What's Next in OpenShift (Q2 CY2023)

What’s Next in OpenShift
Q2CY2023
OpenShift Product Management
1
View the recording at: https://www.youtube.com/live/fa-3uKYS5CU
Previous sessions: https://red.ht/nextandnew

View Slide

Red Hat Enterprise Linux
Red Hat OpenShift
Taking a hybrid cloud approach
Management and automation systems
Private cloud
Virtual Public cloud
Bare metal Edge
Development tools
Traditional
N-tier apps
Cloud-native
microservices
Data, analytics,
and AI/ML
ISV packaged
apps

View Slide

What's Next in OpenShift Q2CY2023
IDC Survey of 200 US-based $1B companies actively using two
or more “infrastructure clouds” for production applications
81%
Challenges with Hybrid Cloud Management
3
Source:
IDC Multicloud Management Survey, 2019: Special Study, Doc # US45020919, April 2019
*IDC Survey of 200 US-based $1B companies actively using two or more “infrastructure clouds” for production applications
As organizations deploy more clusters
across multiple clouds, new challenges
arise.
▸ Difficult and error prone
to manage at scale
▸ Inconsistent security controls
across environments
▸ Overwhelming to verify
components, configurations,
policies, and compliance
Using multiple infrastructure clouds*
93%
Using multiple public clouds and
one or more private/dedicated
clouds*

View Slide

Reality of enterprise IT environments
Mixed infrastructure environments, diverse app portfolios, & limited automation
Source: Red Hat detail. “The State of Enterprise Open Source,” Feb. 2021.
People & Processes
Applications
Cloud-native and
microservices
AI/ML Analytics Serverless
Infrastructure
Bare metal Virtualization Edge
Private cloud Public cloud Java™ .Net
ISV
Developer
tools
Pipeline and
processes
People and
policies
The right
skills

View Slide

CONFIDENTIAL designator
• Service mesh | Serverless
• Builds | CI/CD pipelines
• GitOps | Distributed Tracing
• Log management
• Cost management
• Languages and runtimes
• API management
• Integration
• Messaging
• Process automation
• Databases | Cache
• Data ingest and preparation
• Data analytics
• AI/ML
• Developer CLI
• Kubernetes-native IDE
• Kubernetes on laptop
• Plugins and extensions
Developer services
Developer productivity
Kubernetes cluster services
Install | Over-the-air updates | Networking | Ingress | Storage | Monitoring | Log forwarding | Registry | Authorization | Containers | VMs | Operators | Helm
Linux (container host operating system)
Kubernetes (orchestration)
Physical Virtual Private cloud Public cloud Edge
Cluster security Global registry
Multicluster management
Data services*
Data-driven insights
Application services*
Build cloud-native apps
Platform services
Manage workloads
* Red Hat OpenShift® includes supported runtimes for popular languages/frameworks/databases. Additional capabilities listed are from the Red Hat Application Services and Red Hat Data Services portfolios.
** Disaster recovery, volume and multicloud encryption, key management service, and support for multiple clusters and off-cluster workloads requires OpenShift Data Foundation Advanced
Observability | Discovery | Policy | Compliance |
Configuration | Workloads
Image management | Security scanning |
Geo-replication Mirroring | Image builds
Declarative security | Container vulnerability
management | Network segmentation |
Threat detection and response
RWO, RWX, Object | Efficiency |
Performance | Security | Backup |
DR Multicloud gateway
Cluster data management
5
Red Hat Hybrid Cloud Platform

View Slide

6
Red Hat OpenShift
Available as self-managed platform or fully managed cloud service
Red Hat OpenShift Dedicated2
Red Hat OpenShift
service on
Amazon Web Services1
Microsoft Azure
Red Hat OpenShift
Red Hat OpenShift on
IBM Cloud1
Managed Red Hat OpenShift services
Self-managed Red Hat OpenShift
On public cloud, or on-premises on
physical or virtual infrastructure3
Source:
2 Red Hat managed service running on user-supplied GCP infrastructure
3 See docs.openshift.com for supported infrastructure options and configurations
Start quickly, we manage it for
you
Cloud managed
You manage it, for control and
flexibility
Customer managed

View Slide

Software supply chain
security
7
Edge computing with Red Hat OpenShift
What’s Next in OpenShift Q2CY2023

View Slide

Software supply chain attacks:
a matter of when, not if
Ransom paid but a mere fraction to the overall
downtime and recovery costs of a data breach
Red Hat Trusted Software Supply Chain
742% 45%
1 in 5
average annual increase in
software supply chain
attacks over the past 3 years1
of organizations worldwide
will experience supply
chain attacks by 20252
data breaches are due
to a software supply
chain compromise3
71%
YoY increase in cost
of average ransom
payment4
[1] State of the Software Supply Chain | [2] 7 Top Trends in Cybersecurity for 2022 | [3] Cost of a Data Breach 2022 - IBM Report | [4] Average Ransom Payment Up 71% This Year, Approaches $1 Million |

View Slide

9
Source: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Sec. 2. Removing Barriers to Sharing Threat Information.
(vii) providing a purchaser a Software Bill of Materials
(SBOM) for each product directly or by publishing it on a
public website;
Sec. 2. Removing Barriers to Sharing Threat Information.
(f) Within 60 days of the date of this order, the Secretary of
Commerce, in coordination with the Assistant Secretary for
Communications and Information and the Administrator of
the National Telecommunications and Information
Administration, shall publish minimum elements for an SBOM.
Software supply chain security
Executive Order on Improving The Nation’s Cybersecurity
May 12, 2021

