term 2 4 months EUS Release EUS Release EUS Release 6-8 months Full Support 12 months EUS (Term 2) 6 months EUS (Term 1) 10-12 months Maintenance Support 4.12 4.14 4.16 4.15 4.13 Lifecycle Updates 3 Year Lifecycle for EUS Releases Available as add-on for all platform-aligned operators included in OpenShift Kubernetes Engine Blog: https://red.ht/ocp-lifecycle-2024 7

What's New in OpenShift 4.16 Red Hat OpenShift Networking 8 Blog Post: https://www.redhat.com/en/blog/using-adminnetworkpolicy-api-to-secure-openshift-cluster-networking KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/2091-admin-network-policy#user-stories ▸ Kubernetes Network Policy enhancement ▸ Administrator-privileged network security policies, with a cluster-wide scope, that override policies created at the namespace-scope level by application owners. ▸ Example uses: ･ Isolate tenants with cluster admin-privileged absolution ･ DNS namespace always allows specific ingress traffic ･ Admin control of any and all traffic egressing the cluster ･ Highly selective traffic filtering to sensitive namespaces ･ Delegate policy to namespace-scoped network policies ▸ OVN-Kubernetes, only Admin (Global) Network Policy - GA A comprehensive cluster-wide network security solution for cluster administrators Product Managers: Marc Curry, Deepthi Dharwar

What's New in OpenShift 4.16 Control Plane etcd Improvements 9 Improvements for dense and distributed clusters Latency Profiles (adjust for efficiency) Selectable validated profiles for etcd heartbeat intervals and election timers GA DB Size Profiles (adjust etcd db for density) Selectable validated etcd database size for dense clusters TP Product Manager: Ju Lim (speaking on behalf of William Caban)

Version number here V00000 What's New in OpenShift 4.16 Product Manager: Ju Lim (speaking on behalf of Anjali Telang) 10 What From OpenShift 4.16, the system:anonymous user and system:unauthenticated group will only be given a limited set of permissions by default. The "system:openshift:public-info-viewer" and "system:public-info-viewer" are necessary for OAuth2/OIDC workflow and providing insensitive information (such as version information) respectively. Who ▸ For use cases where anonymous access is desired, a cluster administrator needs to explicitly add the permissions. E.g., for webhooks used for BuildConfigs from external systems (GitHub) that do not support sending auth tokens via HTTP, a cluster administrator needs to explicitly add the system:webhook permissions. It is recommended to use local rolebindings in such scenarios. ▸ A cluster administrator can add back a ClusterRoleBinding for anonymous user if needed after fully evaluating the risks associated with it. Why Requests to the OpenShift Container Platform that present no authentication token or certificate are assigned the system:anonymous user and system:unauthenticated group. These users and groups are allowed ClusterRole Bindings that are a security concern for customers with stringent regulatory and compliance needs. Availability & Limitations ▸ This is available for new OpenShift 4.16 clusters. ▸ Upgraded clusters will not be affected. Reduced permission for Anonymous Access Reducing Unauthenticated User or Group Access

What's New in OpenShift 4.16 Expanders for Cluster Autoscaler 11 Priority expander for reliable capacity, least waste expander to minimize waste ▸ Priority expander gives the user control over which scaling group is used by cluster-autoscaler ConfigMap named “cluster-autoscaler-priority-expander,” that allows us to pass a list of node groups, selected using a regex, and assigned a weight. Higher numbers are considered higher priority. ▸ Least-waste expander selects the node group that will have the least idle CPU (if tied, unused memory) after scale-up Product Manager: Subin Modeel

What's New in OpenShift 4.16 12 Performance and Scale ∙ Tech Preview of safe memory overcommit ∙ Non-disruptive scaling VM performance with CPU hotplug ∙ Keep critical workloads segregated through live migration affinity ∙ Realtime VM workloads Ensure continuity of business critical applications ∙ Disaster Recovery with OpenShift Data Foundation ･ Metro-DR for all VM configurations ･ Regional-DR Support recovery of declarative GitOps VMs (Tech Preview) OpenShift Virtualization highlights Modernize your operations with comprehensive lifecycle and infrastructure management Product Manager: Peter Lauterbach Comprehensive Ecosystem red.ht/workswithvirt

What's New in OpenShift 4.16 The Solution 13 Migrating and Deploying VMs at Scale OpenShift Virtualization Reference Implementation Guide OpenShift Virtualization Reference Implementation Ansible Migration Factory Reference Implementation How to automate migrations with Red Hat Ansible Automation Platform Product Manager: Peter Lauterbach

What's New in OpenShift 4.16 Multi-cluster VM observability with ACM 14 ▸ Collect and quickly build reports for all virtual machines ▸ At an RHACM Hub, see all virtual machines across multiple OpenShift installations ▸ At a Global Hub using Global Hub Search, see all Virtual Machines across multiple hubs Product Manager: Peter Lauterbach (speaking on behalf of Christian Stark)

OpenShift-based Appliance Builder (Technology Preview) Build turnkey solutions with self-contained OpenShift with value added services on prescriptive hardware engineered at scale for rapid edge deployments Appliance Disk Builder OCP release + Partner images + Configuration Lab Disk image Factory Clone End User ✓ Boot ✓ Install Disk image Disk image Disk image 15 Lab Factory End Customer Create disk image with the agent-based installer and OpenShip release images payload. 1 Disk image written to disk on partner hardware. Same image can be used for multiple servers for multiple clusters. 2 End customer boots machine, mounts ISO to kick-off installation till completion 3 Source: OpenShift Appliance User Guide Product Manager: Ramon Acedo Rodriguez

