3. FULLY AUTOMATED DAY-1 AND DAY-2 OPERATIONS
AUTOMATED OPERATIONS: Automated container operations
Phases: INSTALL, HARDEN, DEPLOY, OPERATE
● Infra provisioning
● Embedded OS
● Full-stack deployment
● On-premises and cloud
● Unified experience
● Secure defaults
● Network isolation
● Signing and policies
● Audit and logs
● Multicluster aware
● Monitoring and alerts
● Zero-downtime upgrades
● Full-stack patch & upgrade
● Vulnerability scanning
4. Flexible app architectures
● Uniform deploy and debug
● No reinvention of core concepts
● Truly hybrid
Kubernetes-native day 2 management: Operators codify operational knowledge and workflows to automate life cycle management of containerized applications with Kubernetes.
5. OperatorHub and certified Operators
● OperatorHub.io launched by Red Hat, AWS, Microsoft and Google
● OpenShift Operator Certification
● OperatorHub integrated into OpenShift 4
Operator categories shown: COMMUNITY OPERATORS and OPENSHIFT CERTIFIED OPERATORS
8. Delivering Kubernetes everywhere (cloud.redhat.com)
● Manage multiple OpenShift clusters, across multiple cloud and on-premises environments
● Install and update OpenShift across all your cloud environments
● Centrally manage policy and deployments
11. OpenShift 4 - A smarter Kubernetes platform
● Automated, full-stack installation from the container host to application services
● Seamless Kubernetes deployment to any cloud or on-premises environment
● Autoscaling of cloud resources
● One-click updates for platform, services, and applications
13. Installation Paradigms
OPENSHIFT CONTAINER PLATFORM | Installation
OPENSHIFT CONTAINER PLATFORM
● Full Stack Automated: Simplified opinionated “Best Practices” for cluster provisioning. Fully automated installation and updates including host container OS.
● Pre-existing Infrastructure: Customer managed resources & infrastructure provisioning. Plug into existing DNS and security boundaries.
HOSTED OPENSHIFT
● Azure Red Hat OpenShift: Deploy directly from the Azure console. Jointly managed by Red Hat and Microsoft Azure engineers.
● OpenShift Dedicated: Get a powerful cluster, fully managed by Red Hat engineers and support.
15. Pre-existing Infrastructure Installation
[Figure: openshift-install deploys the OCP cluster and its cluster resources; the control plane runs on RH CoreOS; the worker nodes (RHEL CoreOS or RHEL 7) and their cloud resources are customer deployed. Legend: Customer deployed / User managed / Operator managed.]
Note: Control plane nodes must run RHEL CoreOS!
16. Comparison of Paradigms
Task                            | Full Stack Automation  | Pre-existing Infrastructure
Build Network                   | Installer              | User
Setup Load Balancers            | Installer              | User
Configure DNS                   | Installer              | User
Hardware/VM Provisioning        | Installer              | User
OS Installation                 | Installer              | User
Generate Ignition Configs       | Installer              | Installer
OS Support                      | Installer: RHEL CoreOS | User: RHEL CoreOS + RHEL 7
Node Provisioning / Autoscaling | Yes                    | Only for providers with OpenShift Machine API support
17. Over the Air (OTA) Updates
● OpenShift retrieves the list of available updates
● Admin selects the target version
● OpenShift is updated over the air
● Auto-update support
19. Each OpenShift release is a collection of Operators
OPENSHIFT CONTAINER PLATFORM | Lifecycle
● 100% automated, in-place upgrade process
● 30 Operators run every major part of the platform:
○ Console, Monitoring, Authentication, Machine management, Kubernetes Control Plane, etcd, DNS, and more.
● Operators constantly strive to meet the desired state, merging admin config and Red Hat recommendations
● CI testing is constantly running install, upgrade and stress tests against groups of Operators
20. OpenShift Upgrades and Migrations
N release: Full support, RFEs, bugfixes, security
N-2 release: OTA pathway to N release, critical bugs and security
Happy path = upgrade through each version
● On a regular cadence, upgrade to the next supported version.
Optional path = migration tooling
● To skip versions or catch up, use the application migration tooling to move to a new cluster.
What is Extended Update Support (EUS)?
● Extended timeframe for critical security and bug fixes
● Work within a customer’s release management philosophies
● Goal to provide a serial pathway to update from EUS to EUS
○ Augmented by Migration Tool and/or Advanced Cluster Management (ACM) based on use-case
[Figure: timeline from May 2020 to Aug 2022 showing the 4.5, 4.6 EUS and 4.7 support windows, with arrows labelled "Upgrade" and "Migration or Serial Upgrade".]
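The OTA flow described on the update slides (OpenShift retrieves the list of available updates, the admin selects a target, and the cluster moves hop by hop along the "happy path") can be modelled as a directed graph of supported versions. The block below is an added example, not the OpenShift update service's code; it assumes the JSON shape of a Cincinnati-style update graph (nodes carrying a version and payload, edges as index pairs), and the versions, payload names and edges are constructed for the example. There is deliberately no 4.5.x to 4.7.0 edge, so that target is reached serially through 4.6; when no route exists the path function returns None, which is the "use migration tooling" case.

```python
"""Added example: walk a constructed, Cincinnati-style update graph the way an
admin reasons about OTA updates. Not the OpenShift update service's own code."""
import json
from collections import deque

# Constructed graph (versions, payload names and edges are invented for this
# example). Nodes carry a version and a release payload reference; each edge
# is a [from_index, to_index] pair meaning "an OTA update from -> to is supported".
GRAPH_JSON = json.dumps({
    "nodes": [
        {"version": "4.5.10", "payload": "example-release:4.5.10"},
        {"version": "4.5.11", "payload": "example-release:4.5.11"},
        {"version": "4.6.1",  "payload": "example-release:4.6.1"},
        {"version": "4.6.2",  "payload": "example-release:4.6.2"},
        {"version": "4.7.0",  "payload": "example-release:4.7.0"},
    ],
    # Deliberately no 4.5.x -> 4.7.0 edge: minor versions are not skipped.
    "edges": [[0, 1], [0, 2], [1, 2], [2, 3], [3, 4]],
})


def load_graph(text):
    """Return {version: [versions reachable in one supported hop]}."""
    doc = json.loads(text)
    versions = [node["version"] for node in doc["nodes"]]
    edges = {v: [] for v in versions}
    for src, dst in doc["edges"]:
        edges[versions[src]].append(versions[dst])
    return edges


def available_updates(edges, current):
    """The list the admin picks a target from: direct edges out of `current`."""
    return sorted(edges.get(current, []))


def upgrade_path(edges, current, target):
    """Shortest chain of supported hops from `current` to `target` (breadth-first
    search); None when the graph offers no OTA route, i.e. the migration-tooling case."""
    if current == target:
        return [current]
    previous = {current: None}
    queue = deque([current])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt in previous:
                continue
            previous[nxt] = node
            if nxt == target:
                path = [target]
                while previous[path[-1]] is not None:
                    path.append(previous[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    graph = load_graph(GRAPH_JSON)
    print("from 4.5.10 you may pick:", available_updates(graph, "4.5.10"))
    print("serial path 4.5.10 -> 4.7.0:", upgrade_path(graph, "4.5.10", "4.7.0"))
    print("downgrade 4.6.2 -> 4.5.10:", upgrade_path(graph, "4.6.2", "4.5.10"))
```

Edges only point forward in version order, so a downgrade request finds no path; the same breadth-first walk also answers the EUS question on this slide, since an EUS-to-EUS serial pathway is simply a path that exists in the graph between the two EUS versions.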
21. 4.6 EUS for Layered Products/Add-ons
[Figure: timeline from May 2020 to Aug 2022 of the 4.6 EUS window with LAYERED PRODUCT UPGRADE markers.]
Three patterns for layered products during the OpenShift EUS:
● Complete “hands off” EUS: remain on a single supported version for the entire EUS period
● Mid-cycle refresh during EUS: the EUS cycles for these products refresh during the OpenShift EUS
● Normal updates during EUS: follows the normal support window for the add-on, shorter than EUS
Layered products and add-ons shown: OpenShift Logging, OpenShift Container Storage, Advanced Cluster Manager, Cluster Migration Tool, Red Hat SSO, JBoss EAP, OpenShift Virtualization, OpenShift Serverless, OpenShift Pipelines, Process Automation, OpenShift CNF, Jaeger, OpenShift Service Mesh, CodeReady Containers, Red Hat Quay / CSO, Quarkus, Thorntail, Spring Boot, Vert.x, JWS (Tomcat), DataGrid
24. Red Hat Enterprise Linux
OPENSHIFT PLATFORM
Generally Available. Product Manager: Ben Breard
General Purpose OS (Red Hat Enterprise Linux) vs. Immutable container host (Red Hat Enterprise Linux CoreOS)
BENEFITS
General Purpose OS:
• 10+ year enterprise life cycle
• Industry standard security
• High performance on any infrastructure
• Customizable and compatible with wide ecosystem of partner solutions
Immutable container host:
• Self-managing, over-the-air updates
• Immutable and tightly integrated with OpenShift
• Host isolation is enforced via Containers
• Optimized performance on popular infrastructure
WHEN TO USE
General Purpose OS: When customization and integration with additional solutions is required
Immutable container host: When cloud-native, hands-free operations are a top priority
25. Immutable Operating System
Red Hat Enterprise Linux CoreOS is versioned with OpenShift: CoreOS is tested and shipped in conjunction with the platform. Red Hat runs thousands of tests against these configurations. [Figure: OpenShift v4.1.6 paired with RHEL CoreOS v4.1.6.]
Red Hat Enterprise Linux CoreOS is managed by the cluster: the operating system is operated as part of the cluster, with the config for components managed by the Machine Config Operator:
● CRI-O config
● Kubelet config
● Authorized registries
● SSH config
RHEL CoreOS admins are responsible for: Nothing.
26. OpenShift Architecture
A lightweight, OCI-compliant container runtime
● Minimal and secure architecture
● Optimized for Kubernetes
● Runs any OCI-compliant image (including docker)
27. BROAD ECOSYSTEM OF WORKLOADS: CRI-O Support in OpenShift
CRI-O      | Kubernetes      | OpenShift
CRI-O 1.12 | Kubernetes 1.12 | OpenShift 4.0
CRI-O 1.13 | Kubernetes 1.13 | OpenShift 4.1
CRI-O 1.14 | Kubernetes 1.14 | OpenShift 4.2
CRI-O tracks Kubernetes and uses identical version numbers, simplifying support permutations
43. OpenShift enables developer productivity
Workloads: SPRING & JAVA™ EE, MICROSERVICES, FUNCTIONS, LANGUAGES, DATABASES, APPLICATION SERVICES; LINUX and WINDOWS
Lifecycle: CODE, BUILD, TEST, DEPLOY, MONITOR, REVIEW
● Self-service provisioning
● Automated build & deploy
● CI/CD pipelines
● Consistent environments
● Configuration management
● App logs & metrics
44. Building next-gen applications: OPENSHIFT SERVICE MESH and OPENSHIFT SERVERLESS
OpenShift Service Mesh
○ Integrated Service Mesh for enhanced security and network segmentation of microservices applications. Combines Istio, Kiali (UI), and Jaeger (Tracing) projects.
OpenShift Serverless
○ Integrated serverless, enabling scale-to-zero FaaS services and event sources - built on the Knative framework.
○ Support for Azure Functions
○ Integrated with Camel-k for rich set of initial event sources: HTTP, Kafka, AMQP
46. CodeReady Workspaces
The collaborative OpenShift-Native IDE. Free for any customer of OpenShift Dedicated or OpenShift Container Platform.
● Container Workspaces: workspace replicas to end “works on my machine” and enable team collaboration.
● Based on the open Eclipse Che project
● Red Hat Linux and Application Infrastructure
● Plugin model for extensibility
● Serverless support (coming soon)
● DevOps Integrations: reference developer workspaces from any issue, failed build, or git notification.
● Protect Source Code: full access to source code without any of it landing on hard-to-secure laptops.
Use It To: Replace VDI for devs, and enable true container-based DevOps.
47. Appendices
● What’s new with OpenShift 4?
● OpenShift Service Mesh
● Docker support in OpenShift
51. SEAMLESS UPDATES
● OpenShift retrieves list of available updates
● Admin selects the target version
● OpenShift is updated over the air
● Auto-update support
52. DAY 1: OPENSHIFT INSTALL - DAY 2: OPERATORS
FULL STACK AUTOMATED INSTALLATION
[Figure: openshift-install creates the cloud resources and Red Hat Enterprise Linux CoreOS for both the control plane and the worker nodes, then the Red Hat OpenShift Container Platform cluster and its cluster services. Legend: User managed / Installer/Operator managed.]
53. DAY 1: OPENSHIFT INSTALL - DAY 2: OPERATORS + CUSTOMER MANAGED NODES & INFRA
PRE-EXISTING INFRASTRUCTURE INSTALLATION
[Figure: openshift-install deploys the Red Hat OpenShift Container Platform cluster and cluster services on a control plane running Red Hat Enterprise Linux CoreOS; the worker nodes (Red Hat Enterprise Linux / RHEL CoreOS) and their cloud resources are customer deployed. Legend: Customer deployed / User managed / Installer/Operator managed.]
56. CLUSTER MIGRATION OPENSHIFT 3 to 4
● Deploy a replication of your applications from one OpenShift cluster to a different OpenShift cluster
● Enable cluster specific configuration from OpenShift 3 to work on an OpenShift 4 cluster
● Documentation on how to handle common network, storage, and machine/node re-use scenarios between OpenShift 3 and OpenShift 4 clusters
[Figure: a vSphere OpenShift 3.10 cluster with target PVs using NFS is migrated to an AWS OpenShift 4.1 cluster through an S3 bucket: a full backup followed by an incremental diff backup (like rsync), then a new EBS PV based on restic restore is mounted to the migrated app; each step is driven by an oc command.]
58. Trusted enterprise Kubernetes
● Trusted Host, Content, Platform
● Full Stack Automated Install
● Over the Air Updates & Day 2 Mgt
A cloud-like experience, everywhere
● Hybrid, Multi-Cluster Management
● Operator Framework
● Operator Hub & Certified ISVs
Empowering developers to innovate
● OpenShift Service Mesh (Istio)
● OpenShift Serverless (Knative)
● CodeReady Workspaces (Che)
59. UNIFIED HYBRID CLOUD (cloud.openshift.com)
● Cloud-based multicluster management
○ New clusters on AWS, Azure, Google, vSphere, OpenStack, and bare metal
○ Register existing clusters
○ Including OpenShift Dedicated
● Management operations
○ Install new clusters
○ View all registered clusters
○ Update clusters
Targets shown: AWS, Google, Azure, On-Prem
60. OPERATOR FRAMEWORK
Operators codify operational knowledge and workflows to automate life cycle management of containerized applications with Kubernetes
Components: SDK, LIFE CYCLE MANAGEMENT, METERING
61. OPERATOR HUB
● Launched with AWS, Microsoft, and Google
● Discover and install optional components and apps
● Upstream & downstream content
● ISV partners will support their own Operators
TYPES OF OPERATORS: Red Hat products, ISV partners, Community
65. OPENSHIFT AND KNATIVE OVERVIEW
Build: A pluggable model for building artifacts, like jar files, zips or containers from source code.
Serving: An event-driven model that serves the container with your application and can "scale to zero".
Events: Common infrastructure for consuming and producing events that will stimulate applications.
"...an extension to Kubernetes exposing building blocks to build modern, source-centric, and container-based applications that can run anywhere".
66. CODEREADY WORKSPACES
● Browser-based Web IDE + Dev Environment in pods
● Red Hat supported Eclipse Che
● Bundled with OCP/OSD SKU
● Available on OCP and OSD
● Enabled via an operator
● RHEL 8-based stacks (tools and runtimes)
71. Enter the Service Mesh
○ Infrastructure layer that helps manage service-to-service communication, delivering enhanced security and traffic management for microservices applications.
■ Load balancing
■ Routing rules
■ Service monitoring and logging
■ Secure cross-service communications
72. Simplify the Mess With a Service Mesh
[Figure: control flow of traffic between application components. Requests to app.example.com reach frontend-app, which makes calls to backend-app; the mesh splits that traffic 95% / 5% between two versions of backend-app (v1 and v2, one Java and one Go), and both back ends make calls to the MySQL Database.]
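The 95% / 5% split in the figure above is a routing rule the mesh's proxies enforce on every request. The block below is an added example, not Istio's or Envoy's selection code: it implements one well-known algorithm that produces such a split deterministically (the smooth weighted round-robin used by nginx), with the backend names and weights constructed to match the slide, so you can see that the minority version receives exactly its share and that its requests are spread out rather than bunched.

```python
"""Added example: a deterministic weighted router that realizes a 95% / 5%
split between two back-end versions. Illustrative algorithm (the smooth
weighted round-robin used by nginx), not Istio's or Envoy's own selection code."""


class WeightedRouter:
    """Each pick adds every backend's weight to its running score, chooses the
    highest score and subtracts the total weight from the winner. Over any
    window of `total` consecutive picks each backend is chosen exactly
    `weight` times, whatever the tie-breaking order."""

    def __init__(self, weights):
        self.weights = dict(weights)
        self.scores = {name: 0 for name in weights}
        self.total = sum(weights.values())

    def pick(self):
        for name, weight in self.weights.items():
            self.scores[name] += weight
        chosen = max(self.scores, key=self.scores.get)
        self.scores[chosen] -= self.total
        return chosen


def route_requests(weights, n_requests):
    """Route n_requests through the split and return how many each version got."""
    router = WeightedRouter(weights)
    counts = {name: 0 for name in weights}
    for _ in range(n_requests):
        counts[router.pick()] += 1
    return counts


def first_picks(weights, n_requests):
    """The ordered list of backends chosen for the first n_requests requests."""
    router = WeightedRouter(weights)
    return [router.pick() for _ in range(n_requests)]


# Constructed traffic split matching the slide: v1 gets 95%, v2 (the new version) 5%.
BACKEND_APP_SPLIT = {"backend-app-v1": 95, "backend-app-v2": 5}

if __name__ == "__main__":
    print(route_requests(BACKEND_APP_SPLIT, 100))   # {'backend-app-v1': 95, 'backend-app-v2': 5}
    print(first_picks(BACKEND_APP_SPLIT, 20))       # v2 appears once, at position 11
```

Because the split is exact over every window of 100 requests, a canary receiving 5% cannot be starved or flooded by chance, which is what makes a staged rollout measurable with the tracing and observability tools on the following slides.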
73. Limitations to the Service Mesh
○ On its own, the Service Mesh is just the communication layer
■ Limited measurement functionality
■ Limited observation capabilities
■ Not a complete set of tools developers need to build and deploy microservices
77. OpenShift Service Mesh
USE CASES
● Adaptive traffic management
● Service performance tracing
● Secure communications and API access
BENEFITS
1. Complete service mesh, including tracing and visualization capabilities, packaged for ease of use
2. Built with key open source projects and integrations
3. Extend security through the service mesh into the API layer with 3scale API management integration
78. Distributed Tracing with Jaeger
● Discover service relationships and process times, transparent to the services
● Visualize the service execution times across the application
● Identify potential latency issues in each service
[Figure: three pods, each a service with a sidecar proxy, with per-hop timings of 720 ms and 210 ms making up a 930 ms traced request.]
79. Service Mesh Observability with Kiali
● Kiali works to visualise the service mesh topology
● Identify which services are part of the service mesh and how they are connected
● Understand the topology and health of the service mesh
[Figure: three pods, each a service with a sidecar proxy, connected through the mesh.]
80. Reducing Installation and Management Overhead
○ Leveraging the Kubernetes Operator model to embed logic into a single package
■ Automation of OpenShift Service Mesh Operator installation reduces complexity to get service mesh running quickly
■ Business logic for installation and updates of all components (Istio, Jaeger and Kiali) in one place
■ Rely on the baked-in best practices and human operational knowledge of the software for configuration and upgrades
81. Do I need API Management with the Service Mesh?
● Do you have tens / hundreds of services / APIs?
● Are the applications consuming your APIs internal services?
● Do you have a need to package those services into consumable API products?
● Are there different classes of consumers in need of consuming these API products? E.g. internal applications, partner applications, etc.
● Do you need a portal where API consumers can explore available API products (composed by services deployed in different environments / clusters / etc.) and get immediate access to them?
82. Bringing API Management to the Service Mesh
● The 3scale Istio Mixer Adapter gives your services exposed within the service mesh API management capabilities.
● Developer access via developer portal and documentation, configuring different types of access for different types of developers, usage analytics, billing and invoicing.
● Quota enforcement, caching, and analytics are available at the ‘API product’ level.
83. Distributed Services Platform
[Figure: ANY INFRASTRUCTURE (Amazon Web Services, Microsoft Azure, Google Cloud, OpenStack, Datacenter, Laptop) runs OpenShift Container Platform (Enterprise Kubernetes); OpenShift Service Mesh (Istio + Jaeger + Kiali) and an API Manager sit on top, connecting ANY APPLICATION built from services running in containers.]
84. OpenShift Service Mesh Availability
● OpenShift Service Mesh is available at no additional cost for licensed OpenShift customers
● OpenShift Service Mesh Operator will be found from the embedded OperatorHub interface through the OpenShift interface
86. IS DOCKER THE BEST AVAILABLE CONTAINER ENGINE?
Potential limitations surrounding Docker
● Build requires a “big fat” daemon on every host
● Regression for integration with container platforms Kubernetes/OpenShift
● Build has secret handling issues
● Root/privileged concerns at runtime
● Root/privileged concerns with daemon
● Build requires a running container
87. OCI specifications
● Docker, Red Hat et al. June 2015
● Two specifications
○ Image format
■ How to package an OCI Image with sufficient information to launch the application on the target platform
○ Runtime
■ How to launch a “filesystem bundle” that is unpacked on disk
● Version 1.0 of each released July 19th 2017
● Distribution spec started in April, 2018.
89. IMAGE COPY WITH SKOPEO
SKOPEO
● Built for interfacing with Docker registry
● CLI for images and image registries
● Rejected by upstream Docker ¯\_(ツ)_/¯
● Allows remote inspection of image metadata - no downloading
● Can copy from one storage to another
[Figure: skopeo copies between an image repository, an image registry and host storage (/var/lib/containers or /var/lib/docker).]
SECURITY FEATURES - Share securely
● No daemon
● Inspect remote images
● No pulling potentially malicious images
● Non-root copy. Bridge between registries.
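The OCI image format slide and the Skopeo slide above rest on one property: an image is a manifest that names its config and layers by content digest, so metadata can be read without fetching layers, and a copy between storages can prove that every blob it moved is the one the manifest promised. The block below is an added example, not skopeo's or the OCI project's code; it builds a constructed image from an invented config and two fake layer blobs, inspects it from the manifest and config alone, verifies all descriptors, and shows the check catching a substituted layer of the same size. The media type strings are the OCI image-spec ones; the in-memory dict standing in for a registry or /var/lib/containers is an assumption of the example.

```python
"""Added example: build a constructed OCI image (manifest + config + layers as
content-addressed blobs), inspect its metadata without touching the layers, and
verify every descriptor's digest and size. Not skopeo's or the OCI project's code."""
import hashlib
import json

MEDIA_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
MEDIA_CONFIG = "application/vnd.oci.image.config.v1+json"
MEDIA_LAYER = "application/vnd.oci.image.layer.v1.tar+gzip"


def digest(blob):
    """OCI digest string for a blob: algorithm:hex."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def descriptor(media_type, blob):
    """An OCI descriptor names a blob by media type, digest and size."""
    return {"mediaType": media_type, "digest": digest(blob), "size": len(blob)}


def build_image(config, layers):
    """Return (manifest_digest, blob_store). The store stands in for a registry's
    or skopeo's local blob storage: a map from digest to bytes (assumption)."""
    config_bytes = json.dumps(config, sort_keys=True).encode()
    manifest = {
        "schemaVersion": 2,
        "mediaType": MEDIA_MANIFEST,
        "config": descriptor(MEDIA_CONFIG, config_bytes),
        "layers": [descriptor(MEDIA_LAYER, layer) for layer in layers],
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    store = {digest(b): b for b in (config_bytes, *layers, manifest_bytes)}
    return digest(manifest_bytes), store


def inspect(store, manifest_digest):
    """What a remote inspect needs: the manifest and the config blob only.
    Layer contents are never read, so nothing potentially malicious is pulled."""
    manifest = json.loads(store[manifest_digest])
    config = json.loads(store[manifest["config"]["digest"]])
    return {
        "architecture": config.get("architecture"),
        "os": config.get("os"),
        "labels": config.get("config", {}).get("Labels", {}),
        "layers": len(manifest["layers"]),
        "layer_bytes": sum(layer["size"] for layer in manifest["layers"]),
    }


def verify(store, manifest_digest):
    """Check each descriptor against the stored blob, as a copy between storages
    must. Returns a list of problems; an empty list means the image is intact."""
    manifest_bytes = store.get(manifest_digest)
    if manifest_bytes is None or digest(manifest_bytes) != manifest_digest:
        return ["manifest missing or does not match its digest"]
    manifest = json.loads(manifest_bytes)
    problems = []
    for desc in (manifest["config"], *manifest["layers"]):
        blob = store.get(desc["digest"])
        if blob is None:
            problems.append(f"{desc['digest'][:19]}...: blob missing")
        elif len(blob) != desc["size"]:
            problems.append(f"{desc['digest'][:19]}...: size mismatch")
        elif digest(blob) != desc["digest"]:
            problems.append(f"{desc['digest'][:19]}...: content does not match digest")
    return problems


def tamper_first_layer(store, manifest_digest):
    """Return a copy of the store whose first layer was altered in place
    (same length, different bytes), as a substituted layer would be."""
    manifest = json.loads(store[manifest_digest])
    layer_digest = manifest["layers"][0]["digest"]
    tampered = dict(store)
    original = store[layer_digest]
    tampered[layer_digest] = bytes([original[0] ^ 0xFF]) + original[1:]
    return tampered


# Constructed sample content: a tiny config and two fake layer archives.
SAMPLE_CONFIG = {
    "architecture": "amd64",
    "os": "linux",
    "config": {"Labels": {"maintainer": "example-team"}},
}
SAMPLE_LAYERS = [b"layer-1: base filesystem (constructed)",
                 b"layer-2: application files (constructed)"]

if __name__ == "__main__":
    manifest_digest, store = build_image(SAMPLE_CONFIG, SAMPLE_LAYERS)
    print(inspect(store, manifest_digest))
    print("intact:", verify(store, manifest_digest))
    print("tampered:", verify(tamper_first_layer(store, manifest_digest), manifest_digest))
```

The size check alone would not catch the substituted layer, which is why the digest is recomputed over the whole blob; the same structure is what makes the Buildah slide's "single layer, from scratch" images easy to audit, since `inspect` reports one layer and one size to account for.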
90. PODMAN - The new container CLI
● @ podman.io
● Client only tool, based on the Docker CLI. (same+)
● No daemon!
● Storage for
○ Images - containers/image
○ Containers - containers/storage
● Runtime - runc
● Shares state with CRI-O and with Buildah!
[Figure: podman pulls images from an image registry into local image storage and runs containers directly on the kernel.]
SECURITY FEATURES - Run and develop securely
● No daemon
● Run without root
● Isolate with user namespaces
● Audit who runs what
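"Run without root" and "Isolate with user namespaces" on the Podman slide are one mechanism: a user namespace maps the container's uids onto an unprivileged slice of host uids taken from /etc/subuid, so root inside the container is the ordinary user (or one of their subordinate uids) on the host. The block below is an added example, not podman's code; it parses a constructed /etc/subuid, builds the uid_map triples a rootless runtime requests from newuidmap, and resolves container uids back to host uids. The user name, uid 1000 and the subordinate ranges are constructed.

```python
"""Added example: how a rootless container's uids map onto host uids via
/etc/subuid, i.e. why "root" inside the container is an unprivileged host uid.
Illustrates the mapping podman requests from newuidmap; not podman's own code."""

# Constructed /etc/subuid content: user:first_subordinate_uid:count
SUBUID = """\
# user : start : count
alice:100000:65536
bob:165536:65536
"""
OVERFLOW_UID = 65534  # unmapped ids appear as the kernel overflow uid ("nobody")


def parse_subuid(text, user):
    """Subordinate uid ranges granted to `user`, as (start, count) pairs."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def uid_map(user_uid, subuid_ranges):
    """Rootless mapping: container uid 0 -> the user's own uid, container uids
    1.. -> the subordinate ranges. Entries are (container_start, host_start, count),
    the same triples written to /proc/<pid>/uid_map."""
    mapping = [(0, user_uid, 1)]
    next_container_uid = 1
    for host_start, count in subuid_ranges:
        mapping.append((next_container_uid, host_start, count))
        next_container_uid += count
    return mapping


def to_host_uid(mapping, container_uid):
    """Host uid that a file or process owned by `container_uid` really has."""
    for c_start, h_start, count in mapping:
        if c_start <= container_uid < c_start + count:
            return h_start + (container_uid - c_start)
    return OVERFLOW_UID


def render_uid_map(mapping):
    """/proc/<pid>/uid_map line format: "<inside> <outside> <count>"."""
    return "".join(f"{c} {h} {n}\n" for c, h, n in mapping)


if __name__ == "__main__":
    mapping = uid_map(1000, parse_subuid(SUBUID, "alice"))
    print(render_uid_map(mapping), end="")
    print("container root ->", to_host_uid(mapping, 0))   # 1000, not 0
    print("container uid 1 ->", to_host_uid(mapping, 1))  # 100000
```

The practical consequence for "Audit who runs what": a process that escapes the container still carries a host uid from alice's range, so host-side audit records attribute it to alice rather than to root.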
91. Why use Buildah?
● Now buildah.io
● Builds OCI compliant images
● No daemon - no “docker socket”
● Does not require a running container
● Can use the host’s user’s secrets.
● Single layer, from scratch images are made easy and it ensures limited manifest.
● If needed you can still maintain Dockerfile based workflow
[Figure: two image layouts. From base, multi-layer: Base RHEL, OS Update Layer, Java Runtime Layer, Application Layer. From scratch, single layer: Java runtime and dependencies, and Application in one layer.]
SECURITY FEATURES - Build securely
● No daemon
● Shrink the attack surface
● Fine-grained control of the layers
● Run builds isolated
● Better secret management
92. OCI AND CRI-O
CRI-O
● A Kubernetes thing
● Now part of CNCF! (April 8th)
● OCI daemon
● Implements Kubelet Container Runtime Interface (CRI)
[Figure: Kubernetes drives CRI-O on the container host, which runs containers marked READONLY.]
SECURITY FEATURES - Run securely in a production cluster
● No daemon
● Read-only containers
● Enable fewer capabilities
● User namespaces
● FIPS mode support