View Slide

10
Software Supply Chain Security with Openshift
Supply Chain Security
Development
Staging
Production
> >
Build Test Quality Security Signing Provenance Compliance Continuous Delivery
Productivity

View Slide

▸ Pipelines As Code
● Integration with Enterprise Contract policy and
Tekton Chains
● Validation of signatures on PR
▸ Security tasks/pipelines hosting with
Red Hat Tekton Catalog
▸ Leverage k8s User Namespace to
mitigate running PipelineRuns with
elevated privileges
Product Manager: Koustav Saha, Harriet Lawrence
▸ Tenant isolation
▸ Certificate management improvements
▸ ESO and SSCSID integration evaluation
▸ Manifest signing support
CI/CD & GitOps
OpenShift Pipelines OpenShift GitOps
11

View Slide

12
Red Hat Quay & Quay.io
Hybrid Cloud and OpenShift Platform Plus
Product Manager: Daniel Messer, Quiana Berry
Increased CVE reporting coverage
Support for NodeJS, RubyGem and Golang via Quay’s static
security analysis of container images (Clair) adopting OSV.dev
Richer and more accurate CVE findings
CSAF and VEX support in Clair
Security artifacts linked to images
Linking SBOMs, attestations and signatures to registry images
for easy discovery and mirroring via OCI 1.1 (referrers API)
Integration into Trusted Application
Pipelines
RHTAP customers and users will have their own place in Quay.io

View Slide

13
Red Hat Trusted Application Pipeline (RHTAP)
▸ Secure, SLSA level 3 container application builds in minutes
▸ Signed attestations generated by Tekton Chains
▸ Auto-generated Software-Bill-of-Materials (SBOM)
▸ Automated QE testing with Github integration
▸ Gitops powered deployment with no gitops experience
necessary
▸ Policy-as-code features provide security guardrails across
pipelines
Try now: https://red.ht/trusted
Build
Image
Scanning
Deployment
Gates
Artifact
Building
Image
Building
New

View Slide

14
Near term
● Self service workspace creation, user
management and RBAC
● Support for building and testing operators
● User can add more environments
● Control for promotion order and strategy
between environments
● Easier setup from bring-your-own-cluster
environments
Longer Term
● Explore single-tenant deployments
● More language support for hermetic
builds
● Advanced release strategies (blue/green,
canary deployments, etc.)
RHTAP Roadmap on Supply Chain Security

View Slide

15
Red Hat Advanced Cluster Security Cloud Service (RHACSCS)
Integration into Red Hat Trusted Application Pipeline (RHTAP)
▸ Scan images with RHACS OpenShift Pipelines (Tekton) tasks
▸ Detect and respond to suspicious activity at runtime
▸ Runtime vulnerability scanning and management
▸ Audit for compliance across hundreds of controls
▸ Expedite incident response to reduce down times
▸ Visualize allowed versus active network traffic
Build Monitor
Image
Scanning
Deployment
Gates
Artifact
Building
Image
Building
OSS
Risk
Profiles
Images
Containers
Clusters
Network
Protecting cloud-native apps across
full lifecycle - Build, Deploy & Run
New

View Slide

Multicluster management,
governance and security
16
Edge computing with Red Hat OpenShift

View Slide

Enhancements in workload
right-sizing and fine-grained
RBAC provide platform
engineers with the necessary
tools to reduce cap-ex and
quickly deliver new dev-ex.
17
Red Hat Advanced Cluster Management
Use policies to harden cluster
security.
Store compliance history.
Advanced features with
templatized policies and
progressive policy rollouts.
Governance
Consistency at scale for edge
use cases across all verticals
from telco to retail, industrial,
and healthcare. Leverage API/
CLI/UI methods to standardize
cluster and application
lifecycle everywhere.
Scale
Observability
Product Manager: Jeff Brent, Bradd Weidenbenner, Sho Weimer, Scott Berens, Christian Stark
Protect your investment Embrace growth
Unified Kubernetes experience

View Slide

Fleet Observability and Governance
Red Hat Advanced Cluster Management for Kubernetes
18
Fleet Observability supports app developers, central
operations and platform engineering teams delivering
across a variety of needs:
● Application Developer: needs Fine-grained RBAC
● Platform Engineering: needs Capacity Management
● Central Operations: needs Fleet Alert Trends
● Global Hub: Aggregate management cross domains
Product Manager: Jeff Brent, Bradd Weidenbenner, Sho Weimer, Scott Berens, Christian Stark
Fleet Governance incorporates security compliance
and enforcement across clusters:
● Advanced Compliance History for policies
● Tighter integration with TALM for selective policy
enforcement in high scale fleet management
● Enhanced policy based OLM Integration
● Out of the box policies for the OpenShift Security
Guide

View Slide

19
Red Hat Advanced Cluster Security for Kubernetes
● Vulnerability scanning support for images
stored in mirror registries to support OpenShift
customers using mirror registries, mostly in
air-gapped environments
● One consolidated Clair v4 scanner across Red
Hat products (ACS & Quay) ensures accurate
and consistent scan results.
● Mapping OCP to ACS RBAC Supporting direct
mapping of RBAC from OCP into ACS for faster
user onboarding
● Reuse collections defined across the platform in
views and filters.
Unified
Experience
Increase Return on Investment
Product Managers: Shubha Badve, Doron Caspin, Boaz Michael, Kirsten Newcomer, Maria Simon Marcos Anjali Telang