What's New in OpenShift 4.16 16 Self-managed HCP AWS Provider [GA] Run Hosted Control Planes on AWS Product Manager: Adel Zaalouk

What's New in OpenShift 4.16 ROSA Hosted Control Plane Enhanced Authentication Bring Your Own Auth Server in ROSA Hosted Control Plane Plugin External OIDC for direct access to OpenShift/Kube API WHAT Enabling direct OIDC Authentication to APIs from external OIDC Compliant Identity Providers(IDP) ● Validated with Microsoft Entra ID and Keycloak providers ● OpenShift OAuth server disabled. Users and Groups managed by IDP ● CLI access requires use of kubectl exec plugin, oc provides oc-oidc plugin ● Usable also via Cluster API (CAPI) support on ROSA with Hosted Control Plane WHY ● Simplified Authentication: Seamless access to ROSA clusters using your existing corporate credentials. ● Unified Access Control: Centralized user and group management across your organization with a single interface. ● Streamlined Automation: Automate tasks across multi-cluster environments using your existing scripts and tools. Product Managers: Anjali Telang, Adel Zaalouk 17

What's New in OpenShift 4.16 Red Hat Device Edge and MicroShift Red Hat Device Edge with MicroShift is a Kubernetes distribution derived from OpenShift designed for small form factor devices and edge computing. Product Manager: Daniel Fröhlich Multus CNI for MicroShift ● Optional install ● Add secondary NICs to PODs using bridge, macvlan and ipvlan Direct EUS->EUS upgrades ● V4.14 -> V4.16 direct update supported ● Only a single reboot ● Incl. potential rollback with ostree GitOps at scale with MicroShift (TP) ● Lightweight gitops agent as optional install (docs / video) ● Pull from / sync with git when connected Edge Device Edge Device Edge Device Red Hat Enterprise Linux GitOps Agent MicroShift Application / Service Application / Service pull git MicroShift V4.14 RHEL 9.2/9.3 MicroShift V4.16 RHEL 9.4 18

What's New in OpenShift 4.16 Image-based Upgrade 19 Single Node OpenShift: Image-based Upgrade Minimize service downtime when upgrading nodes at the Far Edge, including when the CaaS or CNF fails after upgrade: Challenge Solution C W Shift left methodology: Pre-production image generation to speed upgrades including a fast rollback procedure on failure: Requirements and Benefits Minimize service downtime when upgrading Direct EUS->EUS upgrades (not n->n+1->n+2) Simple deployment/re-configuration at far edge site CNF etcd Backup/Restore for quick reinstantiation Seamless integration with existing ACM manageability and ZTP flows Image-based Install Developer Preview with 4.16, as well Product Manager: Robert Love

Red Hat ACS cloud services is graduates from Limited Availability to General Availability Get more value from your cloud investment with Red Hat ACS Cloud Service Hybrid Cloud Flexibility Protect the hybrid cloud giving you the choice and ease of use and choose the offering that best fits your needs Reduce complexity With the new release, customer will be able to use ACS CS default email service to directly send notifications without integration with 3rd party tools ACS Cloud Service On Latest 4.5 release All the new features of ACS 4.5 including new Vuln Management capabilities and Compliance is now available as a Service Focus on innovation Simplify the security operations so your teams can refocus on innovation, not managing infrastructure 20 Red Hat Advanced Cluster Security for Kubernetes Product Manager: Doron Caspin

What's New in OpenShift 4.16 Upcoming Openstack Services On Openshift (OSP18) GA - OCP 4.16 21 Product Manager: Gil Rosenberg RHOSO 18 is coming with OCP 4.16 ○ Based on Openshift Go operators and pure ansible ○ New Podified Control Plane deploys in minutes ○ New data plane deployment architecture rapid deployment and scalability ○ Based on upstream Openstack Antilope release ○ Leveraging native-to-openshift infrastructure: ACM, ACS, Quay, OD, SSO, GitOps and more ○ TF Free - Supporting Openshift on openstack CAPI (CAPO) installer GA 2x Faster Deployment time compared to Red Hat OpenStack Platform 17.1 director-based deployment* * As measured in Red Hat labs, April 2024 OpenStack Control Services Pods OpenStack Compute Nodes OpenShift / OpenStack Bare Metal Resources For more information, check out the RHOSO Beta release notes.

Virtualization ▸ Metro DR with Advanced Cluster Management and OpenShift Data Foundation ▸ Hot-plug CPU ▸ Safe memory overcommit (Tech Preview) ▸ Multi-cluster VM monitoring with Advanced Cluster Management ▸ CSI RWX block and snapshot support Telco and Edge ▸ Image-based updates for Single Node OpenShift ▸ OpenShift Appliance Builder ▸ Multus CNI and GitOps for MicroShift ▸ MicroShift direct EUS updates ▸ OpenStack Services On OpenShift 18.0 (GA) Core ▸ EUS 3 year lifecycle for OpenShift 4.14+ ▸ Self-managed Hosted Control Planes in AWS (GA) ▸ Selectable etcd tuning profiles (GA) ▸ Expander configurations for cluster autoscaler Security ▸ Admin (global) network policy (GA) ▸ Reduced permissions for anonymous users and groups ▸ BYO OIDC in ROSA with Hosted Control Planes ▸ Advanced Cluster Security Cloud Services (GA) Red Hat OpenShift 4.16 highlights Product Manager: Daniel Messer

