
What's new in OpenShift 4.20

Key updates and new features released in Red Hat OpenShift 4.20.

View the presentation of these slides directly from the OpenShift Product Management team at https://www.youtube.com/watch?v=2VrIfk2QbsU.

View the current roadmap and other presentations from OpenShift Product Management at https://www.redhat.com/en/whats-new-red-hat-openshift

To learn more about Red Hat OpenShift, visit https://redhat.com/openshift


Red Hat Livestreaming

October 23, 2025


Transcript

  1. What's New in Red Hat OpenShift 4.20

    OpenShift Product Management, Oct 21, 2025. red.ht/whatsnew
  2. What's New in OpenShift 4.20: Red Hat OpenShift and Open Hybrid Cloud

    [Platform overview diagram; layers as labelled on the slide]
    Physical | Virtual | Private cloud | Public cloud | Edge
    Linux host operating system
    Kubernetes: Run Containers and Virtual Machines | Run Virtual Machines Only
    Foundational Application Platform Capabilities: Service Mesh | Serverless | Builds | Pipelines | GitOps | Tracing | Log Management | Cost Management
    Advanced Development Capabilities: Internal Development Portal | Secure Software Delivery | Developer Tools
    Advanced Management & Security: Multicluster Management | Cluster Security | Global Registry | Cluster Data Management
    Middleware: Application Servers | Integration | Messaging
    AI Capabilities: Model Development | Serving Lifecycle | Agentic | RAG | Fine Tuning
    Red Hat OpenShift Cloud Services: Red Hat OpenShift on IBM Cloud | Red Hat OpenShift Service on AWS | Azure Red Hat OpenShift | OpenShift Dedicated
  3. What's New in OpenShift 4.20: Kubernetes 1.33 "Octarine" and CRI-O 1.33

    64 total enhancements: 18 graduated to stable, 20 promoted to beta, 24 new alpha features.

    Notable beta features
    ▸ In-place Pod vertical scaling
    ▸ Dynamic Resource Allocation (DRA)
    ▸ OCI images as volumes
    ▸ NUMA-aware scheduling and asynchronous preemption
    ▸ ClusterTrustBundles

    Notable stable features
    ▸ Sidecar containers
    ▸ Volume populators
    ▸ nftables kube-proxy
    ▸ Topology aware routing (PreferClose)
    ▸ Job enhancements
  4. What's New in OpenShift 4.20: Notable Top RFEs and Components

    Top Requests for Enhancement (RFEs)
    ▸ Support the External Secrets Operator (GA) - RFE-3988
    ▸ Install LVMS operator in a namespace other than `openshift-storage` - RFE-6419
    ▸ oc-mirror v2: Verify credentials, hostname, and certs before populating the cache during disk to mirror operations - RFE-7425
    ▸ Support bring your own OIDC authentication - RFE-3929
    ▸ Support Zero Trust Workload Identity Manager (SPIFFE/SPIRE) - OCPSTRAT-1763
    ▸ Support SELinux context mounts for RWO/RWX PVs (TP) - RFE-3327
  5. Red Hat OpenShift 4.20 Highlights

    AI
    • Distributed AI workloads with LeaderWorkerSet (GA) and JobSet (TP)
    • Distributed Inference with llm-d with Red Hat OpenShift AI 3.0
    • Runtime OCI Image Volume Source for AI Workloads
    • Multi-cluster support with OpenShift Lightspeed 1.1 (coming in Dec 2025)
    • Kubernetes and OpenShift accessibility via Model Context Protocol (DP)

    Core
    • Bring your own OIDC Identity Provider (GA)
    • Zero Trust Workload Identity Manager (GA)
    • User namespace (GA)
    • External Secrets Operator (GA)
    • BGP in OVN-Kubernetes for on-premises (GA)
    • Two node OpenShift with arbiter (GA)

    Virtualization
    • CPU load aware rebalancing with descheduler (GA)
    • Arm Support (GA)
    • Faster live migration via parallel streams
    • OpenShift Virtualization on ARO with Azure Boost and OpenShift Data Foundation
    • OpenShift Virtualization on bare metal in OpenShift Dedicated, Google Cloud (GA) and Oracle Cloud (GA)

    GA: Generally Available | TP: Technology Preview | DP: Developer Preview
    red.ht/whatsnew
  6. What's New in OpenShift 4.20: AI Workloads in OpenShift 4.20

    Optimizing Infrastructure for Enterprise AI/ML

    ▸ Red Hat Build of Kueue 1.1 (General Availability): Provides Kubernetes-native job queueing for workload orchestration in OpenShift. Supports all OCP architecture types (x86, Arm, IBM Power and IBM Z).
    ▸ Leader/Worker Set (General Availability): Simplifies leader-follower workload orchestration for distributed applications within Kubernetes.
    ▸ JobSet (Technology Preview): Facilitates coordinated execution and lifecycle management of complex, multi-pod batch jobs in Kubernetes.
    ▸ DRA, Attribute-Based GPU Allocation (Technology Preview): User specifies device type like Nvidia H100 or A100 as opposed to / NVIDIA.com.
    ▸ OCI Volume Source for AI Workloads (General Availability): Allows containers to directly mount model images as volumes, streamlining AI/ML deployment pipelines.
  7. What's New in OpenShift 4.20: Multi-cluster support of OpenShift Lightspeed with Advanced Cluster Management

    Available Now
    ▸ User ability to attach a managed cluster's YAML/logs/events/errors in OpenShift Lightspeed, listed in the ACM hub cluster

    Coming Soon (What's next)
    ▸ Red Hat Advanced Cluster Management product knowledge in OpenShift Lightspeed
      ◦ Example “How to knowledge ACM”
    ▸ Ability to get status of remote cluster object
      ◦ Example “List all pods from ABC cluster”
  8. What's New in OpenShift 4.20: AI-powered Cluster Management

    Bridge LLMs to OpenShift / Kubernetes with the Model Context Protocol (Developer Preview)

    ▸ Model Context Protocol (MCP) server extension for Kubernetes and OpenShift
    ▸ Developer Preview
    ▸ Native Go implementation
    ▸ Natural Language Queries
    ▸ Direct API Calls
    ▸ RBAC-Compliant
    ▸ Zero Dependencies
    ▸ Generic CRUD
    ▸ Try this MCP Server with VSCode, GitHub Copilot, Cursor, Claude Desktop and Goose
    ▸ Learn more at Kubernetes MCP server: AI-powered cluster management https://github.com/containers/kubernetes-mcp-server

    Product Manager: Gaurav Singh
  9. What's New in OpenShift 4.20: User Namespace and External Secrets Operator

    General Availability

    User Namespace
    ▸ Isolates the UIDs and GIDs of the containers from the ones on the host.
    ▸ Example: A root user inside the container can be non-root on the host.

    External Secrets Operator
    ▸ Provides the ability to consume credentials stored in the secrets management system of your choice.
    ▸ Core features: Policies for creation, rotation, and advanced templating.
  10. What's New in OpenShift 4.20: Traffic Management for AI/ML with Red Hat OpenShift AI 3.0

    Bringing AI-Optimized Traffic Management to OpenShift

    ▸ Red Hat OpenShift AI 3.0 introduces distributed inference with llm-d to enable specialized routing and traffic management capabilities for AI/ML inference workloads.
    ▸ Uses Gateway API Inference Extensions (GIE) to provide advanced capabilities for routing inference requests based on the specific model and available load telemetry.
    ▸ GIE extends Kubernetes Gateway API and is automatically enabled when InferencePool resources are created.
    ▸ GIE is implemented with Istio's Gateway (Envoy) through OpenShift Service Mesh 3.2.0+.

    [Diagram: Gateway with GIE (Istio Proxy), Inference Scheduler (“End Point Picker”), Inference Pool, Model Servers & Models. Numbered steps: 1. Request; 2. Select InferencePool; 3. Report model load telemetry; 4. Choose optimal model instance; 5. Route request]
  11. What's New in OpenShift 4.20: BGP Support in OVN-Kubernetes

    Generally Available in 4.20 and 4.19.12

    BGP with OVN-Kubernetes (KEP)
    ▸ Bare metal platform, initially
    ▸ Adds to MetalLB & CNO BGP support already available
    ▸ Expose pod/VM networks directly in the provider network, supports both default and UDN networks
    ▸ Cluster Admin privileged Primary UDN advertisements
    ▸ Export EgressIP routes for native L3 failover to another node
    ▸ Import routes from the provider network to default pod network or designated UDN (VRF)
    ▸ VRF-Lite extends UDN tenant isolation via VPN integration with external networks
    ▸ Import/Export of routes enabled independently
    ▸ BFD is supported

    ROADMAP
    ▸ BGP No-overlay support
    ▸ EVPN support
    ▸ Multi-Platform Multi-Cluster connectivity
    ▸ Improved L2 advertised routes to avoid extra hops
    ▸ Advertise pod networks from a subset of nodes

    [Diagram: node-1 and node-2, each with a BGP Router (FRR), the Customer BGP Router on the Provider Network, and VMs and pods on UDN-1, UDN-2 and UDN-3]
  12. What's New in OpenShift 4.20: Zero Trust Workload Identity Manager (GA)

    Multi-Factor Authentication for Workloads with Runtime Attested Identities

    Zero Trust Workload Identity Manager is now Generally Available on OpenShift. Based on upstream SPIFFE/SPIRE, delivering runtime-attested, cryptographically verifiable identities for every workload.

    Core Capabilities
    ▸ Workload auto-registration with SPIRE Controller manager
    ▸ SPIRE<>SPIRE Server Federation enables universal trust across hybrid and multi-cloud environments
    ▸ OIDC Federation enables workloads to integrate with existing enterprise identity systems (e.g., Keycloak)
    ▸ Secretless authentication with Vault integration using SPIFFE IDs
    ▸ Bring Your Own Database (BYODB) with PostgreSQL for compliance and resilience
    ▸ Flexible configuration options for automation and advanced security customization

    Why It Matters
    • Establishes universal trust across hybrid and multi-cloud environments
    • Eliminates static secrets and manual certificate management
    • Enables short-lived, verifiable identities for secure workload-to-workload communication
    • Provides consistent, runtime-attested identities for all cloud-native workloads, from traditional services to emerging Agentic AI systems
    • Ensures accountability and traceability for every workload action
    • Forms the foundation for Zero Trust architectures across the entire application landscape
  13. What's New in OpenShift 4.20: Bring Your Own External Authentication (GA)

    Direct Integration of Corporate Identity Providers with OpenShift APIs

    Core Functionality In Self-Managed OpenShift
    ▸ Works on both fresh installs & upgrades
    ▸ Switch easily between OAuth server & BYO OIDC configs
    ▸ Built-in oc-oidc CLI plugin (Auth Code + PKCE)
    ▸ Verified end-to-end with Red Hat–supported OIDC Identity Providers

    Customer Benefits
    ▸ Corporate IDP Tokens: Direct API access using enterprise credentials
    ▸ Customer control over session configuration, which is important for compliance
    ▸ Unified Access: Single pane for users & groups across clusters
    ▸ Upstream-Aligned: Based on upstream OIDC structured authentication
    ▸ Automation-Ready: Enables hybrid & multi-cloud workflows

    Self-managed OpenShift: OCPSTRAT-1804. Also available on ROSA HCP (ROSA-130) and ARO HCP (ARO-21390).

    [Diagram labels: User/Machine Authenticates, Corporate IDP, JWT Returned, API Request, API Server, Token Verification]
  14. What's New in OpenShift 4.20: Two Node OpenShift with Arbiter (TNA)

    New Topology Approach:
    • Two node solution for cost sensitive customers who do not need a full third node for their workload
    • Small arbiter node (2 vCPU, 8Gi), running only third etcd instance
    • Same HA characteristics as a regular three node cluster - tolerates single node outage
    • OpenShift Virtualization fully supported
    • x86 and Arm, bare metal only (platform=none)
    • Hyperconverged Storage / Software Defined Storage (replica 2, disks only on node 1 and 2) via partners:
      ◦ Pure / Portworx (GA 10/’25)
      ◦ Arctera / Infoscale (limited GA 12/’25)*
      ◦ IBM / Fusion (DP 10’25)

    [Diagram: Node 1, Node 2 and Node 3 with Infrastructure Services, Kubernetes Services, etcd and Workload; etcd runs 3 instances with regular quorum mechanisms like 3 node compact clusters]
  15. What's New in OpenShift 4.20: OpenShift Virtualization Highlights

    Modernize your operations with comprehensive lifecycle and infrastructure management

    Simplified VM Management
    • Multi-cluster VM operations and management
    • Optimize cluster for Virtualization with recommended operators
    • OpenShift Virtualization installation in Disconnected and Registry-less (TP)

    Optimize your infrastructure
    • Cross-cluster VM live migration (TP)
    • Live migration to specific node
    • Migrate large VMs up to 10 times faster (minutes vs. hours) with storage offload on some models of Hitachi, NetApp, Dell, Pure, and HPE
    • CPU utilization based Automatic VM workload balancing
    • OpenShift Virtualization on Arm

    Networking Enhancements
    • Routed ingress (BGP) for L2 User Defined Network
    • Ability to change the virtual network interface link state of a running VM
    • Passt Integration for OpenShift Virtualization (TP)

    [Diagram: MTV storage offloading accelerated migration; Storage Array, Original disk, New Disk, Remap LUN, XCOPY]
  16. What's New in OpenShift 4.20: Learn more about What's New in OpenShift Virtualization 4.20

    When: October 28, 11:00am CDT
    Where: Virtual
    Sign up: Use the QR code or go to red.ht/Virt420
  17. What's New in OpenShift 4.20: Observability, Cluster Observability Operator

    New Features in COO 1.3
    ▷ Incident Detection MCP / COO 1.2.2+ (DP)
    ▷ Incident detection for Red Hat OpenShift (GA)
    ▷ Observability signal correlation for Red Hat OpenShift (GA)
    ▷ APM dashboard (DP)
    ▷ Traces UI enhancements
  18. What's New in OpenShift 4.20: Incident detection for Red Hat OpenShift

    Generally Available with COO 1.3. Coming soon!

    ▸ Manage alert noise at rapid speed: Incident detection groups related alerts into incidents.
    ▸ Alert groupings = incidents: Currently based on the temporal correlation between events.
    ▸ Incidents UI in the OpenShift web console: A unified view of incidents and their severity, with the possibility to drill down into individual alerts.
    ▸ Shipped by the cluster observability operator (COO): Optional operator that makes incident detection and advanced observability features available to the user.
  19. What's New in OpenShift 4.20: Observability signal correlation for Red Hat OpenShift

    Generally Available with COO 1.3. Coming soon!

    ▸ Powered by Korrel8r: Open source rule-based correlation engine that provides the backend logic.
    ▸ Guided troubleshooting: Navigate from an alert to a pod, from a pod to logs, and from logs to a specific metric, following the chain of events until the root cause of the issue is identified.
    ▸ Troubleshooting panel in the OpenShift web console: An interactive, correlated view of observability signals and K8s resources.
    ▸ Shipped by the cluster observability operator (COO): Optional operator that makes signal correlation and advanced observability features available to the user.
  20. What's New in OpenShift 4.20: Right Sizing Recommendations / Virtualization

    Technology Preview with Red Hat Advanced Cluster Management 2.15. Coming soon!

    ▸ Right sizing recommendations at the VM level
      ◦ Policy-driven architecture using PrometheusRule
      ◦ Customizable data filtering via ConfigMap
      ◦ Working with OpenShift labels & namespace filters
      ◦ Historical analysis using daily aggregated data points
    ▸ Ensure better performance across VM workloads: Help identify savings in resource allocation and over-utilized resources (CPU & Memory).
    ▸ Enable the feature in the MultiClusterObservability Custom Resource in the hub cluster: Make use of a dedicated Grafana dashboard in RHACM console.

    [Dashboard screenshots: Detailed overview for each VM; CPU overestimation/underestimation]
  21. What's New in OpenShift 4.20: AI Accelerator Ecosystem

    With the NVIDIA GPU Operator 25.10:
    ▸ OpenShift Virtualization vGPU for compute (MIG-backed)
    ▸ Support for hardened base images UBI-STIG container driver.
    ▸ Distroless NVIDIA GPU Operator.
    ▸ Support OpenShift on GB200 NVL72 (Arm)
    ▸ NVIDIA GPU Operator CDI by default
    ▸ DCGM metrics included in OpenShift telemetry

    ▸ Rebellions AI NPU Operator
    ▸ ATOM NPU, 8 cards per server

    ▸ AMD MI300X SR-IOV support with partitioning support for containers and OpenShift with the AMD GPU Operator.
    ▸ Device-Metrics-Exporter enhancements: New Metric Fields, Health Service Config, Profiler Metrics Default Config Change

    [Image labels: Eight partitions (CPX); ATOM-Max]
  22. What's New in OpenShift 4.20: Hosted Control Planes

    ▸ GA Dual-Stack IPv4/IPv6: GA support for the agent provider (bare metal) for 4.18 onwards.
    ▸ OVN IPv4 subnet configuration: Customizable OVN IPv4 subnet configuration for HCP clusters to avoid CIDR conflicts and enable advanced networking features, adding ovnKubernetesConfig to the HostedCluster API.
    ▸ ARO with HCP roadmap in motion: Ongoing development towards releasing ARO with HCP in 2026. Progress during OpenShift 4.20:
      • New hosted_cluster_info Prometheus metrics
      • Global Pull Secret for private registries
      • Heterogeneous architecture support: x86 control plane with Arm data plane
      • OIDC provider support with customer-managed client secrets
    ▸ CNI Certification for HCP: Isovalent now certified for Hosted Clusters. Tigera coming soon.
    ▸ Cluster AutoScaler API for Hosted Clusters: Customize the Cluster AutoScaler behaviour for hosted clusters, such as CPU utilization thresholds.
    ▸ Documentation Improvements: Greatly improved the documentation for deploying hosted clusters on bare metal.

    * Hosted Control Planes is shipped in the HyperShift Operator included in RHACM, released about 6 weeks after the GA of OCP
  23. What's New in OpenShift 4.20: Red Hat Advanced Cluster Management for Kubernetes 2.15

    Global Cluster Management
    • Managed Cluster Migration - Global Hub (GA)

    Virtualization & Fleet Management
    • Fleet Virtualization
      ◦ Tree View & VNC Console
      ◦ VM Details, VM Actions, VM Multiselect (GA)
    • Cross-cluster live migration (TP)

    Policy & Governance
    • Expanded Gatekeeper run-time configurability (GA)
    • policytools CLI dry-run against live cluster (GA)
  24. What's New in OpenShift 4.20: Red Hat Advanced Cluster Management for Kubernetes 2.15

    Monitoring & Observability
    • Metrics Collection with MCOA (GA)
    • Improved backup restore procedure for Observability
    • Alert Management UI (TP)
    • Global Hub enhancements (ability to observe Managed Hub Clusters)

    ArgoCD & Application Management
    • ApplicationSets in any namespace (TP)
      ◦ crucial for enabling multi-tenancy or self-service and at scale
    • ACM ArgoCD Agent Integration (TP)
      ◦ focus on lifecycle management
    • Support for syncing ApplicationSets in the UI

    Cluster Lifecycle Management
    • Cluster Lifecycle for ROSA with Cluster API Provider AWS (CAPA) (GA)
    • Cluster Lifecycle for Nutanix IPI (GA)
  25. What's New in OpenShift 4.20: Red Hat Advanced Cluster Security for Kubernetes 4.9 highlights

    ▸ ACS Prometheus Metrics: Centralized exposed Prometheus metrics for custom dashboarding and monitoring.
    ▸ Policy Editor: Reorganized Policy editor is more intuitive and documentation includes comprehensive guidance.
    ▸ Automatic process baseline lock-in: Automatic alerts for suspicious process detection.
    ▸ ServiceNow Integration: ACS vulnerability data populated in ServiceNow Container Vulnerability Response Application to support custom management workflows.
    ▸ Declarative Machine-to-Machine Auth Config: DevSecOps-friendly declarative M2M config for access to ACS APIs.
    ▸ View based Vulnerability Reporting: Export filtered vulnerability data as CSV files, providing unprecedented flexibility in analyzing data and addressing specific security concerns.
    ▸ Dev Preview: Vulnerability Reporting for Virtual Machines (VMs) in Red Hat OpenShift Virtualization: Agent-based solution for RHEL guest OS vulnerability reporting, offering a unified view for containerized and VM workloads.
  26. What's New in OpenShift 4.20: What's new in Red Hat Quay 3.16

    Enhanced Insights, Security, Storage Flexibility, and Modernized UX.

    ▸ Operator Support for Custom StorageClass: Customize the Kubernetes Storage Class for Persistent Volume Claims (PVCs) using the Quay Operator, allowing for different storage backends to improve performance and resilience.
    ▸ Modernized Quay User Experience (New UI!): The new PatternFly UI is now the default with enhanced features, providing a modern, consistent experience that aligns with Red Hat products. Note: The Classic UIs are fully deprecated in this release.
    ▸ Enhanced Security with OIDC PKCE Support: Integrates with modern OIDC providers that require Proof Key for Code Exchange (PKCE) to ensure secure and uninterrupted authentication.
    ▸ Image Tag Popularity Tracking: Tracks the last pull time and pull count for each image tag, providing insights for custom pruning and future automated cleanup to improve repository governance.
  27. What's New in OpenShift 4.20: Observability, OpenShift Monitoring

    New Features and Improvements in OpenShift 4.20
    ▷ Expanded Node-Level Metrics: Enabled the sysctl node-exporter collector for networking troubleshooting.
    ▷ Enhanced KSM Metric Configuration: multi-tenancy support for Custom Resource State in kube-state-metrics
    ▷ Adjustable metric-server Verbosity: Possible to directly change the log verbosity of the metric-server.
    ▷ Enhanced Network Security
      ◦ Implemented NetworkPolicy support for monitoring components to improve security
    ▷ Monitoring stack components updated
      ◦ Prometheus Operator: 0.85.0
      ◦ Prometheus: 3.3.1
      ◦ kube-state-metrics: 2.16.0
      ◦ node-exporter: 1.9.1
      ◦ thanos: 0.39.2
  28. What's New in OpenShift 4.20: Observability, OpenShift Logging 6.4

    Log Collection
    ▷ Streamlined storage AWS output
    ▷ Cross-account forwarding enabled with assume-role

    Log Storage
    ▷ Loki performance troubleshooting made simple
    ▷ Smarter monitoring with Loki conditional alerting rules
  29. What's New in OpenShift 4.20: Application Observability & Integrations

    Red Hat Build of OpenTelemetry | Distributed Tracing 3.7
    ▷ [Tech Preview] Probabilistic Sampling Processor
    ▷ Deploy custom exporters
    ▷ Updated Tempo version to Tempo 2.8.2
    ▷ Expose Tempo Gateway using Route with Reencrypt
  30. What's New in OpenShift 4.20: Console: Unified Software Catalog

    One location to manage all software that runs on your cluster. Designed to Simplify!
    • New Ecosystem Navigation Menu
    • Merged Dev Catalog and Operator Hub
      ◦ Previous Content merged into a Single Catalog for simplification
    • Two Sub Menus
      ◦ Software Catalog
      ◦ Installed Operators
  31. What's New in OpenShift 4.20: Console: ControlPlaneMachineSet User Experience

    Improved discoverability and manageability of CPMS in the Console
    ▸ Added CPMS to the Console under Compute
    ▸ Provide UI controls to manage CPMS, similar to MachineSets
    ▸ Show node lifecycle status and replacement operations in the UI
    ▸ Enable rolling upgrade strategies visibility in the console
  32. What's New in OpenShift 4.20: Console RFEs “Customer Happiness” for 4.20

    ▸ RFE-7712 - Full-Screen YAML Editor in OpenShift Web Console
    ▸ RFE-4945 - "Copy to clipboard" button for YAML in OpenShift Console
    ▸ RFE-1125 - Allow custom icons in OpenShift 4 developer catalog templates
    ▸ RFE-5057 - Ability to define Application Icon in Topology View
    ▸ RFE-4254 - Make PodRingSet available in Console Dynamic SDK
  33. What's New in OpenShift 4.20: Red Hat Developer Hub

    Streamlined DevX and accelerated onboarding using centralized tools and docs.

    RHDH 1.7 Highlights:
    • New look Homepage experience
    • Quickstart - for platform engineers
    • ServiceNow Plugin - fully OSS
    • Developer Lightspeed for RHDH - Dev. Pre.
      ◦ Also available in RHDH Local!
    • Plugin management can now be done via the Extension Catalog
    • Dynatrace & IBM API Connect plugins are now Certified by Red Hat
    • Template versioning
    • New rhdh-CLI for devs
    • Adoption Insights is now GA & on by default
  34. What's New in OpenShift 4.20: Podman Desktop

    3 million downloads and counting! 6.6k ! Extensions! Extensions! Extensions!

    ▸ Clearer dashboard notifications and updated onboarding experience
    ▸ Switch namespaces & context in the Kubernetes UI
    ▸ Libkrun as default provider (macOS) → GPU access for containers
    ▸ Switch between a rootless and rootful Podman Machine
    ▸ Podman Support for Windows ARM64
    ▸ Transparent proxy support
    ▸ New! Apple Containers: View and manage your Apple containers from within Podman Desktop
    ▸ AI Lab: Model catalog updated with recent models (gpt-oss, Granite 4.0, Gemma 3n, phi 4)
    ▸ Minc: Start MicroShift in a container for a lightweight development experience.
    ▸ RHEL VMs: Run RHEL in VMs directly from Podman Desktop
  35. What's New in OpenShift 4.20: OpenShift Dev Spaces Version 3.23 is now available

    Red Hat OpenShift Dev Spaces 3.23 is based on Eclipse Che 7.107

    ▸ On-prem openvsx instance: Admins can now deploy an on-premises instance of the Open VSX extension registry where they can host extensions internally and point Dev Spaces to it.
    ▸ Support for ARM64 Architecture: Dev Spaces can now run on OpenShift clusters using ARM64 CPUs, which gives developers the ability to run and test applications on ARM64 architecture. Currently limited to the VS Code web IDE.
    ▸ More JetBrains IDEs and host IDEs on local infra: Added support for Rider, GoLand, and PhpStorm. For air-gapped environments, admins can now host these IDEs on an internal network, which removes the need to download them from the internet.
    ▸ Etcd Auto pruner: Admins can now configure an automatic pruner to clean up unused Dev Workspace objects. This reduces etcd usage and helps Dev Spaces run at scale.
  36. What's New in OpenShift 4.20: Red Hat Trusted Artifact Signer (RHTAS)

    Enables cryptographic signing, verification of software and provenance metadata

    RHTAS 1.3 Highlights:
    • Model Transparency Library with support for private Sigstore instances
    • Model Validation Operator for runtime model verification
    • High-availability Sigstore deployment options
    • Scalable Transparency Log with cloud storage support
    • Transparency Log Monitoring capabilities

    Conforma:
    • Conforma now supports Open Policy Agent (OPA) version 1.0
    • Conforma can verify signatures from multiple Rekor instances within a single policy execution
  37. What's New in OpenShift 4.20: Red Hat Trusted Profile Analyzer (RHTPA)

    Analysis of software for vulnerabilities, on demand, at code-time, or over lifetime

    RHTPA 2.2 Highlights:
    • AIBOM (CycloneDX 1.6 component=machine-learning-model) Ingestion and Labeling
    • SBOM Ingestion and Generation from QUAY
    • License Search Inventory Wide
    • RH Dependency Analytics Multiple TPA sources
  38. What's New in OpenShift 4.20: Red Hat build of Quarkus, What's New in 3.27 (Nov ‘25)

    ▸ Red Hat build of Quarkus 3.27 (ETA Nov 2025)
      • Upgrade to Hibernate ORM 7, Hibernate Reactive 3 and Hibernate Search 8
      • Subscription aware tooling (CLI, code.quarkus, etc)
      • Chappie - AI-powered assistant to improve dev experience
        ・ assistant module to talk to extensions
    ▸ IBM Enterprise build of Quarkus will be released in Nov (announcement FAQ)
    ▸ Planning stages for Quarkus/RHBQ 4 (late ‘26/early ‘27)
  39. What's New in OpenShift 4.20: OpenShift Service Mesh

    ▸ OpenShift Service Mesh 3.2 is coming soon:
    ▸ Based on Istio 1.27 and Kiali 2.17
    ▸ Istio Ambient mode - Generally Available
      ▪ Service mesh without sidecars!
      ▪ Significantly less resource usage
      ▪ ZTunnel proxies enable lightweight pod to pod mTLS encryption
      ▪ Waypoint proxies for L7 mesh features.
    ▸ Cert-manager 1.18 makes istio-csr GA
    ▸ Kiali's new “local mode” enables efficient debugging & observability
    ▸ OpenShift Service Mesh 3.2 will be supported on OCP 4.18+.

    [Diagram: Sidecar mode (Traditional service mesh) with App and SC pairs on a Node, next to Ambient mode (GA in 3.2!) with Apps, ZTunnel and Waypoint on Nodes]
  40. What's New in OpenShift 4.20: OpenShift GitOps

    OpenShift GitOps 1.18 release highlights:
    ▸ Argo CD 3.1, Argo Rollouts 1.8.3, and Argo CD Agent 0.4.1
    ▸ Console menu item Environments -> GitOps
    ▸ Keycloak usage update
    ▸ OCI Support

    6 Customer RFEs, including:
    ▸ Tenant namespace management without cluster-admin
    ▸ Declarative config to enable and disable auto-sync
    ▸ Dex support for additional volumes/volume mounts
  41. What's New in OpenShift 4.20: Builds & Pipelines

    OpenShift Pipelines 1.20
    ▸ DEPRECATION: Tekton Hub will be shut down in January 2026.
    ▸ Operator: HA support, CA/RBAC separately managed, and read-only filesystems on pipeline pods
    ▸ Security: The buildah-ns task uses Kubernetes user namespace
    ▸ PaC: Portability with relative paths, JSON body parameters support, and pull request numbers.
    ▸ Console: The UI displays task names with their resolved param values.
    ▸ Results: Skip incomplete runs to improve performance.

    Builds for OpenShift 1.6
    ▸ Cloud-native Buildpacks build strategy GA
  42. What's New in OpenShift 4.20: OpenShift Serverless

    ▸ Serverless 1.37 release based on Knative 1.17
    ▸ New IntegrationSink option for AWS EventBridge
    ▸ On-demand certs with cert-manager
    ▸ End-to-end TLS encryption across all Knative traffic hops (GA)
    ▸ Serverless integration with Service Mesh 3
  43. What's New in OpenShift 4.20: Migration Toolkit for Applications

    Migration Toolkit for Applications 8
    ▸ GA of Red Hat Developer Lightspeed for MTA (Downstream of Konveyor AI)
      ▸ Automated source code transformation leveraging LLMs
      ▸ MTA addon available in the Red Hat Advanced Developer Suite subscription
    ▸ Simplify the migration from Cloud Foundry to OpenShift of already containerized applications that don't require changes in the source code by enabling MTA to:
      ▸ Retrieve deployment and runtime configuration from the platform an application is deployed on
      ▸ Produce deployment manifests and configuration files to deploy applications in OpenShift
  44. What's New in OpenShift 4.20: Support Log Gather

    Non-privileged, secure collection of OpenShift logs. Will be available with 4.20.z+

    ▸ Developer triggered log collection: Using the support log gather operator, developers can now trigger collection of logs to pass to Red Hat Support teams.
    ▸ Secure by default: Enables non-privileged users to trigger log collection while preventing privilege escalation paths.
    ▸ Additional customizations: Customize the operator deployment to enable automatic upload of logs to a linked support case.
  45. What's New in OpenShift 4.20: OpenShift 4.20 Supported Providers and Installation Experiences

    Installation Experiences
    ▸ Automated (Installer Provisioned Infrastructure)
      - Auto-provisions infrastructure
      - *KS like
      - Enables self-service
    ▸ Full Control (User Provisioned Infrastructure)
      - Bring your own hosts
      - You choose infrastructure automation
      - Full flexibility
      - Integrate ISV solutions
    ▸ Interactive – Connected (Assisted Installer)
      - Hosted web-based guided experience
      - Agnostic, bare metal, vSphere and Nutanix
      - ISO driven
    ▸ Local – Disconnected (Agent-based Installer)
      - Restricted network (disconnected / air-gapped)
      - Automatable installations via CLI
      - Bare metal, vSphere, SNO
      - ISO driven

    [Supported provider labels on the slide: Azure Stack Hub | Bare Metal | IBM Power Systems and IBM LinuxONE | Outposts | Wavelength | Local Zones (Tech Preview)]
  46. What's New in OpenShift 4.20: Installation Highlights for Cloud Providers

    ▸ Support customer managed DNS solutions (Developer Preview)
    ▸ Support Mexico and Taipei regions
    ▸ Support DNS Zones in a third separated project for OpenShift in GCP XPN deployments
    ▸ Support OpenShift installation into Azure VNETs with encryption
    ▸ Confidential Nodes in Intel TDX (GA)
    ▸ Configure additional disks at install time (Technology Preview)
    ▸ OpenShift in EU Sovereign Cloud (General Availability)
    ▸ OpenShift in US Government Cloud (Technology Preview)
    ▸ OpenShift in UK Government Cloud (Technology Preview)
    ▸ OpenShift in Oracle Cloud Isolated Region (Technology Preview)
    ▸ OpenShift in Oracle Alloy (Technology Preview)
  47. What's New in OpenShift 4.20 Installation Highlights for On-premises Providers

    56 On-premises ▸ vSphere multi-NIC VM creation support for IPI installation (GA) ▸ MachineSet - support of more than one disk (TP) ▸ Support Additional Bare Metal Node to OpenShift Cluster (Dev Preview) ▸ Extend Metal3 firmware updates to cover NiC F/W (GA) ▸ Bare Metal Multi-Arch Support for Virtual Media (GA) Bare Metal ▸ Hosted Control Planes: IBM Z control plane with x86 nodepools ▸ Improvements to Multi-arch builds with OpenShift Pipelines ▸ Enabling accelerators for IBM Z and IBM Power platforms IBM Power Systems and IBM LinuxONE ▸ Migrate your control planes to Arm based systems on GCP Multi- Arch
  48. What's New in OpenShift 4.20 OpenShift Virtualization Installation in Disconnected and Registry-less

    Technology Preview in OpenShift 4.20.z
    STEP A - Download the ISO image
    STEP B - Boot all servers using downloaded ISO and install an OpenShift Virt cluster in the air-gap and registry-less environment
  49. What's New in OpenShift 4.20 RHOSO18 and Shift-On-Stack in 4.20

    ▸ OpenShift on OpenStack Highlights
      ◦ Manila CSI now supports multiple CIDR when mounting a volume
        ▪ Allows multiple IP ACLs to access shares for better AZ support
        ▪ Removed the all (0.0.0.0/0) or null (single subnet) default limitation, which provides better security and flexibility
    ▸ RHOSO18 Highlights (Feature Release 4 Nov 16th 2025)
      ◦ OpenStack Workload Optimization Operator GA
        ▪ Dynamically manage compute resources based on infrastructure utilization
        ▪ Save resources by consolidating workloads
        ▪ Proactive policy to avoid congestion
      ◦ Native OVN-BGP support
        ▪ Removed the OVN-agent and FRR dependencies
        ▪ Improves forwarding performance
        ▪ Paves the way for BGP-EVPN and FDP
  50. What's New in OpenShift 4.20 Find issues prior to Performing OpenShift Updates

    General Availability
    ▸ GA in OpenShift 4.20
    ▸ Use oc adm upgrade recommend to show:
      ◦ The next version recommended to update
      ◦ Precheck feature: Important alerts which can affect updates. This allows users to check the cluster before an update.
      ◦ read-only command and does not alter the state of your cluster

        $ oc adm upgrade recommend
        Failing=True:

          Reason: ClusterOperatorNotAvailable
          Message: Cluster operator monitoring is not available

        The following conditions found no cause for concern in updating this cluster to later releases: recommended/NodeAlerts (AsExpected), recommended/PodImagePullAlerts (AsExpected)

        The following conditions found cause for concern in updating this cluster to later releases: recommended/PodDisruptionBudgetAlerts/PodDisruptionBudgetAtLimit/1

        recommended/PodDisruptionBudgetAlerts/PodDisruptionBudgetAtLimit/1=False:

          Reason: Alert:firing
          Message: warning alert PodDisruptionBudgetAtLimit firing, which might slow node drains. Namespace=openshift-monitoring, PodDisruptionBudget=prometheus-k8s. The pod disruption budget is preventing further disruption to pods. The alert description is: The pod disruption budget is at the minimum disruptions allowed level. The number of current healthy pods is equal to the desired healthy pods. https://github.com/openshift/runbooks/blob/master/alerts/cluster-kube-controller-manager-operator/PodDisruptionBudgetAtLimit.md

        Upstream update service: https://api.integration.openshift.com/api/upgrades_info/graph
        Channel: candidate-4.18 (available channels: candidate-4.18, candidate-4.19, candidate-4.18, eus-4.18, fast-4.18, fast-4.19, stable-4.18, stable-4.19)

        Updates to 4.18:
          VERSION     ISSUES
          4.18.32     no known issues relevant to this cluster
          4.18.30     no known issues relevant to this cluster

        And 2 older 4.18 updates you can see with '--show-outdated-releases' or '--version VERSION'.
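An added example (not from the slides or from the OpenShift project): a pre-update gate that parses the text of `oc adm upgrade recommend` shown above and lists reasons to hold the update, namely `Failing=True` or any condition reported as a cause for concern. The sample text is constructed and abridged from the slide's output, the function names are hypothetical, and the parser assumes the CLI's human-readable line layout, which may change between releases.

```python
import re

# Constructed sample, abridged from the output shown on the slide.
SAMPLE = """\
Failing=True:
  Reason: ClusterOperatorNotAvailable
  Message: Cluster operator monitoring is not available

The following conditions found no cause for concern in updating this cluster to later releases: recommended/NodeAlerts (AsExpected), recommended/PodImagePullAlerts (AsExpected)

The following conditions found cause for concern in updating this cluster to later releases: recommended/PodDisruptionBudgetAlerts/PodDisruptionBudgetAtLimit/1

recommended/PodDisruptionBudgetAlerts/PodDisruptionBudgetAtLimit/1=False:
  Reason: Alert:firing
  Message: warning alert PodDisruptionBudgetAtLimit firing, which might slow node drains.

Updates to 4.18:
  VERSION     ISSUES
  4.18.32     no known issues relevant to this cluster
  4.18.30     no known issues relevant to this cluster
"""

# Assumed layout: "<name>=<status>:" headers, indented Reason/Message, version rows.
CONCERN = "found cause for concern in updating this cluster to later releases:"
COND = re.compile(r"^(\S+)=(True|False|Unknown):\s*$")
FIELD = re.compile(r"^\s+(Reason|Message):\s*(.*)$")
UPDATE = re.compile(r"^\s+(\d+\.\d+\.\d+)\s+(.+)$")

def parse_recommend(text):
    """Return the conditions, the names flagged as concerns, and the update rows."""
    report = {"conditions": {}, "concerns": [], "updates": []}
    current = None
    for line in text.splitlines():
        if CONCERN in line:
            names = line.split(CONCERN, 1)[1]
            report["concerns"] = [n.strip() for n in names.split(",") if n.strip()]
        elif m := COND.match(line):
            current = report["conditions"].setdefault(m[1], {"status": m[2]})
        elif (m := FIELD.match(line)) and current is not None:
            current[m[1].lower()] = m[2]
        elif m := UPDATE.match(line):
            report["updates"].append((m[1], m[2].strip()))
    return report

def blockers(report):
    """Reasons to hold the update: a Failing cluster or any flagged condition."""
    found = []
    failing = report["conditions"].get("Failing")
    if failing and failing["status"] == "True":
        found.append(f"Failing: {failing.get('reason', 'unknown')}")
    for name in report["concerns"]:
        reason = report["conditions"].get(name, {}).get("reason", "unknown")
        found.append(f"{name}: {reason}")
    return found
```

In a pipeline, pass the captured command output to `blockers(parse_recommend(text))` and stop the change window when the list is non-empty.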
  51. What's New in OpenShift 4.20 OpenShift Update Status

    General Availability
    ▸ GA in OpenShift 4.20
    ▸ oc adm upgrade status shows current status of the OpenShift updates
      ◦ read-only command and does not alter the state of your cluster

        $ oc adm upgrade status
        = Control Plane =
        Assessment:      Progressing
        Completion:      12%
        Duration:        12m5s
        Operator Status: 33 Healthy

        Control Plane Nodes
        NAME                                        ASSESSMENT   PHASE     VERSION   EST   MESSAGE
        ip-10-0-30-217.us-east-2.compute.internal   Outdated     Pending   4.14.0    ?
        ip-10-0-53-40.us-east-2.compute.internal    Outdated     Pending   4.14.0    ?
        ip-10-0-92-180.us-east-2.compute.internal   Outdated     Pending   4.14.0    ?

        = Worker Upgrade =

        = Worker Pool =
        Worker Pool:     worker
        Assessment:      Excluded
        Completion:      0%
        Worker Status:   3 Total, 3 Available, 0 Progressing, 3 Outdated, 0 Draining, 3 Excluded, 0 Degraded

        Worker Pool Nodes
        NAME                                        ASSESSMENT   PHASE    VERSION   EST   MESSAGE
        ip-10-0-20-162.us-east-2.compute.internal   Excluded     Paused   4.14.0    -
        ip-10-0-4-159.us-east-2.compute.internal    Excluded     Paused   4.14.0    -
        ip-10-0-99-40.us-east-2.compute.internal    Excluded     Paused   4.14.0    -

        = Update Health =
        SINCE   LEVEL     IMPACT           MESSAGE
        -       Warning   Update Stalled   Outdated nodes in a paused pool 'worker' will not be updated

        Run with --details=health for additional description and links to related online documentation
  52. What's New in OpenShift 4.20 OpenShift oc-mirror v2

    Enhancements and functionality gaps for oc-mirror v2

    Enhancements driven by customer requests:
    • Verify credentials, hostname, and certs before populating the cache
      ◦ oc-mirror will fail quickly by checking if the mirror registry is accessible before the caching starts to help users address the underlying issues before going too far
    • Enhance Helm support via improved environment variable parsing for ImagePaths
      ◦ Users can now mirror all necessary container images referenced within environment variables of deployment templates, including operand images, for operator-based applications in air-gapped environments
    • Timestamp will be added to the name of the new log file created
      ◦ Logs in the same working directory won’t get overwritten and new log file will be created for each execution of oc-mirror
  53. What's New in OpenShift 4.20 OpenShift Control Plane

    Documentation
    ▸ Etcd Documentation Section: Consolidate information to manage the OpenShift control plane in one section. In 4.20 we are focusing on consolidating content only available in articles

    Security
    ▸ Hitless TLS Certificate Rotation: Zero API server downtime during certificate updates, even under heavy loads or in SNO deployments
    ▸ Operators Internal TLS Registry: Creation of a TLS registry containing metadata for all certificates in OpenShift including ownership and rotation details

    Scalability
    ▸ Improved API Traffic Distribution: Improved default go-away chance to 0.001 to automatically distribute HTTP/2 connections across API server pods, preventing overload and improving response times
  54. Sigstore Policy Controller

    GA of sigstore API (clusterimagepolicy, imagepolicy)

    What Sigstore Policy Controller Is
    Sigstore Policy Controller is an OpenShift admission controller that enforces supply chain security policies on container images before they’re deployed.

    API | Scope | What It Does
    ClusterImagePolicy (CIP) | Cluster-wide | Defines policies that apply to all namespaces in the cluster. Good for organization-wide rules.
    ImagePolicy (IP) | Namespace-scoped | Defines policies for a single namespace. Good for team- or app-specific rules.
  55. Sigstore-based image verification with BYOPKI

    Technology Preview

    The Problem
    OpenShift already has Sigstore-based image verification (ClusterImagePolicy / ImagePolicy) but it was limited to using built-in PKI managed by the cluster.

    BYOPKI
    Lets organizations use their own CAs or intermediate certs to verify image signatures.

    Use Cases | How This Helps
    Large Enterprises with Internal PKI | Seamlessly integrate your company’s existing certificate authorities into OpenShift image verification
    Disconnected Clusters | Enforce image verification with a fully offline or government-approved CA
  56. What's New in OpenShift 4.20 Network Observability

    Network Observability Operator
    • New release: v1.10
    • New CLI-based console-like features, adding customizable columns, smart filtering, packet preview and in-terminal line charts
    • Network Health and Alerting view [Tech Preview]
      ◦ e.g. a namespace exceeding a configurable threshold of packet drops (w/ context links)
    • Default OpenShift Network Policies compliance
    • Performance Estimator
      ◦ sampling rate slider to choose between accuracy and impact on resources
    • New installation wizard and improved FlowCollector & FlowMetric forms for a simplified setup

    Figure: Network Health & Alerting views
  57. What's New in OpenShift 4.20 Introducing BlueField 3 DPU (Tech Preview)

    ▸ Extending compute capacity dynamically
    ▸ Tenant and Infrastructure workload isolation improving the security posture
    ▸ Accelerated data plane for AI and Enterprise workloads with 400G line rate
    ▸ 3rd party network function deployment on DPU

    DOCA services
    ▸ HBN (Host based networking) - OCP 4.20
    ▸ Firefly (timing service) - Future
    ▸ Storage-defined Network Accelerated Processing (SNAP) - Future
    ▸ DOCA Telemetry Service - Future
  58. What's New in OpenShift 4.20 Red Hat Connectivity Link

    New Release (v1.2) Featuring:

    New Features:
    • New Custom Policy Extensions:
      ◦ OIDC (Auth) Policy
        ▪ Low-Code Approach to Authentication
      ◦ Plan Policy
        ▪ Definition of Usage Plans for API Consumers
      ◦ Telemetry Policy
        ▪ More Extensibility w/ Metrics
    • AI Gateway Functionalities:
      ◦ Token-Based Rate Limiting Policy
        ▪ Controlling Access to AI Services (ex. LLMs) by setting limits based on Tokens
      ◦ Token Metrics
        ▪ Evaluate the performance, efficiency, & resource consumption of AI Models & Applications

    Additional Updates:
    • RHCL CoreDNS integration goes from Developer Preview to Technical Preview
      ◦ Tech Preview support now in place for RHCL’s CoreDNS Integration
    • RHCL for ARM Infrastructure
      ◦ New builds of RHCL for operation within ARM infrastructure
    • Seamless WASM Plugin Installation
      ◦ Continued effort to keep RHCL Modular & Simple for Operation
  59. What's New in OpenShift 4.20 The next-gen Operator Lifecycle Manager → OLM v1

    Operator Framework

    Improvements in OLM performance
    • Resolved multiple issues related to Catalog performance

    Enhancing OpenShift Security Posture
    • Enable support for Network Policies in OLM and OLM Bundles
    • Use of read only root file system for OLM internal components

    OLM v1 new features (as Tech Preview)
    • Broader registry+v1 bundle support for existing operators, together with OwnNamespace and SingleNamespace support added in 4.19 and now also:
      ◦ [Tech Preview] Support operators packaged in registry+v1 bundles with webhooks
        ▪ Operator authors can rely on OLM v1 to manage the lifecycle of webhooks in their registry+v1 bundle-packaged operators without modifications
        ▪ Users can rely on OLM v1 to detect webhook misconfigurations and troubleshoot the underlying Service's Pods
  60. What's New in OpenShift 4.20 OpenShift Storage

    Operators & Drivers
    ▸ Azure Disk
      • Support for “Performance Plus” disks
    ▸ AWS EFS
      • Zonal volumes (GA)
      • EFS cross account process improvements

    Core Storage
    ▸ Volume Populators (GA)
    ▸ SELinux Context Mount RWO/RWX (TP)
    ▸ Changed Block Tracking (DP)
    …

    Misc
    ▸ Set fsGroupChangePolicy label per namespace
      • storage.openshift.io/fsgroup-change-policy NS label
    ▸ Set SELinuxChangePolicy label per namespace
      • Opt-out of future context mount default switch
        ・ For conflicting pods
    ▸ Set SELinuxChangePolicy parameter per pod
      • Opt-out of future context mount default switch
        ・ For conflicting pods
  61. What's New in OpenShift 4.20 OpenShift Data Foundation 4.20

    ▸ Regional Disaster Recovery
      • Multi Volume support
      • Recipes with Exec hooks
      • Independent VM DR control within namespace
      • Support for Multus (Tech Preview)
    ▸ Multus with IPv6
    ▸ Forceful redeployment option for test cluster automation
    ▸ ARM Tech Preview

    Out of the box support: Block, File, Object, NFS
    Platforms: AWS/Azure Google Cloud (GA) OpenShift Virtualization OSP (Tech Preview) Bare metal/IBM Z/Power VMWare 7,8 Thin/Thick IPI/UPI ARO ARM (Tech Preview) ROSA HCP (GA) with Self managed ODF IBM ROKS & Satellite - Managed ODF (GA) Any platform using agnostic deployment mode for self managed OpenShift deployments.
    Deployment modes: Disconnected environment and Proxied environments
  62. What's New in OpenShift 4.20 Telco 5G

    Telco Core Reference Design Specifications (RDS)
    https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/scalability_and_performance/telco-core-ref-design-specs#scheduling-crs_telco-core

    New server generation high core count
    • Schedulable Control plane
    • AMD Turin CPUs
    • Intel Sierra Forest CPUs

    Diagram labels: CP0, CP1, CP2; Control Plane ~8-16 CPUs (*); CNFs / workload up to ~496-504 CPUs (*)
    (*) Exact dimensioning depends on the use case and servers
  63. What's New in OpenShift 4.20 Telco Edge New Platforms

    First Call Ready
    Available
    • Xeon 6 CPUs
    • Integrated NIC & Carter Flat NIC
      ◦ SR-IOV & FDP
      ◦ PTP: OC & BC
    • Acceleration: VRB2 (3rd party support)
    Not Ready
    • T-BC & T-GM
      ◦ Microchip M.2 Advanced Timing
      ◦ Ublox M.2 GNSS
    • OEM Certifications (HW & RT)

    Full Functionality / Commercial HW
    Available
    • Xeon 6 CPUs
    • Integrated NIC & “Carter Flat” NIC
      ◦ SR-IOV & FDP
      ◦ PTP: OC & BC
      ◦ PTP: T-BC & T-GM
        ▪ Microchip M.2 Advanced Timing
        ▪ Ublox M.2 GNSS
    • Acceleration: VRB2 (3rd party support)
    • OEM Certifications (HW & RT)
    Not Ready
    • “Pine Channel” NIC

    • Projected alignment with OCP assumes both Intel and 3rd party upstream schedules are met and that Intel and OEM hardware availability schedules are met.
    • Red Hat will regression test 4.20 on commercial hardware, but commercial HW will not be available in time for OCP 4.20 GA so commercial support expected in 4.20.z.
    • OEM hardware must be certified and available in the Red Hat Ecosystem Catalog for production use cases.

    Intel® Xeon® 6 SoC “Granite Rapids-D”

    Single Node and Multi Node OpenShift Use Cases
    • All RAN Operators supported on ARM
    • Standard Kernel Only (no Real Time Kernel)
    • Full regression testing and KPI testing
    • Zero Touch Provisioning
    • Image Based Install, Upgrade and Break+Fix
    • CX-7/BF3 (NIC mode only)
    • RDS Update

    nVIDIA Grace Hopper (ARM)
    • Real Time kernel not supported by nVIDIA GPU Operator
    • Multi Node OpenShift deployments assume control plane nodes are x86 architecture
    • Assumes Hub Cluster nodes are x86 architecture

    OCP 4.20.z (Q1’26) | OCP 4.20 | OCP 4.20
  64. What's New in OpenShift 4.20 New Features MicroShift V4.20

    Cert-manager support
    • Add cert-manager as optional component to MicroShift, to dynamically and automatically manage certificates from external certificate authorities
    • Greatly simplifies certificate management with self-serving and automatic renewal
    • Wide range of issuer providers supported (same as with OpenShift, e.g. ACME, Vault etc.)
    • Use for Ingress, Routes and the API server endpoints

    RHEL image mode Enhancements
    • Delta update with bootc to reduce update sizes

    Enhanced config options
    • Ingress errors & Logging customization

    Generic Device Plugin (TechPreview)
    • Simplifies access to generic devices like USB cameras, serial ports etc.
    • No elevated privileges for the consuming pod needed
    • Uses standard k8s device plugin mechanism for devices that do not need a special driver, e.g. /dev/ttyUSB0
    • Simple but configuration of available devices
    • Containers declare device requirements as resources:
  65. What's New in OpenShift 4.20 OpenShift Commons Gathering

    Date: Monday, November 10
    Time: 7:00 AM - 2:30 PM
    Location: Courtland Grand Hotel, 165 Courtland St NE, Atlanta, GA 30303
    • Agenda includes customer use cases on App development, Virtualization, Hybrid cloud, Observability, AI, Security
    • Registration open! red.ht/commons
  66. Thank you

    ▸ Guided demos of new features on a real cluster: learn.openshift.com
    ▸ OpenShift info, documentation and more: try.openshift.com
    ▸ OpenShift Commons: where users, partners, and contributors come together: commons.openshift.org
    linkedin.com/company/red-hat | youtube.com/OpenShift | facebook.com/redhatinc | twitter.com/OpenShift