View Slide

20
● Downloadable reports for vulnerability
management
● GitOps approach managing ACS policies.
● Ensure your workloads meet networking guardrails
defined by your organization with network
system policies.
● Namespace scoped ACS workflows Supporting
namespace-admin compatible workflows in ACS
● Focus attention on riskier deployments for
remediation with heat maps in network graph.
Security
Everywhere
Reduce security risk

View Slide

21
● CO-RE BPF as a new runtime collection allows
to run ACS secured cluster on a wider set of
Linux OS kernels.
● ACS secured cluster on IBM ROKS/RHOIC.
● Auto-renewal of Internal Certificates eases
meeting compliance and security requirements
for customers
● Manage and schedule Compliance Operator
scans with RHACS. Store historical compliance
data. Easily product compliance reports for
auditors.
Platform
Consistency
Reduce complexity

View Slide

Red Hat Cloud Services
22

View Slide

Red Hat OpenShift
cloud services
A turnkey application platform with
management and support from
Red Hat and leading cloud
providers
Focus on innovation
Simplify operations so your teams can refocus
on innovation, not managing infrastructure.
Operational efficiency
Enhance operational consistency, efficiency and
security with proactive management and support.
Accelerate time to value
Quickly build, deploy, and run applications
that scale as needed.
Hybrid cloud flexibility
Deliver a consistent experience on premises
and in the cloud.
Cloud services
Product Managers: Aaren de Jong, Bala Chandrasekaran, Jerome Boutaud, Oren Kashi, Shreyans Mulkutkar, Will Gordon

View Slide

Cloud services
Red Hat OpenShift cloud services
Azure Red Hat OpenShift
● Short term credentials with managed identities
● Hosted Control Planes
● Custom NSGs
● Improving alerts with Azure Monitor Signals
● Expanding cluster sizes
● Expanding regions
● Cluster wide proxy
Red Hat OpenShift Service on AWS
● Working on FedRAMP offering
● Terraform provider & module
● Region Expansion
● Compute configuration QoL improvements

View Slide

Cloud services
Red Hat OpenShift cloud services
OpenShift Dedicated
● Google Cloud:
○ OSD Purchase through GCP Marketplace
○ Shared VPC (xPN)
○ Private Service Connect
○ New, standard instances - E2, N2, M3, C2 machine series
○ New regions - Chile, Milan, Sydney, Melbourne, Paris, Tel Aviv, Turin
○ Shielded VM policy
○ Workload Identity Federation
● AWS
○ Allow newly created machine pool to be set as a default machine pool
○ Managed Ingress improvements
○ OCM Service Log notifications for platform events

View Slide

ACS Cloud Service Roadmap
H2 2023 - General
Availability
1. General availability
2. 60 days trial
3. Provide default email
notifications
ACS Cloud Service
26
May 2023 - Limited Availability
1. Availability on NA and EU
2. Suport secured clusters EKS,
AKS, GKE, OCP, ROSA, ARO
3. Fully support by RH with SLA
4. Available on AWS
Marketplace
5. Connectivity for local registry
H1 2024
1. APAC Region
2. Azure availability
3. Industry standard
compliance

View Slide

Workloads and developer
experience
27

View Slide

28
Increase the ease of use
Reduce exposure and risk
Increased productivity
● Multi-Tenancy for services and events through ServiceMesh
● End to End encryption for internal and external services
● Broker and Channel authentication and authorization
● Zero Trust Architecture for securing serverless containers
● OpenShift AI powered by Serverless
● OpenShift Serverless for Edge
● Integration with other platform features, Custom Auto
Metrics scaler, Cert Operator, Gateway API
OpenShift Serverless
Security
Platform
User Experience
● Seamless Developer Experience for apps creation and
deployment through DevConsole, CLI and IDE
● Pipeline as a code for Serverless functions
● Event Mesh for easy discovery and subscription of events
● Orchestration of microservices and functions
Workloads and Developer Experience

View Slide

▸ Observability : CI oriented dashboard
▸ Pipelines As Code: GH permissions,
Chains integration, Pipelines Templating
▸ Customization: Red Hat Tekton Catalog,
Manual Approval, Pipelines caching,
Recording artifacts in Pipeline, Pipelines in
Pipelines
▸ Performance: Pipelines resource quota,
Advanced concurrency control
Product Manager: Siamak Sadeghianfar, Koustav Saha, Harriet Lawrence
▸ Observability: Progressive delivery UI
integration
▸ Automation: Dynamic value lookup, Image
Updater support, Automatic scaling
▸ Performance: Small-footprint GitOps,
Resource consumption
CI/CD & GitOps
OpenShift Pipelines OpenShift GitOps
29

View Slide

OCP Console
▸ Improved Debugging Tooling and Documentation
▸ Support for Charting Components
▸ New Extension Points/SDK Components
･ Project Creation Flow
･ Details Page
･ more…
▸ PF5 & React-Router 6 support
▸ New and improved Sample Plugins
▸ Plugin Template Repo Refresh
▸ Axe Testing Framework for 508 Compliance
What’s next with Dynamic Plugins?
OCP Console - Dynamic Plugins
Product Managers: Ali Mobrem

View Slide

31
Migration Toolkit for Applications
Enable adoption leads to
make informed decisions
and keep the migration and
modernization process
measurable and predictable
Gather Insight
Fully integrated toolkit
leveraging tools from the
CNCF project Konveyor with
a seamless user experience
Extended Scope
Reduce risks Provide value on each
stage of adoption
Help organizations safely
migrate and modernize their
application portfolio to
leverage OpenShift
Migration Guidance
Ease OpenShift adoption
Product Manager: Ramon Roman Nissen
Workloads