Manage at Scale 23

What's New in OpenShift 4.16 ▸ Expedited troubleshooting of Policy non-compliance reasons ･ Visualize the “diff”-erence between the current state of configured resources vs. the desired state of the Policy in the UI & API. ▸ GitOps-ified operator management with OperatorPolicy (GA) ･ Painless “manual” mode operator upgrades with fine-grained control of install plan approvals by just specifying a new version for upgrade. ･ Thorough uninstall support including configurability to clean up leftover artifacts such as the operator’s installed CRDs. ･ Non-compliance configurability to include when new upgrades are available, unhealthy deployments, or unhealthy catalog sources. ▸ Gatekeeper operator uplift to 3.15.1 ･ Alignment with upstream community; added constraint enforcement exclusion support for default namespaces (e.g. openshift-*). RHACM 2.11 - Policy-based Governance 24 Product Managers: Christian Stark (speaking on behalf of Scott Berens, Bradd Weidenbenner, Sho Weimer) What’s New in RHACM 2.11 - Policy-based Governance Red Hat Advanced Cluster Management for Kubernetes Resource current state Policy desired state Policy desired state (values missing)

What's New in OpenShift 4.16 ▸ Cluster Lifecycle enhancements: ･ Easily scale nodes for the RHACM hub local-cluster ･ Automated ROSA discovery and import (DP) ･ Management of Red Hat Device Edge including Observability (DP) ･ Allow Cluster upgrades between OCP EUS to EUS releases ▸ Observability at scale enhancements: ･ Fine grained RBAC for RHACM Observability (TP) ･ OpenShift Virtualization (CNV) Observability ･ OCP Update Risks in RHACM Fleet view UI ･ T-Shirt-Sizing (DP) of RHACM’s Observability Stack RHACM 2.11 - Fleet management 25 What’s New in RHACM 2.11: Enhanced Support for Kubernetes Providers, Right-size recommendations for namespaces Red Hat Advanced Cluster Management for Kubernetes ▸ Search helps you quickly identify issues in your environments ･ Enhanced Search Capabilities for Virtual Machines Product Managers: Christian Stark (speaking on behalf of Scott Berens, Bradd Weidenbenner, Sho Weimer)

What's New in OpenShift 4.16 Red Hat Quay 26 Product Managers: Quiana Berry Boosting Security and Efficiency Red Hat Quay 3.12 Global Registry Wide Image Pruning Apply policies globally to automatically manage old or unused images ensuring efficient storage management and organization in your registry environment Image Expiration Alerting Notifies users with timely alerts on upcoming expirations,preventing unexpected pull failures and ensuring uninterrupted access to essential resources. API Token Ownership Transfer Enhance security with controlled access and accurate user attribution. This reduces unauthorized use and improves audit trails, ensuring compliance and system integrity. Enable Ownership Change of API Token

What's New in OpenShift 4.15 Enhancements and new features 27 ● Scanner V4: (Tech Preview → GA) ● VM 2.0 GA ○ Vulnerability exception management ○ Workload CVEs ○ Default filters (Fixable, Critical & Important) ○ Enhanced API for CVE export Compliance 2.0 Tech Preview Vulnerability Management and Security ● Schedule Compliance Operator (CO) scans from ACS UI and API ● View CO results by standard, profile ● View CO controls & rules ● Export compliance reports Platform ● ACS CS: Default email service ● Extend GitHub Action support in roxctl ● CO-RE BPF default collection method ● ACS on ROSA Hosted Control Plane ● UI Wizard to add secured cluster ● ACS integration with Paladin Cloud 4.5 Highlights Red Hat Advanced Cluster Security for Kubernetes Product Managers: Doron Caspon (speaking on behalf of ACS PM Team)

What's New in OpenShift 4.16 Vulnerability Management 2.0 & Scanner V4 28 Red Hat Advanced Cluster Security for Kubernetes Product Manager: Shubha Badve Improves efficiency & ease of use, enhances exception management & reporting Now GA

What's New in OpenShift 4.16 Compliance 2.0 powered by Compliance Operator 29 Red Hat Advanced Cluster Security for Kubernetes Product Manager: Maria Simon Marcos Improves reporting & ease of use, Allow scheduling and reporting

What's New in OpenShift 4.16 Certificate and Secret Management Enabling secure credential management for applications Product Manager: Anjali Telang Validated Secrets mgmt with Secret Store CSI Validation of Red Hat OpenShift Secret Store CSI Driver with the Vault Provider Automated cert-mgmt for Routes Inject certificates directly into Routes instead of Ingress 30 ... tls: externalCertificate: name: mytest ...

