
What's New in OpenShift 4.8

On June 24 2021, the OpenShift PM team will broadcast the internal [What’s New] OpenShift 4.8 [Jun-2021] briefing to internal Red Hatters on Primetime, as well as directly to customers and partners on OpenShift.tv.

FAQ

What is changing with the [What’s New] and [What’s Next] OpenShift briefings?

In addition to being made available on Primetime for internal Red Hat audiences, the [What's New] OpenShift release update and the [What's Next] OpenShift roadmap briefing will simultaneously be made available to the general public (including customers and partners) through OpenShift.tv.
Why are the [What’s New] and [What’s Next] briefings being broadcast on OpenShift.tv for customers and partners?

Making this information live and available to partners and customers will drive further engagement with our developer and technical communities, and will contribute to our open culture by engaging target audiences in our latest product developments. OpenShift.tv may be leveraged to build advocacy for our portfolio within customer accounts.
What does this mean for the field regarding these timely updates from the BU?

New information on OpenShift releases and updates to the OpenShift roadmap will be made available to customers through OpenShift.tv at the same time it is made available to our internal field audiences. Red Hatters are encouraged to attend through the internal Primetime invitation for access to secure Q&A with the product team.

Red Hat Livestreaming

June 24, 2021

Transcript

  1. What’s New in OpenShift 4.8
    OpenShift Product Management

  2. Red Hat OpenShift Platform Plus (portfolio overview)
    Multicluster management: Observability | Discovery | Policy | Compliance | Configuration | Workloads
    Cluster security: Declarative security | Container vulnerability management | Network segmentation | Threat detection and response
    Global registry: Image management | Security scanning | Geo-replication | Mirroring | Image builds
    Developer services (developer productivity):
    • Developer CLI | IDE
    • Plugins and extensions
    • CodeReady Workspaces
    • CodeReady Containers
    Data services (data-driven insights*):
    • Databases | Cache
    • Data ingest and prep
    • Data analytics | AI/ML
    • Data management & resilience
    Application services (build cloud-native apps*):
    • Languages and runtimes
    • API management
    • Integration
    • Messaging
    • Process automation
    Platform services (manage workloads):
    • Service mesh | Serverless
    • Builds | CI/CD pipelines
    • GitOps
    • Log management
    • Cost management
    Kubernetes cluster services: Install | Over-the-air updates | Networking | Ingress | Storage | Monitoring | Logging | Registry | Authorization | Containers | VMs | Operators | Helm
    Kubernetes (orchestration)
    Linux (container host operating system)
    Footprints: Physical* | Virtual | Private cloud | Public cloud | Edge
    * Red Hat OpenShift® includes supported runtimes for popular languages/frameworks/databases. Additional capabilities listed are from the Red Hat Application Services and Red Hat Data Services portfolios.

  3. What's new in OpenShift 4.8
    Installer flexibility
    ● AWS: use pre-existing IAM roles
    ● AWS: use STS tokens
    ● Azure: use an existing resource group
    Next-gen developer tools
    ● OpenShift GitOps (GA)
    ● OpenShift Pipelines (GA)
    ● OpenShift Serverless functions (TP)
    Feature graduation
    ● Kubernetes 1.21 & CRI-O 1.21
    ● Vertical Pod Autoscaler (GA)
    ● Scheduling Profiles (TP)
    ● CronJobs (GA)
    ● PodDisruptionBudget (GA)
    ● IPv6 Single & Dual Stack (GA)

  4. What's new in OpenShift 4.8: Kubernetes 1.21
    OpenShift 4.8 ships Kubernetes 1.21 and CRI-O 1.21.
    Statistics
    ● 12 weeks (January 11 to April 8)
    ● 49 enhancements:
    ○ Stable: 13, Beta: 15, Alpha: 21
    ● Contributions from:
    ○ 999 companies
    ○ 1279 individuals
    Major Themes and Features
    ● CronJobs graduate to stable
    ● Greater control over Node disruptions
    ○ Graceful Node Shutdown timer
    ○ PodDisruptionBudgets graduate to stable
    ● Required for IPv4/IPv6 dual stack support
    ● Better pod scheduling primitives
    ○ Memory Manager (alpha)
    ○ Storage Capacity (beta)
    Blog: https://www.openshift.com/blog/kubernetes-1.21-grows-innovative-new-features

  5. What's new in OpenShift 4.8
    OpenShift Roadmap (the slide arranges the items in three tracks: App Dev, Platform, Hosted)
    Q3 2021
    ● OpenShift Builds v2 TP with Buildpacks
    ● Community source kamelets in console
    ● Pipelines-as-code (Dev Preview)
    ● DevSecOps tasks in OpenShift Pipelines
    ● Export Application (Dev Preview)
    ● OpenShift Serverless mTLS using Service Mesh
    ● Application delivery dashboard in Dev Console
    ● Certified Helm Charts in Developer Catalog
    ● Operator SDK for Java (Tech Preview)
    ● OVN as default networking plugin
    ● Edge: Single node lightweight Kube cluster
    ● Azure: BYO Disk Encryption Keys
    ● Multi-Instance-GPU support
    ● SmartNIC support for perf., OVS hardware offload
    ● ACM scale to 2000 single node clusters
    ● CoreOS dynamic first boot images for fast scaling
    ● Windows with containerd and bring your own hosts
    ● Subject claim URI scheme for OIDC IdPs
    ● FIPS compliance for Kata Containers
    ● Service Mesh federation
    ● NetFlow/sFlow/IPFIX collector
    ● Cert-manager operator
    ● OpenId use claim as groups
    ● Suspend / Resume for managed clusters
    ● Support for OVN SDN
    ● AWS bring your own keys for storage encryption
    ● Shared VPC support for AWS
    ● AWS Spot instances
    Q4 2021
    ● OpenShift Serverless Kafka Broker
    ● OpenShift Serverless cold start improvements
    ● Dynamic Plugins for the OCP Console
    ● MetalLB Support (L2)
    ● Azure Stack Hub
    ● RHEL 8 Server Compute/Infra Nodes
    ● AWS: Support for China Regions
    ● ARM Support (Dev Preview) in OCP 4.9
    ● Single Node OpenShift
    ● Custom audit profiles by group
    ● OpenShift api compatibility level discovery tools
    ● API for Custom Route Name and Certificates
    ● SRO manages third party special devices
    ● Service Mesh on VMs
    ● Operator metering EOL (4.9)
    ● Additional Windows Containers capabilities*
    ● Disable case-sensitivity if user login by a case-insensitive IdP
    ● Improved Audit logging
    ● Multi Service-Serving-Certificates for Headless Statefulset
    ● ROSA AWS Console Integration
    ● ARO: Deploy from OpenShift Cluster Manager
    2022+
    ● OpenShift Builds v2 & Buildpacks GA
    ● Tekton Hub on OpenShift
    ● Customizable dashboards
    ● Unprivileged builds
    ● Image build cache
    ● Manual approval in pipelines
    ● OpenShift Serverless Functions GA
    ● Global Operators Model & new Operator API
    ● Operator Maturity increase via SDK
    ● Azure China & AWS China
    ● Alibaba, AWS Outposts, Equinix Metal, & Microsoft Hyper-V
    ● Utilize cgroups v2
    ● Enable user namespaces
    ● Additional Windows Containers capabilities*
    ● Gateway API + Contour
    ● Network Topology and Analysis Tooling
    ● SmartNIC Integrations
    ● Network Policy v2
    ● BGP Advertised Services (FRR)
    ● OVN no-overlay option
    ● Application focused developer experience
    ● Developers can opt-in to Shipwright builds
    ● Save custom metrics
    ● Custom perspectives & customizable nav
    ● Kata containers in Pipelines
    ● Access to RHEL entitlements in builds
    ● Cost mgmt integration to Subs Watch, ACM

  6. What's new in OpenShift 4.8
    OpenShift 3.11 to OpenShift 4
    PM: Mike Barrett
    This Month!
    Red Hat offers utilities as well as migration service offerings focused on the migration from OpenShift 3 to OpenShift 4.
    https://www.openshift.com/learn/topics/migration
    Should you be in a migration from OpenShift 3 to OpenShift 4 and wish to purchase maintenance support until June 2023 (the default is June 2022), please contact Red Hat.
    OpenShift 3 Public Life Cycle: https://access.redhat.com/support/policy/updates/openshift_noncurrent

  7. OpenShift 4.8 Spotlight Features

  8. What's new in OpenShift 4.8
    ● OpenShift Pipelines 1.5 GA on OCP 4.8
    ● Auto-pruning PipelineRuns and TaskRuns
    ● Pipeline as code with GitHub (Dev Preview)
    ○ Event filtering
    ○ Task resolution
    ○ Trigger on approved users and groups
    ○ Pull-request commands
    ○ GitHub Checks API
    ○ GitHub and GitHub Enterprise
    ● Ability to customize default ClusterTasks and Pipeline templates
    ● Numerous enhancements in Dev Console
    OpenShift Pipelines
    PM: Siamak Sadeghianfar

  9. What's new in OpenShift 4.8
    OpenShift GitOps
    PM: Siamak Sadeghianfar
    ● OpenShift GitOps 1.2 GA on OCP 4.8
    ● Argo CD auth integrated out-of-the-box with
    OpenShift via RH SSO
    ● Simplified Argo CD privilege configuration
    ● Enhanced environments view in Dev Console
    ● RHACM and Argo CD integrations
    ○ RHACM imports clusters to Argo CD’s
    ○ Argo CD application roll-up in RHACM
    ○ Argo CD application in RHACM Topology

  10. What's new in OpenShift 4.8
    OpenShift sandboxed containers
    PM: Adel Zaalouk
    Cluster Admin: creates the KataConfig (optionally selecting the nodes that get the Kata runtime)
    apiVersion: kataconfiguration.openshift.io/v1
    kind: KataConfig
    metadata:
      name: example-kataconfig
    spec:
      kataConfigPoolSelector:
        matchLabels:
          node-label-kata: test
    The Operator: enables Kata on the selected nodes and creates the RuntimeClass
    apiVersion: node.k8s.io/v1
    kind: RuntimeClass
    metadata:
      name: my-kata-class
    handler: kata
    Developer: references the RuntimeClass from the Pod (or Deployment) spec
    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
    spec:
      runtimeClassName: my-kata-class   # must match the RuntimeClass name above
    Kata Containers as a Service (Operator machinery)
    ● Installs and life-cycles the Kata binaries (e.g., Kata 2.0) as an OS extension
    ● Installs and life-cycles QEMU as an OS extension
    ● Configures CRI-O runtime handlers + optimizations for Kata as a runtime
    ● Adds / creates the RuntimeClass for Kata + scheduling
    ● Exposes a CRD (KataConfig) to manage configuration for Day 1 and Day 2 tasks
    ● Available in the Red Hat Operators Catalog / OperatorHub and enabled from console / CLI
    Usage Manual
    ● Admin creates the KataConfig (optionally selects the nodes that will have the Kata runtime enabled)
    ● Operator automagically enables Kata on the nodes and creates the RuntimeClass
    ● Developers define the RuntimeClass at the Deployment / Pod level to use Kata
    Default Use-cases (matrix on the slide)
    ● Workload: normal apps / 1st-party code vs. 3rd-party / untrusted code
    ● When / where: re-hosting (lift & shift), no existing image, re-architecting
    ● Runtime: normal containers, OpenShift Virtualization, or OpenShift sandboxed containers (OCI compliant runtime with kernel isolation)

  11. What's new in OpenShift 4.8
    OpenShift Serverless functions Tech Preview
    PM: Naina Singh
    Create, Build, and Deploy Applications Quickly
    [Diagram: Create (source code; Java, Node.js, Go) → Build (Buildpacks → container registry) → Deploy (new Knative Service on the cluster), each step driven by the Knative CLI + Func plugin]
    OpenShift Serverless Functions allows users to consume events via function-based APIs and provides a simplified programming model for developers and data scientists alike.
    ▸ Simplified deployments
    ▸ Reduced programming complexity
    ▸ Secure, consistent programming models
    ▸ Quarkus, Node.js, Python, Go and Spring Boot
    ▸ Kafka event source for event-driven Serverless apps

  12. What's new in OpenShift 4.8
    IPv6 Single / Dual Stack Support
    PM: Marc Curry, Deepthi Dharwar
    ● IPv6 single/dual stack is supported in OpenShift 4.8 (k8s 1.21) with OVN.
    ● Single Stack
    ○ Either an IPv4 or an IPv6 address is assigned to the pod interface
    ● Dual Stack
    ○ Both IPv4 and IPv6 addresses are assigned to the interface
    ● Simple install-time configuration
    ○ Modify “install-config.yaml” to specify IPv6 subnets in addition to IPv4.
    ● Post-install configuration:
    ○ Edit the “network.config.openshift.io” config to add secondary “(machine|cluster|service)Network” values, and they will get rolled out correctly.
    ● Restrictions / Caveats / Notes
    ○ OVN only, no plans to support it in openshift-sdn
    ○ Supported platform at GA: Bare Metal IPI (other platforms TBD)
    [Diagram: a dual-stack pod interface eth0 carrying an IPv4 address (192.168.12.3) and an IPv6 address (2001:db8:0:12…), reachable from both an IPv4 host and an IPv6 host]

  13. What's new in OpenShift 4.8
    API Graduations to GA
    PM: Gaurav Singh
    ● VerticalPodAutoscaler
    ○ Vertical Pod Autoscaling (VPA for short) provides an automatic way to set a Container’s resource requests and limits.
    ○ It uses historic CPU and memory usage data to fine-tune them
    ○ Prevents under- and over-utilization of resources
    ● CronJob
    ○ CronJobs are useful for creating periodic and recurring tasks, like running backups
    ○ CronJobs can also schedule individual tasks for a specific time
    ○ Cron is set up using the time zone of the master node
    ● PodDisruptionBudget
    ○ Avoid application outages by using PodDisruptionBudgets
    ○ A PDB limits the number of Pods of a replicated application that are down simultaneously from voluntary disruptions
    ○ Whenever a disruption to the pods in a service is calculated to cause the service to drop below the budget, the operation is paused until it can maintain the budget.

  14. What's new in OpenShift 4.8
    Vertical Pod Autoscaling (GA)
    PM: Gaurav Singh
    Description
    ● Recommends values for CPU and memory requests based on historical trends
    Things to remember
    ● VPA requires pod eviction to apply the recommended resource settings
    ● The default is a minimum of 2 pods per deployment, but it can be configured to 1 pod
    Modes
    ● Off: recommendation mode
    ● Initial: assigns resource requests on pod creation and never changes them later.
    ● Recreate: applies recommended changes to the pods by evicting them when the requested resources differ significantly
    ● Auto: same as Recreate.

  15. Console

  16. What's new in OpenShift 4.8
    Console routes support custom & wildcard certificates
    PM: Ali Mobrem
    New Day 2 Operations
    ● Single point of configuration for custom domains and certificates
    ● Implemented to use the new ingress route configuration API
    ○ Console
    ○ Downloads (CLI)
    ○ Auth
    For security reasons many customers do not allow wildcard certs in production environments.
    apiVersion: config.openshift.io/v1
    kind: Ingress
    metadata:
      name: cluster
    spec:
      componentRoutes:
      - name: console
        namespace: openshift-console
        hostname: console.example.com      # placeholder: your custom console hostname
        servingCertKeyPairSecret:
          name: console-custom-tls          # placeholder: Secret holding tls.crt/tls.key

  17. What's new in OpenShift 4.8
    Easy import for App artifacts
    PM: Ali Mobrem & Serena Chechile Nichols
    ● Import multi-doc YAML
    ● Drag-and-drop feature to upload local fat JARs

  18. What's new in OpenShift 4.8
    Expanded UI for Serverless
    PM: Serena Chechile Nichols
    ● Make Serverless
    ● Cloud Functions in Topology
    ● Enhanced scaling options for Knative Services
    ○ Concurrency utilization
    ○ Autoscale window

  19. What's new in OpenShift 4.8
    Improved onboarding & Quick Start features
    PM: Serena Chechile Nichols
    Quick Starts now support copy & execute
    OpenShift Quick Starts now provide support for both a copy and an execute feature. The execute feature gives the user the ability to run the CLI command in our command line terminal. The Web Terminal Operator is required for execute.
    Format to enable copy:
    `https://github.com/sclorg/ruby-ex.git`{{copy}}
    Format to enable copy & execute:
    `oc new-app ruby~https://github.com/sclorg/ruby-ex.git`{{execute}}
    New Getting Started card for Admins & Devs

  20. What's new in OpenShift 4.8
    More ways to customize the Developer Experience
    PM: Serena Chechile Nichols
    Modify the available roles in the Project Access flow (console operator configuration fragment):
    spec:
      customization:
        projectAccess:
          availableClusterRoles:
          - admin
          - edit
          - view
          - registry-admin
    Hide individual features from the Add page (console operator configuration fragment):
    spec:
      customization:
        addPage:
          disabledActions:
          - import-from-dockerfile

  21. What's new in OpenShift 4.8
    Certified Helm Charts
    PM Console: Serena Chechile Nichols, Helm: Stevan Le Meur
    ● Certified Helm Charts
    from partners are now
    available
    ● A badge indicates the
    Chart is Certified
    Link to Helm Certification program announcement

  22. Installer Flexibility

  23. What's new in OpenShift 4.8
    4.8 Supported Providers
    Product Manager(s): Marcos Entenza (AWS, Azure, GCP), Maria Bracho (VMware), Peter Lauterbach (RHV & OCP Virtualization), Anita Tragler (OSP), Ramon Acedo Rodriguez (BM), & Duncan Hardie (IBM Z & Power)
    [Provider matrix shown as logos on the slide: Generally Available providers, split into Full Stack Automation (IPI) and Pre-existing Infrastructure (UPI); Bare Metal and IBM Power Systems are the providers named in text]

  24. What's new in OpenShift 4.8
    Install OpenShift to an existing Azure Resource Group
    PM: Marcos Entenza
    Limit permissions to a Resource Group (Generally Available)
    ● Allows an OpenShift cluster to be deployed to an existing Azure Resource Group with the installer-provisioned infrastructure deployment method
    ● Configured using the `platform.azure.resourceGroupName` field in the install-config.yaml file.
    ● The Resource Group must be empty and dedicated for use by a single OpenShift cluster
    ○ The cluster assumes ownership of all resources in the resource group
    ● If you limit the service principal scope of the installation program to this resource group (and not the subscription), you must ensure the proper permissions are provided to all other resources needed for cluster installation, such as the public DNS zone and virtual network (VNet)
    ● Destroying the cluster deletes the user-defined Resource Group
    apiVersion: v1
    baseDomain: example.com
    controlPlane:
      hyperthreading: Enabled
      name: master
      platform:
        azure:
          osDisk:
            diskSizeGB: 1024
          type: Standard_D8s_v3
      replicas: 3
    compute:
    - hyperthreading: Enabled
      name: worker
      platform:
        azure:
          type: Standard_D2s_v3
          osDisk:
            diskSizeGB: 512
          zones:
          - "1"
          - "2"
          - "3"
      replicas: 5
    metadata:
      name: test-cluster
    networking:
      clusterNetwork:
      - cidr: 10.128.0.0/14
        hostPrefix: 23
      machineNetwork:
      - cidr: 10.0.0.0/16
      networkType: OpenShiftSDN
      serviceNetwork:
      - 172.30.0.0/16
    platform:
      azure:
        baseDomainResourceGroupName: resource_group
        region: centralus
        resourceGroupName: existing_resource_group
        networkResourceGroupName: network_resource_group
        outboundType: Loadbalancer
        cloudName: AzurePublicCloud
    pullSecret: '{"auths": ...}'
    fips: false
    sshKey: ssh-ed25519 AAAA...

  25. What's new in OpenShift 4.8
    Use pre-existing Route 53 hosted private zones with shared VPC
    PM: Marcos Entenza
    Leverage pre-existing private zones with shared VPC environments (Generally Available)
    ● Adds support to specify an existing Route 53 private hosted zone in cases where OpenShift is being deployed to a shared VPC
    ● Configured using the `platform.aws.hostedZone` field in the install-config.yaml file
    ● For situations where the VPC is owned by a different account than the private hosted zone
    ○ Account A: Route 53 hosted private zone
    ○ Account B: VPC/subnets that have been shared with Account A
    ● You can only use a pre-existing hosted private zone when also providing your own VPC (subnets), and the hosted zone must be associated with the shared VPC
    ● https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-account/
    ● Backported to 4.7.12+
    % ./openshift-install explain installconfig.platform.aws.hostedZone
    KIND: InstallConfig
    VERSION: v1
    RESOURCE:
    HostedZone is the ID of an existing hosted zone into which to add DNS records for the cluster's internal API. An existing hosted zone can only be used when also using existing subnets. The hosted zone must be associated with the VPC containing the subnets. Leave the hosted zone unset to have the installer create the hosted zone on your behalf.
    % ./openshift-install create install-config --dir katherine ; cat katherine/install-config.yaml
    apiVersion: v1
    baseDomain: devcluster.openshift.com
    compute:
    - architecture: amd64
      hyperthreading: Enabled
      name: worker
      replicas: 3
    controlPlane:
      architecture: amd64
      hyperthreading: Enabled
      name: master
      replicas: 3
    metadata:
      creationTimestamp: null
      name: katherine
    networking:
      clusterNetwork:
      - cidr: 10.128.0.0/14
        hostPrefix: 23
      machineNetwork:
      - cidr: 10.0.0.0/16
      networkType: OpenShiftSDN
      serviceNetwork:
      - 172.30.0.0/16
    platform:
      aws:
        region: us-east-2
        hostedZone: Z044446215ZXNECV7BLQF
        subnets:
        - subnet-1

  26. What's new in OpenShift 4.8
    Use pre-existing instance IAM roles on AWS
    PM: Marcos Entenza
    Define instance IAM roles for VM instances (Generally Available)
    ● Leverage a pre-existing Amazon Web Services (AWS) IAM role for your VM instance profiles
    ● Configured in the install-config.yaml using the `compute.platform.aws.iamRole` and `controlPlane.platform.aws.iamRole` fields
    ○ Note: the bootstrap instance shares the control plane role
    ● The documented list of permissions remains the same, but this allows unique naming schemes and predefined permissions boundaries to be included for your IAM roles for clusters installed on AWS
    ● Backported to 4.7.10+
    % ./openshift-install explain installconfig.controlPlane.platform.aws.iamRole
    KIND: InstallConfig
    VERSION: v1
    RESOURCE:
    IAMRole is the name of the IAM Role to use for the instance profile of the machine. Leave unset to have the installer create the IAM Role on your behalf.
    % ./openshift-install explain installconfig.compute.platform.aws.iamRole
    KIND: InstallConfig
    VERSION: v1
    RESOURCE:
    IAMRole is the name of the IAM Role to use for the instance profile of the machine. Leave unset to have the installer create the IAM Role on your behalf.
    % ./openshift-install create install-config --dir katherine ; cat katherine/install-config.yaml
    apiVersion: v1
    baseDomain: devcluster.openshift.com
    compute:
    - architecture: amd64
      hyperthreading: Enabled
      name: worker
      platform:
        aws:
          iamRole: katherine-gk26f-worker-role
      replicas: 3
    controlPlane:
      architecture: amd64
      hyperthreading: Enabled
      name: master
      platform:
        aws:
          iamRole: katherine-gk26f-master-role
      replicas: 3
    metadata:
      creationTimestamp: null
      name: katherine
    networking:
      clusterNetwork:
      - cidr: 10.128.0.0/14

  27. What's new in OpenShift 4.7
    AWS Security Token Service
    The AWS Security Token Service (STS) enables an authentication flow allowing a client to assume an IAM Role, resulting in short-lived credentials.
    OCP 4.8 - GA
    ● Support for AWS STS natively with OCP on the AWS Installer
    ● Tooling to automate the pre-installation configuration
    ● Documentation
    ● New deployments only
    OCP 4.9+
    ● Automate the upgrade path
    ● In-place migration to AWS STS support, from manual credentials to STS
    $ oc get secrets -n kube-system aws-creds
    Error from server (NotFound): secrets "aws-creds" not found
    $ oc get secrets -n openshift-image-registry installer-cloud-credentials -o json | jq -r .data.credentials | base64 -d
    [default]
    role_arn = arn:aws:iam::125931421481:role/image-registry-role
    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
    ● No “root” AWS secret
    ● Components assume the IAM Role specified in the Secret manifests (instead of creds minted by the cloud-credential-operator)
    PM: Maria Bracho
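As an added example (not from the deck or from Red Hat tooling): a Python check that walks the JSON that `oc get secrets -o json` returns, decodes each `credentials` key the way the slide's `jq | base64 -d` one-liner does, and classifies the profile as STS (role_arn + web_identity_token_file) or as a long-lived static key, so that an STS cluster can be verified to hold no static keys. The Secret list, names and account ID below are constructed.

```python
import base64
import configparser
import json

# Constructed sample of `oc get secrets -A -o json` output for two component
# credential Secrets. Names, account ID and key material are made up.
SAMPLE_SECRETS_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "installer-cloud-credentials",
                         "namespace": "openshift-image-registry"},
            "data": {"credentials": base64.b64encode(
                b"[default]\n"
                b"role_arn = arn:aws:iam::000000000000:role/image-registry-role\n"
                b"web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token\n"
            ).decode()},
        },
        {
            "metadata": {"name": "ebs-cloud-credentials",
                         "namespace": "openshift-cluster-csi-drivers"},
            "data": {"credentials": base64.b64encode(
                b"[default]\n"
                b"aws_access_key_id = AKIAEXAMPLEEXAMPLE00\n"
                b"aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLE000000\n"
            ).decode()},
        },
    ]
})


def classify_credentials(ini_text: str) -> str:
    """Classify one AWS shared-credentials file: 'sts' (assume-role via web
    identity token), 'static' (long-lived access key) or 'unknown'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section("default"):
        return "unknown"
    section = parser["default"]
    if "role_arn" in section and "web_identity_token_file" in section:
        return "sts"
    if "aws_access_key_id" in section or "aws_secret_access_key" in section:
        return "static"
    return "unknown"


def audit_cloud_credential_secrets(secret_list_json: str) -> dict:
    """Map namespace/name -> classification for every Secret carrying a
    `credentials` key, base64-decoding it as the slide's command does."""
    result = {}
    for item in json.loads(secret_list_json)["items"]:
        data = item.get("data", {})
        if "credentials" not in data:
            continue  # not a cloud-credentials Secret
        ini_text = base64.b64decode(data["credentials"]).decode()
        key = f"{item['metadata']['namespace']}/{item['metadata']['name']}"
        result[key] = classify_credentials(ini_text)
    return result


def static_credential_secrets(secret_list_json: str) -> list:
    """Secrets still holding long-lived keys; on an STS cluster this should be empty."""
    return sorted(name for name, kind in audit_cloud_credential_secrets(secret_list_json).items()
                  if kind == "static")


if __name__ == "__main__":
    for name, kind in audit_cloud_credential_secrets(SAMPLE_SECRETS_JSON).items():
        print(f"{name}: {kind}")
    print("static keys found:", static_credential_secrets(SAMPLE_SECRETS_JSON))
```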

  28. What's new in OpenShift 4.8
    Update manager for your clusters in restricted networks
    PM: Tushar Katarki
    ● OpenShift Update Service (OSUS) is the on-premise release of Red Hat’s hosted update service
    ● Supports the publishing of upgrade graph information to clusters in restricted networks
    ● Provides clusters with a list of next recommended update versions based on the current version installed on the cluster
    ● Comprised of two services:
    ○ Graph Builder: Fetches OpenShift release payload information (primary metadata) from any container registry (compatible with the Docker registry V2 API) and builds a directed acyclic graph (DAG) representing valid upgrade edges
    ○ Policy Engine: Responsible for selectively serving updates to every cluster by altering a client’s view of the graph with a set of filters
    [Diagram: a local container registry in the restricted network feeds the OpenShift Update Service; the Graph Builder scrapes release images from the registry, the Policy Engine adds/removes edges, and each OpenShift cluster's Cluster Version Operator (CVO) reads the resulting graph data (secondary metadata)]
    OpenShift Update Service
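As an added example (not from the deck or from the OSUS code base): a Python sketch of the two OSUS roles over a constructed Cincinnati-style graph document (nodes carry a version and payload, edges are index pairs into the node list). The Graph Builder part checks that the edges form a DAG; the Policy Engine part filters blocked edges out of one client's view and returns the next recommended versions the CVO would see. Versions, digests and edges are made up.

```python
from collections import defaultdict

# Constructed Cincinnati-style graph, in the shape the Graph Builder assembles from
# release-image metadata in a local registry. Versions, digests and edges are made up.
SAMPLE_GRAPH = {
    "nodes": [
        {"version": "4.7.12", "payload": "registry.example.com/ocp/release@sha256:aaa"},
        {"version": "4.7.13", "payload": "registry.example.com/ocp/release@sha256:bbb"},
        {"version": "4.8.0", "payload": "registry.example.com/ocp/release@sha256:ccc"},
        {"version": "4.8.1", "payload": "registry.example.com/ocp/release@sha256:ddd"},
    ],
    # Each edge is [from_index, to_index] into "nodes": one supported update path.
    "edges": [[0, 1], [0, 2], [1, 2], [1, 3], [2, 3]],
}


def version_key(version):
    """Numeric sort key so 4.8.10 orders after 4.8.2 (lexical sort would not)."""
    return tuple(int(part) for part in version.split("."))


def build_adjacency(graph):
    """Graph Builder step: resolve index-pair edges into {from_version: {to_versions}}."""
    versions = [node["version"] for node in graph["nodes"]]
    adjacency = defaultdict(set)
    for src, dst in graph["edges"]:
        adjacency[versions[src]].add(versions[dst])
    return adjacency


def assert_acyclic(adjacency):
    """Raise ValueError if the update graph has a cycle; a valid graph is a DAG."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)  # unvisited nodes default to WHITE

    def visit(node):
        colour[node] = GREY
        for nxt in adjacency.get(node, ()):
            if colour[nxt] == GREY:
                raise ValueError(f"cycle through {node} -> {nxt}")
            if colour[nxt] == WHITE:
                visit(nxt)
        colour[node] = BLACK

    for node in list(adjacency):
        if colour[node] == WHITE:
            visit(node)


def apply_policy(graph, blocked_edges):
    """Policy Engine step: the filtered view served to a client, i.e. the same
    nodes with the blocked (from_version, to_version) edges removed."""
    versions = [node["version"] for node in graph["nodes"]]
    blocked = {tuple(edge) for edge in blocked_edges}
    kept = [edge for edge in graph["edges"]
            if (versions[edge[0]], versions[edge[1]]) not in blocked]
    return {"nodes": graph["nodes"], "edges": kept}


def recommended_updates(graph, current_version, blocked_edges=()):
    """What the CVO sees: versions one edge away from current_version after the
    policy filter, in numeric version order."""
    adjacency = build_adjacency(apply_policy(graph, blocked_edges))
    assert_acyclic(adjacency)
    return sorted(adjacency.get(current_version, ()), key=version_key)


if __name__ == "__main__":
    print(recommended_updates(SAMPLE_GRAPH, "4.7.12"))
    print(recommended_updates(SAMPLE_GRAPH, "4.7.12", blocked_edges=[("4.7.12", "4.8.0")]))
```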

  29. What's new in OpenShift 4.8
    Bare Metal IPI workflow can enable UEFI Secure Boot
    PM: Ramon Acedo Rodriguez
    Easily protect your bare metal nodes against malicious code being loaded and executed early in the boot process. Simply ask the OpenShift installer to enable Secure Boot in your nodes:
    hosts:
    - name: openshift-master-0
      role: master
      bmc:
        address: redfish://
        username:
        password:
      bootMACAddress:
      rootDeviceHints:
        deviceName: "/dev/sda"
      bootMode: UEFISecureBoot

  30. What's new in OpenShift 4.8
    Schedule pods based on bare metal hardware attributes
    PM: Ramon Acedo Rodriguez
    Do you need to know hardware attributes to decide where to run your pods? New hardware attributes in the Node-Feature-Discovery operator, commonly required by various edge cloud deployment types for real-time or maximum performance.
    NFD is installed:
    $ oc get pods -n openshift-nfd
    NAME                           READY   STATUS    RESTARTS   AGE
    nfd-master-25xc2               1/1     Running   0          10s
    nfd-master-2z2cl               1/1     Running   0          10s
    nfd-master-t97rh               1/1     Running   0          10s
    nfd-operator-bb595bc6c-drvmr   0/1     Running   0          17s
    nfd-worker-5h2r2               1/1     Running   0          10s
    nfd-worker-jfr4k               1/1     Running   0          10s
    worker-1 has CPU P-State active and master-0 doesn’t:
    $ oc describe nodes/worker-1 | grep pstate
    feature.node.kubernetes.io/cpu-pstate.status=active
    feature.node.kubernetes.io/cpu-pstate.turbo=true
    $ oc describe nodes/master-0 | grep pstate
    Pods can request hardware with P-State active:
    apiVersion: v1
    kind: Pod
    metadata:
      name: feature-dependent-pod
    spec:
      containers:
      - image: k8s.gcr.io/pause
        name: pause
      nodeSelector:
        # Select a valid feature
        feature.node.kubernetes.io/cpu-pstate.status: 'active'

  31. What's new in OpenShift 4.8
    Add new nodes to bare metal clusters via PXE-booting
    PM: Ramon Acedo Rodriguez
    If you provisioned your bare metal cluster using Virtual Media or the Assisted Installer and you now need to add new nodes via PXE booting, the Cluster Bare Metal Operator will enable everything you need: a provisioning network and a DHCP/TFTP environment with the Red Hat CoreOS image.
    apiVersion: metal3.io/v1alpha1
    kind: Provisioning
    metadata:
      name: enable-provisioning-nw
    spec:
      # Enables a provisioning network.
      provisioningNetwork: Managed
      provisioningOSDownloadURL: http:///rhcos.qcow2.gz?sha256=323e7ba4ba3448e340946543c963823136e1367ed0b229d2
      provisioningIP: 192.168.0.10
      provisioningNetworkCIDR: 192.168.0.1/24
      provisioningDHCPRange: 192.168.0.64,192.168.0.253
      provisioningInterface: eno2
      watchAllNamespaces: false
    [Diagram: master nodes and worker nodes attached through a provisioning bridge on eno2 to the provisioning network]

  32. Zero Touch Provisioning
    PM: Moran Goldboim
    Aimed at regional distributed on-prem deployment. Enabling the customer’s automated path from uninstalled infrastructure to an application running on an OpenShift cluster.
    ● Integrates and leverages the existing technology stack: RHACM/Hive/Metal3/Assisted Installer
    ● Minimal prerequisites: enables an untrained-technician installation flow (barcode scan to trigger install).
    ● Highly customized deployment: fits Connected/Disconnected, IPv4/IPv6, DHCP/Static, UPI/IPI deployment topologies
    ● Edge focused: no additional bootstrap node or external services needed for deployment.
    ● GitOps enabled: managed with a kube-native declarative API
    [Diagram: a site plan and manifests in Git drive the existing infrastructure (regional data center) to deploy ZTP infrastructure at Site 1, Site 2 and Site 3 (DU sites), each with nodes labelled S and W on the slide]
    Tech-Preview in Advanced Cluster Management 2.3

  33. What's new in OpenShift 4.8
    Zero Touch Provisioning - Ingredients
    PM: Moran Goldboim
    ● Infrastructure Provisioning (Infrastructure as Code): central provisioning of OpenShift clusters, using Kubernetes CRs/GitOps practices to manage infrastructure
    ● Cluster Configuration (Configuration as Code): standardize cluster config at scale, utilizing GitOps and RHACM policies or ArgoCD integration to provide configuration as code
    ● Application Rollout (Application Placement as Code): put applications anywhere, with RHACM App-Subs functions for automated application lifecycle

  34. Control Plane Updates

  35. What's new in OpenShift 4.8
    ● Single Service-Serving-Certificates for Headless StatefulSets
    ○ Provide automatic certificate generation and rotation for direct pod-to-pod communication, similar to
    the service-serving-certificates operator.
    ○ Service serving certificates generated for headless services now include a wildcard subject of the
    form *.<service.name>.<service.namespace>.svc. This allows TLS-protected connections to
    individual StatefulSet pods without having to manually generate certificates for these pods.
    ● Support for the URI scheme in the subject claim of OpenID Connect IdPs
    ○ Problem: users of OIDC systems were unable to log in to OpenShift when the OIDC IdP issues
    `sub` claims that follow the URI scheme.
    ○ Why this is important: the oauth-server rejected logins from users of quite popular OIDC IdPs,
    even though those IdPs follow the RFC requirements for the `sub` claim that the oauth-server found
    problematic.
    ○ Now in 4.8, users of identity providers that use the URI scheme in their `sub` claims (which the RFC
    permits: https://tools.ietf.org/html/rfc7519#section-4.1.2) are able to log in to
    OpenShift
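    The wildcard subject described above is only useful if clients apply the standard TLS wildcard rule when they connect to a pod. The following is an added example, not OpenShift or service-ca-operator code: it builds a constructed SAN list for a headless service "db" in namespace "prod" (the `.svc.cluster.local` variants are an assumption about what the operator also issues) and checks which peer names a client may accept. A `*` covers exactly one leftmost DNS label, so `db-0.db.prod.svc` is covered while a deeper name or a different service is not.

```python
"""Hostname matching for a headless-service serving certificate.

Added example, not OpenShift or service-ca-operator code. The SAN list is
constructed to mirror the shape the slide describes: the service name plus
a wildcard of the form *.<service>.<namespace>.svc (the .cluster.local
variants are an assumption about what the operator also adds). Matching
follows the standard TLS wildcard rule (RFC 6125): '*' covers exactly one
leftmost DNS label, so the wildcard reaches every StatefulSet pod
(db-0.db.prod.svc) but not a deeper or a differently named host.
"""

# Constructed values for a headless service "db" in namespace "prod".
SERVICE = "db"
NAMESPACE = "prod"
SAMPLE_SANS = [
    f"{SERVICE}.{NAMESPACE}.svc",
    f"{SERVICE}.{NAMESPACE}.svc.cluster.local",
    f"*.{SERVICE}.{NAMESPACE}.svc",
    f"*.{SERVICE}.{NAMESPACE}.svc.cluster.local",
]


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot marks an absolute name."""
    return name.strip().lower().rstrip(".")


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the given hostname."""
    san, hostname = _normalize(san), _normalize(hostname)
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # "*.db.prod.svc" -> ".db.prod.svc"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]   # the part the '*' has to cover
    # Exactly one non-empty label: no dots, and no wildcard in the hostname.
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def covered_by_cert(sans, hostname: str) -> bool:
    """True if any SAN in the certificate covers the hostname."""
    return any(san_matches(san, hostname) for san in sans)


def pod_dns_name(pod: str, service: str, namespace: str) -> str:
    """DNS name a StatefulSet pod gets behind its headless service."""
    return f"{pod}.{service}.{namespace}.svc"


def check_peers(sans, hostnames):
    """Report which peer names a client may accept under this certificate."""
    return {h: covered_by_cert(sans, h) for h in hostnames}


if __name__ == "__main__":
    peers = [
        pod_dns_name("db-0", SERVICE, NAMESPACE),
        "db.prod.svc",
        "db-0.db.prod.svc.cluster.local",
        "deep.db-0.db.prod.svc",   # two labels: the wildcard does not reach this
        "db-0.other.prod.svc",     # different service: rejected
    ]
    for name, ok in check_peers(SAMPLE_SANS, peers).items():
        print(f"{name:35} {'accepted' if ok else 'rejected'}")
```

    The rejection of `deep.db-0.db.prod.svc` is the point to keep in mind when a workload fronts its pods with an extra DNS level: the operator's wildcard reaches one label below the service name and no further.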
    Control Plane Updates
    PM: Anand Chandramohan
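    RFC 7519 defines `sub` as a StringOrURI: a value without `:` is an opaque string, and any value containing `:` must be a URI. The following added example (not oauth-server code) shows a login path that accepts both forms, as 4.8 now does, while still refusing empty or malformed subjects. The token, issuer and subject values are constructed; the signature segment is a dummy and is not verified here, which a real login flow must do before trusting any claim.

```python
"""Accepting URI-form `sub` claims from an OIDC identity provider.

Added example, not oauth-server code. RFC 7519 defines the `sub` claim as a
StringOrURI: a value with no ':' is an opaque string, and any value that
contains ':' MUST be a URI (RFC 3986). The validator below accepts both
forms, which is the behaviour the slide describes for 4.8, while still
refusing empty or malformed subjects. The token is constructed (header,
claims and a dummy signature segment) purely to exercise the parser;
signature verification is out of scope here and must happen before any of
these claims are trusted.
"""
import base64
import json
import re
from urllib.parse import urlsplit

_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")  # RFC 3986 scheme syntax


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_from_jwt(token: str) -> dict:
    """Decode the claims segment of a compact JWS. No signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.claims.signature)")
    return json.loads(_b64url_decode(parts[1]))


def is_string_or_uri(value) -> bool:
    """RFC 7519 StringOrURI: plain string, or a syntactically valid URI if it has ':'."""
    if not isinstance(value, str) or not value:
        return False
    if ":" not in value:
        return True
    parts = urlsplit(value)
    if not parts.scheme or not _SCHEME_RE.fullmatch(parts.scheme):
        return False                            # e.g. "123:abc" or ":foo"
    return bool(parts.netloc or parts.path)     # needs an authority or an opaque part


def subject_for_login(claims: dict) -> str:
    """Return the subject to key the identity on, or raise if it is unusable."""
    sub = claims.get("sub")
    if not is_string_or_uri(sub):
        raise ValueError(f"rejecting login: sub claim {sub!r} is not a valid StringOrURI")
    return sub


def build_sample_token(sub: str) -> str:
    """Constructed token for the example; the signature segment is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = _b64url_encode(json.dumps({
        "iss": "https://idp.example",       # constructed issuer
        "sub": sub,
        "aud": "openshift",
        "exp": 2000000000,
    }).encode())
    return f"{header}.{claims}.dummy-signature"


if __name__ == "__main__":
    for sub in ["jdoe", "https://idp.example/users/42", "urn:uuid:7c1d", "123:abc", ""]:
        try:
            accepted = subject_for_login(claims_from_jwt(build_sample_token(sub)))
            print(f"{sub!r:35} -> accepted as {accepted!r}")
        except ValueError as err:
            print(f"{sub!r:35} -> {err}")
```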


  36. What's new in OpenShift 4.6
    Improved customization of Audit Config
    PM: Anand Chandramohan
    The Default audit log policy now logs request bodies for OAuth access token creation (login) and deletion (logout)
    requests. Previously, deletion request bodies were not logged.
    Background on the node audit log policy (introduced in OpenShift 4.6)
    Control the amount of information that is logged to the node audit logs by choosing the audit log policy profile to use:
    ● Default: logs only metadata for read and write requests; does not log request bodies except for OAuth access
    token requests. This is the default policy.
    ● WriteRequestBodies: in addition to logging metadata for all requests, logs request bodies for every write request
    to the API servers (create, update, patch). This profile has more resource overhead than the Default profile.
    ● AllRequestBodies: in addition to logging metadata for all requests, logs request bodies for every read and write
    request to the API servers (get, list, create, update, patch). This profile has the most resource overhead.
    The profile is set on the cluster APIServer resource:
    apiVersion: config.openshift.io/v1
    kind: APIServer
    metadata:
      ...
    spec:
      audit:
        profile: WriteRequestBodies
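    What the profile choice means in practice is easiest to see on the events themselves. The following is an added example, not OpenShift code: it parses constructed audit events in the `audit.k8s.io/v1` Event shape (auditID, level, verb, objectRef, user, requestObject) that the API servers write to the node audit logs, counts them by verb and resource, and runs two checks a reviewer of a Default-profile cluster would want: a request body on anything other than an OAuth access token means the profile is not the one you expect, and a token create/delete without a body is the pre-4.8 behaviour the slide describes. Names, token names and IPs in the sample are placeholders.

```python
"""Summarising node audit log events by verb, resource and body presence.

Added example, not OpenShift code. The events are constructed JSON lines
in the Kubernetes audit.k8s.io/v1 Event shape (auditID, level, verb,
objectRef, user, requestObject). Under the Default profile only the OAuth
access token create/delete events should carry a requestObject, so any
other body means the profile is not the one you expect, and a token event
without a body is the pre-4.8 behaviour the slide describes.
"""
import json
from collections import Counter

# Constructed sample; usernames and token names are placeholders, not real cluster data.
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Request",
                "auditID": "a1", "stage": "ResponseComplete", "verb": "create",
                "requestURI": "/apis/oauth.openshift.io/v1/oauthaccesstokens",
                "user": {"username": "system:serviceaccount:openshift-authentication:oauth-openshift"},
                "objectRef": {"resource": "oauthaccesstokens", "apiGroup": "oauth.openshift.io"},
                "requestObject": {"kind": "OAuthAccessToken", "userName": "alice"},
                "responseStatus": {"code": 201}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Request",
                "auditID": "a2", "stage": "ResponseComplete", "verb": "delete",
                "requestURI": "/apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~EXAMPLE",
                "user": {"username": "alice"},
                "objectRef": {"resource": "oauthaccesstokens", "name": "sha256~EXAMPLE",
                              "apiGroup": "oauth.openshift.io"},
                "requestObject": {"kind": "DeleteOptions", "apiVersion": "meta.k8s.io/v1"},
                "responseStatus": {"code": 200}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "auditID": "a3", "stage": "ResponseComplete", "verb": "update",
                "requestURI": "/api/v1/namespaces/prod/secrets/db-creds",
                "user": {"username": "bob"},
                "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
                "responseStatus": {"code": 200}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "auditID": "a4", "stage": "ResponseComplete", "verb": "delete",
                "requestURI": "/apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~OLD",
                "user": {"username": "carol"},
                "objectRef": {"resource": "oauthaccesstokens", "name": "sha256~OLD",
                              "apiGroup": "oauth.openshift.io"},
                "responseStatus": {"code": 200}}),
    "not json at all",   # a corrupt line, to show the parser skips it
]

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def parse_audit_lines(lines):
    """Yield audit events from JSON lines, skipping anything unparsable."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("kind") == "Event" and "verb" in event:
            yield event


def count_by_verb_resource(events):
    """Counter of (verb, resource) pairs: the view every profile gives you."""
    return Counter((e["verb"], e.get("objectRef", {}).get("resource", "-")) for e in events)


def unexpected_bodies_under_default(events):
    """auditIDs carrying a request body although Default only logs OAuth token bodies."""
    return [e["auditID"] for e in events
            if "requestObject" in e
            and e.get("objectRef", {}).get("resource") != "oauthaccesstokens"]


def token_events_missing_body(events):
    """OAuth token write events logged without a body (the pre-4.8 delete behaviour)."""
    return [e["auditID"] for e in events
            if e.get("objectRef", {}).get("resource") == "oauthaccesstokens"
            and e["verb"] in WRITE_VERBS and "requestObject" not in e]


if __name__ == "__main__":
    events = list(parse_audit_lines(SAMPLE_AUDIT_LINES))
    print(count_by_verb_resource(events))
    print("bodies outside OAuth tokens:", unexpected_bodies_under_default(events))
    print("token events without body:", token_events_missing_body(events))
```

    On a real node the input is `/var/log/kube-apiserver/audit.log` and the OAuth token events come from the oauth-apiserver's log; the same functions apply to both.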


  37. What's new in OpenShift 4.6
    Alerts and information on APIs in use that will be removed in the next release
    PM: Anand Chandramohan
    OpenShift Container Platform 4.8 introduces two new alerts that fire when an API that will be removed in the next release is in use:
    ● APIRemovedInNextReleaseInUse - for APIs that will be removed in the next OpenShift Container Platform release.
    ● APIRemovedInNextEUSReleaseInUse - for APIs that will be removed in the next OpenShift Container Platform Extended
    Update Support (EUS) release.
    You can use the new APIRequestCount API to track what is using the deprecated APIs. This allows you to plan whether any actions
    are required in order to upgrade to the next release.
    $ oc get apirequestcount
    NAME                                                 REMOVEDINRELEASE   REQUESTSINCURRENTHOUR   REQUESTSINLAST24H
    alertmanagerconfigs.v1alpha1.monitoring.coreos.com                      19                      21
    alertmanagers.v1.monitoring.coreos.com                                  64                      64
    ingresses.v1beta1.extensions                         1.22               22                      26
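    The table answers "which API" but not "who"; for that you read the per-user breakdown in each object's status. The following is an added example, not OpenShift code: it walks a constructed object in the shape of `oc get apirequestcount -o json` as I understand the `apiserver.openshift.io/v1` status (removedInRelease, requestCount, currentHour and last24h buckets broken down byNode and byUser with username, userAgent and requestCount), lists every API scheduled for removal, and ranks its consumers over the last 24 hours. Treat the exact field names as an assumption to confirm against your cluster; the ingresses row from the slide's table is used as the sample.

```python
"""Finding who is still calling a deprecated API from APIRequestCount objects.

Added example, not OpenShift code. The object below is constructed in the
shape of `oc get apirequestcount -o json` as I understand the
apiserver.openshift.io/v1 status (removedInRelease, requestCount,
currentHour and last24h buckets broken down byNode -> byUser with
username, userAgent and requestCount); treat the exact field names as an
assumption and check them against your cluster.
"""
from collections import Counter


def _bucket(node, users):
    """Build one byNode entry from (username, userAgent, requestCount) tuples."""
    return {"nodeName": node, "requestCount": sum(c for _, _, c in users),
            "byUser": [{"username": u, "userAgent": ua, "requestCount": c} for u, ua, c in users]}


SAMPLE_LIST = {"items": [   # constructed; usernames and agents are placeholders
    {"metadata": {"name": "ingresses.v1beta1.extensions"},
     "status": {"removedInRelease": "1.22", "requestCount": 26,
                "currentHour": {"requestCount": 22, "byNode": [_bucket("master-0", [
                    ("system:serviceaccount:openshift-ingress:router", "openshift-router/4.8", 20),
                    ("alice", "kubectl/v1.21", 2)])]},
                "last24h": [
                    {"requestCount": 22, "byNode": [_bucket("master-0", [
                        ("system:serviceaccount:openshift-ingress:router", "openshift-router/4.8", 20),
                        ("alice", "kubectl/v1.21", 2)])]},
                    {"requestCount": 4, "byNode": [_bucket("master-1", [
                        ("alice", "kubectl/v1.21", 4)])]},
                ]}},
    {"metadata": {"name": "alertmanagers.v1.monitoring.coreos.com"},
     "status": {"requestCount": 64,
                "currentHour": {"requestCount": 64, "byNode": []},
                "last24h": [{"requestCount": 64, "byNode": [_bucket("master-0", [
                    ("system:serviceaccount:openshift-monitoring:prometheus-operator",
                     "prometheus-operator/0.48", 64)])]}]}},
]}


def removed_apis(api_list):
    """(name, release, requests in last 24h) for every API flagged for removal."""
    out = []
    for item in api_list["items"]:
        status = item.get("status", {})
        if status.get("removedInRelease"):
            out.append((item["metadata"]["name"], status["removedInRelease"],
                        status.get("requestCount", 0)))
    return out


def consumers(item):
    """Requests per (username, userAgent), summed over the last24h buckets.

    last24h is assumed to already contain the current hour, so currentHour
    is not added again (that would double count)."""
    totals = Counter()
    for hour in item.get("status", {}).get("last24h", []):
        for node in hour.get("byNode", []):
            for user in node.get("byUser", []):
                totals[(user["username"], user.get("userAgent", ""))] += user.get("requestCount", 0)
    return totals


def removal_report(api_list):
    """Map each API scheduled for removal to its consumers, most active first."""
    by_name = {i["metadata"]["name"]: i for i in api_list["items"]}
    return {name: consumers(by_name[name]).most_common() for name, _, _ in removed_apis(api_list)}


if __name__ == "__main__":
    for name, release, count in removed_apis(SAMPLE_LIST):
        print(f"{name} (removed in {release}, {count} requests in last 24h)")
        for (user, agent), n in removal_report(SAMPLE_LIST)[name]:
            print(f"    {n:5d}  {user}  [{agent}]")
```

    The service-account entry is the one to act on first: a controller or operator calling a removed API blocks the upgrade until it is updated, whereas an interactive kubectl user just needs a newer client.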


  38. What's new in OpenShift 4.8
    Cluster Infrastructure - Use Enhancements
    PM: Duncan Hardie
    ● User defined tags for AWS, useful for
    ○ Cost allocation
    ○ Automation
    ○ Operations support
    ○ Security risk management
    ● Support for Azure DiskEncryptionSets
    ○ Safeguard your data
    ○ Meet organizational security and compliance
    requirements
    ● vSphere autoscaling from zero
    ○ Save on resources when you don’t need them
    ○ Catch up with other cloud providers


  39. Networking & Routing

  40. What's new in OpenShift 4.8
    Ingress / Egress Enhancements
    PM: Marc Curry, Deepthi Dharwar
    Ingress Router (HAProxy)
    HAProxy upgrade to 2.2 LTS:
    ● Performance
    ● Security hardening
    ● Health checks
    ● Observability, debugging and syslog over TCP
    ● SSL/TLS capabilities
    ○ 2048-bit
    ○ Dynamic SSL certificate storage
    HAProxy Customization Enhancements:
    ● Supported HAProxy configuration parameters
    ○ ROUTER_USE_PROXY_PROTOCOL
    ○ ROUTER_BACKEND_PROCESS_ENDPOINTS
    ○ tune.maxrewrite [default = 8192]
    ○ tune.bufsize [default = 32768]
    ● Customizable number of router threads (nbthread)
    Ingress / Egress Updates
    ● IP Failover support (keepalived) for OpenShift HA.
    ● Gateway API Developer Preview
    ○ Ingress unifying technology
    ○ Support for Contour as primary Ingress Controller
    for Gateway API traffic along with HAProxy
    ○ Improved integration with Envoy / Service Mesh
    ● Global Access option for GCP Ingress Internal LB to
    facilitate communication across cross-region shared VPC
    deployments.
    ● EgressIP load-balancing enhancement for
    OpenShiftSDN to spread traffic across cluster nodes
    ○ Removed single node “choke point”
    ○ OVN enhancement in a future version


  41. What's new in OpenShift 4.8
    General Networking Enhancements
    PM: Marc Curry, Deepthi Dharwar
    Network Observability
    ● Flows Tracking and Monitoring for Network Analytics
    ● Added NetFlow/sFlow/IPFIX collector to ovn-kubernetes
    ● A supported way to monitor and analyze flow traffic:
    ○ Monitor traffic in and out of the cluster
    ○ Troubleshoot performance issues
    ○ Capacity planning
    ○ Security audits
    ● Support for enabling audit logging of Network Policy
    Events for regulatory and security policy compliance.
    Hardware Enablement
    SR-IOV NIC Support Enhancements
    ● Mellanox MT28800 Family CX-5 Ex
    ● Intel Columbiaville E810
    ● HPE Ethernet 10Gb 2-port 562SFP+ Adaptor
    DNS
    CoreDNS
    ● Update to v1.8.z
    ● Control openshift-dns Pod Placement
    Migration
    OpenShift SDN to OVN Kubernetes CNI migration
    ● Support for all platforms
    ● IPI and now UPI
    ● Rollback capability
    ● Reboot of all nodes required
    Security
    Audit Logging of Network Policy Events
    ● Optionally audit Network Policy events (accept / deny)
    ● Present to the built-in logging stack and custom Kibana
    dashboards
    ● IDS or post-mortem analysis
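    Network Policy audit events only become useful for IDS or post-mortem work once they are parsed into fields an analyst can aggregate. The following is an added example, not ovn-kubernetes code: it parses constructed lines in the shape of OVN ACL log records (timestamp|seq|acl_log(...)|LEVEL|name="...", verdict=..., severity=...: flow fields) and counts denied flows per policy, source, destination and port. The exact layout on your nodes may differ, so adjust the regular expression; the `<namespace>_<policy>` name convention is an assumption, split on the first underscore because Kubernetes namespace names cannot contain one.

```python
"""Parsing NetworkPolicy audit events emitted by ovn-kubernetes ACL logging.

Added example, not ovn-kubernetes code. The lines are constructed to follow
the shape of OVN ACL log records; the exact layout on your cluster may
differ, so adjust ACL_LINE to what your nodes emit. The name convention
<namespace>_<policy> is an assumption; it is split on the first underscore
because Kubernetes namespace names cannot contain one. Drop/reject verdicts
are aggregated per source/destination/port, the view an analyst wants for a
post-mortem or an IDS feed.
"""
import re
from collections import Counter

ACL_LINE = re.compile(
    r'^(?P<ts>[^|]+)\|(?P<seq>\d+)\|acl_log\([^)]*\)\|(?P<level>\w+)\|'
    r'name="(?P<name>[^"]+)", verdict=(?P<verdict>\w+), severity=(?P<severity>\w+): (?P<flow>.*)$'
)

SAMPLE_LINES = [  # constructed; addresses are placeholders
    '2021-06-13T19:33:11.590Z|00005|acl_log(ovn_pinctrl0)|INFO|name="prod_deny-all", verdict=drop, '
    'severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:39,dl_dst=0a:58:0a:80:02:37,'
    'nw_src=10.128.2.57,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0',
    '2021-06-13T19:33:12.001Z|00006|acl_log(ovn_pinctrl0)|INFO|name="prod_deny-all", verdict=drop, '
    'severity=alert: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:39,dl_dst=0a:58:0a:80:02:37,'
    'nw_src=10.128.2.57,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=51234,tp_dst=8080,tcp_flags=syn',
    '2021-06-13T19:33:12.340Z|00007|acl_log(ovn_pinctrl0)|INFO|name="prod_allow-frontend", verdict=allow, '
    'severity=notice: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:40,dl_dst=0a:58:0a:80:02:37,'
    'nw_src=10.128.2.58,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=40000,tp_dst=8080,tcp_flags=syn',
    'garbage line that is not an ACL record',
]


def parse_acl_line(line):
    """Return a dict of fields for one ACL log line, or None if it does not match."""
    m = ACL_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    fields = rec.pop("flow").split(",")
    rec["proto"] = fields[0]                                   # first flow token is the protocol
    rec.update(f.split("=", 1) for f in fields[1:] if "=" in f)  # nw_src=..., tp_dst=..., ...
    ns, _, policy = rec["name"].partition("_")                 # assumed <namespace>_<policy>
    rec["namespace"], rec["policy"] = ns, policy
    return rec


def parse_acl_log(lines):
    """Parse every line that is an ACL record; other lines are ignored."""
    return [r for r in map(parse_acl_line, lines) if r]


def denied_flows(records):
    """Counter of (namespace, policy, src, dst, proto, dst port) for drop/reject verdicts."""
    return Counter(
        (r["namespace"], r["policy"], r.get("nw_src", "-"), r.get("nw_dst", "-"),
         r["proto"], r.get("tp_dst", "-"))
        for r in records if r["verdict"] in ("drop", "reject")
    )


if __name__ == "__main__":
    for key, n in denied_flows(parse_acl_log(SAMPLE_LINES)).most_common():
        ns, policy, src, dst, proto, port = key
        print(f"{n:4d}  {ns}/{policy}  {src} -> {dst}  {proto}/{port}")
```

    Repeated drops from one source against many destination ports under the same policy is the pattern worth alerting on; a single drop is usually a misconfigured client.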


  42. Specialized Workloads

  43. What's new in OpenShift 4.8
    NIC sharing and guaranteed bandwidth
    PM: Franck Baudin
    Leverage OVS QoS capabilities to effectively share NICs between:
    ● worker host networking (kubelet, cri-o, ...)
    ● Default CNI (OVN)
    ● Multus secondary interfaces
    [Diagram: a CoreOS host (kubelet, cri-o, ...) and containers container-0 through container-m share one NIC. The PF is attached to br-ex with Min/Max Ingress/Egress QoS; VF0, VF1 ... VFn are attached to container interfaces (eth0, net0, net1) with Min/Max Egress QoS.]


  44. What's new in OpenShift 4.8
    Performance Profile Creator
    PM: Franck Baudin
    Problem statement:
    ● Performance Add On (PAO) configuration is complex
    ● One PAO profile per type of worker node hardware is necessary (grouped under one MCP)
    Solution: collect must-gather and run-performance-profile-creator.sh
    --disable-ht                         Disable Hyperthreading
    --mcp-name string                    MCP name corresponding to the target machines (required)
    --power-consumption-mode string      The power consumption mode.
                                         [Values: default, low-latency, ultra-low-latency] (default "default")
    --profile-name string                Name of the performance profile to be created (default "performance")
    --reserved-cpu-count int             Number of reserved CPUs (required)
    --rt-kernel                          Enable Real Time Kernel (required) (default true)
    --split-reserved-cpus-across-numa    Split the Reserved CPUs across NUMA nodes
    --topology-manager-policy string     Kubelet Topology Manager Policy of the performance profile to be created
    [...]
    Upstream demo and documentation


  45. OpenShift Virtualization
    PM: Peter Lauterbach
    Enhanced storage capabilities
    ● Instant storage cloning golden-image VMs across projects
    ● Improved VM provisioning with storage profiles
    automating the best storage type and access mode.
    Handle compute intensive workloads
    ● Accelerate compute intensive AI/ML and
    rendering workloads with GPU support
    Easier operations
    ● Better observability for memory, network, and storage
    ● Live Migration for VMs with SR-IOV
    Learn more at Red Hat Summit
    ● Lockheed Martin Takes Flight
    with Amazing Superpowers
    VMs + Dev Pipelines + GitOps
    ● Ask the experts about
    OpenShift Virtualization
    Expertise from Eng, Tech Marketing,
    Product Management
    Modernized workloads, support mixed applications with VMs, containers, and serverless


  46. What's new in OpenShift 4.8
    VM Migration GA
    PM: Miguel Pérez Colino
    Migration Toolkit for Virtualization 2.0 GA
    ● Easy to use UI
    ● Mass migration of VMs from VMware to OpenShift
    ● VM data pre-copied before shutdown (Warm
    Migration)
    ● VM validation service (Tech Preview)
    ○ Run checks on VM configuration to avoid
    migration issues
    ● Parallelized VM conversion
    ○ Maximize throughput
    ● Migration Network Selection
    ○ Avoid impact on other running workloads


  47. What's new in OpenShift 4.8
    NVIDIA Multi-instance GPU (MIG)
    PM: Erwan Gallen
    ● Optimize GPU utilization and cost
    ● Supported with GPU Operator 1.7+ and OCP 4.6/4.7/4.8
    ● Supported by the NVIDIA A30 and NVIDIA A100 GPU accelerators.
    ● MIG partitions a single NVIDIA A100 GPU into up to seven
    independent GPU instances with guaranteed Quality of Service.
    ● MIG speeds up both development and deployment of AI models
    ● Small GPU instances are good for Notebooks and the biggest instances
    for training
    ● Advertisement strategy: single (homogeneous) or mixed
    (heterogeneous, diagram example)
    [Diagram: MIG enablement with OpenShift. A bare metal server running Red Hat OpenShift Container Platform exposes one A100 partitioned into seven GPU + GPU memory slices (1 to 7); pods with GPUs are scheduled onto a mixed layout of 1g.5gb and 2g.10gb instances.]
    Profiles example for the A100-40GB:
    MIG device name   Max. number of GPU instances   Fraction of Streaming Multiprocessors   Fraction of memory   Target workload
    1g.5gb            7                              1/7                                     1/8 = 5 GB           Jupyter Notebooks, development, model tuning, inference, light HPC
    2g.10gb           3                              2/7                                     2/8 = 10 GB          Inference, light HPC
    3g.20gb           2                              3/7                                     4/8 = 20 GB          Light training, inference, HPC
    7g.40gb           1                              7/7                                     8/8 = 40 GB          Training, HPC


  48. Quay

  49. What's new in OpenShift 4.8
    Bootstrap registry for disconnected clusters
    Solving the chicken-egg problem for mirroring OCP content
    PM: Daniel Messer
    ▸ We prefer customers to run Quay on top of OCP
    ▸ But: disconnected clusters need a registry to store
    OCP release images and Operators before
    deployment
    ▸ Solution: a quick install variant of Quay helping
    customers to get a mirror registry up and running
    quickly; mirroring is carried out via oc
    ▸ Local all-in-one Quay instance on RHEL provided at
    no additional cost* as part of every OCP subscription
    ▸ Released after 4.8 GA, supported on RHEL 8,
    downloadable as a binary from OCP mirror
    $ quay-install --all-in-one
    * restricted to the use case of OpenShift payload mirroring, not
    general purpose container image storage
    [Diagram: an Online Mirror (OCP Payload + OperatorHub + Samples) feeds either a Production/Infra Cluster directly, or, across an air gap, an Air-gapped Mirror (OCP Payload + OperatorHub + Samples).]


  50. What's new in OpenShift 4.8
    Nested repository support
    Simplifying mass-mirroring and organization of registry content
    PM: Daniel Messer
    ▸ Audience: Quay user / OpenShift administrator
    ▸ Use Cases:
    ・ Mirror content of multiple upstream registries
    into a single Quay* organization
    ・ Organize images into “subfolders” inside a single
    Quay organization
    ▸ Benefit: Eases skopeo mass mirroring, OpenShift
    Operator catalog mirroring
    ▸ Caveat: no hierarchical permission management
    Regular container image reference:
    quay.local/organization/repository:tag
    Nested container image references:
    quay.local/organization/collection/repository:tag
    quay.local/organization/folder/v1/repository:tag
    quay.local/ocp/v4/redhat-pipelines/operator:v4.9
    quay.local/ocp/v4/redhat-pipelines/tekton:v4.9
    * available in Quay 3.6 past OCP 4.8 GA, quay.io
    will get this towards the end of 2021
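    Tooling that mirrors into the nested layout shown above has to take references apart correctly, including the cases that trip naive string splitting (a registry with a port, a digest instead of a tag). The following is an added example, not Quay code: it parses a reference into registry, organization, nested path, repository and tag or digest, and shows one possible layout for the "multiple upstream registries into one organization" use case by nesting each image under its upstream registry name. The caveat on the slide carries through: the nested path is part of the repository name, not a permission boundary, so `organization` is the only level where Quay permissions attach.

```python
"""Parsing nested Quay image references.

Added example, not Quay code. Splits a reference into registry,
organization, nested path, repository and tag or digest. The registry is
recognised the way container tools do it: the first path component is a
host only if it contains a '.' or ':' or is 'localhost'. nested_destination
is one possible mirroring layout, not a Quay convention.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ImageRef:
    registry: str
    organization: str
    nested: List[str]          # "subfolders" between organization and repository
    repository: str
    tag: Optional[str] = None
    digest: Optional[str] = None

    @property
    def full_repository(self) -> str:
        """The repository name Quay sees; nesting is just part of this string."""
        return "/".join([self.organization, *self.nested, self.repository])

    @property
    def is_nested(self) -> bool:
        return bool(self.nested)


def parse_reference(ref: str) -> ImageRef:
    """Parse registry/organization[/folder...]/repository[:tag][@digest]."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:                 # a ':' after the last '/' is a tag, not a port
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    looks_like_host = "." in parts[0] or ":" in parts[0] or parts[0] == "localhost"
    if len(parts) < 3 or not looks_like_host:
        raise ValueError(f"expected registry/organization/.../repository, got {ref!r}")
    return ImageRef(parts[0], parts[1], parts[2:-1], parts[-1], tag, digest)


def nested_destination(upstream: str, registry: str, organization: str) -> str:
    """One possible layout for mirroring several upstream registries into one
    Quay organization: nest each image under its upstream registry name."""
    src = parse_reference(upstream)
    path = "/".join([registry, organization, src.registry, src.organization,
                     *src.nested, src.repository])
    if src.digest:
        return f"{path}@{src.digest}"
    return f"{path}:{src.tag}" if src.tag else path


if __name__ == "__main__":
    for ref in ["quay.local/organization/repository:tag",
                "quay.local/ocp/v4/redhat-pipelines/operator:v4.9",
                "quay.local:8443/organization/repository"]:
        parsed = parse_reference(ref)
        print(f"{ref:55} org={parsed.organization} nested={parsed.nested} "
              f"repo={parsed.repository} tag={parsed.tag}")
    print(nested_destination("registry.redhat.io/openshift4/ose-cli:v4.8", "quay.local", "mirror"))
```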


  51. RHEL CoreOS

  52. What's new in OpenShift 4.8
    RHCOS 4.8
    PM: Mark Russell
    - RHEL 8.4 kernel and user space
    - Butane (formerly Fedora CoreOS Config Transpiler, FCCT) translates human readable Butane
    Configs into more complex MachineConfigs and Ignition configs. It also helps catch
    MachineConfig spec errors.
    variant: openshift
    version: 4.8.0
    metadata:
      name: create-etc-sample
      labels:
        machineconfiguration.openshift.io/role: worker
    storage:
      files:
        - path: /etc/sampleconf.d/99-mysetting
          contents:
            inline: |
              key=pair
              genre=experimental
    BUTANE FEATURES
    ● Simpler inlining of config files (see above)
    ● Consolidated workflow for complex storage
    scenarios (LUKS TPM, LUKS Tang, boot
    mirroring)
    ● Ability to import directory trees of files


  53. Storage

  54. What's new in OpenShift 4.8
    OpenShift Storage - Journey to CSI
    PM: Duncan Hardie
    ● CSI Migration - allow easy move from using existing
    in-tree drivers to new CSI drivers
    ○ OpenStack Cinder (Tech Preview)
    ○ AWS EBS (Tech Preview)
    ● CSI Operators - pluggable, better upgrade, more
    functionality
    ○ GCE Disk (GA)
    ○ Azure Disk (Tech Preview)
    ○ vSphere (Tech preview)
    ● Other
    ○ AWS Storage user defined tags
    CSI Operators
    Operator target     Migration       Driver
    OpenStack Cinder    Tech Preview    Tech Preview
    AWS EBS             Tech Preview    Tech Preview
    GCE Disk            -               GA
    Azure Disk          -               Tech Preview
    vSphere             -               Tech preview
    Remember: support for all of the above is currently available via
    in-tree drivers


  55. What's new in OpenShift 4.8
    OpenShift Data Foundation
    PM: Eran Tamir
    ● Data protection
    ○ Metro-DR Stretch (2 DC)
    ○ Regional DR (Dev Preview)
    ○ Cluster wide encryption and PV encryption
    ● Compact mode
    ● Flexibility in components deployment
    ● Multus support
    ● Free MCG for Quay
    ● Data Segregation per hosts group (Dev Preview)
    Out of the box support: Block, File, Object
    Platforms:
    ● AWS/Azure
    ● Google Cloud (Tech Preview)
    ● ARO - Self managed OCS
    ● IBM ROKS & Satellite - Managed OCS (Tech preview)
    ● RHV
    ● OSP (Tech Preview)
    ● Bare metal/IBM Z/Power
    ● VMWare Thin/Thick IPI/UPI
    Deployment modes: Disconnected environment and Proxied environments


  56. Multi-Architecture

  57. What's new in OpenShift 4.8
    Multi-Architecture
    PM: Duncan Hardie
    Supported
    ● OpenShift Core (CVO Operators)
    ● UPI installer
    ● OVS/OVN (networking)
    ● RHEL7 Based container support
    ● RHEL CoreOS (host nodes)
    ● Ansible Engine
    ● Red Hat Software Collections
    ● AdoptOpenJDK with OpenJ9
    ● Single Sign-On
    Extra content ported
    ● OpenShift Cluster Monitoring (Prometheus, Grafana)
    ● Node Tuning Operator
    ● OpenShift Jenkins
    ● OpenShift Logging (Elasticsearch, Kibana)
    ● Machine Configuration Operator (used in IPI installs)
    ● Node Feature Discovery Operator
    ● Red Hat Runtimes
    ● Odo
    ● CodeReady Workspaces
    ● OpenShift Container Storage
    ● IBM Power and IBM Z Features
    ○ Cluster log forwarding - choose other log aggregators
    ○ Converged 3-node cluster - make more use of control plane (important for Z)
    ○ Encryption of data store for etcd - best security practice
    ● New for IBM Z only
    ○ 4K FCP Disk Support - finish off the choice of storage you can use
    ● New for IBM Power only
    ○ Multus Plugins (SR-IOV) - present multiple devices and gain more performance


  58. Advanced Cluster Security

  59. What's new in OpenShift 4.8
    Designed for OpenShift Security
    PM: Jamie Scott
    Increasing the credibility of your security program as
    a Red Hat Certified Vulnerability Scanner
    ● Reduce program costs by reducing false positives
    improving fix data quality and applying the
    appropriate severity for Red Hat packages
    Improving visibility into industry standard OpenShift
    security configurations for security and compliance
    ● Measure and report on compliance status across your
    clusters
    ● Report on opportunities to improve security posture
    Aligning with the OpenShift experience
    ● Accelerate operationalization of security use
    cases with a new operator
    ● Create a consistent user interface experience
    3 week release cycles accelerate time to customer value


  60. Advanced Cluster Management

  61. What's new in OpenShift 4.8
    Red Hat Advanced Cluster Management for Kubernetes
    What’s new in RHACM 2.3
    Product Managers: Jeff Brent, Scott Berens, Bradd Weidenbenner, Christian Stark
    Enhanced Multi-Cluster Deployments
    ● UI Refresh, in line with the OCP UI look and feel
    ● Import and manage Red Hat OpenShift on Amazon
    (ROSA) & OpenShift IBM Power
    ● ACM Hub on IBM Power - TechPreview
    ● Provision OCP on Red Hat OpenStack
    ● Expanded Cluster Lifecycle Support
    ○ ClusterPools - TechPreview
    ○ Hibernate and Resume Clusters / Cluster Pools
    ○ Worker Pool Scale Up / Down - TechPreview
    ● ClusterSets to help group clusters and assign RBAC
    permissions - TechPreview
    ● UI Support for Submariner deployment and
    configuration - TechPreview
    ● Discover & Import Clusters from cloud.redhat.com
    (OCM) - TechPreview
    ● Update cluster version channels on managed clusters
    to allow easier OCP upgrades


  62. What's new in OpenShift 4.8
    Red Hat Advanced Cluster Management for Kubernetes
    What’s new in RHACM 2.3
    Expand Portfolio and Embrace Open Source
    ● RHACM is now Fully Open Source
    ○ http://open-cluster-management.io/
    ● Red Hat Ansible Integration is now GA
    ○ Cluster Lifecycle pre/post hook
    ○ Governance Risk and Compliance (GRC)
    ■ Trigger remediation based on
    policy violations
    ■ Run once, or continuously
    ○ Application Lifecycle pre/post hook
    ● RH OpenShift GitOps (Argo CD) full integration
    with Application Lifecycle
    ● More GRC policies!
    ○ Operator Install Policy - Black Duck Operator
    ○ FIPS Policy
    ○ Policy to install Scribe (data replication)
    ○ And many more. Available in GitHub Repo
    Product Managers: Jeff Brent, Scott Berens, Bradd Weidenbenner, Christian Stark


  63. What's new in OpenShift 4.8
    Red Hat Advanced Cluster Management for Kubernetes
    What’s new in RHACM 2.3
    Multi-Cluster Observability
    ● CCX Insights Integration with cloud.redhat.com
    (Customer Connected eXperience)
    ● Advanced configuration for long term metrics
    ● Automatically configure Alert Forwarding from
    Managed Clusters to the ACM Hub Cluster
    ● Recording Rules support for Customized Metrics
    Product Managers: Jeff Brent, Scott Berens, Bradd Weidenbenner, Christian Stark


  64. Cost Management for Red Hat OpenShift

  65. New features in Cost management for OpenShift
    ● New navigation
    ○ Cost management is now accessible from OCM
    ● Google Cloud as a new source
    ○ Add your GCP sources to cost management
    ○ OCP on GCP still being developed
    ● New view (cost explorer)
    ○ View your data grouped by different concepts,
    in time
    ○ Line items for the reports readily available
    ● Child accounts in AWS
    ○ You no longer need to provide the parent
    account for cost management, if your account
    can provide CUR files
    ○ Refine what data is shared with cost
    management
    PM: Sergio Ocón-Cárdenas


  66. New features in Cost management for OpenShift
    PM: Sergio Ocón-Cárdenas
    ● Certified Operator
    ○ Now it is possible to use the certified
    version of the operator
    ○ You can install both in parallel to upgrade
    ● Improvements in performance
    ○ New big data processing for better UX
    ● Integration to OpenShift Cluster Manager
    ○ Now you can see your cluster costs in OCM
                   Certified Operator                  Koku metrics operator
    Naming         Cost management metrics operator    Cost management metrics operator
    Support        Supported by Red Hat                Upstream (community support)
    Location       In Cluster Operator Hub             In Cluster Operator Hub
    Availability   Today                               Today


  67. Observability

  68. What's new in OpenShift 4.8
    New enhancement inside the OpenShift Console
    PM: Christian Heidenreich
    Enhanced capabilities to improve working with the
    OpenShift Console Monitoring dashboards
    ● Group dependent charts in various dashboards
    together.
    ● New “All” drop down option on various charts that
    support that to show multiple data points in one
    view.
    ● Zoom into individual charts and all other charts
    update automatically.
    ● Allow filtering for absolute time ranges instead of
    using relative ranges.
    ● Display dashboard labels to better identify which
    group a single dashboard belongs to.
    ● Show colour mapping on single value charts, if
    available.
    Note: Alertmanager + Grafana link is not available
    anymore through the UI. Users can still use the Route.


  69. What's new in OpenShift 4.8
    New features in Logging for OpenShift
    Available with OpenShift Logging 5.1 (mid-July)
    PM: Christian Heidenreich
    ● Increase discoverability of critical logs by
    parsing JSON logs into objects so that users can
    query by individual fields.
    ○ Configure what container logs you want to
    parse and forward to either a third party
    solution or our managed Elasticsearch.
    ○ Red Hat’s Elasticsearch stores JSON logs
    into individual indices per defined schema to
    reduce possible field explosion scenarios.
    ○ Query individual fields via Kibana.
    ● More flexibility to select and filter certain logs to
    forward.
    ○ Extend our Log Forwarding API to allow
    users to select and forward certain logs
    based on any pod label.
    apiVersion: logging.openshift.io/v1
    kind: ClusterLogForwarder
    metadata:
      name: instance
      namespace: openshift-logging
    spec:
      pipelines:
        # Define a pipeline to match what logs should be parsed into JSON
        - inputRefs: [ myAppLogData ]
          outputRefs: [ default ]
          parse: json
      inputs:
        # Only select logs from pods that match "app: nginx"
        - name: myAppLogData
          application:
            selector:
              matchLabels:
                app: nginx
      outputDefaults:
        # Configure our managed Elasticsearch to index JSON records based on the label "app"
        elasticsearch:
          structuredTypeKey: kubernetes.labels.app
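    To see what this pipeline does to individual records, the following added example (not OpenShift Logging code) runs the same intent over constructed collector records: a raw `message` string plus `kubernetes` metadata with pod labels. It selects pods labelled `app: nginx`, parses JSON messages into a `structured` object, and derives the Elasticsearch index from the label named by `structuredTypeKey`. The `app-<type>-write` index naming, the `app-write` index for unstructured records and the `nologformat` fallback are assumptions about the managed Elasticsearch, not something the slide states. A non-JSON line from a selected pod is kept as plain text rather than dropped, which is the failure mode to test for before enabling `parse: json` on a noisy application.

```python
"""What `parse: json` plus a pod-label selector do to forwarded records.

Added example, not OpenShift Logging code. Records are constructed in the
shape a collector hands to the forwarder. The index naming app-<type>-write,
the app-write index for unstructured records and the nologformat fallback
are assumptions about the managed Elasticsearch.
"""
import json

SAMPLE_RECORDS = [  # constructed; the messages and pod names are placeholders
    {"message": '{"level":"info","status":200,"path":"/healthz","client":"10.0.0.5"}',
     "kubernetes": {"namespace_name": "web", "pod_name": "nginx-1", "labels": {"app": "nginx"}}},
    {"message": '{"level":"warn","status":401,"path":"/admin","client":"10.0.0.9"}',
     "kubernetes": {"namespace_name": "web", "pod_name": "nginx-2", "labels": {"app": "nginx"}}},
    {"message": "2021/06/24 10:00:00 [notice] worker process started",   # not JSON
     "kubernetes": {"namespace_name": "web", "pod_name": "nginx-1", "labels": {"app": "nginx"}}},
    {"message": '{"msg":"should not be selected"}',
     "kubernetes": {"namespace_name": "web", "pod_name": "api-1", "labels": {"app": "api"}}},
]

PIPELINE = {  # same intent as the ClusterLogForwarder above
    "selector": {"app": "nginx"},
    "parse": "json",
    "structuredTypeKey": "kubernetes.labels.app",
    "structuredTypeName": "nologformat",   # assumed fallback when the key is absent
}


def matches_selector(record, match_labels):
    """matchLabels semantics: every listed label must be present with that value."""
    labels = record.get("kubernetes", {}).get("labels", {})
    return all(labels.get(k) == v for k, v in match_labels.items())


def parse_json_message(record):
    """Attach `structured` when the message is a JSON object; otherwise leave the record as-is."""
    try:
        obj = json.loads(record["message"])
    except (json.JSONDecodeError, TypeError, KeyError):
        return record
    if isinstance(obj, dict):
        return {**record, "structured": obj}
    return record   # a JSON scalar or array is not a structured log record


def lookup(record, dotted):
    """Resolve a dotted path such as kubernetes.labels.app inside a record."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def index_for(record, pipeline):
    """Structured records go to app-<structuredTypeKey value>-write; others to app-write (assumed)."""
    if "structured" not in record:
        return "app-write"
    type_name = lookup(record, pipeline["structuredTypeKey"]) or pipeline["structuredTypeName"]
    return f"app-{type_name}-write"


def run_pipeline(records, pipeline):
    """Return (index, record) pairs for every record the pipeline selects."""
    out = []
    for rec in records:
        if not matches_selector(rec, pipeline["selector"]):
            continue
        if pipeline.get("parse") == "json":
            rec = parse_json_message(rec)
        out.append((index_for(rec, pipeline), rec))
    return out


if __name__ == "__main__":
    for index, rec in run_pipeline(SAMPLE_RECORDS, PIPELINE):
        kind = "structured" if "structured" in rec else "plain text"
        print(f"{index:18} {rec['kubernetes']['pod_name']:10} {kind}")
```

    Keying the index on a pod label rather than on the message content is what keeps one application's field names from colliding with another's in the same index, the field explosion the slide refers to.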


  70. linkedin.com/company/red-hat
    youtube.com/user/RedHatVideos
    facebook.com/redhatinc
    twitter.com/RedHat
    Red Hat is the world’s leading provider of enterprise
    open source software solutions. Award-winning
    support, training, and consulting services make
    Red Hat a trusted adviser to the Fortune 500.
    Thank you