View Slide

What's Next in OpenShift
Product Manager: Daniel Messer, Tony Wu
● New controls over granting access to CRDs
provided by Operators to cluster users.
● Admins can define if any namespaces should
only get ‘view-only’ access.
Operator Framework
32
OLM 1.0 Preview: Enable full flexibility depending on your operational model
● OLM exposes all versions along the update path.
● Admins can select a target version for update or
set auto updates but bound to z-stream for CVE
patches without breaking changes.
User permission management
Full control over desired update path
Fully declarative / GitOps-friendly workﬂows
User-facing Operator API
● A single GitOps friendly API to manage installed Operators.
● First-class controls for update policy, permission/access controls.
● Displaying Operator constraints, dependencies, provided APIs pre-/post-install.
Flexible Operator packaging format
● OLM can manage Operators packaged with
plain k8s manifests or in helm charts.
● Manage in-house built Operators or join our
partner ecosystem at ease with OLM.
● A reduced user-facing API surface area for
managing an Operator.
● Admins or SREs team can automate and define
desired state via GitOps.

View Slide

33
Dynamic loading of plugins,
helping organizations scale
and simplify plugin
management.
Improved plugin
installation & config
Red Hat Plug-Ins for
Backstage and GPTs enable
cohesive integration with
OpenShift and other products
in the Red Hat portfolio.
Better Together
Reduce time & complexity
when adding plugins
Increase developer productivity
Product Manager: Serena Chechile
Red Hat Developer Hub
Provide a permission
framework by default, with an
Admin UI supporting RBAC
flows and more.
Improved authorization
& Admin UI experience
Reduce exposure and risk
What’s Next Roadmap - Subject to change

View Slide

● Onboarding experience
● Simpler Docker compatibility
configuration
● Native Hypervisors support
Kubernetes Capabilities OpenShift Support
Containers tooling
Product Manager: Stevan Le Meur
Simple transitions to Kubernetes Tighter OpenShift
Integration
Efficient developer flows
● Improvements in Podify and
Kubify flows
● Kubernetes Objects Explorer
● Compose to Kubernetes
● DevSandbox account creation
and token renewal flow
● Image checker
● Continue exploration on
Microshift for developers

View Slide

IDE Extensions
JBoss Tools presents the
OpenShift tooling for Eclipse
OpenShift Toolkit for Visual
Studio Code and IntelliJ
Language support for Java in
Visual Studio Code
Quarkus Tooling with
Microprofile and Qute
Support
Visual Studio Code, IntelliJ and Eclipse Tooling
Inner Loop Developer Experience on Red Hat OpenShift
Accelerates application development from
local development environment to OpenShift
using CLI and extensions workflows and across
any language frameworks.
VSCode: https://marketplace.visualstudio.com/publishers/redhat
IntelliJ: https://plugins.jetbrains.com/organizations/Red-Hat
Odo CLI: https://odo.dev/
Inner Loop application
development using OpenShift
Toolkit IDE extension
- Support Helm Charts in IDE
- Deploy from Git to OpenShift
- Provision OpenShift clusters
- Remote Debugging of apps
- Support air-gapped environment
Deploy apps on Hybrid Cloud
through IDE extension on:
- Developer Sandbox
- OpenShift on Azure
- OpenShift on AWS
- Podman
- OpenShift Local
IDE Extensions - Developer Experience
IDE extensions across products, languages and CLI tools around OpenShift
Product Manager: Mohit Suman
Cloud-native apps Odo CLI IDE Extensions
Devfile
configuration
> > >
35

View Slide

36
Much Later
Invite users to join a
sandbox
Invite others in your organization
to join your sandbox and even
join theirs. Collaborate on new
applications and learn OpenShift
together.
Later
Dashboard and
application launcher
See everything you need to know
about your sandbox in one place
on HCC. Know how much
resource you have used and how
much time you have left.
Next
Red Hat Developer Hub
on Sandbox
Have your own instance of the
Red Hat Developer Hub to
experiment with and share with
others. Try out our library of
plugins and Golden Path
Templates.
Now
Sign Up in Hybrid Cloud
Console
Sign Up for the developer
sandbox on HCC. The new home
for the Red Hat Developer
Sandbox! No more SMS
veriﬁcation either!
Developer Sandbox

View Slide

Core platform
37

View Slide

Installation, Updates, and Provider Integration
38
● Add new clouds and platforms
● Add new regions
● Enable third party integrations
● Composable installation
● Add more flexibility and new
capabilities
Installation
Updates
Platforms
Enable Hybrid
Cloud
Simplify
onboarding
Mitigate risk
● Improve update user experience
and documentation
● Update risk assessment
● 24-month lifecycle for EUS releases
for multi-architectures
Core platform
Product Manager: Ju Lim, Marcos Entenza, Ramon Acedo, Adel Zaalouk, Subin Modeel

View Slide

External DNS and Azure Managed Identity
39
Support external DNS for cloud providers
▸ Enable full stack automated installations
(IPI) to use existing user managed DNS
records to deploy OpenShift on public
clouds like AWS, Azure or GCP.
▸ Customers deploying OpenShift on
regulated environments where DNS
cloud services can not be used will be
able to leverage their own external DNS
solution.
Azure Managed Identity
▸ Create and manage OpenShift
clusters with managed identities for
Azure resources for authentication, in
conjunction with Azure AD workload
identities to access Azure cloud
resources securely
▸ Deploy OpenShift and run operators
on Azure using access controls (IAM
roles) with temporary, limited privilege
credentials
Product Manager: Marcos Entenza (External DNS), Ju Lim (Azure Managed Identity)