Observability

What's New in OpenShift 4.16 32 Observability What’s new for OpenTelemetry? ▸ Observe OpenShift with Kubernetes receivers ･ Objects, Events, Stats, cluster and host metrics ▸ Receive logs with filelog and journald receivers ▸ Cache data with file storage extension ▸ Connect observability pipelines with forward connector ▸ Export at scale with the load-balancing exporter and experiment with the developer preview of the Loki exporter Product Manager: Jose Gomez-Selles Product Manager: Jose Gomez-Selles Read more at: https://www.redhat.com/en/blog/announcing-red-hat-build-opentelemetry-and-distributed-tracing-3.2-release

What's New in OpenShift 4.16 33 Observability ▸ Tempo Monolithic deployment in tech preview, as the drop in replacement for Jaeger all-in-one, without the need of attached storage. What’s new for Distributed Tracing? Product Manager: Jose Gomez-Selles ▸ Developer preview, for the first time of Tracing UI in the OCP web console ･ Coexists with Jaeger UI shipped in Tempo ･ First showing spans bubble chart ･ Next step: Gantt chart

What's New in OpenShift 4.16 34 Monitoring Observability Troubleshooting Journey Product Manager: Vanessa Martini https://www.redhat.com/en/blog/introducing-cluster-observability-operator Enhanced Dev Preview Observability Signal Correlation for Red Hat OpenShift ● Troubleshooting panel in OCP web console ● Expanded supported signals, incl. netflows ● Reduced MTTD & MTTR Cluster Observability Operator 0.3.0

What's New in OpenShift 4.16 35 Monitoring What’s new is OpenShift Monitoring 4.16? Product Manager: Roger Floren https://www.redhat.com/en/blog/introducing-cluster-observability-operator New Features Improvements ▸ Cluster Observability Operator - enable Red Hat monitoring stack with initial set of features (Tech Preview update 0.3) ▸ Switch to metrics server (GA) ▸ Scrape Profiles (TP) ▸ Getting VPAs metrics in OCP Prometheus / kube-state-metrics ▸ Export tables in Observe>Metrics UI as CSV ▸ Improved scrape sample alerts ▸ Added monitoring-alertmanager-view role ▸ ClusterMonitoringOperatorDeprecatedConfig to monitor when the cluster monitoring operator configuration uses a deprecated field. ▸ PrometheusOperatorStatusUpdateErrors to monitor when the Prometheus operator fails to update object status. ▸ Monitoring stack components updated

36 Observability Logging 6.0 What’s new for Logging? Product Manager: Jamie Parker ▸ OTLP Log Forwarder will allow logs to be forwarded to an OTLP endpoint ▸ Refreshed APIs in Cluster Logging Operator for additional Log Collection flexibility ▸ Logging 6.0 will be the first release without support for Elastic, Fluentd, and Kibana ▸ This deprecation was announced with the release of Logging 5.8 ▸ Elastic, Fluentd, and Kibana will be supported with Logging 5.8 until November 2025, and with Logging 5.9 until October 2025 Features Important Information

What's New in OpenShift 4.16 37 Observability ▸ Workloads Advisor: Easily identify workload configuration issues and obtain recommendations on how to proceed Red Hat Insights - updates ▸ Update risks - multicluster view: Identify clusters with existing update risks by and easy to see label. Product Manager: Tomas Dosek https://console.redhat.com/openshift/insights

What's New in OpenShift 4.16 38 Observability What’s new in Red Hat Insights cost management? Product Manager: Pau Garcia Quiles All features of Cost Management, available for x86-64, ARM, POWER and Z, including resource optimization. Excel and Power BI sample reports Cost Management for ARM, POWER and Z Quickstart to producing your own cost and usage reports in your favorite tools. Implements token authentication, data storage, split data fetch and other good practices. Resource Optimization for OpenShift GA CPU & RAM request & limit recommendations Profile-based recommendations (cost/perf) 1, 7, 14-day timeframes Self-diagnostics page to visualize when cost and usage data was read from each cluster/cloud, processed and made available in Cost Management. Custom platform costs Cluster information page Select any number of namespaces “platform cross-services” to share their costs across the rest of the tenants. Tag mapping Combine and reconcile tags and labels from OCP, AWS, Azure, GCP and OCI to simplify and consolidate your cost reports. THIS IS AVAILABLE ON ANY SUPPORTED VERSION OF OPENSHIFT

Console 39

What's New in OpenShift 4.16 40 Console What’s new for Dynamic Plugin Framework? ▸ Checkout the Plugin Overview Page ▸ New Console & SDK Compatibility Table ▸ New Console & PatternFly Compatibility Table ▸ PatternFly 4 to 5 Migration\Upgrade Guide ▸ New Local Plugin Development Section ▸ Updated Shared Modules Section & Deprecation Notices ･ Deprecation of PF4 & ReactRouter5 Product Manager: Ali Mobrem Read more at: https://github.com/openshift/console/tree/master/frontend/packages/console-dynamic-plugin-sdk Knowing is half the battle! Dynamic Plugin Framework Docs have been Upgraded… Dynamic Plugins are the best way to build native experiences directly into the OCP console

What's New in OpenShift 4.16 41 Console Console RFEs “Customer Happiness” ▸ CONSOLE-3986: Support for French & Spanish ▸ CONSOLE-3972: Publish Previous Pod Exit Status ▸ CONSOLE-3910: QuickStart for Impersonating ▸ CONSOLE-4010: Display kube-apiserver Warnings Product Manager: Ali Mobrem

Developer Tools Update 42

What's New in OpenShift 4.16 OpenShift Developer Experience IDE Extensions and Cloud Developer Environment 43 IDE Portfolio ▸ Red Hat OpenShift Dev Spaces 3.14.0 is out ▸ Add initContainer for initializing persistent home when $HOME persistence is enabled. ▸ Work with ollama devfile and Dev Spaces ▸ devfile v1 is deprecated and is not supported anymore. OpenShift Toolkit IDE extension Quarkus and EAP OpenShift Dev Spaces Product Manager: Mohit Suman ▸ Provision any OpenShift cluster using sandbox, directly from VS Code ▸ Creating routes, port forwarding for connected OCP from IDE ▸ OpenShift Serveless & Helm Chart Management within IDE ▸ Available here: VS Code, IntelliJ ▸ JBoss EAP 8.x support in VS Code and IntelliJ ▸ NEW Quarkus Plugin for IntelliJ ▸ Full Support for Java 22 in VS Code extension

