"...that being named a leader in this Wave evaluation further validates what we hear from our customers - that OpenShift delivers the modern bridge between existing IT deployments and a cloud-native future, while simultaneously bringing development and IT operations teams together on a common platform."
Ashesh Badani, Senior Vice President, Cloud Platforms, Red Hat

Multicloud Container Development Platforms, 2020 Q3 report
• 8 multicloud container platform vendors
• 3 categories (Current Offering, Strategy, Market Presence)
• 29 evaluation criteria
• Red Hat scored top in the Strategy and Market Presence categories, as well as the highest score in the Current Offering category.
services

One product with different consumption models

Hosted and self-managed offerings:
• Red Hat OpenShift Dedicated or Amazon Red Hat OpenShift (AMRO): Dedicated is managed by Red Hat, or OCP customer managed
• Azure Red Hat OpenShift (ARO): jointly engineered, managed and supported, or OCP customer managed
• Red Hat OpenShift Dedicated: managed by Red Hat, or OCP customer managed
• Red Hat OpenShift on IBM Cloud: jointly engineered and supported
• OpenShift Container Platform, on-premises: OCP customer managed

Pillars: Developer Efficiency, Business Productivity, Enterprise Ready
Installation: installation methods

OPENSHIFT CONTAINER PLATFORM
• IPI (installer-provisioned infrastructure), automated: simplified, opinionated "best practices" for cluster provisioning; fully automated installation and updates, including the host container OS.
• UPI (user-provisioned infrastructure), pre-existing infrastructure: customer-managed resources and infrastructure provisioning; plug into existing DNS and security boundaries.

HOSTED OPENSHIFT (managed)
• Azure Red Hat OpenShift: deploy directly from the Azure console. Jointly managed by Red Hat and Microsoft Azure engineers.
• OpenShift Dedicated: get a powerful cluster, fully managed by Red Hat engineers and support.
Updates

Over the Air (OTA) Updates, driven by the Cluster Version Operator (CVO)
• selects the target version
• OpenShift is updated over the air
• Auto-update support
Updates

OpenShift Update Service (OSUS)
• OSUS is the on-premise release of Red Hat's hosted update service
• Supports publishing upgrade graph information to clusters in restricted networks
• Provides clusters with a list of next recommended update versions based on the version currently installed on the cluster
• Comprised of two services:
  ◦ Graph Builder: fetches OpenShift release payload information (primary metadata) from any container registry compatible with the Docker registry V2 API and builds a directed acyclic graph (DAG) representing valid upgrade edges
  ◦ Policy Engine: responsible for selectively serving updates to every cluster by altering a client's view of the graph with a set of filters
• Distributed on OperatorHub as an optional add-on operator

Blog post announcing OpenShift Update Service: https://www.openshift.com/blog/cluster-updates-get-an-update-in-openshift-4.6

Diagram: a local container registry in the restricted network holds the release images. OSUS (Graph Builder plus Policy Engine) scrapes release images from that registry, reads graph data (secondary metadata) to add or remove edges, and serves the resulting graph to the Cluster Version Operator (CVO) of each OpenShift cluster in the restricted network.
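To make the Graph Builder / Policy Engine split concrete, here is an added Python sketch of the same pipeline. It is not OSUS code and not from the slides, and the release versions, channels and the blocked edge it uses are constructed for the illustration: the builder turns each release's "previous" metadata into a DAG and refuses a cyclic graph, and the policy engine narrows one client's view to its channel and to edges an administrator has not blocked before answering what the CVO should see as its next recommended updates.

```python
"""Toy model of the OpenShift Update Service (OSUS) graph pipeline.

Added illustration, not OSUS code: the release metadata below is constructed
(hypothetical versions and channels). A Graph Builder turns release payload
metadata into a DAG of valid upgrade edges; a Policy Engine filters a client's
view of that graph before answering the question the Cluster Version Operator
asks: "what are my next recommended updates?"
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    version: str
    previous: tuple[str, ...]  # versions that may update *to* this release
    channels: tuple[str, ...]  # channels this release is published in


# Constructed sample of the "primary metadata" a Graph Builder would scrape
# from release images in a registry (not real OpenShift release data).
RELEASES = [
    Release("4.6.1", (), ("stable-4.6", "fast-4.6")),
    Release("4.6.4", ("4.6.1",), ("stable-4.6", "fast-4.6")),
    Release("4.6.8", ("4.6.1", "4.6.4"),
            ("stable-4.6", "fast-4.6", "fast-4.7", "stable-4.7")),
    Release("4.7.0", ("4.6.8",), ("fast-4.7",)),
    Release("4.7.3", ("4.6.8", "4.7.0"), ("fast-4.7", "stable-4.7")),
]


def version_key(v: str) -> tuple[int, ...]:
    """Sort key so "4.7.3" > "4.7.0" > "4.6.8" numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def is_acyclic(graph: dict[str, set[str]]) -> bool:
    """Depth-first check; an upgrade cycle would let a cluster loop forever."""
    state: dict[str, int] = {}  # 1 = on the current path, 2 = finished

    def visit(node: str) -> bool:
        if state.get(node) == 1:
            return False
        if state.get(node) == 2:
            return True
        state[node] = 1
        ok = all(visit(nxt) for nxt in graph.get(node, ()))
        state[node] = 2
        return ok

    return all(visit(n) for n in graph)


def build_graph(releases: list[Release]) -> dict[str, set[str]]:
    """Graph Builder: edges run from a version to the releases it may reach.

    Edges whose source is not a known release are dropped, and the result is
    verified to be a DAG before it is handed to the Policy Engine.
    """
    known = {r.version for r in releases}
    graph: dict[str, set[str]] = {v: set() for v in known}
    for r in releases:
        for prev in r.previous:
            if prev in known:
                graph[prev].add(r.version)
    if not is_acyclic(graph):
        raise ValueError("release metadata describes an upgrade cycle")
    return graph


def policy_filter(graph, releases, channel, blocked_edges=frozenset()):
    """Policy Engine: the client's view keeps only releases published in its
    channel, and drops any edge an administrator has blocked."""
    in_channel = {r.version for r in releases if channel in r.channels}
    view = {}
    for src, dsts in graph.items():
        if src in in_channel:
            view[src] = {d for d in dsts
                         if d in in_channel and (src, d) not in blocked_edges}
    return view


def next_updates(view: dict[str, set[str]], current: str) -> list[str]:
    """What the CVO is told: directly reachable versions, newest first."""
    return sorted(view.get(current, set()), key=version_key, reverse=True)


if __name__ == "__main__":
    graph = build_graph(RELEASES)
    for channel in ("stable-4.7", "fast-4.7"):
        view = policy_filter(graph, RELEASES, channel)
        print(channel, "from 4.6.8 ->", next_updates(view, "4.6.8"))
```

The two filters shown (channel membership and blocked edges) are enough to see why a cluster on the same version can be offered different updates depending on its channel, and why an edge can be withdrawn without rebuilding the graph; a real policy engine can apply further filters in the same place.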
Network

• Flat Network (default): all pods can communicate with each other across projects (Project A, Project B, Project C and the default namespace, on every node).
• Multi-Tenant Network: project-level network isolation, multicast support, Egress Network Policy.
• Network Policy: granular policy-based isolation.
• Egress firewall: a cluster administrator can define egress firewall policies to limit the external addresses that some or all pods can access from within the cluster.
Network

Kubernetes CNI (OVN)
• Available as an alternative CNI (default is still OVS)
• Install-time option or post-install

Why OVN?
• Consolidates Red Hat SDN efforts across products
• Flexible SDN architecture for faster feature development
• Large upstream community (Linux Foundation project)
• Red Hat leadership in upstream OVS and OVN communities
• Manages overlays and physical network connectivity
• Flexible security policies via ACLs and security groups
• Distributed L3 routing, L2/L3 gateways to other networks
• IPv4 and IPv6 capability
• Windows "Hybrid Overlay" service for pod-to-pod traffic between Windows and Linux cluster nodes

Technology highlights comparison:
OpenShift SDN                   | OVN Kubernetes
veth pairs                      | veth pairs
OVS bridge                      | OVS bridge
Central controller / host-ipam  | Central controller / host-ipam
VXLAN tunnels                   | Geneve tunnels
OVS flows for NetworkPolicy     | OVS flows for NetworkPolicy
IPTables for services           | OVN LBs for services
IPTables for NAT                | OVS for NAT

Goal: develop and support a modern, maintainable, community-based, open-source Kubernetes CNI network plugin for OpenShift that complements the existing capabilities of OVS to add native support for virtual network abstractions.
Network

Kubernetes CNI plug-ins have begun the OpenShift certification process and are at varying stages of progress. The certification process primarily consists of:
1. Formalizing the partnership
2. Certifying the container(s)
3. Certifying the Operator
4. Successfully passing the same Kubernetes networking conformance tests that OpenShift uses to validate its own SDN

OpenShift Kubernetes CNI status:
• Fully supported: OpenShift SDN (default, 4.x); OVN (4.6); kuryr-kubernetes, the RH-OSP Neutron plugin (4.2.2); Tigera Calico, open source (4.2)
• Tech Preview / certification in progress / TBD: Cisco ACI (mid CY2020); VMware NSX-T (soon); Juniper Contrail (Q4 CY2020)

https://access.redhat.com/articles/4763741

As of Sep 23, VMware officially completed certification of the following:
• NSX Container Plug-in (NCP) 3.0.2 with OpenShift 4.4 and NSX-T 3.x+
Network

Feature                                      | Ingress on OpenShift | Route on OpenShift
Standard Kubernetes object                   | X                    |
External access to services                  | X                    | X
Persistent (sticky) sessions                 | X                    | X
Load-balancing strategies                    | X                    | X
Rate-limit and throttling                    | X                    | X
IP whitelisting                              | X                    | X
TLS edge termination for improved security   | X                    | X
TLS re-encryption for improved security      |                      | X
TLS passthrough for improved security        |                      | X
Multiple weighted backends (split traffic)   |                      | X
Generated pattern-based hostnames            |                      | X
Wildcard domains                             |                      | X

Source: https://blog.openshift.com/kubernetes-ingress-vs-openshift-route/
Storage

• Persistent File Storage for Containers (RWX): container application state is held in this persistent file storage.
• Persistent Block Storage for Containers (RWO): specific storage type for workloads that require a certain performance, e.g. database workloads, or logging where Elasticsearch or equivalents are involved.
• Object Storage: storage type widely used within cloud and container workloads. OCS offers a huge number of options for object storage, leveraged by NooBaa.
• Registry Store: location where container base images are placed. May not have redundant storage, therefore a possible point of failure.
Storage

Red Hat OpenShift Container Storage
• Persistent storage for containers
• Integrated management from OpenShift (consumed and managed through OpenShift)
• Storage provisioning for all types of data (structured, semi-structured and unstructured)
• Manages storage based on policies (across clouds)
• Backed by Red Hat expertise
Storage

OCS | OVERVIEW
Red Hat OpenShift Container Storage provides block, file and object storage to containers and virtual machines, on bare metal, on legacy storage and across the hybrid cloud.
NO LOCK IN: future-proof against cloud or infrastructure lock-in.
Storage

Kubernetes CSI drivers: persistent volume capabilities (access mode and block volume support matrix, OCP 4.2)

Basic CSI driver persistent volume capabilities:
1. CSI provision
2. CSI attach
3. CSI snapshot
4. CSI clone
5. CSI resize

Common persistent volume modes, types and capabilities:
A. Raw Block mode
B. RWO single-pod access mode
C. Dynamic provisioning
D. RWX multi-pod access mode
E. Rapid PV attach/detach
F. Multi-zone PVs
G. Topology-aware provisioning
H. Object bucket claim
Logs

Cluster logging stack
• Elasticsearch: search and analytics engine to store logs
• Fluentd: gathers logs and sends them to Elasticsearch
• Kibana: a web UI for Elasticsearch

Access control
• Integrated with OCP RBAC
• Cluster administrators can view all logs
• Users can only view logs for their projects

Ability to forward logs elsewhere
• External Elasticsearch, Splunk, etc.

Diagram: Fluentd runs on every RHEL node and collects both application logs and operation logs; application logs go to the user-facing Elasticsearch and Kibana, operation logs to the admin-facing Elasticsearch and Kibana.

Log forwarding
• Log types: Infra, App, Audit
• Forward logs to different systems based on their "inputSource" (inputSource=app, inputSource=audit)
• Extra Fluentd
• Managed cluster-wide using the ClusterLogForwarder CRD
• The API helps to reduce the probability of misconfiguring Fluentd
• Audit log collection and forwarding to external Elasticsearch and Kafka

Example ClusterLogForwarder:

```yaml
apiVersion: "logging.openshift.io/v1"
kind: "ClusterLogForwarder"
metadata:
  name: instance                # the forwarder must be named "instance"
  namespace: openshift-logging  # and live in the logging namespace
spec:
  outputs:
    - name: MyLogs
      type: syslog              # output types are lowercase in the v1 API
      syslog:
        facility: local0
      # the syslog url needs a scheme (tcp, udp or tls); host and port as on the slide
      url: tcp://localstore.example.com:9200
  pipelines:
    - inputRefs: [infrastructure, application, audit]  # the three log types
      outputRefs: [MyLogs]
```
Metrics

• Metrics collection and storage via Prometheus, an open-source monitoring system and time series database.
• Metrics visualization via Grafana, the leading metrics visualization technology.
• Alerting/notification via Prometheus' Alertmanager, an open-source tool that handles alerts sent by Prometheus.
OpenShift Machine Config Operator

Red Hat Enterprise Linux CoreOS (RHCOS)
• Versions follow container image versioning
• Immutable
• Installing RPMs on RHCOS is not supported
• Security and compliance are managed by the Machine Config Operator
File Integrity

• Unmodified kernel is loaded
• File integrity monitoring
  ◦ /usr is read only
  ◦ Machine Config Operator marks nodes with wrongly configured files as degraded
• Roadmap: a file integrity operator using AIDE
  ◦ Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions
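What an AIDE-style integrity database does, as an added Python illustration (this is not the File Integrity Operator, AIDE, or any Red Hat code): build a baseline of hashes, sizes and mode bits for a constructed temporary directory tree, then rescan it and report the added, removed and modified files, including a permission-only change that a content hash alone would miss.

```python
"""AIDE-style file integrity check, as a small added illustration (this is
not the File Integrity Operator, AIDE, or any Red Hat code).

Baseline: walk a directory tree and record, per regular file, its SHA-256,
size and permission bits. Check: rescan and report files that were added,
removed, or whose content or permissions changed, which are the kinds of
drift an integrity scan of a read-only /usr is meant to surface.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash the file in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Return {relative_path: (sha256, size, mode)} for every regular file.

    lstat() is used so a symlink is never followed out of the tree and
    silently hashed in place of the file it points to.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        st = path.lstat()
        if stat.S_ISREG(st.st_mode):
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (_sha256(path), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline


def check_integrity(baseline: dict, root) -> dict:
    """Rescan root and classify drift relative to the baseline."""
    current = build_baseline(root)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it (content
    change, permission-only change, new file) and delete a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        tool = root / "bin" / "tool"
        tool.write_bytes(b"#!/bin/sh\necho ok\n")
        tool.chmod(0o755)
        conf = root / "etc.conf"
        conf.write_text("level=1\n")
        conf.chmod(0o644)  # pin the mode so the demo is umask-independent
        (root / "old.txt").write_text("to be removed\n")

        baseline = build_baseline(root)

        tool.write_bytes(b"#!/bin/sh\necho changed\n")  # content drift
        conf.chmod(0o600)                                # permission drift only
        (root / "bin" / "extra").write_bytes(b"new")     # unexpected new file
        (root / "old.txt").unlink()                      # file removed

        return check_integrity(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline itself must be stored somewhere the node cannot overwrite (AIDE keeps it in a separate database file, and an operator keeps it off the node entirely); otherwise whoever changes a file can rewrite the record it is checked against.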
Container Security Operator

1. The user adds the Container Security Operator to watch containers for vulnerabilities
2. Red Hat consolidated vulnerability feed
3. Continuous Quay and Clair scans
Operator loop: observe, reconcile, config; monitor, scale, troubleshoot, backup; summarize.
Management and automation

Operator SDK, lifecycle management, metering: workflows to automate lifecycle management of containerized applications with Kubernetes.
Operators are not only targeting the platform, but also all workloads running on top of it!
Application development

Building next-gen applications
• OpenShift Service Mesh
  ◦ Connectivity, observability and network segmentation of microservices applications, including the Istio, Kiali (UI) and Jaeger (tracing) projects
• OpenShift Serverless
  ◦ Integrated serverless for scale-to-zero FaaS services and event sources, built on the Knative framework
• OpenShift Pipelines (Tech Preview)
  ◦ Kubernetes-style CI/CD based on Tekton delivers tight integration with OpenShift and Red Hat developer tools
Application development

Developer Catalog
• Entry point for a developer to access all services available to them
• Merges all capabilities from Application Services, Operators and custom templates
Example: adding Drupal to the Developer Catalog (setting up Drupal 8 and MariaDB)
Application development

Build strategies
• Build from source
• Build from binary
• Build from image
• Multi-stage build
Still not enough? You can go for an S2I custom build: a polyglot automated image builder.
Application development

Istio architecture: a control plane (Pilot, Mixer, Auth) and a data plane of pods, each running the app beside an Envoy sidecar.

Mixer
• Enforces access control and usage policies across the service mesh
• Collects telemetry data from the Envoy proxy and other services
• The proxy extracts request-level attributes and sends them to Mixer for evaluation
Pilot
• Service discovery for Envoy sidecars
• Traffic management capabilities for intelligent routing (A/B tests, canary deployments, etc.)
• Resiliency (timeouts, retries, circuit breakers, etc.)
• Converts high-level routing rules that control traffic behavior into Envoy-specific configurations
  ◦ Propagates them to sidecars at runtime
Envoy (sidecar)
• Policy enforcement as defined in Pilot
• Communicates telemetry to the Mixer

Concerns moved out of MyService business code into the mesh: observing, tracing, security, deployment, resilience, routing, traffic management, authentication, logging, versioning.
Application development

Microservices before and after Istio
• Before (Netflix OSS): each microservice bundles, alongside its business logic, service discovery, load balancing, circuit breaker, traffic control, monitoring and tracing; the platform provides config server, security policies, service registry, traffic control, monitoring, tracing, API management and smart routing.
• After (OpenShift + Istio): the microservice contains only business logic; the platform provides config server, load balancing, service registry, traffic control, monitoring, tracing, API management and smart routing.
Application development

Event Sourcing Containers
Events such as requests, Kafka messages, an uploaded image, a new order or a user login trigger the platform to produce containers on demand.
Benefits of this model:
• No need to set up auto-scaling and load balancers
  ◦ Scale down and save resources when needed
  ◦ Scale up to meet the demand
• Enable Event Driven Architecture (EDA) patterns
• Enable teams to associate cost with IT
• Modernize existing applications to run as serverless containers
Application development

Key Features
• Automatic scaling: perform canary, A/B or blue-green testing with gradual traffic rollout with no sweat, following best practices. No need to configure the number of replicas, or idling. Scale to zero when not in use, auto-scale to thousands during peak, with built-in reliability and fault tolerance.
• Ready for the hybrid cloud: truly portable serverless running anywhere OpenShift runs, on-premises or on any public cloud (prem, aws, azure). Leverage data locality and SaaS when needed.
• Event Driven Architectures: build loosely coupled and distributed apps, connecting with a variety of built-in or third-party event sources or connectors powered by Operators.
• Any programming language: use any programming language or runtime of choice, from Java, Python, Go and JavaScript to Quarkus, Spring Boot or Node.js.
• Containers made easy: simplified developer experience to deploy applications/code on serverless containers, abstracting infrastructure and focusing on what matters.

https://docs.google.com/presentation/d/1AFnyQUaRw1uAr4gwIRQSsPhhSmp967We4eX1rg7DafM/edit#slide=id.g74a3ba7280_4_3519
Application development

Install experience
• Developer and admin experience in the Console
• Built-in event sources
• No external dependencies
• "Just works."
Toolset
• kn CLI
• Web UI
• Monitoring, metering and logging
• Disconnected install support (air-gapped)
• Egress proxy with TLS support
• Over the air updates and patches

CLI / UI:
$ kn service create --image=
Application development

OpenShift Serverless with Red Hat Services
• Connected Services: how Knative services interact with the outside world.
• Service Orchestrator: composing multiple services together into an application.
• Event Streaming: all modern architectures need some Kafka.
• API Gateway: next-gen APIs still require management.
• Implementing Services: functions, languages, and the vagaries of cold starts.
• The Dirty Word in Serverless: yep, you still need state to handle long-lived orchestration.
Application development

Developer Experience | IDE
CodeReady Workspaces creates a containerized developer environment in Kubernetes and requires no Kube knowledge. Everything a developer needs (tools, terminal, operating system, web server / application server, database, and all other runtime components) is managed in a personal workspace hosted in an IT-managed OpenShift cluster.
1. Accelerates projects and onboarding of developers.
2. Removes inconsistencies between dev and prod.
3. Protects source code by keeping it off laptops.
Application development

odo: a new CLI for OpenShift that is tailored for developer syntax and workflows. The goal is to make it simple for a developer to create an app, add components (like a database) and expose it without needing to know Kubernetes. odo is affectionately called "OpenShift DO!"

```
> odo create wildfly backend
Component ‘backend’ was created.
To push source code to the component run ‘odo push’
> odo push
Pushing changes to component: backend
> odo storage create backend-store --path /data --size 100M
Added storage backend-store to backend
> odo create php frontend
Component ‘frontend’ was created.
To push source code to the component run ‘odo push’
> odo push
Pushing changes to component: frontend
> odo url create frontend
 - http://frontend-myproject.192.168.99.100.nip.io
> odo watch
Waiting for something to change in /Users/tomas/odo/frontend
```
Application development

Red Hat plugins for VS Code add IDE superpowers for Java, Kubernetes YAML and Fuse XML. The OpenShift plugin allows developers to quickly connect and deploy to OpenShift instances locally or remotely. Dependency Analytics adds license and CVE package alerts.
Application development

Developer Experience | OPENSHIFT DEVELOPER CONSOLE
Why? A PaaS layer on OpenShift's hybrid multi-cloud Kubernetes platform that creates a UI to focus DevOps teams.
• Create apps from git, images, etc.
• Application topology views
• Pipeline creation and tracking
• Scale up/down in a single click
• Monitor app health and metrics
• Link to more detailed admin views
Subscription units
• Valid for all supported infrastructures
• 1Y/3Y terms, and can be managed for 5Y
• The OCP subscription covers the following:
  ◦ OCP engine
  ◦ Fully automated installers, and over the air smart upgrades
  ◦ Operator Lifecycle Manager (OLM)
  ◦ SDN
  ◦ Matrix
  ◦ Logging
  ◦ Metering and Cost Management SaaS service
  ◦ Registry
  ◦ Service Mesh
  ◦ OCP Virtualization
  ◦ RHSCL
Units: 4 vCPU, 32 vCPU, 128 vCPU
Virtual machines use virtualized CPUs.
• For hyperthreaded systems
  ◦ You can see two vCPUs per underlying physical core
  ◦ Red Hat calculates cores with a ratio of 2 cores = 4 vCPUs
  ◦ In other words, a 2-core subscription covers 4 virtual CPUs in a VM
  ◦ This is the default unless it is explicitly mentioned that hyperthreading is not used
  Example: an 8 vCPU VM has 4 effective "cores", and would need two (2) 2-core subscriptions.
• For non-hyperthreaded systems
  ◦ You can see one vCPU per underlying physical core
  ◦ Red Hat calculates cores with a ratio of 2 cores = 2 vCPUs
  ◦ In other words, a 2-core subscription covers 2 virtual CPUs in a VM on a non-hyperthreaded system
  Example: a 4 vCPU VM has 4 effective "cores", and would need two (2) 2-core subscriptions.
Certified/Supported Images
• Perl
• Python
• Ruby
• NodeJS
• PHP
• PostgreSQL
• MariaDB
• MySQL
• MongoDB
• Redis
• httpd
• Nginx
• Varnish
• Red Hat Developer Toolset (DTS)

Scope of Coverage
At minimum, Critical and Important security errata advisories (RHSAs) and Urgent priority bug fix errata advisories (RHBAs) will be issued if and when available. Lower-impact security advisories may be made in the next point release. All errata are provided at Red Hat's discretion. The following table details the types of software maintenance performed during the life cycle:

Description                          | Support
Unlimited-incident technical support | Yes
Asynchronous security errata         | Yes
Asynchronous bug-fix errata          | Yes
Software enhancements                | Yes
Runtimes
• Runtimes Bundle
  ◦ EAP
  ◦ Red Hat Data Grid
  ◦ Red Hat AMQ Broker
  ◦ JWS (Tomcat)
  ◦ OpenJDK
  ◦ Quarkus
  ◦ Spring Boot
  ◦ Vert.x
  ◦ WildFly Swarm
  ◦ Thorntail
  ◦ Open Liberty
  ◦ NodeJS
  ◦ RHSSO
• Integration Bundle
• Process Automation Bundle
• Portfolio Bundle

Integration, Process, Runtimes:
• Runtimes is included in the higher bundles
• No restriction on vCPU distribution
• Bundled with the OCP subscription
• Can be added on an existing OCP subscription
Supported platforms
CoreOS x86 is supported and tested on:
• Bare metal
• Virtual
  ◦ VMware
  ◦ Red Hat Virtualization
  ◦ Other virtualization platforms: other platforms are supported via the Bare Metal UPI install method
• Private cloud
  ◦ Red Hat OpenStack Platform
• Any OpenShift-certified public cloud
  ◦ AWS, GCE and Azure
  ◦ Cloud Access subscription transfer is required for RHEL nodes
  ◦ https://www.redhat.com/en/technologies/cloud-computing/cloud-access
  ◦ Cloud providers that sell our product on their public clouds have to join the CCSP program
Red Hat is the world's leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.

Thank you