View Slide

40
Longer lifecycle for Multi Architectures for EUS Releases
Product Manager: Duncan Hardie
What An additional 6 month of Extended Update Support (EUS) phase on even numbered OpenShift
(OKE, OCP, OPP) releases and a subset of layered operators for multiple architectures
▸ ARM, IBM Power, and IBM Z
Who Those with Premium subscriptions, [or Standard subscriptions + an add-on SKU]
When Starting with OpenShift 4.14 and applying to subsequent even numbered releases of OpenShift.
Why ▸ Support customers and partners struggling to maintain pace with 4.y cadence
▸ Align approach and offering rules of OCP EUS to RHEL’s program rules
Note ▸ EUS to EUS upgrades continue the same behaviour.
▸ Layered operators/operands and products will continue to have their own lifecycle.
▸ Layered operator lifecycles are available on the OpenShift lifecycle page.

View Slide

Onboarding Third Party Integrations (Components)
41
▸ Introducing platform “external” to allow for 3rd party (partner) integrations
▸ “External” joins other platform types (e.g. AWS, baremetal, None, etc.) to indicate provider
integration type
▸ “External” signals that OpenShift cluster is deployed on partner infrastructure where core cluster
components (e.g. Cloud Controller Manager, Container Storage Interface) may be replaced by
partner
▸ Partner has option to disable (or replace) selected platform components through the capabilities
API
･ Some components in OpenShift cluster with “External” platform allow changes to
deployment options
･ E.g. If partner specifies the presence of custom Cloud Controller Manager, then cluster is
configured to expect the custom Cloud Controller Manager with option to add their own
Container Storage Interface driver
Product Manager: Ju Lim

View Slide

Cloud Controller Manager and Cluster API
42
Product Manager: Subin Modeel
Out-of-tree Cloud Controller Manager Cluster API
What We GA’ed out-of-tree Cloud controller Manager for
AWS, GCP, Azure platforms.
Create Machines and MachineSets in CAPI
Why Originally, Kubernetes implemented cloud
provider-specific functionalities natively within the
main Kubernetes tree (as in-tree modules).
With more infrastructure providers supporting
Kubernetes, the in-tree method became impractical
and no longer advised. New providers supporting
Kubernetes must follow the out-of-tree model.
We gradually plan to replace the Machine API
controllers/code with Cluster API controllers and API
types to reduce the maintenance burden of
maintaining two competing solutions across multiple
products.
Users will be able to create Machines and MachineSets
in CAPI for the following platforms; AWS, Azure, GCP,
vSphere, (Possibly OpenStack + Baremetal).
When Starting with OpenShift 4.14 Mid to long term
Who No impact on user in any way. The out-of-tree
implementation is backward compatible and does not
impact OpenShift.
This feature will come out as a Tech Preview and will
provide a migration path to CAPI when it GAs.

View Slide

OpenShift on Oracle Cloud
43
▸ OpenShift on Oracle Cloud VMware Solution (OCVS)
･ Supported since OpenShift 4.12+
･ Support included as OCVS is a VMware Cloud Verified provider
･ Validated reference architecture: Red Hat OpenShift Container Platform 4.12 on
Oracle Cloud VMware Solution
▸ OpenShift on Oracle Cloud Infrastructure (OCI)
･ VMs and bare metal
･ Guided installation from Hybrid Cloud Console via Assisted Installer
･ Partner provided integrations
Product Manager: Ju Lim, Marcos Entenza, Ramon Acedo

View Slide

OpenShift on Arm
● Run OpenShift on highly
efficient, high performance per
watt architectures
o-----------------------------o
● Support for Arm on GCP
● More layered products (Service
Mesh, Serverless)
Multi-architecture Cluster
● Allow more flexibility in a cluster,
use different cloud platforms and
different architecture types to
enhance flexibility
o------------------------------o
● Support for Arm & IBM
architectures with
Multi-architecture compute and
Hosted Control Planes
● More integration into Console
and ACM
● Improved disconnected
experience
IBM Power and IBM Z
● Expose more Power and Z built
in capabilities for use via
OpenShift
o-----------------------------o
● Assisted Installer
● Agent based installer
● Disaster recovery
● SMC-D/R support, SMT power
level support
● Kepler support
● Quay support
PM: Duncan Hardie
Systems Enablement

View Slide

Improving disconnected
installations, hybrid-cloud and
cluster zero deployments
45
● UPI use cases
● AWS, Azure and GCP cluster
expansion with bare metal nodes
● Multicluster Engine integration
PM: Ramon Acedo Rodriguez
UPI use cases, such as specific host-level configurations or
platform agnostic, will be handled by the Agent-Based
Installer.
Agent-Based Installer with UPI use cases
Add bare metal compute nodes to clusters on public clouds
within your on-premise datacenters using the Bare Metal
Operator.
Expand AWS, Azure and GCP clusters on-premise
Enable MCE during installation to get to cluster zero easily,
and to manage the day-2 operations in your clusters
Multicluster Engine Integration
OpenShift on Bare Metal

