TECHNICAL HIGHLIGHTS
1
OpenShift v4
Brad Hinson
Principal Solution Architect
bhinson@redhat.com
2
A cloud-like experience,
everywhere
Operator Framework
Operator Hub &
ISV ecosystem
Multicluster
management
FULLY AUTOMATED DAY-1 AND DAY-2 OPERATIONS
Infra provisioning
Embedded OS
Full-stack deployment
On-premises and cloud
Unified experience
Secure defaults
Network isolation
Signing and policies
Audit and logs
Multicluster aware
Monitoring and alerts
Zero-downtime upgrades
Full-stack patch & upgrade
Vulnerability scanning
INSTALL HARDEN
DEPLOY OPERATE
AUTOMATED OPERATIONS
Automated container operations
Flexible app
architectures
Uniform deploy
and debug
No reinvention
of core concepts
Truly hybrid
Operators codify operational knowledge and workflows to automate life-
cycle management of containerized applications with Kubernetes
Kubernetes-native day 2 management
● OperatorHub.io launched by Red Hat, AWS,
Microsoft and Google
● OpenShift Operator Certification
● OperatorHub integrated into OpenShift 4
COMMUNITY OPERATORS
OperatorHub and certified Operators
OPENSHIFT CERTIFIED OPERATORS
Full control for administrators
apiVersion: mongodb.com/v1
kind: MongoDbReplicaSet
metadata:
  name: example
  namespace: production
spec:
  members: 3
  version: 4.0.2
  persistent: false
  project: example
  credentials: my-secret
Self-service for developers
7
● Manage multiple OpenShift clusters,
across multiple cloud and on-premises
environments
● Install and update OpenShift across all
your cloud environments
● Centrally manage policy and
deployments
cloud.redhat.com
Delivering Kubernetes everywhere
9
OpenShift
lifecycle,
installation &
upgrades
10
OpenShift 4
Installation
Two new paradigms for
deploying clusters
OpenShift 4 - A smarter Kubernetes
platform
Automated, full-stack installation from the
container host to application services
Seamless Kubernetes deployment to any
cloud or on-premises environment
Autoscaling of cloud resources
One-click updates for platform, services,
and applications
OPERATING SYSTEM
OPERATING SYSTEM
OPENSHIFT PLATFORM
OPENSHIFT PLATFORM
OPENSHIFT 4 (only)
OPENSHIFT 3 & 4
INFRASTRUCTURE
Full-stack automated install
Installation Paradigms
OPENSHIFT CONTAINER PLATFORM | Installation
13
Full Stack Automated
Simplified opinionated “Best
Practices” for cluster provisioning
Fully automated installation and
updates including host container
OS.
Pre-existing Infrastructure
Customer managed resources &
infrastructure provisioning
Plug into existing DNS and security
boundaries
OPENSHIFT CONTAINER PLATFORM HOSTED OPENSHIFT
Azure Red Hat OpenShift
Deploy directly from the Azure
console. Jointly managed by Red
Hat and Microsoft Azure engineers.
OpenShift Dedicated
Get a powerful cluster, fully
Managed by Red Hat engineers and
support.
Full-stack Automated Installation
OPENSHIFT CONTAINER PLATFORM | Installation
14
openshift-install deployed
Control Plane Worker Nodes
User managed
Operator managed
Cloud Resources
RH CoreOS
OCP Cluster
OCP Cluster Resources
RH CoreOS
RHEL CoreOS
Cloud Resources
RH CoreOS
RH CoreOS
RHEL CoreOS
Pre-existing Infrastructure Installation
OPENSHIFT CONTAINER PLATFORM | Installation
15
openshift-install deployed
Cloud Resources
RH CoreOS
OCP Cluster
OCP Cluster Resources
Control Plane
Cloud Resources
Worker Nodes
Customer deployed
User managed
Operator managed
Note: Control plane nodes
must run RHEL CoreOS!
RH CoreOS
RHEL CoreOS RHEL 7
RHEL
CoreOS
Comparison of Paradigms
OPENSHIFT CONTAINER PLATFORM | Installation
16
Task | Full Stack Automation | Pre-existing Infrastructure
Build Network | Installer | User
Setup Load Balancers | Installer | User
Configure DNS | Installer | User
Hardware/VM Provisioning | Installer | User
OS Installation | Installer | User
Generate Ignition Configs | Installer | Installer
OS Support | Installer: RHEL CoreOS | User: RHEL CoreOS + RHEL 7
Node Provisioning / Autoscaling | Yes | Only for providers with OpenShift Machine API support
● OpenShift retrieves the
list of available updates
● Admin selects the target
version
● OpenShift is updated
over the air
● Auto-update support
Over the Air (OTA) Updates
18
OpenShift 4
Lifecycle
Supported paths for
upgrades and migrations
19
OPENSHIFT CONTAINER PLATFORM | Lifecycle
Each OpenShift release
is a collection of Operators
● 100% automated, in-place upgrade process
● 30 Operators run every major part of the platform:
○ Console, Monitoring, Authentication,
Machine management, Kubernetes Control
Plane, etcd, DNS, and more.
● Operators constantly strive to meet the desired
state, merging admin config and Red Hat
recommendations
● CI testing is constantly running install, upgrade and
stress tests against groups of Operators
N release
Full support, RFEs, bugfixes, security
Happy path = upgrade through each version
● On a regular cadence, upgrade to the next
supported version.
Optional path = migration tooling
● To skip versions or catch up, use the application
migration tooling to move to a new cluster.
What is Extended Update Support (EUS) ?
● Extended timeframe for critical security and bug fixes
● Work within a customer’s release management philosophies
● Goal to provide a serial pathway to update from EUS to EUS
○ Augmented by Migration Tool and/or Advanced
Cluster Management (ACM) based on use-case
4.6 EUS
4.7
4.5
[Timeline: May 2020 to August 2022]
N-2 release
OTA pathway to N release, critical bugs and security
OpenShift Upgrades and Migrations
20
OPENSHIFT CONTAINER PLATFORM | Lifecycle
Upgrade
Migration or Serial Upgrade
4.6 EUS for Layered Products/Add-ons
4.6 EUS
[Timeline: May 2020 to August 2022]
Complete “hands off” EUS
Mid-cycle refresh during EUS
Normal updates during EUS
OpenShift Logging
OpenShift Container Storage
Advanced Cluster Manager
Cluster Migration Tool
Red Hat SSO
JBoss EAP
OpenShift Virtualization
OpenShift Serverless
OpenShift Pipelines
Process Automation
OpenShift CNF
Jaeger
OpenShift Service Mesh
CodeReady Containers
Red Hat Quay / CSO
Remain on single supported
version for the entire EUS period
The EUS cycles for these products
refresh during the OpenShift EUS
Follows the normal support window
for the add-on, shorter than EUS
LAYERED PRODUCT
UPGRADE
Quarkus
Thorntail
Spring Boot
Vert.x
JWS (Tomcat)
DataGrid
21
LAYERED UPGRADE
OPENSHIFT CONTAINER PLATFORM | Lifecycle
22
Operations
and
infrastructure
deep dive
23
Red Hat
Enterprise Linux
CoreOS
The OpenShift operating
system
OPENSHIFT PLATFORM
Generally Available
Product Manager: Ben Breard
General Purpose OS Immutable container host
BENEFITS
WHEN TO USE
• 10+ year enterprise life cycle
• Industry standard security
• High performance on any infrastructure
• Customizable and compatible with wide
ecosystem of partner solutions
• Self-managing, over-the-air updates
• Immutable and tightly integrated with
OpenShift
• Host isolation is enforced via Containers
• Optimized performance on popular
infrastructure
When customization and integration with
additional solutions is required
When cloud-native, hands-free operations
are a top priority
Red Hat Enterprise Linux
Immutable Operating System
OPENSHIFT PLATFORM
Red Hat Enterprise Linux CoreOS is versioned with
OpenShift
CoreOS is tested and shipped in conjunction with the
platform. Red Hat runs thousands of tests against these
configurations.
Red Hat Enterprise Linux CoreOS is managed by the cluster
The Operating system is operated as part of the cluster, with
the config for components managed by Machine Config
Operator:
● CRI-O config
● Kubelet config
● Authorized registries
● SSH config
v4.1.6
v4.1.6
RHEL CoreOS admins are responsible for:
Nothing.
OpenShift Architecture
26
A lightweight, OCI-compliant container runtime
Minimal and Secure
Architecture
Optimized for
Kubernetes
Runs any OCI-
compliant image
(including docker)
BROAD ECOSYSTEM OF WORKLOADS
CRI-O Support in OpenShift
CRI-O 1.13 Kubernetes 1.13 OpenShift 4.1
CRI-O 1.14 Kubernetes 1.14 OpenShift 4.2
CRI-O 1.12 Kubernetes 1.12 OpenShift 4.0
CRI-O tracks and versions identical to Kubernetes, simplifying support permutations
OpenShift Architecture
28
podman
A docker-compatible
CLI for containers
● Remote
management API
via Varlink
● Image/container
tagging
● Advanced
namespace
isolation
OpenShift Architecture
29
buildah
Secure & flexible OCI container builds
● Integrated into
OCP build pods
● Performance
improvements for
knative
enablement
● Image signing
improvements
kubelet static containers scheduled containers
systemd-managed
native binaries
CoreOS “pod” architecture
kubelet CRI-O
etcd
kube-scheduler
kube
controller-manager
kube-apiserver
coredns
openshift-apiserver
openshift
controller-manager
openshift-oauth
31
Special
Resources and
Devices
Enabling GPU, network,
and other specialty
resources for workloads
OpenShift Architecture
32
NFD finds certain resources
NFD Worker
Daemonset
Node Feature
Discovery Operator
(NFD)
GPU
Worker Node (CoreOS)
kubelet
GPU GPU
CRI-O
OpenShift Architecture
33
NFD labels nodes
NFD Worker
Daemonset
GPU
Worker Node (CoreOS)
GPU GPU
kubernetes API
(Master)
feature.node.kubernetes.io/pci-10de.present=true
kubelet CRI-O
OpenShift Architecture
34
Specialty Resource Operator deploys to relevant nodes
GPU
Worker Node (CoreOS)
GPU GPU
feature.node.kubernetes.io/pci-10de.present=true
GPU Driver
Daemonset
CRI-O Plugin
Daemonset
Device Plugin
Daemonset
GPU Feature
Discovery
Daemonset
Node Exporter
Daemonset
Special Resource
Operator
(SRO)
kubelet CRI-O
OpenShift Architecture
35
GPU Feature Discovery reports additional capabilities
GPU
Worker Node (CoreOS)
GPU GPU
feature.node.kubernetes.io/pci-10de.present=true
GPU Feature
Discovery
Daemonset
kubernetes API
(Master)
nvidia.com/gpu.family=tesla
nvidia.com/gpu.memory=16130
...
kubelet CRI-O
OpenShift Architecture
36
GPU Driver installs kmod and userspace drivers
GPU
Worker Node (CoreOS)
GPU GPU
feature.node.kubernetes.io/pci-10de.present=true
nvidia.com/gpu.family=tesla
nvidia.com/gpu.memory=16130
...
GPU Driver
Daemonset
kmod-nvidia
nvidia-driver-userspace
kubelet CRI-O
OpenShift Architecture
37
CRI-O Plugin installs prestart hook
GPU
Worker Node (CoreOS)
GPU GPU
feature.node.kubernetes.io/pci-10de.present=true
nvidia.com/gpu.family=tesla
nvidia.com/gpu.memory=16130
...
CRI-O Plugin
Daemonset
CRI-O (runc) prestart hook
kubelet CRI-O
OpenShift Architecture
38
Device Plugin informs kubelet of resource details
GPU
Worker Node (CoreOS)
GPU GPU
feature.node.kubernetes.io/pci-10de.present=true
nvidia.com/gpu.family=tesla
nvidia.com/gpu.memory=16130
...
kubelet CRI-O
Device Plugin
Daemonset
nvidia.com/gpu=3 GPU healthy?
OpenShift Architecture
39
Node Exporter provides metrics on GPU
GPU
Worker Node (CoreOS)
GPU GPU
feature.node.kubernetes.io
/pci-10de.present=true
nvidia.com/gpu.family=tesla
nvidia.com/gpu.memory=16130
...
kubelet CRI-O
Node Exporter
Daemonset
Prometheus
(cluster monitoring)
/metrics
OpenShift Architecture
40
GPU workload deployment
GPU
Worker Node (CoreOS)
GPU GPU
kubelet CRI-O
...
resources:
  requests:
    nvidia.com/gpu: 1
...
mypod
mypod
CRI-O
prestart hook mounts
userspace drivers into pod
pod accesses GPU via driver
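The stages on the preceding GPU slides, as an added example (not from the original deck): a Python check that reads a node object in the shape returned by `oc get node -o json` and reports the first stage whose result is not yet visible on the node. Node names and sample values are constructed, and the check assumes the kubelet counts only healthy devices as allocatable.

```python
# Label keys and the extended-resource name as they appear on the slides.
NFD_LABEL = "feature.node.kubernetes.io/pci-10de.present"
GFD_LABELS = ("nvidia.com/gpu.family", "nvidia.com/gpu.memory")
GPU_RESOURCE = "nvidia.com/gpu"


def _count(quantity):
    """Extended resources are whole numbers serialized as strings ("3")."""
    return int(quantity) if quantity else 0


def gpu_stage(node):
    """Return (stage, detail) for the first stage not visible on the node, or "ready".

    Only stages that leave a trace on the node object are checked; the driver
    and prestart-hook daemonsets do not label the node, so a fault there shows
    up as the device plugin registering no capacity.
    """
    labels = node.get("metadata", {}).get("labels") or {}
    status = node.get("status", {})
    if labels.get(NFD_LABEL) != "true":
        return "nfd", "no PCI vendor 10de label on the node"
    missing = [key for key in GFD_LABELS if key not in labels]
    if missing:
        return "gpu-feature-discovery", "missing labels: " + ", ".join(missing)
    capacity = _count(status.get("capacity", {}).get(GPU_RESOURCE))
    allocatable = _count(status.get("allocatable", {}).get(GPU_RESOURCE))
    if capacity == 0:
        return "device-plugin", "kubelet has no nvidia.com/gpu capacity"
    if allocatable < capacity:
        return "unhealthy", f"{capacity - allocatable} of {capacity} GPUs unhealthy"
    return "ready", f"{allocatable} GPUs allocatable"


def requested_gpus(pod):
    """Sum the GPU count over containers, reading requests and limits."""
    total = 0
    for container in pod["spec"]["containers"]:
        res = container.get("resources", {})
        total += max(_count(res.get("requests", {}).get(GPU_RESOURCE)),
                     _count(res.get("limits", {}).get(GPU_RESOURCE)))
    return total


def candidate_nodes(nodes, pod):
    """Nodes whose allocatable GPUs cover the pod, ignoring GPUs already in use."""
    need = requested_gpus(pod)
    return [n["metadata"]["name"] for n in nodes
            if _count(n.get("status", {}).get("allocatable", {}).get(GPU_RESOURCE)) >= need]


def _node(name, labels, capacity=None, allocatable=None):
    """Build a constructed node object with only the fields the checks read."""
    cap = {GPU_RESOURCE: str(capacity)} if capacity is not None else {}
    alloc = {GPU_RESOURCE: str(allocatable)} if allocatable is not None else {}
    return {"metadata": {"name": name, "labels": labels},
            "status": {"capacity": cap, "allocatable": alloc}}


# Constructed sample data: one node per pipeline state.
_NFD = {NFD_LABEL: "true"}
_ALL = {**_NFD, "nvidia.com/gpu.family": "tesla", "nvidia.com/gpu.memory": "16130"}
NODES = [
    _node("worker-0", {}),
    _node("worker-1", _NFD),
    _node("worker-2", _ALL),
    _node("worker-3", _ALL, capacity=3, allocatable=2),
    _node("worker-4", _ALL, capacity=3, allocatable=3),
]
# The workload from the slide: one container asking for one GPU.
MYPOD = {"spec": {"containers": [
    {"name": "mypod", "resources": {"requests": {GPU_RESOURCE: "1"}}}]}}

if __name__ == "__main__":
    for node in NODES:
        stage, detail = gpu_stage(node)
        print(f"{node['metadata']['name']}: {stage} ({detail})")
    print("candidates for mypod:", candidate_nodes(NODES, MYPOD))
```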
41
OpenShift
Virtualization
Detailed Slides in
Separate Presentation
Deck
42
Developer
Experience
Deep Dive
OpenShift enables developer productivity
SPRING & JAVA™ EE MICROSERVICES FUNCTIONS
LANGUAGES DATABASES APPLICATION SERVICES
LINUX WINDOWS
CODE
BUILD TEST DEPLOY
MONITOR
REVIEW
Self-service
provisioning
Automated
build & deploy
CI/CD
pipelines
Consistent
environments
Configuration
management
App logs &
metrics
OPENSHIFT
SERVICE MESH
OPENSHIFT
SERVERLESS
OpenShift Service Mesh
○ Integrated Service Mesh for enhanced security
and network segmentation of microservices
applications. Combines Istio, Kiali (UI), and
Jaeger (Tracing) projects.
OpenShift Serverless
○ Integrated serverless, enabling scale-to-zero
FaaS services and event sources - built on the
Knative framework.
○ Support for Azure Functions
○ Integrated with Camel-k for rich set of initial
event sources: HTTP, Kafka, AMQP
Building next-gen applications
Enabling greater developer
productivity
CODEREADY
WORKSPACES
ODO
VSCODE
AZURE DEVOPS
ECLIPSE
JETBRAINS
CodeReady Workspaces
Web-Based IDE (Eclipse Che),
Collaborative Development,
integrated with CI/CD.
OpenShift ODO
Advanced developer CLI
OpenShift Plugins
Integration plugins - VScode, Azure
DevOps, Eclipse IDE, JetBrains
DEV
Container Workspaces
Workspace replicas to end
“works on my machine” and
enable team collaboration.
The collaborative OpenShift-Native IDE. Free for any customer
of OpenShift Dedicated or OpenShift Container Platform.
Based on the open Eclipse
Che project
Red Hat Linux and
Application Infrastructure
Plugin model for
extensibility
Serverless support
(coming soon)
DevOps Integrations
Reference developer
workspaces from any issue,
failed build, or git notification.
Protect Source Code
Full access to source code
without any of it landing on
hard-to-secure laptops.
Use It To: Replace VDI for devs, and enable true container-based DevOps.
CodeReady Workspaces
● What’s new with OpenShift 4?
● OpenShift Service Mesh
● Docker support in OpenShift
Appendices
Appendix:
What’s new with
OpenShift 4?
48
Trusted enterprise Kubernetes
● Trusted Host, Content, Platform
● Full Stack Automated Install
● Over the Air Updates & Day 2 Mgt
A cloud-like experience, everywhere
● Hybrid, Multi-Cluster Management
● Operator Framework
● Operator Hub & Certified ISVs
Empowering developers to innovate
● OpenShift Service Mesh (Istio)
● OpenShift Serverless (Knative)
● CodeReady Workspaces (Che)
OPERATING SYSTEM
OPERATING SYSTEM
OPENSHIFT PLATFORM
OPENSHIFT PLATFORM
OPENSHIFT 4 (only)
OPENSHIFT 3 & 4
INFRASTRUCTURE
FULL-STACK AUTOMATION
● OpenShift retrieves list of
available updates
● Admin selects the target
version
● OpenShift is updated over
the air
● Auto-update support
SEAMLESS UPDATES
51
DAY 1: OPENSHIFT INSTALL - DAY 2: OPERATORS
openshift-install
Cloud resources
Red Hat Enterprise
Linux CoreOS
Red Hat OpenShift Container Platform cluster
Red Hat OpenShift Container Platform cluster services
Control Plane
Cloud resources
Red Hat Enterprise
Linux CoreOS
Worker Nodes
User managed
Installer/Operator managed
FULL STACK AUTOMATED INSTALLATION
52
DAY 1: OPENSHIFT INSTALL - DAY 2: OPERATORS + CUSTOMER MANAGED NODES & INFRA
openshift-install
Cloud resources
Red Hat Enterprise
Linux CoreOS
Red Hat OpenShift Container Platform cluster
Red Hat OpenShift Container Platform cluster services
Control Plane
Cloud resources
Red Hat Enterprise Linux /
RHEL CoreOS
Worker Nodes
Customer deployed
User managed
Installer/Operator managed
PRE-EXISTING INFRASTRUCTURE
INSTALLATION
53
Demo Link: https://drive.google.com/file/d/1d7MlygcBxH-_eUAxIO6Z9364veXiBJz4/view
DEMO: INSTALL OPENSHIFT 4 ON AWS
54
4.0*
4.1
4.2
4.3
INSTALLER PROVISIONED
INFRASTRUCTURE (IPI)
USER PROVISIONED
INFRASTRUCTURE (UPI)
Baremetal
Baremetal
PROVIDER ROADMAP FOR RED HAT OPENSHIFT
4
55
● Deploy a replication of your applications from one OpenShift cluster to a different
OpenShift cluster
● Enable cluster-specific configuration from OpenShift 3 to work on an OpenShift 4 cluster
● Documentation on how to handle common network, storage, and machine/node re-use
scenarios between OpenShift 3 and OpenShift 4 clusters
vSphere OpenShift 3.10 Cluster
Target PVs using NFS
S3 Bucket
Full Backup
Increment Diff Backup
(like rsync)
AWS OpenShift 4.1 Cluster
New EBS PV based on restic
restore and mount to migrated app
$ oc command
$ oc command
CLUSTER MIGRATION OPENSHIFT 3 to 4
56
Demo Link: https://drive.google.com/file/d/1nF6dOCkHpDOxUaE_3-194v6h27TBJu-0/view
DEMO: OPENSHIFT NODE AUTO-SCALING
57
● Cloud-based multicluster
management
○ New clusters on AWS, Azure,
Google, vSphere, OpenStack, and
bare metal
○ Register existing clusters
○ Including OpenShift Dedicated
● Management operations
○ Install new clusters
○ View all registered clusters
○ Update clusters
cloud.openshift.com
AWS Google Azure On-Prem
UNIFIED HYBRID CLOUD
59
Operators codify operational
knowledge and workflows to
automate life cycle management
of containerized applications
with Kubernetes
SDK
LIFE CYCLE
MANAGEMENT
METERING
OPERATOR FRAMEWORK
60
● Launched with AWS, Microsoft,
and Google
● Discover and install optional
components and apps
● Upstream & downstream content
● ISV partners will support their
own Operators
Red Hat products
ISV partners
Community
TYPES OF OPERATORS
OPERATOR HUB
61
Demo Link: https://drive.google.com/file/d/1dPxLIROOL7Ek1anub5Vr5P5sJzWSMC2f/view
DEMO: OPERATORS IN ACTION
62
Observe Observe
Secure
Control
Connect
Jaeger Prometheus
Istio
OPENSHIFT SERVICE MESH / ISTIO
64
OPENSHIFT AND KNATIVE OVERVIEW
65
Build
A pluggable model for
building artifacts, like jar
files, zips or containers from
source code.
Serving
An event-driven model
that serves the container
with your application and
can "scale to zero".
Events
Common infrastructure for
consuming and producing
events that will stimulate
applications.
"...an extension to Kubernetes exposing building blocks to build modern, source-centric, and container-
based applications that can run anywhere".
Serving
● Browser-based Web IDE + Dev
Environment in pods
● Red Hat supported Eclipse Che
● Bundled with OCP/OSD SKU
● Available on OCP and OSD
● Enabled via an operator
● RHEL 8-based stacks
(tools and runtimes)
CODEREADY WORKSPACES
66
Appendix:
OpenShift Service Mesh
Microservices Evolution
69
Service
Config
Svc Discovery
Routing
Circuit Breaker
Tracing
Service
Platform Container Platform
...2014 2018
Microservices Reality
70
Container Platform
Service
Service
Service
Service
Service
Service
Service
Service Service
Service
Service
Service
Service
Service
Service
Service
Service
Service
Service
Service
Enter the Service Mesh
○ Infrastructure layer to help manage service-to-service communication, delivering
enhanced security and traf for microservices applications.
■ Load balancing
■ Routing rules
■ Service monitoring and logging
■ Secure cross-service communications
MySQL Database
app.example.com
95% of traffic
5% of traffic
backend-app (Java)
frontend-app
backend-app (Go)
frontend-app
makes call to
makes call to
Control flow of traffic between application components
v1
v2
Simplify the Mess With a Service Mesh
Limitations to the Service Mesh
○ On its own, the Service Mesh is just the communication layer
■ Limited measurement functionality
■ Limited observation capabilities
■ Not a complete set of tools developers need to build and deploy microservices
Observe Observe
Secure
Control
Connect
Jaeger Prometheus
Istio
OpenShift Service Mesh
Kiali
Grafana
OpenShift Service Mesh
Connect
Control the flow of traffic between services
Secure
Application independent security
OpenShift Service Mesh
Control
Uniform abstraction for policy control
Observe
Visibility into application deployments
OpenShift Service Mesh
77
USE CASES
● Adaptive traffic
management
● Service performance
tracing
● Secure
communications and
API access
BENEFITS
1. Complete service mesh, including tracing and
visualization capabilities, packaged for ease of
use
2. Built with key open source projects and
integrations
3. Extend security through the service mesh into
the API layer with 3scale API management
integration
Distributed Tracing with Jaeger
● Discover service relationships
and process times, transparent
to the services
● Visualize the service execution
times across the application
● Identify potential latency issues
in each service
POD
SERVICE
C
PROXY
720 ms 210 ms
930 ms
POD
SERVICE
C
PROXY
POD
SERVICE
C
PROXY
Service Mesh Observability with Kiali
● Kiali works to visualise the
service mesh topology
● Identify which services are part
of the service mesh and how
they are connected
● Understand the topology and
health of the service mesh
POD
SERVICE
C
PROXY
POD
SERVICE
C
PROXY
POD
SERVICE
C
PROXY
Reducing Installation and Management Overhead
○ Leveraging the Kubernetes Operator model to embed logic into a single package
■ Automation of OpenShift Service Mesh Operator installation reduces complexity
to get service mesh running quickly
■ Business logic for installation and updates of all components (Istio, Jaeger and
Kiali) in one place
■ Rely on the baked-in best practices and human operational knowledge of the
software for configuration and upgrades
Do I need API Management with the Service Mesh?
81
● Do you have tens / hundreds of services / APIs?
● Are the applications consuming your APIs internal services?
● Do you have a need to package those services into consumable API products?
● Are there different classes of consumers in need of consuming these API
products? E.g. internal applications, partner applications, etc.
● Do you need a portal where API consumers can explore available API products
(composed by services deployed in different environments / clusters / etc.) and
get immediate access to them?
Bringing API Management to the Service Mesh
● The 3scale Istio Mixer Adapter gives your services exposed within the service
mesh API management capabilities.
● Developer access via developer portal and documentation, configuring different
types of access for different type of developers, usage analytics, billing and
invoicing.
● Quota enforcement, caching, and analytics are available at the ‘API product’ level.
ANY
INFRASTRUCTURE
OpenShift Container Platform
(Enterprise Kubernetes)
Amazon Web Services Microsoft Azure Google Cloud
OpenStack
Datacenter
Laptop
OpenShift Service Mesh
(Istio + Jaeger + Kiali)
ANY
APPLICATION
Service
CONTAINER
Service
CONTAINER
Service
CONTAINER
Service
CONTAINER
Service
CONTAINER
API
Manager
Distributed Services Platform
OpenShift Service Mesh Availability
● OpenShift Service Mesh is available at no additional cost for licensed OpenShift
customers
● The OpenShift Service Mesh Operator is available from the OperatorHub
embedded in the OpenShift interface
Appendix:
Docker Support in
OpenShift 4
IS DOCKER THE BEST AVAILABLE CONTAINER
ENGINE?
86
Potential limitations surrounding Docker
● Build requires a “big fat” daemon on every host
● Regression for integration with container platforms
Kubernetes/OpenShift
● Build has secret handling issues
● Root/privileged concerns at runtime
● Root/privileged concerns with daemon
● Build requires a running container
87
● Docker, Red Hat et al. June 2015
● Two specifications
○ Image format
■ How to package an OCI Image with sufficient information to launch
the application on the target platform
○ Runtime
■ How to launch a “filesystem bundle” that is unpacked on disk
● Version 1.0 of each released July 19th 2017
● Distribution spec started in April, 2018.
88
LXC Initial
release
Aug
‘08
OpenShift
online
May
‘11
Docker
initial
Mar
‘13
OpenShift
Enterprise
3.0
Jun
‘15
OCI
CNCF
Initial
release,
Buildah
Jun
‘17
Moby
Apr
‘17
Sep
‘17
Kubernetes
Mid
‘14
Buildah 1.0
Podman
New logo
May
‘18
buildah.io
podman.io
Sep
‘18
Buildah
Skopeo
Podman
RHEL
May
‘19
Nov
‘15
Mar
‘16
CONTAINER INNOVATION CONTINUES ….
● Built for interfacing with Docker registry
● CLI for images and image registries
● Rejected by upstream Docker ¯_(ツ)_/¯
● Allows remote inspection of image meta-
data - no downloading
● Can copy from one storage to another
SKOPEO
Image
Repository
Image
Registry
Host
/var/lib/containers
or
/var/lib/docker
SECURITY FEATURES
Share securely
No daemon
Inspect remote images
No pulling potentially malicious images
Non-root copy. Bridge between registries.
89
IMAGE COPY WITH SKOPEO
● @ podman.io
● Client only tool, based on the Docker CLI. (same+)
● No daemon!
● Storage for
○ Images - containers/image
○ Containers - containers/storage
● Runtime - runc
● Shares state with CRI-O and with Buildah!
PODMAN
Images
Image
Registry
Containers
Kernel
SECURITY FEATURES
Run and develop securely
No daemon
Run without root
Isolate with user namespaces
Audit who runs what
90
The new container CLI
91
● Now buildah.io
● Builds OCI compliant images
● No daemon - no “docker socket”
● Does not require a running container
● Can use the host’s user’s secrets.
● Single layer, from scratch images are made
easy and it ensures limited manifest.
● If needed you can still maintain Dockerfile
based workflow
Base RHEL
OS Update Layer
Java Runtime Layer
Application Layer
Java runtime and
dependencies, and
Application
From scratch,
single layer
From base,
multi-layer
SECURITY FEATURES
Build securely
No daemon
Shrink the attack surface
Fine-grained control of the layers
Run builds isolated
Better secret management
Why use Buildah?
● A Kubernetes thing
● Now part of CNCF! (April 8th)
● OCI daemon
● Implements Kubelet Container Runtime
Interface (CRI)
CRI-O
Container
Host
Container
Container
Container
Kubernetes
READONLY
SECURITY FEATURES
Run securely in a production cluster
No daemon
Read-only containers
Enable fewer capabilities
User namespaces
FIPS mode support
92
OCI AND CRI-O

More Related Content

What's hot

Containers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red HatContainers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red HatAmazon Web Services
 
How OpenShift SDN helps to automate
How OpenShift SDN helps to automateHow OpenShift SDN helps to automate
How OpenShift SDN helps to automateIlkka Tengvall
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformKangaroot
 
Openshift Container Platform
Openshift Container PlatformOpenshift Container Platform
Openshift Container PlatformDLT Solutions
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewBob Killen
 
Red Hat OpenShift Operators - Operators ABC
Red Hat OpenShift Operators - Operators ABCRed Hat OpenShift Operators - Operators ABC
Red Hat OpenShift Operators - Operators ABCRobert Bohne
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 
OpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdfOpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdfJuanSalinas593459
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdKohei Tokunaga
 
Using Rook to Manage Kubernetes Storage with Ceph
Using Rook to Manage Kubernetes Storage with CephUsing Rook to Manage Kubernetes Storage with Ceph
Using Rook to Manage Kubernetes Storage with CephCloudOps2005
 
Extending kubernetes with CustomResourceDefinitions
Extending kubernetes with CustomResourceDefinitionsExtending kubernetes with CustomResourceDefinitions
Extending kubernetes with CustomResourceDefinitionsStefan Schimanski
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesGabriel Carro
 
Red Hat Openshift on Microsoft Azure
Red Hat Openshift on Microsoft AzureRed Hat Openshift on Microsoft Azure
Red Hat Openshift on Microsoft AzureJohn Archer
 
OpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfOpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfssuser1490e8
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Edureka!
 
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftKubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftDevOps.com
 

What's hot (20)

Containers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red HatContainers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red Hat
 
How OpenShift SDN helps to automate
How OpenShift SDN helps to automateHow OpenShift SDN helps to automate
How OpenShift SDN helps to automate
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
 
Openshift Container Platform
OpenShift 4 Technical Highlights

  • 2. 2 A cloud-like experience, everywhere Operator Framework Operator Hub & ISV ecosystem Multicluster management
  • 3. FULLY AUTOMATED DAY-1 AND DAY-2 OPERATIONS Infra provisioning Embedded OS Full-stack deployment On-premises and cloud Unified experience Secure defaults Network isolation Signing and policies Audit and logs Multicluster aware Monitoring and alerts Zero-downtime upgrades Full-stack patch & upgrade Vulnerability scanning INSTALL HARDEN DEPLOY OPERATE AUTOMATED OPERATIONS Automated container operations
  • 4. Flexible app architectures Uniform deploy and debug No reinvention of core concepts Truly hybrid Operators codify operational knowledge and workflows to automate lifecycle management of containerized applications with Kubernetes Kubernetes-native day 2 management
  • 5. ● OperatorHub.io launched by Red Hat, AWS, Microsoft and Google ● OpenShift Operator Certification ● OperatorHub integrated into OpenShift 4 COMMUNITY OPERATORS OperatorHub and certified Operators OPENSHIFT CERTIFIED OPERATORS
  • 6. Full control for administrators
  • 7. Self-service for developers
      apiVersion: mongodb.com/v1
      kind: MongoDbReplicaSet
      metadata:
        name: example
        namespace: production
      spec:
        members: 3
        version: 4.0.2
        persistent: false
        project: example
        credentials: my-secret
  • 8. ● Manage multiple OpenShift clusters, across multiple cloud and on-premises environments ● Install and update OpenShift across all your cloud environments ● Centrally manage policy and deployments cloud.redhat.com Delivering Kubernetes everywhere
  • 10. 10 OpenShift 4 Installation Two new paradigms for deploying clusters
  • 11. OpenShift 4 - A smarter Kubernetes platform Automated, full-stack installation from the container host to application services Seamless Kubernetes deployment to any cloud or on-premises environment Autoscaling of cloud resources One-click updates for platform, services, and applications
  • 12. OPERATING SYSTEM OPERATING SYSTEM OPENSHIFT PLATFORM OPENSHIFT PLATFORM OPENSHIFT 4 (only) OPENSHIFT 3 & 4 INFRASTRUCTURE Full-stack automated install
  • 13. Installation Paradigms OPENSHIFT CONTAINER PLATFORM | Installation 13
      OPENSHIFT CONTAINER PLATFORM
        Full Stack Automated: Simplified opinionated “Best Practices” for cluster provisioning. Fully automated installation and updates including host container OS.
        Pre-existing Infrastructure: Customer managed resources & infrastructure provisioning. Plug into existing DNS and security boundaries.
      HOSTED OPENSHIFT
        Azure Red Hat OpenShift: Deploy directly from the Azure console. Jointly managed by Red Hat and Microsoft Azure engineers.
        OpenShift Dedicated: Get a powerful cluster, fully managed by Red Hat engineers and support.
  • 14. Full-stack Automated Installation OPENSHIFT CONTAINER PLATFORM | Installation 14 openshift-install deployed Control Plane Worker Nodes User managed Operator managed Cloud Resources RH CoreOS OCP Cluster OCP Cluster Resources RH CoreOS RHEL CoreOS Cloud Resources RH CoreOS RH CoreOS RHEL CoreOS
  • 15. Pre-existing Infrastructure Installation OPENSHIFT CONTAINER PLATFORM | Installation 15 openshift-install deployed Cloud Resources RH CoreOS OCP Cluster OCP Cluster Resources Control Plane Cloud Resources Worker Nodes Customer deployed User managed Operator managed Note: Control plane nodes must run RHEL CoreOS! RH CoreOS RHEL CoreOS RHEL 7 RHEL CoreOS
  • 16. Comparison of Paradigms
      |                                 | Full Stack Automation   | Pre-existing Infrastructure                           |
      | Build Network                   | Installer               | User                                                  |
      | Setup Load Balancers            | Installer               | User                                                  |
      | Configure DNS                   | Installer               | User                                                  |
      | Hardware/VM Provisioning        | Installer               | User                                                  |
      | OS Installation                 | Installer               | User                                                  |
      | Generate Ignition Configs       | Installer               | Installer                                             |
      | OS Support                      | Installer: RHEL CoreOS  | User: RHEL CoreOS + RHEL 7                            |
      | Node Provisioning / Autoscaling | Yes                     | Only for providers with OpenShift Machine API support |
  • 17. ● OpenShift retrieves the list of available updates ● Admin selects the target version ● OpenShift is updated over the air ● Auto-update support Over the Air (OTA) Updates
  • 18. 18 OpenShift 4 Lifecycle Supported paths for upgrades and migrations
  • 19. 19 OPENSHIFT CONTAINER PLATFORM | Lifecycle Each OpenShift release is a collection of Operators ● 100% automated, in-place upgrade process ● 30 Operators run every major part of the platform: ○ Console, Monitoring, Authentication, Machine management, Kubernetes Control Plane, etcd, DNS, and more. ● Operators constantly strive to meet the desired state, merging admin config and Red Hat recommendations ● CI testing is constantly running install, upgrade and stress tests against groups of Operators
  • 20. OpenShift Upgrades and Migrations
      N release: Full support, RFEs, bugfixes, security
      N-2 release: OTA pathway to N release, critical bugs and security
      Happy path = upgrade through each version
        ● On a regular cadence, upgrade to the next supported version.
      Optional path = migration tooling
        ● To skip versions or catch up, use the application migration tooling to move to a new cluster.
      What is Extended Update Support (EUS)?
        ● Extended timeframe for critical security and bug fixes
        ● Work within a customer’s release management philosophies
        ● Goal to provide a serial pathway to update from EUS to EUS
          ○ Augmented by Migration Tool and/or Advanced Cluster Management (ACM) based on use-case
      [Timeline figure, 2020 to 2022 by month: releases 4.5, 4.6 EUS and 4.7; legend: Upgrade, Migration or Serial Upgrade]
  • 21. 4.6 EUS for Layered Products/Add-ons
      Complete “hands off” EUS: Remain on single supported version for the entire EUS period
      Mid-cycle refresh during EUS: The EUS cycles for these products refresh during the OpenShift EUS
      Normal updates during EUS: Follows the normal support window for the add-on, shorter than EUS
      Layered products and add-ons listed on the slide: OpenShift Logging, OpenShift Container Storage, Advanced Cluster Manager, Cluster Migration Tool, Red Hat SSO, JBoss EAP, OpenShift Virtualization, OpenShift Serverless, OpenShift Pipelines, Process Automation, OpenShift CNF, Jaeger, OpenShift Service Mesh, CodeReady Containers, Red Hat Quay / CSO, Quarkus, Thorntail, Spring Boot, Vert.x, JWS (Tomcat), DataGrid
      [Timeline figure, 2020 to 2022 by month: 4.6 EUS with LAYERED PRODUCT UPGRADE / LAYERED UPGRADE markers]
  • 23. 23 Red Hat Enterprise Linux CoreOS The OpenShift operating system
  • 24. OPENSHIFT PLATFORM Generally Available Product Manager: Ben Breard
      General Purpose OS
        BENEFITS
          • 10+ year enterprise life cycle
          • Industry standard security
          • High performance on any infrastructure
          • Customizable and compatible with wide ecosystem of partner solutions
        WHEN TO USE: When customization and integration with additional solutions is required
      Immutable container host
        BENEFITS
          • Self-managing, over-the-air updates
          • Immutable and tightly integrated with OpenShift
          • Host isolation is enforced via Containers
          • Optimized performance on popular infrastructure
        WHEN TO USE: When cloud-native, hands-free operations are a top priority
      Red Hat Enterprise Linux
  • 25. Immutable Operating System OPENSHIFT PLATFORM Red Hat Enterprise Linux CoreOS is versioned with OpenShift CoreOS is tested and shipped in conjunction with the platform. Red Hat runs thousands of tests against these configurations. Red Hat Enterprise Linux CoreOS is managed by the cluster The Operating system is operated as part of the cluster, with the config for components managed by Machine Config Operator: ● CRI-O config ● Kubelet config ● Authorized registries ● SSH config v4.1.6 v4.1.6 RHEL CoreOS admins are responsible for: Nothing.
  • 26. OpenShift Architecture 26 A lightweight, OCI-compliant container runtime Minimal and Secure Architecture Optimized for Kubernetes Runs any OCI-compliant image (including docker)
  • 27. BROAD ECOSYSTEM OF WORKLOADS CRI-O Support in OpenShift
      | CRI-O      | Kubernetes      | OpenShift     |
      | CRI-O 1.12 | Kubernetes 1.12 | OpenShift 4.0 |
      | CRI-O 1.13 | Kubernetes 1.13 | OpenShift 4.1 |
      | CRI-O 1.14 | Kubernetes 1.14 | OpenShift 4.2 |
      CRI-O tracks and versions identical to Kubernetes, simplifying support permutations
  • 28. OpenShift Architecture 28 podman A docker-compatible CLI for containers ● Remote management API via Varlink ● Image/container tagging ● Advanced namespace isolation
  • 29. OpenShift Architecture 29 buildah Secure & flexible OCI container builds ● Integrated into OCP build pods ● Performance improvements for knative enablement ● Image signing improvements
  • 30. kubelet static containers scheduled containers systemd-managed native binaries CoreOS “pod” architecture kubelet CRI-O etcd kube-scheduler kube controller-manager kube-apiserver coredns openshift-apiserver openshift controller-manager openshift-oauth
  • 31. 31 Special Resources and Devices Enabling GPU, network, and other specialty resources for workloads
  • 32. OpenShift Architecture 32 NFD finds certain resources NFD Worker Daemonset Node Feature Discovery Operator (NFD) GPU Worker Node (CoreOS) kubelet GPU GPU CRI-O
  • 33. OpenShift Architecture 33 NFD labels nodes NFD Worker Daemonset GPU Worker Node (CoreOS) GPU GPU kubernetes API (Master) feature.node.kubernetes.io/pci-10de.present=true kubelet CRI-O
  • 34. OpenShift Architecture 34 Specialty Resource Operator deploys to relevant nodes GPU Worker Node (CoreOS) GPU GPU feature.node.kubernetes.io/pci-10de.present=true GPU Driver Daemonset CRI-O Plugin Daemonset Device Plugin Daemonset GPU Feature Discovery Daemonset Node Exporter Daemonset Special Resource Operator (SRO) kubelet CRI-O
  • 35. OpenShift Architecture 35 GPU Feature Discovery reports additional capabilities GPU Worker Node (CoreOS) GPU GPU feature.node.kubernetes.io/pci-10de.present=true GPU Feature Discovery Daemonset kubernetes API (Master) nvidia.com/gpu.family=tesla nvidia.com/gpu.memory=16130 ... kubelet CRI-O
  • 36. OpenShift Architecture 36 GPU Driver installs kmod and userspace drivers GPU Worker Node (CoreOS) GPU GPU feature.node.kubernetes.io/pci-10de.present=true nvidia.com/gpu.family=tesla nvidia.com/gpu.memory=16130 ... GPU Driver Daemonset kmod-nvidia nvidia-driver-userspace kubelet CRI-O
  • 37. OpenShift Architecture 37 CRI-O Plugin installs prestart hook GPU Worker Node (CoreOS) GPU GPU feature.node.kubernetes.io/pci-10de.present=true nvidia.com/gpu.family=tesla nvidia.com/gpu.memory=16130 ... CRI-O Plugin Daemonset CRI-O (runc) prestart hook kubelet CRI-O
  • 38. OpenShift Architecture 38 Device Plugin informs kubelet of resource details GPU Worker Node (CoreOS) GPU GPU feature.node.kubernetes.io/pci-10de.present=true nvidia.com/gpu.family=tesla nvidia.com/gpu.memory=16130 ... kubelet CRI-O Device Plugin Daemonset nvidia.com/gpu=3 GPU healthy?
  • 39. OpenShift Architecture 39 Node Exporter provides metrics on GPU GPU Worker Node (CoreOS) GPU GPU feature.node.kubernetes.io/pci-10de.present=true nvidia.com/gpu.family=tesla nvidia.com/gpu.memory=16130 ... kubelet CRI-O Node Exporter Daemonset Prometheus (cluster monitoring) /metrics
  • 40. OpenShift Architecture 40 GPU workload deployment GPU Worker Node (CoreOS) GPU GPU kubelet CRI-O ... resources: requests: nvidia.com/gpu: 1 ... mypod mypod CRI-O prestart hook mounts userspace drivers into pod pod accesses GPU via driver
  • 43. OpenShift enables developer productivity SPRING & JAVA™ EE MICROSERVICES FUNCTIONS LANGUAGES DATABASES APPLICATION SERVICES LINUX WINDOWS CODE BUILD TEST DEPLOY MONITOR REVIEW Self-service provisioning Automated build & deploy CI/CD pipelines Consistent environments Configuration management App logs & metrics
  • 44. OPENSHIFT SERVICE MESH OPENSHIFT SERVERLESS OpenShift Service Mesh ○ Integrated Service Mesh for enhanced security and network segmentation of microservices applications. Combines Istio, Kiali (UI), and Jaeger (Tracing) projects. OpenShift Serverless ○ Integrated serverless, enabling scale-to-zero FaaS services and event sources - built on the Knative framework. ○ Support for Azure Functions ○ Integrated with Camel-k for rich set of initial event sources: HTTP, Kafka, AMQP Building next-gen applications
  • 45. Enabling greater developer productivity CODEREADY WORKSPACES ODO VSCODE AZURE DEVOPS ECLIPSE JETBRAINS CodeReady Workspaces Web-Based IDE (Eclipse Che), Collaborative Development, integrated with CI/CD. OpenShift ODO Advanced developer CLI OpenShift Plugins Integration plugins - VScode, Azure DevOps, Eclipse IDE, JetBrains DEV
  • 46. Container Workspaces Workspace replicas to end “works on my machine” and enable team collaboration. The collaborative OpenShift-Native IDE. Free for any customer of OpenShift Dedicated or OpenShift Container Platform. Based on the open Eclipse Che project Red Hat Linux and Application Infrastructure Plugin model for extensibility Serverless support (coming soon) DevOps Integrations Reference developer workspaces from any issue, failed build, or git notification. Protect Source Code Full access to source code without any of it landing on hard-to-secure laptops. Use It To: Replace VDI for devs, and enable true container-based DevOps. CodeReady Workspaces
  • 47. ● What’s new with OpenShift 4? ● OpenShift Service Mesh ● Docker support in OpenShift Appendices
  • 49. Trusted enterprise Kubernetes ● Trusted Host, Content, Platform ● Full Stack Automated Install ● Over the Air Updates & Day 2 Mgt A cloud-like experience, everywhere ● Hybrid, Multi-Cluster Management ● Operator Framework ● Operator Hub & Certified ISVs Empowering developers to innovate ● OpenShift Service Mesh (Istio) ● OpenShift Serverless (Knative) ● CodeReady Workspaces (Che)
  • 50. OPERATING SYSTEM OPERATING SYSTEM OPENSHIFT PLATFORM OPENSHIFT PLATFORM OPENSHIFT 4 (only) OPENSHIFT 3 & 4 INFRASTRUCTURE FULL-STACK AUTOMATION
  • 51. ● OpenShift retrieves list of available updates ● Admin selects the target version ● OpenShift is updated over the air ● Auto-update support SEAMLESS UPDATES 51
  • 52. DAY 1: OPENSHIFT INSTALL - DAY 2: OPERATORS openshift-install Cloud resources Red Hat Enterprise Linux CoreOS Red Hat OpenShift Container Platform cluster Red Hat OpenShift Container Platform cluster services Control Plane Cloud resources Red Hat Enterprise Linux CoreOS Worker Nodes User managed Installer/Operator managed FULL STACK AUTOMATED INSTALLATION 52
  • 53. DAY 1: OPENSHIFT INSTALL - DAY 2: OPERATORS + CUSTOMER MANAGED NODES & INFRA openshift-install Cloud resources Red Hat Enterprise Linux CoreOS Red Hat OpenShift Container Platform cluster Red Hat OpenShift Container Platform cluster services Control Plane Cloud resources Red Hat Enterprise Linux / RHEL CoreOS Worker Nodes Customer deployed User managed Installer/Operator managed PRE-EXISTING INFRASTRUCTURE INSTALLATION 53
  • 55. 4.0* 4.1 4.2 4.3 INSTALLER PROVISIONED INFRASTRUCTURE (IPI) USER PROVISIONED INFRASTRUCTURE (UPI) Baremetal Baremetal PROVIDER ROADMAP FOR RED HAT OPENSHIFT 4 55
  • 56. ● Deploy a replication of your applications from one OpenShift cluster to a different OpenShift cluster ● Enable cluster specific configuration from OpenShift 3 to work on an OpenShift 4 cluster ● Documentation on how to handle common network, storage, and machine/node re-use scenarios between OpenShift 3 and OpenShift 4 clusters vSphere OpenShift 3.10 Cluster Target PVs using NFS S3 Bucket Full Backup Increment Diff Backup (like rsync) AWS OpenShift 4.1 Cluster New EBS PV based on restic restore and mount to migrated app $ oc command $ oc command Full Deck Here CLUSTER MIGRATION OPENSHIFT 3 to 4 56
  • 59. ● Cloud-based multicluster management ○ New clusters on AWS, Azure, Google, vSphere, OpenStack, and bare metal ○ Register existing clusters ○ Including OpenShift Dedicated ● Management operations ○ Install new clusters ○ View all registered clusters ○ Update clusters cloud.openshift.com AWS Google Azure On-Prem UNIFIED HYBRID CLOUD 59
  • 60. Operators codify operational knowledge and workflows to automate life cycle management of containerized applications with Kubernetes SDK LIFE CYCLE MANAGEMENT METERING OPERATOR FRAMEWORK 60
  • 61. ● Launched with AWS, Microsoft, and Google ● Discover and install optional components and apps ● Upstream & downstream content ● ISV partners will support their own Operators Red Hat products ISV partners Community TYPES OF OPERATORS OPERATOR HUB 61
  • 65. OPENSHIFT AND KNATIVE OVERVIEW 65 Build A pluggable model for building artifacts, like jar files, zips or containers from source code. Serving An event-driven model that serves the container with your application and can "scale to zero". Events Common infrastructure for consuming and producing events that will stimulate applications. "...an extension to Kubernetes exposing building blocks to build modern, source-centric, and container-based applications that can run anywhere".
  • 66. Serving ● Browser-based Web IDE + Dev Environment in pods ● Red Hat supported Eclipse Che ● Bundled with OCP/OSD SKU ● Available on OCP and OSD ● Enabled via an operator ● RHEL 8-based stacks (tools and runtimes) CODEREADY WORKSPACES 66
  • 69. Microservices Evolution 69 Service Config Svc Discovery Routing Circuit Breaker Tracing Service Platform Container Platform ...2014 2018
  • 70. Microservices Reality [diagram: Container Platform hosting many Service instances]
  • 71. Enter the Service Mesh ○ Infrastructure layer to help manage service-to-service communication, delivering enhanced security and traf for microservices applications. ■ Load balancing ■ Routing rules ■ Service monitoring and logging ■ Secure cross-service communications
  • 72. MySQL Database app.example.com 95% of traffic 5% of traffic backend-app (Java) frontend-app backend-app (Go) frontend-app makes call to makes call to Control flow of traffic between application components v1 v2 Simplify the Mess With a Service Mesh
  • 73. Limitations to the Service Mesh ○ On its own, the Service Mesh is just the communication layer ■ Limited measurement functionality ■ Limited observation capabilities ■ Not a complete set of tools developers need to build and deploy microservices
  • 75. OpenShift Service Mesh Connect Control the flow of traffic between services Secure Application independent security
  • 76. OpenShift Service Mesh Control Uniform abstraction for policy control Observe Visibility into application deployments
  • 77. OpenShift Service Mesh 77 USE CASES ● Adaptive traffic management ● Service performance tracing ● Secure communications and API access BENEFITS 1. Complete service mesh, including tracing and visualization capabilities, packaged for ease of use 2. Built with key open source projects and integrations 3. Extend security through the service mesh into the API layer with 3scale API management integration
  • 78. Distributed Tracing with Jaeger ● Discover service relationships and process times, transparent to the services ● Visualize the service execution times across the application ● Identify potential latency issues in each service POD SERVICE C PROXY 720 ms 210 ms 930 ms POD SERVICE C PROXY POD SERVICE C PROXY
  • 79. Service Mesh Observability with Kiali ● Kiali works to visualise the service mesh topology ● Identify which services are part of the service mesh and how they are connected ● Understand the topology and health of the service mesh POD SERVICE C PROXY POD SERVICE C PROXY POD SERVICE C PROXY
  • 80. Reducing Installation and Management Overhead ○ Leveraging the Kubernetes Operator model to embed logic into a single package ■ Automation of OpenShift Service Mesh Operator installation reduces complexity to get service mesh running quickly ■ Business logic for installation and updates of all components (Istio, Jaeger and Kiali) in one place ■ Rely on the baked-in best practices and human operational knowledge of the software for configuration and upgrades
  • 81. Do I need API Management with the Service Mesh? 81 ● Do you have tens / hundreds of services / APIs? ● Are the applications consuming your APIs internal services? ● Do you have a need to package those services into consumable API products? ● Are there different classes of consumers in need of consuming these API products? E.g. internal applications, partner applications, etc. ● Do you need a portal where API consumers can explore available API products (composed by services deployed in different environments / clusters / etc.) and get immediate access to them?
  • 82. Bringing API Management to the Service Mesh ● The 3scale Istio Mixer Adapter gives your services exposed within the service mesh API management capabilities. ● Developer access via developer portal and documentation, configuring different types of access for different types of developers, usage analytics, billing and invoicing. ● Quota enforcement, caching, and analytics are available at the ‘API product’ level.
  • 83. ANY INFRASTRUCTURE OpenShift Container Platform (Enterprise Kubernetes) Amazon Web Services Microsoft Azure Google Cloud OpenStack Datacenter Laptop OpenShift Service Mesh (Istio + Jaeger + Kiali) ANY APPLICATION Service CONTAINER Service CONTAINER Service CONTAINER Service CONTAINER Service CONTAINER API Manager Distributed Services Platform
  • 84. OpenShift Service Mesh Availability ● OpenShift Service Mesh is available at no additional cost for licensed OpenShift customers ● The OpenShift Service Mesh Operator will be available from the embedded OperatorHub in the OpenShift interface
  • 86. IS DOCKER THE BEST AVAILABLE CONTAINER ENGINE? 86 Potential limitations surrounding Docker ● Build requires a “big fat” daemon on every host ● Regression for integration with container platforms Kubernetes/OpenShift ● Build has secret handling issues ● Root/privileged concerns at runtime ● Root/privileged concerns with daemon ● Build requires a running container
  • 87. 87 ● Docker, Red Hat et al. June 2015 ● Two specifications ○ Image format ■ How to package an OCI Image with sufficient information to launch the application on the target platform ○ Runtime ■ How to launch a “filesystem bundle” that is unpacked on disk ● Version 1.0 of each released July 19th 2017 ● Distribution spec started in April, 2018.
  • 89. ● Built for interfacing with Docker registry ● CLI for images and image registries ● Rejected by upstream Docker ¯_(ツ)_/¯ ● Allows remote inspection of image metadata - no downloading ● Can copy from one storage to another SKOPEO Image Repository Image Registry Host /var/lib/containers or /var/lib/docker SECURITY FEATURES Share securely No daemon Inspect remote images No pulling potentially malicious images Non-root copy. Bridge between registries. 89 IMAGE COPY WITH SKOPEO
  • 90. ● @ podman.io ● Client only tool, based on the Docker CLI. (same+) ● No daemon! ● Storage for ○ Images - containers/image ○ Containers - containers/storage ● Runtime - runc ● Shares state with CRI-O and with Buildah! PODMAN Images Image Registry Containers Kernel SECURITY FEATURES Run and develop securely No daemon Run without root Isolate with user namespaces Audit who runs what 90 The new container CLI
  • 91. 91 ● Now buildah.io ● Builds OCI compliant images ● No daemon - no “docker socket” ● Does not require a running container ● Can use the host’s user’s secrets. ● Single layer, from scratch images are made easy and it ensures limited manifest. ● If needed you can still maintain Dockerfile based workflow Base RHEL OS Update Layer Java Runtime Layer Application Layer Java runtime and dependencies, and Application From scratch, single layer From base, multi-layer SECURITY FEATURES Build securely No daemon Shrink the attack surface Fine-grained control of the layers Run builds isolated Better secret management Why use Buildah?
  • 92. ● A Kubernetes thing ● Now part of CNCF! (April 8th) ● OCI daemon ● Implements Kubelet Container Runtime Interface (CRI) CRI-O Container Host Container Container Container Kubernetes READONLY SECURITY FEATURES Run securely in a production cluster No daemon Read-only containers Enable fewer capabilities User namespaces FIPS mode support 92 OCI AND CRI-O