What's New in OpenShift 4.16 44 Red Hat Developer Hub Red Hat Developer Hub Fully integrated with Red Hat OpenShift Leverages several technologies that come with OpenShift Serverless Service Mesh GitOps Quarkus Pipelines Distributed Tracing Product Manager: Mohit Suman ▸ New UI for managing RBAC controls ▸ GA release of the Red Hat Developer Hub Operator ▸ Support for Backstage project v1.23.4 ▸ Support for EKS and AKS ▸ RHDH 1.2 release is now available

Introducing: Podman AI Lab ● Get inspired by AI use cases ● Learn how to integrate AI in an optimal way ● Experiment with different compatible Models Discover GenAI ● Run models with an inference server running in UBI image ● Get OpenAI compatible API ● Use code snippets Run Models Locally ● Experiment with models and prompts ● Configure settings and system prompts ● Test and validate prompt workflows before using in your application Playground Environment Your developer environment for working with GenAI ● Leverage a curated list of open source large language models available out of the box ● Import your own models Model Catalog 45 Podman Desktop Product Manager: Stevan Le Meur

Runtimes 46

47 ▸ A new 3 year life-cycle based on major version ▸ New OpenSearch/Elasticsearch Dev Service ▸ Support for Java 21 ▸ Support for Virtual Threads ▸ Support for ARM64 (both JVM and Native) Red Hat build of Quarkus What’s New in 3.8 (April 29) PMM: Jeff Beck

What's New in OpenShift 4.16 48 Red Hat build of Keycloak ▸ New for Red Hat build of Keycloak 24 GA ▸ User profile and progressive profiling ▸ Multi-Site active-passive deployments ▸ User Account Management Console GA ▸ OAuth/OIDC improvements ■ Lightweight access tokens support ■ OAuth 2.1 support ▸ Passkeys support (Tech Preview) ▸ Maximum authentication time as password policy ▸ Group scalability ▸ Enhanced Keycloak CR for Operator ▸ Container images and zip distros available ▸ Migration guide & tooling for prior versions PMM: Jeff Beck User Account Management Console User-friendly CLI

Platform Services 49

What's New in OpenShift 4.16 50 OpenShift Service Mesh ▸ OpenShift Service Mesh 2.6: ▸ Based on Istio 1.20 ▸ GA of Kubernetes Gateway API support for cluster-wide meshes ▸ Distributed Tracing integration updates: ■ OpenTelemetry Collector and Tempo distributed tracing integration is GA ■ Jaeger and Elasticsearch are no longer installed by default ▸ OpenShift Service Mesh 3.0 Technology Preview: ▸ A new service mesh operator based on community Istio - the “Sail Operator” ▸ Calling all early adopters! PM: Jamie Longmuir

What's New in OpenShift 4.16 51 OpenShift GitOps ▸ OpenShift GitOps 1.13 is coming next week ▸ Includes Argo CD 2.11 ▸ Argo Rollouts GA ▸ Applications in any namespace GA ▸ Customer RFEs: ■ Default instance of argo-cd will use reencrypt for TLS termination ■ Support for using socks5 proxies for SSH repo access ■ Host attribute added to the SSO provider spec PM: Harriet Lawrence

What's New in OpenShift 4.16 52 OpenShift Pipelines Product Manager: Koustav Saha OpenShift Pipelines 1.15 released ▸ Red Hat Tekton Catalog GA Curated list of supported Tekton tasks/pipelines for various Red Hat product portfolios ▸ Includes tasks for OpenShift Virtualization cleanup VM, Windows UEFI installer, Maven, Buildah, etc. ▸ Available in https://artifacthub.io/ with Red Hat as publisher ▸ Some preinstalled in OpenShift Pipelines namespace to use with cluster resolver ▸ Manual Approval workflow in Tekton (Technology Preview) ▸ Use ApprovalTask in Tekton pipeline and assign Openshift users ▸ Integration with console to view/approve/reject workflow ▸ ChatOps Support in Pipelines As Code (Technology Preview) Passing parameters to GitOps commands as arguments to trigger and test pipeline for debugging/testing multiple scenarios

What's New in OpenShift 4.16 OpenShift Serverless 53 Key Features & Updates ▸ Serverless 1.33 : Update to Knative 1.12 ▸ Serverless on Arm64- TP ▸ Eventing for Event Driven apps ▸ Monitoring Dashboard in ODC Developer view ▸ New Trigger filter to specify filter expression - TP ▸ Integration with Custom Metrics Autoscaler - TP ▸ GA -Serverless Logic ▸ orchestrate functions/services, events with low code/no code approach PM: Naina Singh