View Slide

● Unified Kernel Images (UKI)
● Runtime integrity checks
● Remote attestation
● CIS Benchmark for RHCOS
RHEL CoreOS and Machine Config Operator
● On-cluster build
automation
● Custom boot images
● OpenShift Console
integration
CoreOS Layering
Enhancements
● Resilient and flexible
upgrade strategies
● Reboot Policies
● Enhanced metrics and
reporting
Administrator Clarity
& Control
Confidential Compute
and Security
Product Manager: Mark Russell
Deeper Integration Empowered
Admins
Reduced Risk

View Slide

● The new way of requesting
access to resources
● Provides partial or optional
device allocation
47
Hardware accelerators and specialized devices
● Removes on-site drivers
builds with
pre-compiled drivers
● Enables UEFI secure
boot
NVIDIA GPU
precompiled drivers
● Allows to share GPU
memory for AI training
with inbox network drivers
● Network Inline processing
using GPUs
AI training with
dma-buf
Dynamic Resource
Allocation API
Product Manager: Erwan Gallen
Fast deployment of GPU
nodes
Open offloading
Flexibility for accelerator
offloading

View Slide

Confidential Computing
Confidential computing provides a
Trusted Execution Environment (TEE)
that protects code/data that is in
memory from unauthorised entities
▸ Confidential Containers (CoCo) is a
new sandbox project of the Cloud
Native Computing Foundation
(CNCF)
▸ Developer Preview coming to
OpenShift
Product Manager: Jochen Schröder
48

View Slide

49
Use Case
▸ Job Queueing
･ Job queueing decides which jobs should wait, which can start immediately, and
what resources they can use.
▸ Job priority preemption
･ Ability to preempt low priority job for high priority job
▸ Job quota management
･ Ability to assign quota to the jobs
Potential upstream projects we are exploring to solve above use case:
▸ Kueue
▸ Multi-Cluster App Dispatcher (MCAD)
Enhanced Job Management in Openshift
Product Manager: Gaurav Singh

View Slide

Openshift Pod Autoscaling
● VPA based on CPU & Mem
● HPA based on CPU & Mem
● Custom metric autoscaler
● Behaviour detection VPA
● In-place update of pod
resources
● In-place update of VPA
● Multidimensional pod
scaling (VPA+HPA)
Product Manager: Gaurav Singh

View Slide

OpenShift Windows Containers
PM: Duncan Hardie
Enabling Infrastructure
● Bring better visibility to
preempt and diagnose issues,
while also improving access
to networks and storage
infrastructure
o-----------------------------o
● Cluster wide proxy
● CSI proxy
● Integrated Monitoring
● Logging solution
Secure Environments
● When you data center does
not have access to the internet
run windows workloads safely
while securing services
o------------------------------o
● Fully supported in
disconnected environments
● Group managed service
account support
More Platforms
● Bring windows nodes into
more cloud platforms and
benefit from multiple
managed service offerings
o-----------------------------o
● Nutanix Platform Support
● ARO/ROSA enablement
● IBM Cloud

View Slide

Control Plane Improvements: Auth
Pod Security
Admission (PSA)
No auto-creation
of SA secrets
User namespaces
Globally enforce:
restricted mode
SCC changes for Containers to
run as non-privileged users on
host
Secrets should not be
automatically created on SA
creation
BYO OIDC
Identity
Bring Your Own OIDC
provider for direct API
access
Secret Store
CSI Driver
Mount application
secrets from external
secret providers
Product Manager: Anjali Telang
52

View Slide

Control Plane Improvements: etcd
Backup API
(Automated B&R)
Hitless
Operations
ETCD Profiles
(adjust for efficiency)
Automated Backup &
Recovery of etcd database
Selectable validated profiles
for etcd heartbeat intervals
and election timers
Hitless etcd defragmentation
and certificate rotation
Product Manager: William Caban
53

View Slide

Automatic recovery from expired certificates
when cluster resumes from hibernation,
snapshots or a restored from a backup
Kube API and OpenShift API server internal
certificate rotation without any service
degradation or performance impact
Hitless* Certificate
Rotations
Automatic Certificate Rotation
on Cluster Hibernation or Restore
Improvements to Certificate Rotation
* Execute the action without any service degradation or performance impact
54

View Slide

Spanned Control Plane
Official guidance on designs and considerations for
deployment of control planes spanning multiple
locations or non-optimal underlying infrastructure.
Official Guidance in
OpenShift Docs
The etcd dashboard will include new metrics, alarms
and thresholds aligned with the guidance for
deployments of control planes across locations.
Improved etcd dashboard
supporting guidance
55

View Slide

56
Product Manager: Adel Zaalouk
Self-Managed Hosted Control Planes for Red Hat OpenShift
● AWS:
○ HCP (x86) | NodePools: x86
○ HCP (x86) | NodePools: Arm
○ HCP (Arm) | NodePools: x86
○ HCP (Arm) | NodePools: Arm
● Agent
○ HCP (x86) | NodePools (x86)
○ HCP (x86) | NodePools (P/Z)
● OpenShift Virtualization:
○ HCP (x86) | NodePools (x86)

View Slide

57
OpenShift Virtualization
Enterprise
Virtualization
Capabilities
● Metro (Sync) DR with ODF
● Regional (Async) DR with
ODF
● Dynamic configuration with
Network and CPU hotplug
● Improved density with
Memory Overcommit
● Ecosystem DR integrations
● Overlay Secondary network
● Windows 11 persistent vTPM
OpenShift
Developer Services
● VMs as code for GitOps
using Tekton and
ArgoCD Pipelines
● Windows 11 and Windows
Server 2022 examples.
● Ansible integration
● Gateway API for load
balancing
Multi-Cluster
Scaling and Cloud
Services
● Reduce cost and deploy
faster with multi-tenant
virtual clusters
● ACM VM lifecycle and
workflow
Public Cloud
● GA of AWS Bare Metal
Support
● Equinix
● OpenShift Virtualization
in ROSA
Product Manager: Peter Lauterbach

