OpenShift 4.9+ (H2 2021+)
APP DEV
•Kiali integration with Dev Console
•Pipelines as code
•Jenkins Operator GA
•OpenShift Builds v2 & Buildpacks GA
•Application version model for Operators
•Operator Maturity increase via SDK
•Dynamic Plugins for the OCP Console
HOSTED
•Cost mgmt integration to Subs Watch, ACM
•ROSA AWS console integration
•Cluster Suspend / Resume
PLATFORM
•Azure China & AWS China
•Alibaba, AWS Outposts, Equinix Metal, & Microsoft Hyper-V
•Edge: Single node lightweight Kube cluster
•Enable user namespaces
•Additional Windows Containers capabilities*
•Priority and Fairness for APIserver
•Ingress v2 + Contour
•Operator metering lean architecture
•Network Topology and Analysis Tooling
•SmartNIC Integrations
•Cost management integration to SWAtch / RH marketplace for subscriptions visibility

OpenShift 4.8 (Q2 2021)
APP DEV
•OpenShift Serverless (Functions GA)
•OpenShift Pipelines GA
•OpenShift Builds v2 & Buildpacks TP
•OpenShift GitOps (Argo CD) GA
•Simplify access to RHEL content in builds
•Enhanced GitOps bootstrapping with kam
•Console internationalization GA
•Foundation for User Preferences
•Application environments in Dev Console
•Better Operator version & update mgmt
HOSTED
•OSD consumption billing, autoscaling
•Expanded ROSA and OSD Add-ons
•ARO government region (MAG) support
PLATFORM
•Azure Stack Hub and RHCOS for IBM Cloud
•IPv6 (single/dual stack on control plane)
•Enhanced Userspace Interface API & Library
•Additional Windows Containers capabilities*
•Support TLS 1.3 for Ingress
•External DNS Management
•OVN Egress Router (GA)
•HAProxy 2.2
•ipfailover Support
•Cost management: support for GCP, air-gapped

OpenShift 4.7 (Q1 2021)
APP DEV
•OpenShift Pipelines TP
•OpenShift Serverless (Functions DP)
•OpenShift GitOps (Argo CD) TP
•Monitor application workloads
•Foundation for Console internationalization
•QuickStarts Extensible
•Service Binding GA
HOSTED
•GA of Red Hat OpenShift Service on AWS (ROSA)
•OSD CCS 60-day free trial
•ROSA and OSD log forwarding
•ARO Azure Portal integration
PLATFORM
•AWS C2S Region
•GCP: Customer-managed disk encryption keys
•GA Userspace Interface API & Library
•Additional Windows Containers capabilities*
•Network Enhancements derived from OVN
•IPSec Support
•FPGA Support (pilot)
•OpenShift Update Service GA
•Cost management: new onboarding UX
•New LUKS, SW RAID, and multipath options
installer Hosted on Cloud.redhat.com
Making OpenShift on Bare Metal easy
Full stack automation
◦ Simplified flow: boot machines with ISO media and register them to the installation web service
◦ Cluster-managed LB/DNS
Minimum prerequisites
◦ No dedicated bootstrap node
◦ 3-node cluster (M/W)
◦ No DHCP hostname allocation
◦ Jumpstart VIPs allocation
Pre-install Validations
◦ Minimum host resource requirements
◦ Network connectivity/address matrix
◦ NTP sync/Chrony config
◦ Installation disk selection/IO speed
Smart defaults
◦ Auto CIDR generation (based on available networks)
◦ Auto node role assignment
Progress monitor and error handling
◦ End-to-end progress monitoring/log collection
PM: Moran Goldboim/Ramon Acedo Rodriguez
・An installation method driven from the console in the cloud (cloud.redhat.com).
・For Bare Metal: makes bare-metal installs easier.
・Just boot the nodes from the generated ISO image and register them.
・Tech Preview.
・No HW resources needed for a bootstrap node
・No separate installer workstation needed
・No Load Balancer needed
・An Internet connection is required
pods evenly across nodes
HighNodeUtilization: Pack as many pods as possible onto as few nodes as possible
NoScoring: Quickest scheduling cycle by disabling all score plugins
Customize the default out-of-the-box behaviour of the openshift scheduler with Scheduling Profiles
*Note: in OCP 4.7 customers can use both the policy API and profiles, but going forward the policy API will be deprecated in favour of profiles
Scheduling profile -> Scheduling plugin -> Extension points
◦ Pre-built Profile / Build your own Profile / Add more Scheduling plugins
Scheduling profile: openshift-scheduler can have only one profile
Scheduling plugin: Implements one or more extension points
Extension point: Plugins that define the scheduling logic
・NoScoring is for when you want Pods to start faster rather than be scheduled optimally.
・"Scheduling Profiles" were released in Kubernetes 1.18 and are beta from 1.19.
・This feature provides three profiles out of the box so that Scheduling Profiles are easy to use.
・Users can extend the Pod scheduling logic
・OpenShift ships three template profiles
  name: cluster
  namespace: openshift-kube-descheduler-operator
spec:
  deschedulingIntervalSeconds: 1800
  profiles:
  - <Profile: select one or more profiles from the table on the left>
Product Manager: Gaurav Singh
Profiles*
AffinityAndTaints: Evicts pods that violate node and pod affinity, and node taints
TopologyAndDuplicates: Evicts duplicate pods and balances the distribution of pods
LifecycleAndUtilization: Evicts low-utilized pods from nodes marked as high-utilization nodes; evicts pods based on "PodLifeTime"
Evict pods that are scheduled on less desired nodes in a cluster, based on profiles.
*Note: in OCP 4.7 customers can use both descheduling strategies and profiles, but going forward strategies will be deprecated in favour of profiles
・The Descheduler is now GA. The manual is here: 2.10. Evicting pods using the descheduler, 4.7 | Red Hat Customer Portal
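The scheduler profile from the previous slide and the descheduler profiles above work as a pair (one decides placement, the other evicts what no longer fits), so here they are as complete manifests. This is an added example, not the slides' own YAML: the resource kinds and field names are the OpenShift 4.7 APIs (config.openshift.io/v1 Scheduler, operator.openshift.io/v1 KubeDescheduler); the 3600-second interval and the profile selection are values chosen for the example.

```yaml
# Added example: scheduler profile + descheduler profiles together.
# 1) Scheduler CR: a cluster-scoped singleton named "cluster"; only one profile at a time.
apiVersion: config.openshift.io/v1
kind: Scheduler
metadata:
  name: cluster
spec:
  # One of LowNodeUtilization (default), HighNodeUtilization, NoScoring
  profile: HighNodeUtilization
  # Keep control-plane nodes off limits for ordinary workloads (the default)
  mastersSchedulable: false
---
# 2) KubeDescheduler CR: the operator acts only on the CR named "cluster"
#    in its own namespace. Profiles replace the older strategy list.
apiVersion: operator.openshift.io/v1
kind: KubeDescheduler
metadata:
  name: cluster
  namespace: openshift-kube-descheduler-operator
spec:
  # Interval between descheduling passes; 3600 s is a value chosen for this example
  deschedulingIntervalSeconds: 3600
  profiles:
  - AffinityAndTaints
  - LifecycleAndUtilization
```

Apply both with oc apply -f. Because the descheduler evicts through the Eviction API, a PodDisruptionBudget on a workload bounds how many of its replicas can be taken down in one pass, so set PDBs on anything critical before turning on LifecycleAndUtilization.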
between pods on different nodes is confidential, authenticated, and has not been tampered with.
• Uses Libreswan and IPsec in the kernel
• Currently IPv4-only
• Each node has a unique IPsec connection to each other node in the cluster.
◦ Node private keys: valid for 5yr and rotate at 4.5yr (at cluster update)
◦ CA-signed keys: valid for 10yr, do not rotate currently
• Encrypted internode traffic includes that from:
◦ hostnetwork-pod -> pod
◦ pod -> pod
• The following internode traffic is NOT IPsec encrypted:
◦ Control plane traffic (already TLS encrypted)
◦ pod -> hostnetwork-pod
◦ hostnetwork-pod -> hostnetwork-pod
IPsec is enabled by updating the Cluster Network Operator configuration during installation (details in Notes section):
spec:
  defaultNetwork:
    type: OVNKubernetes
    ovnKubernetesConfig:
      ipsecConfig: {}
Product Manager: Marc Curry
・This alone enables IPsec. The empty {} is reserved for future extensions.
※ Pods that use hostnetwork are best avoided; use NodePort Services and the like instead.
・This feature encrypts Pod-to-Pod communication.
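The fragment on the slide in its full form, as an added example rather than the slide's notes: the Network operator CR that the fragment belongs to, placed in the installer's manifests directory so IPsec is on from first boot. The file name cluster-network-03-config.yml is the one the OpenShift installation documentation uses for this CR; nothing else in the file is cluster-specific.

```yaml
# Added example: complete Network operator CR enabling OVN-Kubernetes IPsec.
# Save as <installation_directory>/manifests/cluster-network-03-config.yml
# after `openshift-install create manifests` and before `create cluster`.
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OVNKubernetes          # IPsec is an OVN-Kubernetes feature; not available with OpenShift SDN
    ovnKubernetesConfig:
      ipsecConfig: {}            # the presence of this key turns IPsec on; there are no tunables in 4.7
```

After installation the ovn-ipsec DaemonSet in openshift-ovn-kubernetes should be running on every node. Keep the coverage table above in mind when assessing what this protects: traffic to host-network pods and control-plane traffic are outside the IPsec tunnels, so a host-network workload that handles sensitive data still needs its own TLS.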
Sadeghianfar
• Multi-cluster GitOps config management with Argo CD
◦ One-click Argo CD install through OLM for cluster configs
◦ Restricted Argo CD instances for app deployment
• Support for clusters with restricted networks
• Deployments guide for Argo CD
• Opinionated GitOps bootstrapping with GitOps Application Manager CLI
kind: Application
metadata:
  name: payroll-dev
spec:
  destination:
    namespace: payroll-dev
    server: https://kubernetes.default.svc
  source:
    repoURL: https://github.com/myorg/payroll.git
    path: config
$ kam bootstrap
$ kam environment add stage
Tech Preview
・In one word: Argo CD
ACM Integration
Checks inspired by the CIS Kubernetes benchmark are now available. These work for both OCP 4.7 and OCP 4.6 (for 4.6, apply RHSA-2021:0190).
The CIS OpenShift Benchmark will be released to the CIS Kubernetes community for comment in January.
The OpenShift 4 Hardening Guide is available from Red Hat now, until the CIS OpenShift Benchmark is published.
Red Hat Advanced Cluster Manager 2.2 integrates with the OpenShift Compliance Operator
Product Manager: Kirsten Newcomer
What's new in OpenShift 4.7
・The "OpenShift 4 Hardening Guide" is linked from the Customer Portal, but clicking the link redirects to a Red Hat intranet URL. The guide states that it may be shared.
https://www.cisecurity.org/benchmark/kubernetes/
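One way to run the CIS-inspired checks the slide mentions, as an added example and not part of the slide: a ScanSettingBinding that ties the Compliance Operator's CIS profiles to its default scan schedule. The profile names (ocp4-cis, ocp4-cis-node) and the "default" ScanSetting are the ones the Compliance Operator ships with; the binding name is chosen here.

```yaml
# Added example: schedule the Compliance Operator's CIS-inspired profiles.
# Profile and ScanSetting names are the operator's bundled ones; "cis-compliance" is chosen here.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
- name: ocp4-cis            # platform-level checks (API server, etcd, RBAC, ...)
  kind: Profile
  apiGroup: compliance.openshift.io/v1alpha1
- name: ocp4-cis-node       # per-node checks (kubelet config, file ownership/permissions)
  kind: Profile
  apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default             # scans on the default schedule but applies no remediations;
  kind: ScanSetting         # "default-auto-apply" would also apply MachineConfig remediations
  apiGroup: compliance.openshift.io/v1alpha1
```

Start with the "default" ScanSetting rather than auto-apply: review the ComplianceCheckResult objects in openshift-compliance (PASS/FAIL per rule) and the generated ComplianceRemediation objects first, since auto-applied remediations change MachineConfigs and therefore reboot nodes.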
onboarding user experience for OCP Clusters
◦ New operator, no longer requires Operator Metering
▪ Significantly reduced resource consumption (by 1.000x)
◦ Certified version will be available during the OCP 4.7 timeframe
◦ Only one configuration YAML file
◦ Level 2 operator
◦ Support for air-gapped clusters coming soon
Community Operator vs Red Hat Operator
◦ Naming: Koku Metrics Operator (Community) / Cost management metrics operator (Red Hat)
◦ Location: In-cluster OperatorHub (both)
◦ Availability: Today (Community) / Q1/2 2021 (Red Hat)
◦ Air-gapped support: Q2 2021 (both)
・An Operator that collects the metrics data from OpenShift and sends it to koku
・At present only the Community version exists; the Red Hat supported version is not yet released
・Planned for Q1/Q2
ingestion filtering
◦ Now you can restrict which tags are available in reports
• Cost model enhancements
◦ Label-based rates (i.e. use tags to differentiate prices for "gold", "silver" and "bronze")
◦ Support for default rates
• RBAC enhancements
◦ Visibility fine tuning
▪ Limit user access to specific resources
◦ You can now create sources without org admin privileges, given the right role
・Assorted small improvements.
・The following was already possible before:
・Creating a Cost Model (assigning cost rates to the values obtained from metrics)
・Grouping multiple projects together with tags
Manager: Siamak Sadeghianfar
• Enable teams to adopt a declarative GitOps approach to multi-cluster configuration and continuous delivery
• OpenShift GitOps is complementary to OpenShift Pipelines and includes
◦ Argo CD
◦ GitOps Application Manager CLI
◦ Integrated into Dev Console (App Stages)
• Included in OpenShift SKUs
Desired State -> Cluster State -> Observe State -> Take Action (the OpenShift GitOps loop)
Supplement: OpenShift GitOps
・Tech Preview began in OCP 4.6
・Still Tech Preview in OCP 4.7
・GA planned for OCP 4.8
・Integrated with the OpenShift UI
・Provides a CLI (the kam command)
Supplement: OpenShift GitOps (Tech Preview) is built on Argo CD (Community)
as nonroot, pipelines as anyuid
• Cluster-wide proxy configs passed to TaskRun pods
• HTTPS support for webhooks (TLS in EventListeners)
• EventListener can be shared across multiple namespaces to reduce resource consumption
• Image digest published as a result in buildah and S2I tasks
• Pipeline UX enhancement highlights in Dev Console
◦ Metrics tab: pipeline execution metrics
◦ TaskRuns tab: list of TaskRuns created by a PipelineRun
◦ Events tab: related PipelineRun, TaskRun and Pod events
◦ Download PipelineRun logs
Tech Preview
Product Manager: Siamak Sadeghianfar
OpenShift Pipelines 1.3
・Tekton has been Tech Preview since 4.6
・Assorted small improvements
• Interact with OpenShift from GitHub workflows
• Verified OpenShift actions on GitHub Marketplace
◦ OpenShift client (oc)
◦ OpenShift login
◦ S2I build
◦ Buildah builds
◦ Push image to registry
• More actions and GitHub Runner to come...
Red Hat GitHub Actions
GitHub Integration
Blog: Deploying to OpenShift using GitHub Actions | Demo
Product Manager: William Markito
・Red Hat-provided GitHub Actions published on the GitHub Marketplace
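A minimal workflow using two of the listed actions (the oc client installer and OpenShift login), added here as an example and not taken from the slide or the Red Hat blog. The action names and inputs are the published redhat-actions ones; the secret names, the namespace and the k8s/ manifest directory are assumptions for this example.

```yaml
# Added example: log in to OpenShift from a GitHub workflow and apply manifests.
# Action names/inputs are the published redhat-actions ones; secret names and paths are assumed.
name: deploy-to-openshift
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Install oc
        uses: redhat-actions/openshift-tools-installer@v1
        with:
          oc: "4"                      # latest 4.x oc client

      - name: Log in to OpenShift
        uses: redhat-actions/oc-login@v1
        with:
          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}   # API URL kept in repository secrets
          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}         # a ServiceAccount token scoped to one namespace, not a user password
          namespace: ${{ secrets.OPENSHIFT_NAMESPACE }}
          insecure_skip_tls_verify: false                         # leave TLS verification on (the default)

      - name: Apply manifests
        run: oc apply -f k8s/                                     # assumed manifest directory in this repo
```

The token should belong to a ServiceAccount bound to a Role in the target namespace only, so a leaked secret cannot reach other projects; the login step writes kubeconfig for the job, so later run steps can use oc directly.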
3.4
• All Quay / Clair images
• All Operator Images
• All Operator Bundles
• Gated by Subscription
• All upstream images remain on quay.io/projectquay
Official Red Hat Quay images
Download now via Red Hat Container Catalog
Product Manager: Daniel Messer
・Quay 3.4 was released in February.
Components: Clair, PostgreSQL DB, Redis DB, Mirroring Workers, Route, Horizontal Auto-Scaling, Config Editor, Operator, Object Storage*
(legend: Mandatory Component / Optional Component)
Quay Operator 3.4 can now update deployments to a newer version and will also migrate existing deployments managed by the Quay Operator 3.3.
Quay Operator can now deploy a complete Quay installation with all required services managed by the Operator and supported by Red Hat.
* based on local storage provided by a non-HA NooBaa S3 endpoint (included in subscription)
WHAT'S NEW IN QUAY 3.4
Product Manager: Daniel Messer
・Installing the Operator can now install all of the Quay components.
・Optional modules can be opted out of.
・For storage you can choose OCS or an external S3.
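What "opting out of a module" looks like in the Operator's API, as an added example rather than the slide's own manifest: a QuayRegistry CR that leaves object storage and autoscaling unmanaged so that an external S3 bucket can be used. The component kinds are those of the Quay Operator 3.4 QuayRegistry API; the registry name, namespace and secret name are chosen for the example.

```yaml
# Added example: QuayRegistry with two optional components unmanaged.
# Component kinds follow the Quay Operator 3.4 API; names are chosen for this example.
apiVersion: quay.redhat.com/v1
kind: QuayRegistry
metadata:
  name: example-registry
  namespace: quay-enterprise
spec:
  # Secret containing config.yaml; with objectstorage unmanaged it must carry
  # DISTRIBUTED_STORAGE_CONFIG pointing at the external S3 bucket and its credentials
  configBundleSecret: example-registry-config-bundle
  components:
  - kind: objectstorage            # opt out of the built-in non-HA NooBaa endpoint
    managed: false
  - kind: horizontalpodautoscaler  # run a fixed replica count instead of autoscaling
    managed: false
  # Components not listed (postgres, clair, redis, route, mirror) stay managed by the Operator
```

Keep the S3 credentials only in the config bundle Secret, not in the CR, and restrict who can read Secrets in quay-enterprise: the bundle holds every credential Quay uses.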
a complete refactoring in order to make several big enhancements possible. This includes:
• Support for programming language package managers (Python)
• Immutable data model & new manifest-oriented API
• Air-gapped deployments
Clair v4 General Availability
Learn more about Clair v4 here: Red Hat Quay Technical Deck
WHAT'S NEW IN QUAY 3.4
Product Manager: Daniel Messer
・Clair is now version 4.
Logging 5.0
What: Commencing as part of OpenShift 4.7, Red Hat OpenShift Logging is provided as an installable component, with a distinct release cycle from the core OpenShift Container Platform.
Note:
• No separate SKU.
• No changes to the support process.
• The changes are mostly about how and how often we deliver Logging; they do not impact current features.
Why: Better alignment with other layered products such as Service Mesh, Serverless, Pipelines, and others.
Benefits:
• More choice in how you consume Logging through OLM channels (stable, tech-preview, specific release version).
• Feature- vs time-based releases.
• Smoother upgrade experience: Logging is built & tested to run on multiple OCP versions.
Impact: Almost none. We do not change any features, the process you use to receive support, or EUS support.
How: Next time you upgrade Logging, choose one of the newer channels available from 4.7 onwards.
・From OpenShift 4.7, the "OpenShift Logging" release cycle becomes independent.
・Versioning starts at 5.0. (In OpenShift 4.6 the Cluster Logging version was 4.6, matching OpenShift.)
・No change to support. No separate SKU either (it remains included in OpenShift).
・OpenShift Logging still consists of the same two Operators (both at version 5.0).
Marc Curry
• New "API Performance" Grafana dashboard that visualizes kube-apiserver and openshift-apiserver metrics
• Useful histograms of metrics that can be used to better understand API load characterization and debug issues
• Metrics include:
◦ request rate by resource and verb, read vs write, status and instance
◦ request: duration, dropped, terminated, in-flight
◦ priority and fairness measurements
◦ TLS handshake error rates
◦ etcd object count
◦ ...and many others
・A dashboard for viewing API server performance is now available.
・Examples of "request rate by resource and verb": "clusterroles-GET", "Pods-GET", and so on.
・You can also see the time taken per request and more.
OpenShift 4.8
"Public Service Announcement" for an upcoming change in OpenShift 4.8:
• OpenShift 4.8 will update to HAProxy 2.2, which down-cases HTTP header names by default (for example, "Host: xyz.com" is transformed to "host: xyz.com"), as permitted by the HTTP protocol standard, and as required by HAProxy's HTX feature for HTTP/2.
• In OpenShift 4.7, for legacy applications that are sensitive to the capitalization of HTTP header names, the IngressController will have a new API field, spec.httpHeaders.headerNameCaseAdjustments, to accommodate these legacy applications until they can be fixed.
• The new API will be backported to OpenShift 4.6, and allows the cluster administrator to specify rules for transforming the case of HTTP header names in HTTP/1 requests.
• Cluster administrators and application developers need to be aware of the change and configure IngressControllers and Routes with this new configuration, if necessary, before upgrading to OpenShift 4.8.
Product Manager: Marc Curry
For more information about the change, including why it was made and how to specify header name transformation rules, view the enhancement proposal.
・HTTP/1.1 allows both upper and lower case, and applications were supposed to handle both, but HTTP/2 uses lower case only.
・In HAProxy 2.2, lower-casing is the default even for HTTP/1.1.
・A new API field has been added to avoid the lower-casing.
・This API is to be backported to 4.6.
・HAProxy's HTTP Representation (HTX) is required for HTTP/2 and is what causes the lower-casing of header names.
・OCP 4.4 contained a workaround that turned HTX off when HTTP/2 was not in use.
・In HAProxy 2.2, HTX can no longer be turned off.
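The two halves of the configuration the announcement asks administrators to put in place, as an added example (not the slide's own YAML): the IngressController field named above, plus the per-Route annotation that opts an individual application into the adjustment. The field name is from the slide; the Route annotation name is the one the OpenShift documentation gives for this feature; the route, namespace and service names are chosen for the example.

```yaml
# Added example: keep "Host" capitalised for one legacy application.
# 1) IngressController: header names whose case should be restored on HTTP/1 requests.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  httpHeaders:
    headerNameCaseAdjustments:
    - Host                  # forwarded to the backend as "Host", not "host"
---
# 2) Route: only routes carrying this annotation get the adjustment; all others
#    keep the HAProxy 2.2 lower-case default. Names below are example values.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: legacy-app
  namespace: legacy
  annotations:
    haproxy.router.openshift.io/h1-adjust-case: "true"
spec:
  to:
    kind: Service
    name: legacy-app
  port:
    targetPort: http
```

Treat this as a bridge, not a fix: the adjustment applies to HTTP/1 requests only, HTTP/2 header names are always lower case, and an application whose authentication or routing decisions depend on header-name case will behave differently for the two protocols until it is corrected to compare header names case-insensitively.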
integration for encryption
• Data protection
◦ Multi-cluster block async replication (TP)
◦ Stretch cluster with arbiter
◦ Multi-cluster Metro DR - Dev Preview
• Flexible failure domain
• Local object caching for AI/ML
• Guided tours for better user experience
OpenShift Container Storage updates
OCP STORAGE
Out of the box support: Block, File, Object
Platforms: AWS, Azure, Bare metal, RHV (Tech Preview), VMware, Google Cloud (Tech Preview), IBM Z/Power, OSP (Tech Preview)
Deployment modes: Disconnected environments and proxied environments
Product Manager: Duncan Hardie
・Encryption integrated with HashiCorp Vault.
・Asynchronous replication is Tech Preview.
・Metro DR is Dev Preview (synchronous replication over short distances).
vSphere IPI in Windows Community Operator
Support in the Red Hat certified operator will be available end of Q1, 2021
Community Operator vs Red Hat Operator
◦ Location: In-cluster OperatorHub (Community) / Red Hat Catalog/Marketplace (Red Hat)
◦ Platforms supported: AWS, Azure, vSphere IPI (Community) / AWS, Azure (Red Hat)
◦ Refresh cycle: Every 1-2 sprints (Community) / Every OCP Y stream (Red Hat)
Product Manager: Anand Chandramohan
・The Community version of the Machine Config Operator supports up through vSphere IPI
・vSphere IPI support in the Red Hat version of the Machine Config Operator is planned for the end of Q1 2021 (so, soon?)