Installer Flexibility 54

and IBM LinuxONE OpenShift 4.16 Supported Providers Installation Experiences Automated Full Control Interactive – Connected - Auto-provisions infrastructure - *KS like - Enables self-service - Bring your own hosts - You choose infrastructure automation - Full flexibility - Integrate ISV solutions - Hosted web-based guided experience - Agnostic, bare metal, vSphere and Nutanix - ISO driven - Restricted network (disconnected / air -gapped) - Automatable installations via CLI - Bare metal, vSphere, SNO - ISO driven Installer Provisioned Infrastructure User Provisioned Infrastructure Assisted Installer Agent-based Installer Local – Disconnected Azure Stack Hub Bare Metal IBM Power Systems Product Manager(s): Marcos Entenza (AWS, Azure, GCP, IBM Cloud), Ju Lim (Alibaba, Oracle), Ramon Acedo (BM, Nutanix, VMware), Peter Lauterbach (OCP Virtualization), Gil Rosenberg (OpenStack), Duncan Hardie (IBM Z & Power), Adel Zaalouk (HCP) 55 What's New in OpenShift 4.16 Outposts Wavelength Local Zones (Tech Preview)

What's New in OpenShift 4.16 56 Product Manager: Marcos Entenza ▸ Self-managed Hosted Control Planes in AWS ▸ ca-west-1 (Calgary) region added ▸ BYO IPv4 public IPs ▸ IPI deployment (Tech Preview) removed ▸ Assisted Installer deployment (Tech Preview) added ▸ me-central2 (Damman) and africa-south1 (Johannesburg) regions added ▸ NVIDIA H100 instance types ▸ In-place migration to Microsoft Entra Workload ID ▸ Volume cloning for Azure File (Tech Preview) ▸ Confidential Compute Attestation Operator (Tech Preview) ▸ OpenShift on Oracle Cloud Infrastructure with Virtual Machines GA on OpenShift 4.14+ Installation Highlights for Cloud Providers Cloud

What's New in OpenShift 4.16 Installation Highlights for On-premises Providers 57 On-premises ▸ Simplify add nodes on day 2 with Agent-based Installer (Dev Preview) ▸ Upgrade/downgrade host firmware ▸ BMC address modification post installation ▸ Attach non-bootable ISO ▸ Control plane nodes on different subnets ▸ SDN to OVN-Kubernetes migration ▸ Control plane nodes on different subnets ▸ MachineSet VM Tagging ▸ ControlPlaneMachineSet (GA) ▸ Static IP assignments (GA) ▸ Simplify add nodes on day 2 with Agent-based Installer (Dev Preview) ▸ Control plane nodes on different subnets ▸ Make max vSphere snapshot per volume configurable (storage) ▸ Secure boot for IBM Z systems, zVM and LPARs ▸ Ingress node firewall for IBM Power and IBM Z systems ▸ CPU Manager support for IBM Power and IBM Z systems Bare Metal IBM Power Systems and IBM LinuxONE Product Managers: Ramon Acedo Rodriguez, Duncan Hardie

What's New in OpenShift 4.16 oc-mirror v2 (Technology Preview) ▸ Caching, deletion control, improved code maintainability, and more (see release notes). oc-mirror v2 enclaves (Technology Preview) ▸ Mirror images to and from disconnected environments (enclaves). ▸ Save time, effort and bandwidth by mirroring images centrally and only transferring the necessary ones to each enclave. 58 OpenShift oc-mirror v2 (Technology Preview) Product Manager: Ramon Acedo Rodriguez https://docs.openshift.com/container-platform/4.16/installing/disconnected_install/about-installing-oc-mirror-v2.html

What's New in OpenShift 4.16 59 Updates oc adm upgrade status (Tech Preview) Product Manager: Subin Modeel Tech Preview in OpenShift 4.16 Update Status Command ▸ Troubleshooting problematic OpenShift updates ▸ Monitoring OpenShift updates for standalone OpenShift

60 Multi-architecture Cluster ● Allow more flexibility in a cluster, use different cloud platforms o------------------------------o ● Multi-architecture compute now supports Arm control plane with x86 compute nodes as a day 2 configuration ● Agent Installer parity for multi-payload IBM Power and zSystems ● Run OpenShift on highly available, highly secure, scalable hardware o-----------------------------o ● Ingress Node Firewall Operator ● Secure Boot on IBM Z Systems for z/VM and LPARS ● CPU Manager ● Agent Based Installer ISO support for IBM Z Systems Multi-arch Tuning ● Less admin with a tool that will place guardrails around where your mixed architecture applications will run o-----------------------------o ● Tech Preview in this release ● Inspects the container images ● Derives architectures supported by pods ● Makes sure workloads run on matching architecture nodes PM: Duncan Hardie Systems Enablement - latest highlights

What's New in OpenShift 4.16 Disconnected Support ▸ Install OpenShift in data centers that do not have access to the Internet, even via proxy servers. ▸ Particularly important in secure environments o----------------------------------------o ▸ Preparation: ssh server should be running on Windows Instance/VM ▸ Same process: steps are the same as those for RHCOS based instances (you can even use oc-mirror) ▸ Private Registry: support to access registry with password/username, secrets or certificates Improved Monitoring ▸ Keep an eye on key metrics via the OpenShift Console ▸ Useful to keep track of the key areas around pod resource utilization o----------------------------------------o ▸ Metrics for CPU, Memory, Networking and File systems now displayed in the OpenShift console ▸ Now we have both pod and node metrics Windows Containers on OpenShift 61 PM: Duncan Hardie

CoreOS Updates 62

What's New in OpenShift 4.16 63 ▸ Deprecation notice for package-based RHEL Worker nodes ▸ Rendered MachineConfig garbage collection via oc adm prune ▸ iSCSI root disk support ▸ Tech Preview On cluster Layering ▸ Tech Preview Admin-defined node disruption policies ▸ Tech Preview Updated boot images for GCP RHEL CoreOS & MCO & RHEL Workers Product Manager: Mark Russell