View Slide

Storage
58
ReadWriteOncePod Access mode TP
Non Graceful node shutdown GA
Retroactive storage class assignment GA
SELinux context mounting for RWO PVs TP
Core Storage
Unified storage across footprints
Cloud Providers CSI
Google FileStore CSI
Azure File NFS support
CSI Migration
vSphere migration for all clusters
Secret Management
Secrets Store CSI
Container Storage Interface
Enhanced user &
operator experience
Product Manager: Gregory Charot

View Slide

OpenShift Update Service
59
Product Manager: Subin Modeel
▸ Single command to monitor OpenShift Update
･ Check status of Openshift components during Update
･ oc adm update status
▸ Improve disconnected update experience
･ Remove manual steps by serving OpenShift release signatures via Cincinnati
▸ ROSA with hosted control planes consumes update recommendations from
OpenShift Update Service (OSUS)
▸ Improve Update documentation
･ Troubleshooting guide for common update issues

View Slide

60
▸ OSP18 uses Openshift Bare metal for hosting of its
control plane and lifecycle mechanisms
▸ Dataplane (Nova compute and Ironic) remain external to
OpenShift
▸ Leveraging core openshift capabilities (Operator
Framework, Metal3, Multus, MetalLB) and native ansible
▸ Support both greenfield and existing deployed clouds
(TripleO “adoption” process)
▸ Better telemetry and observability
▸ Beta to be released on 4.14.x
▸ GA targeting 4.16
OpenStack Services coming to OpenShift
Red Hat Openstack 18 will utilize a new architecture, leveraging OpenShift bare metal as the
hosting infra for the OSP control plane and lifecycle tooling (deployment, day 2 and upgrades)
Product Manager: Gil Rosenberg

View Slide

Baremetal
OCP-worker-1
(BM1)
OCP
App
Pod
OCP
App
Pod
Infra
Pod
Infra
Pod
OCPApp
Pod
OCPApp
Pod
Infra
Pod
Infra
Pod
Infra
Pod
Infra
Pod
Master-0
Infra
Pod
Infra
Pod
Master-1
Infra
Pod
Infra
Pod
Master-2
Infra
Pod
Infra
Pod
OCPApp
Pod
OCPApp
Pod
OCP-worker-3
(BM3)
OCP-worker-2
(BM2)
OCP-worker-0
(BM0)
OCP
App
Pod
Infra
Pod
OCP
App
Pod
Infra
Pod
OSP Infra Pods
(ctlplane)
OSP Infra Pods
(ctlplane)
OSP Infra Pods
(ctlplane)
Red Hat Openstack 18 High Level Architecture
OSP Compute
Baremetal
OSP Compute
Baremetal
OSP Infra Pods
(ctlplane)
Old control
plane
repurposed
Pre-existing
compute tier
adopted into the
new control
plane
Product Manager: Gil Rosenberg

View Slide

Telco & Edge
62

View Slide

63
Red Hat Device Edge
Add RHDE/ MicroShift
related management
capabilities to Ansible
Automation Platform and
Advanced Cluster
Management
Edge Management
● Machine Vision on arm
● Low latency workload
● Compliance (FIPS,
ISA62443, ….)
Extend Capabilities
MicroShift General
Availability
● Currently Tech Preview
● GA planned for next
release
● CNCF certification
Product Manager: Daniel Fröhlich
consistent management More edge use cases
Enterprise Support for k8s at
the smallest edge device

View Slide

Further extend
supported providers
● Added:
● Next:
Single Node OpenShift
● Make more cluster
capabilities optional
● Optimize resource
usage
● Goal: 1 core control
plane
Continue footprint
reduction
Minimize Deployment
Time
● Make SNO relocatable
● Install at near edge /
facility, then relocated
to far edge
Product Manager: Daniel Fröhlich
More ressources available
for workload
Faster edge rollouts
Cost savings for small clusters
C W

View Slide

65
Telco 5G Core and Edge
Telco orthogonal requirements… all mandatory!
Optimization on two axis, conceptually straightforward, is not an option
Availability
(5 nines SLA: 5 mins 15s of unavailability per year)
Cost-efficiency
(OPEX and CAPEX)
Performance
(millions of packet / subscriber per core / server)

View Slide

66
Strategic Investment Areas
Relentlessly reduce CaaS CPU
and memory consumption while
leveraging hardware power
consumption innovations
Sustainability
Secure the physical platform and
participate in the network chain of trust
and compliance with security regulation
authorities
Security
Reduce carbon footprint
and energy consumption
End to End chain of trust
from Hardware,
Networking and Software
Improve telco operations at scale
and utilize next generation
hardware (CPU, NIC,
Accelerators…) to maximize
platform efficiency
Operation excellence
Managing Agile
Infrastructure with the
latest Hardware
[Efficient, Scale, TCO]
Telco 5G Core and Edge
Product Manager: Erwan Gallen

View Slide

Networking and
Observability
67

View Slide

68
Multicluster End-to-End Networking
Red Hat OpenShift Networking
Internet
Gateway API
Platform-native Load Balancing
Ingress Controller
Node Node Node
OVN
OVS
▸ Unified traffic handling so you
configure all your traffic the
same way
▸ Any supported platform –
add or swap easily, hybrid
scenarios
▸ Flexibility to use native traffic
distribution for optimal
performance
▸
Physical Virtual
Private cloud Public cloud Edge
Managed cloud
Istio Ingress
Submariner
Product Managers: Marc Curry, Deepthi Dharwar, Bradd Weidenbenner (Submariner), Jack Britton (Service Interconnect), Jamie Longmuir (Service Mesh/Istio)
Service
Interconnect

View Slide

Product Managers: Marc Curry, Deepthi Dharwar
Red Hat OpenShift Networking
69
▸ Zero Trust Networking
▸ Performance and Scale Improvements
▸ Network Observability Operator updates
▸ Ingress as an option
▸ Resource consumption optimizations
▸ IPv6 for public cloud deployments
▸ HAProxy 2.6
▸ Unified IPsec North-South & East-West
▸ ovn-kubernetes on secondary interface
▸ Live migration from OpenShiftSDN to OVN
▸ Admin Network Policy
▸ Multi-NIC support for ovn-kubernetes
▸ Ingress Node Firewall
▸ Istio Implementation of Gateway API

View Slide

70
OpenShift Service Mesh
Support scaled mesh use
cases: Large meshes,
multi-cluster, services outside
of clusters and dual-stack.
Service Mesh at Scale
Cohesive with the OpenShift
including console, networking,
certificate management,
monitoring, GitOps and more.
Better Together
Secure, observe & manage
traffic at scale
Reduce complexity with a
consistent experience
Converge Service Mesh with
Istio to enable customers on
the latest from the Istio and
Kubernetes communities.
Istio Community
Convergence
The latest application
networking innovation
Product Manager: Jamie Longmuir
OpenShift Networking

View Slide

71
Observability
Correlated observability signals in the
OpenShift Web Console (first
experience)
TraceQL support for distributed traces
Analyze
OpenShift Web Console - Developer
Perspective: Expire silences in bulk
& Logs-based alerts (Loki)
Jaeger UI: RED metrics from traces
Dev Preview: power monitoring for Red
Hat OpenShift (Kepler)
Visualize
Out of the Box
Visualization Experience
Productization of Prometheus Operator
Multicluster log collection
Loki zone aware replication
OpenTelemetry collector and Tempo GA
OpenTelemetry metrics support
Collect, Store & Aggregate
Flexible Collection & Storage
Experience
Product Managers: Roger Floren, Jamie Parker, Vanessa Martini & Jose Gomez-Selles
Turn your data into
answers!
OpenShift Observability
near-term objectives near-term objectives near to mid-term
objectives

View Slide

Power monitoring with Kepler
Drive energy cost down for IT operations and contribute to achieve sustainability goals
Power monitoring with Kepler
● Uses eBPF to probe energy related system stats and
exports as Prometheus metrics that can be leveraged for
workload scheduler and auto-scaling and drive CI/CD
pipelines
● Power monitoring with Kepler will be Dev Preview with
OpenShift 4.14
Project Scope
● Monitor/Report Energy Costs and CO2 Emissions
● Hybrid Cloud Energy and CO2 Monitoring and Reporting
● Data/Analytics for Energy Optimization
● Data/Analytics for Green IT and Green (Re)-Engineering
● Data for ESG reporting Virtualized
Edge Public clouds
Physical Hardware
Private clouds
Kepler
Open
Data Hub
ESG Reporting
3rd Party Data
(Power Grid)
3rd Party
Observability
Power
Data
Power
Data
CO2 Data
CO2 Data
OpenShift Observability
Product Managers: Roger Floren, Jamie Parker, Vanessa Martini & Jose Gomez-Selles

View Slide

Insights for OpenShift
Red Hat Insights Advisor for OpenShift
73
- Predicting risks, recommending actions
- Leveraging Red Hat experience with running/supporting
OpenShift
Coming soon (Q3 2023 features)
▸ Update risk assessment generally available
･ Identifying cluster conditions impacting successful update
▸ Deployment Validation Operator generally available
･ Expanding Insights recommendations to workloads
･ Best practice recommendations based on Red Hat SRE experience
･ Workload recommendations with deanonymized content
▸ Insights Advisor support for Hosted control planes (Hypershift)
Product Managers: Radek Vokál, Tomas Dosek & Pau Garcia Quiles

View Slide

Insights for OpenShift
Red Hat Insights Cost Management
74
- Helps you visualize and distribute Red Hat OpenShift costs
and cost of additional services into meaningful items.
- Cost visibility and allocation
- Report fully-loaded per-project cost to bill internal/external
customers
Coming soon (Q3 2023 features )
▸ Improved cost of running apps on OpenShift to allow users
to define what’s the “platform costs”
▸ (More) Resource optimization - identify and optimize workloads
･ Pod-level usage reporting
･ Identify pods with no/wrong resource requests/limits
･ Waste reporting
▸ Tag mapping and reconciliation
Product Managers: Radek Vokál, Tomas Dosek & Pau Garcia Quiles

View Slide

linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat
Thank you
Red Hat is the world’s leading provider of enterprise
open source software solutions. Award-winning
support, training, and consulting services make Red Hat
a trusted adviser to the Fortune 500.

View Slide

What's Next in OpenShift (Q2 CY2023)

What's Next in OpenShift (Q2 CY2023)

Red Hat Livestreaming

More Decks by Red Hat Livestreaming

Other Decks in Technology

Featured

Transcript