Control Plane 64

Version number here V00000 What's New in OpenShift 4.16 65 What Schedule vertical pod autoscaler pods on Infra/worker node Who Cluster administrator specifies the node types for VPA pods, ensuring that resource adjustments are handled efficiently and don’t interfere with critical workloads running on other nodes. Why Prior to OpenShift 4.16, VPA could only be scheduled on the Control Plane nodes. Availability Available on both standalone OpenShift and Hosted Control Planes clusters. Limitations Applies to new clusters from OpenShift 4.16+. Schedule Vertical Pod Autoscaler (VPA) pods on Infra/worker node Cluster resource optimization Product Manager: Ju Lim (speaking on behalf of Gaurav Singh)

Version number here V00000 What's New in OpenShift 4.16 Terminate Pods in Job Controller (Tech Preview) Effective resource management Job Controller waits for Pods to be fully terminate before creating replacement Pods when podReplacementPolicy: Failed is used Product Manager: Gaurav Singh 66

Version number here V00000 What's New in OpenShift 4.16 oc and must-gather Enhancements 67 Delete confirmation (Tech Preview) Must-gather ▸ Provides warning message and requests confirmation prior to deleting a cluster resource ▸ Added an interactive (-i) flag, which displays a preview of which cluster resource(s) will be deleted; if user presses “y”, the cluster resource(s) will be deleted ▸ collect must-gather based on a relative timestamp, e.g. since a particular time or recent 2 hours ○ -–since-time ○ --since=2h ▸ OpenShift CLI (oc) binary version used Product Manager: Ju Lim (speaking on behalf of Gaurav Singh)

Version number here V00000 What's New in OpenShift 4.16 68 What Starting with OpenShift 4.16, the image pull secret generated for service account no longer uses a legacy service account API token. Instead, the image pull secret now uses a bound service account token that is automatically refreshed before it expires. Benefits ▸ Tokens are time and audience bound which makes usage more secure ▸ Aligned with regulatory requirement for customers Why ▸ Using long lived credentials is a security risk as this poses a chance for exfiltration attack where a malicious actor can extract these credentials and use them until they are revoked. ▸ In OpenShift 4.15, we added capability to not auto-generate long-lived tokens used for image pull secrets when the image registry is disabled. Availability & Limitations ▸ In OpenShift 4.16, we ensure the builder service account is not auto-created in OpenShift namespaces when the Build capability has been disabled. ▸ In OpenShift 4.15, we had introduced similar capability where the “deployer” service account is not available if the DeploymentConfig capability was disabled. Use Bound Service Account tokens for Image Pull Secrets No Auto-generated Long Lived Tokens Product Manager: Ju Lim (speaking on behalf of Anjali Telang)

Networking & Routing 69

What's new in OpenShift 4.16 Red Hat OpenShift Networking Enhancements Product Managers: Marc Curry, Deepthi Dharwar SDN 70 HAProxy Ingress ● HAProxy upgraded to v2.8 ● Azure: Multiple CIDR blocks per Network Security Group in load balancer-type services On-Premises OpenShift Networking ● Tech Preview: configure-ovs alternative ○ OpenShift deployers now have the ability to explicitly configure the br-ex bridge to their exact specifications at install-time, and can modify it after deployment using standard networking tools. ● Mechanism to change Infrastructure values ○ Add IPv6 VIPs to existing dual stack clusters OVN-Kubernetes CNI ● Support install/post-install modification of the internal CIDRs used by: ○ v4InternalSubnet / v6InternalSubnet ○ transit switch subnet Reminder: openshift-sdn CNI plug-in Deprecation ● No longer available in 4.17 ● No new installs at 4.15+ ● Upgrades allowed to 4.16 ● Limited live migration and cold migration options Network Edge On-Prem Networking

What's new in OpenShift 4.16 Network Observability Operator v1.6 Product Managers: Marc Curry, Deepthi Dharwar Network Observability 71 Network Observability Operator ● New release: v1.6 ● No longer requires Loki for the majority of its features (including Topology view), simplifying its installation and reducing resource requirements ● Tech Preview: on-demand observability CLI ● New CRD-based metrics API so customers can define their own metrics ● eBPF modernization: replace TC hook with TCX when using RHEL 9.4+ kernel ● Reduced logs (deduper merge mode as default) ● Control of where eBPF agents deploy ● Configurable eBPF flow capture for reduced resource consumption (filter by IP, port, protocol, etc.)

Operator Framework 72

What's New in OpenShift 4.16 OLM 1.0 Tech Preview III One step closer to the GA of the next generation operator management experience. ”ClusterExtension” API offers enhanced status reporting, including the installed bundle's name, version, additional transition statuses, and deprecation information from the packages. 73 Operator Framework Existing custom update edge configurations (“replaces“, “skips“, and “skipRanges“) are now supported to ensure the version upgrade sequences defined in the current catalog image continue to function as expected. “Operators” are now known as “ClusterExtensions” within the API to reflect a more accurate representation of their functionality in extending the capabilities of your OpenShift cluster. Improved Status Reporting Custom Update Edge Support Terminology Shift Product Manager: Tony Wu

Storage 74

What's New in OpenShift 4.16 OpenShift Storage PM: Gregory Charot CSI Operators Operator Migration Driver AWS EBS GA GA AWS EFS n/a GA Azure Disk GA GA Azure File GA GA Azure Stack Hub n/a GA GCE Disk GA GA GCP Filestore n/a GA IBM Cloud n/a GA RH-OSP Cinder GA GA RH-OSP Manila n/a GA vSphere GA GA SecretStore n/a TP SMB/CIFS n/a TP Operators & Drivers ● CIFS/SMB ■ Tech Preview ● AliCloud Disk ■ Removed ● vSphere ■ Set max snapshots per volume ● Azure File ■ Volume Cloning, Tech Preview ● LVMS ■ Thick Provisioning ■ At-rest encryption ■ Resource usage reduction Misc ● RWOP Access Mode GA ● PV Last transition phase time, Tech Preview … 75

CIFS/SMB CSI Driver (Tech Preview) ● Day 2 operator via Operator Hub ● Connects to an existing CIFS/SMB backend ● RWX support ● Two Provisioning modes ○ Dynamic: One subfolder per PV ○ Static: Mount an existing share ● FIPS is not supported # Dynamic Provisioning kind: PersistentVolumeClaim metadata: name: pvc_name spec: accessModes: - ReadWriteMany resources: requests: storage: 10Gi storageClassName: my_class # Static provisioning kind: PersistentVolume metadata: annotations: pv.kubernetes.io/provisioned-by: smb.csi.k8s.io name: pv_name spec: (...) csi: driver: smb.csi.k8s.io volumeHandle: smb-server.default.svc.cluster.local/share/ volumeAttributes: source: /// # Share path nodeStageSecretRef: name: # Secret to mount the share namespace: PM: Gregory Charot 76

What's New in OpenShift 4.16 OpenShift Data Foundation 4.16 updates Out of the box support Block, File, Object, NFS Platforms AWS/Azure Google Cloud (GA) OpenShift Virtualization OSP (Tech Preview) Bare metal/IBM Z/Power VMWare Thin/Thick IPI/UPI ARO (GA), ROSA HCP (TP) with Self managed ODF IBM ROKS & Satellite - Managed ODF (GA) Any platform using agnostic deployment mode for self managed OpenShift deployments. Deployment modes Disconnected environment and Proxied environments 77 Product Manager: Eran Tamir ▸ Disaster recovery ○ Recovering to a replacement cluster for Regional-DR ○ Support for ACM-discovered applications ○ Multicloud Object Gateway - Bucket logging support and object replication optimization (TP) ▸ Security ○ Automatic Key rotation support for cluster wide encryption ○ Azure Key Vault support (TP) ▸ Ephemeral storage support ▸ Support for OSD expansion

Telco 5G 78

What's New in OpenShift 4.16 79 When using static routes isn’t effective Product Manager: Franck Baudin OCP nodes route learning via BGP ▸ OCP4.16 - Tech Preview - based on a new upstream component: frr-k8s ･ MetalLB is now using frr-k8s and do not include frr anymore ▸ Depending on the route failure detection requirements, BFD may be used instead of BGP timeouts ▸ Active/Backup & Active/Active (ECMP) Kernel stack DCGW/ Fabric VRFs VLANs VLAN0 VLAN1 VLAN2 OCP node BGP routes BGP BGP frr-k8s

What's New in OpenShift 4.16 80 Bandwidth Aware Scheduling kind: Pod spec: resources: Limits: openshift.io/nics0-bw: 8Gi # Will be done automatically - specs WIP oc patch --subresource=status node node0 --type json -p '[{ "op": "add", "path": "/status/capacity/openshift.io~1nics0-bw", "value": "25Gi" }]' Problem statement: how to avoid NIC overcommitment? Solution: Expose NIC Bandwidth as a Kubernetes extended ressources for a node oc describe node node0 | grep --slide-filter Allocated resources: Resource Requests Limits openshift.io/nics0-bw 24Gi 25Gi Detailed procedure: https://access.redhat.com/articles/7068494 Product Manager: Franck Baudin

What's New in OpenShift 4.16 Image Based Install (IBI) 81 Accelerate RAN vDU Installations on Single Node OpenShift Goals: ● Reduce the time it takes to finish new installations of DU-configured OpenShift deployments by utilizing existing Telecom pre-staging facilities What we plan to do: ● Replace existing installation procedure with an image-based installation procedure STEP 1 A seed-image generated from DU-configured Single Node OpenShift installation STEP 2 The seed-image is then installed to any number of Far Edge servers STEP 3 A Far Edge server is shipped to Far Edge site STEP 4 Image Based Install Operator and Lifecycle Agent Operator orchestrate site-specific configuration for the SNO STEP 5 Reboot to updated OpenShift version, finalize install and instantiate CNF Steps to install a DU-configured Single Node OpenShift using Image Based Install (IBI) Product Manager: Robert Love Developer Preview with OCP 4.16 - Knowledge Base Article to be Published

What's New in OpenShift 4.16 Dual NIC PTP BC HA 82 Dual NIC PTP Highly Available Boundary Clock Product Manager: Robert Love NIC B System Clock Far Edge Hardware Platform NIC A PTP Time Source Time available on both NICs. System Clock set from time received on NIC A. NIC B System Clock Far Edge Hardware Platform NIC A PTP Time Source Time lost on NIC A, but available on NIC B.. System Clock set from time received on NIC B.

Thank you for joining! 83 Guided demos of new features on a real cluster learn.openshift.com OpenShift info, documentation and more try.openshift.com OpenShift Commons: Where users, partners, and contributors come together commons.openshift.org