9. Dark Launch with Istio
[Diagram: a Route/Ingress in front of a Service sends 100% of traffic to Service A v1 and 0% to Service A v2 (each a JVM container in a Pod); the live traffic is mirrored to v2. Credit: @burrsutter]
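As an added example (not from the deck), the Istio DestinationRule and VirtualService that implement the dark launch drawn above: all live traffic is routed to v1 and a copy of every request is mirrored to v2. The service name `service-a`, the `version` labels and the v1alpha3 API version are assumptions.

```yaml
# Added example (not from the deck): dark launch of Service A v2 with Istio.
# Assumed names: a Kubernetes Service "service-a" whose pods are labelled
# version=v1 and version=v2. API version v1alpha3 is assumed (current in 2019).
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: service-a
spec:
  host: service-a
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-a
spec:
  hosts:
  - service-a
  http:
  - route:
    # 100% of live traffic is answered by v1; v2 receives 0% of routed requests.
    - destination:
        host: service-a
        subset: v1
      weight: 100
    # Every request is also copied to v2 "fire and forget": the copy's response
    # is discarded and never reaches the client. Envoy appends "-shadow" to the
    # Host/authority header of the copy, so v2 access logs can be told apart
    # from real traffic.
    mirror:
      host: service-a
      subset: v2
```

Mirrored requests carry real client headers and bodies, so v2 needs the same authentication and authorization policy as v1 and should not write to shared backends, or every mirrored request produces a second side effect.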
10. Istio - Cloud Native Service Mesh
Control the flow of traffic between services:
● A/B Testing
● Quantile based deployments
● Canary Deployments
● Staged Rollouts
● Fault injection
● Traffic mirroring
Application independent security:
● Zero trust network
● Mutual Transport Layer Security (TLS)
● Service to service encryption
● Service to service authentication
● Transport authentication
● Origin authentication
(Connect / Secure)
Product Manager: Brian Harrington
11. Istio - Cloud Native Service Mesh
Uniform abstraction for policy control
● Allow for traffic redirection in response to real time events
  ○ Response codes
  ○ Service latency
● Rule based processing based on headers
Visibility into application deployments
● Pluggable backend for telemetry capture
● Allows for COTS applications to get non-zero visibility into performance
● Prometheus
● Others TBD based on customer need
● Application tracing
  ○ Jaeger
● Service topology
  ○ Kiali
(Control / Observe)
Product Manager: Brian Harrington
13. Kiali (GUI for Istio / OSM)
Product Manager: Brian Harrington
14. OSM vs Upstream Istio - What’s different?
Istio is an “operator first product” (using Operator Framework): https://github.com/Maistra/istio-operator
The operator manages the installation and updates utilizing the Operator Lifecycle Manager (OLM)
Product Manager: Brian Harrington
15. LEARN MORE
● Tutorial using Minishift/Minikube
http://bit.ly/istio-tutorial
● Online labs, no installation needed
https://learn.openshift.com/servicemesh/
● Book, and more if you look around
https://developers.redhat.com/books/introducing-istio-service-mesh-microservices/
Product Manager: Brian Harrington
17. Product Manager: William Markito
Knative Overview - Components
Build / Pipelines: A pluggable model for building artifacts, like jar files, zips or containers, from source code.
Serving: An event-driven model that serves the container with your application and can "scale to zero".
Eventing: Common infrastructure for consuming and producing events that will stimulate applications.
"...an extension to Kubernetes exposing building blocks to build modern, source-centric, and container-based applications that can run anywhere".
18. Product Manager: William Markito
[Diagram: Knative on Red Hat Service Mesh (Istio). Step 1: Build, from a code repository (GitHub, GitLab, Local) or a Dockerfile into function and application containers. Step 2: Serving, with Controller, Activator and Autoscaler (scale to 0), triggered by cloud events. Step 3: Events, with Event Sources (Operators, Services (200+), Data Grid, Gluster / Ceph, SSO, ISVs, Fuse (Camel-k), Strimzi), Channels, ReceiveAdapters, Receivers and a Router delivering Red Hat and user events.]
19. Product Manager: William Markito
FUNCTION - AS - A - SERVICE
[Diagram: Red Hat OpenShift stack. Layers: Red Hat Enterprise Linux or Red Hat CoreOS; Kubernetes; Automated Operations (Hybrid Install / Ops, Ops & Dev Consoles, Install / Upgrade, Security / Auth, Network / CNI, Storage / CSI); Istio; Operator Framework with RH MW Services and ISV Services (Operator backed); Knative (Events, Build, Serving: building blocks for serverless, source-centric and container-based); Function as a Service* (Invoker, Runtime, CLI, API); developer tooling via ODO CLI and Eclipse Che. Side notes: The leading enterprise Kubernetes platform; Automated Operations; Build and run anywhere (Hybrid Cloud); Developer experience: APIs, CLI, service binding.]
20. LEARN MORE
● Tutorial using Minishift/Minikube
bit.ly/knative-tutorial
● Funny(er) tutorial?
https://developers.redhat.com/coderland/serverless/
Product Manager: Brian Harrington
25. Stable team, multi projects
Long tail adds up
Agile teams own 3+ code bases
Contribute to 10+ others
26. WHAT DEVELOPERS NEED IN ORDER TO CONTRIBUTE
● Project sources
● Dependencies
● Developer Tools: language servers, debuggers, testing tools, security tools, etc...
● Commands
● Build and packaging tools
● Terminal
● Operating system
● Web server / application server
● Database
● (All other runtime components)
For each service that is maintained!
27. CODEREADY WORKSPACES
Shareable + Secure
28. WORKSPACE AS CODE
Workspaces: An instance of a stack for your projects
A Workspace is made of
● The Runtime from the Stack
● The Source code of your Project
● The IDE and its configuration
Users can share the workspace for collaboration or easy development
29. CodeReady Containers
● Local desktop instance of OCP 4
● Replaces oc cluster, Minishift and CDK
● Focus on ease of access and native experience
● Native installer on macOS and Windows
● Native hypervisor support
● Tray icon integration
● Provides OCP 4 on RH CoreOS, dev tools and tutorials
● Leverages the standard OpenShift Installer
Product Manager: Steve Speicher
30. Dev Console
● Application-centric views and tasks of Kubernetes, OpenShift + Operator-enabled addons
● Developer workflows
  ○ Import app
  ○ Web IDE (Eclipse Che)
● DevOps workflows
  ○ Pipelines
  ○ Environments
● Third-party integrations
TARGET FOR 4.2
Product Manager: Steve Speicher
31. Container Tools
OCI tooling to create, run, and manage Linux Containers with a cluster-friendly life cycle
Light-weight runtime for the Kube CRI
● OCI compliant and docker compatible
● CLI via crictl
● Improved performance and scalability
● Continue to track the Kube CRI
Secure & flexible OCI container builds
● Integrated into OCP build pods
● Performance improvements for knative enablement
● Image signing improvements
A docker-compatible CLI for containers
● Remote management API via Varlink
● Image/container tagging
● Advanced namespace isolation
Product Manager: Scott McCarty
33. For Builders and the community
● Easily create applications on Kubernetes via a common method
● Provide a standardized set of tools to build consistent apps
For application consumers and Kubernetes users
● Keep used apps up to date for security reasons and app lifecycle management
● Make consuming cloud-native / kube-native applications more secure and easier
Product Manager: Daniel Messer
38. BASE INSTALL
https://github.com/openshift/installer
[Diagram: New Installer (base install): Console & Auth, Monitoring, Over-the-air Updates, Machine Management. Operator Hub: Optional Service Brokers, Optional OCP Components, Red Hat Product Operators, ISV/Partner Operators, Community Operators.]
Product Manager: Rob Szumski
41. Provider Roadmap for OpenShift 4
[Table: columns Developer Preview, 4.1, 4.2, 4.3; rows Installer Provisioned Infrastructure (IPI) and User Provisioned Infrastructure (UPI); cell entries include Baremetal and Baremetal on RHHI**]
** On qualified hardware stack
Product Manager: Katherine Dubé
42. OpenShift Hive
API Driven Multi-cluster Provisioning & Lifecycle Management
● Reliably provision/deprovision, upgrade, & configure OpenShift 4 clusters
  ○ 4.1: Internal only release
    ■ Initial support for OpenShift deployment on AWS only.
    ■ Primary focus supporting Dedicated clusters and the new UHC Portal/API.
    ■ May be used to drive cluster creation for CI.
● Leverages:
  ○ openshift-install - Uses CLI to launch clusters in the public cloud
  ○ Kubernetes Cluster API - Declarative, Kubernetes-style APIs for cluster creation, configuration, and management
  ○ Kubernetes Federation - Makes it easy to manage multiple clusters
● Working code & documentation now available:
  ○ https://github.com/openshift/hive
(Legend: Hive; Future Deliverable)
Product Manager: Katherine Dubé
43. Red Hat Universal Base Image (UBI)
The Red Hat Universal Base Image is a freely usable and redistributable container image packed with all of the value of Red Hat Enterprise Linux
Development
● Minimal footprint
● Latest programming languages
● Makes ops happy
Production
● Performance
● Security
● Life cycle
The base image for all of your needs on: OpenShift, RHEL, or other platform of choice
[Diagram: two container stacks (App on Runtime on UBI): on a Red Hat platform, fully supported by Red Hat; on a non-Red Hat platform, supported by end user]
Detailed Presentation
Product Manager: Scott McCarty
45. KUBERNETES NODE AND SCHEDULER
0-3 months
Quota by priority
DaemonSet pods via kube-scheduler
Configurable Pod Process Namespace Sharing
Taint node by Condition
Taint Based Evictions
PID pod limits
PSAP related (0-3 months)
Node Feature Discovery (NFD) Operator
GPGPU Operator (with Nvidia)
CPU Manager enhancements (to respect certain kernel tunings)
Product Manager: Tushar Katarki
46. KUBERNETES NODE AND SCHEDULER
3-6 months
Usage based scheduling
Device plugin metric enablement
Device and CPU assignment topology aware
Operators for other hardware accelerators
Kubelet Device Plugin Watcher
6 months plus
Resource Class
Debug Containers
Support node-level user namespace remapping
Topology Aware Volume Scheduling
Kubelet toleration for cgroup v2
Product Manager: Tushar Katarki
47. NVIDIA OPENSHIFT ROADMAP
3-6 months
node-feature-discovery Operator
GPU Operator (pod startup ordering, driver, device plugin)
OpenShift for DGX
Documentation
6 months plus
Priority/Preemption
Taints/Tolerations
MachineDeployment
Backlog
RBAC
Quota
Monitoring (Grafana)
More Nvidia GPU Cloud (NGC) containers support
NGC containers with UBI
NGC containers in RHCC Registry
Product Manager: Tushar Katarki
49. SECURITY FEATURE ROADMAP
DEFENSE IN DEPTH - Control, Defend, Extend
[Diagram labels: Trusted Container Content; Quay Registry with Image Scanning; CI/CD Pipeline; ImageStreams; Security Ecosystem; Container Host Multi-tenancy / Container Optimized Immutable OS; Built-In IAM; Secrets Management; Deployment Policies (SCCs); Audit & Logging; Network Policy & Isolation; API Management]
Linux Host Security
- RHCOS minimal, immutable OS
- RHCOS updates managed and delivered as integrated part of the OpenShift platform
Authentication & Authorization
- Integration with external Keycloak
- Use group membership from external IPs
Secrets & Certificates
- Encrypted certs stored in etcd (4.0)
- Improved cert management and integration with external CAs via ACME
- Integration with external Key Management Systems
Integrated Audit & Logging
- East / West traffic tracing with OpenShift Service Mesh
Network Policies
- Control service access flow with OpenShift Service Mesh
Networking Isolation
- East / West mutual TLS authentication with OpenShift Service Mesh
- Multus to isolate control plane / data plane (4.0)
Image Security
- Clair v3 covers more content
Product Manager: Kirsten Newcomer
50. AN UPDATE ON POLICY
Metadata Provider
• Embedded Marketplace for content governance
• Policy Management via UI
• Policy Enforcement
• Vulnerability Dashboards
• Notifications / Alerting
• Content ingress & federation
• Single source of truth for deployment artifacts
• Metadata repository
• Signatures & attestations
• Event triggers / notifications
• Provenance data for content inside images / applications
• Provide Metadata (attestations) to Quay
• Integrated in CI/CD pipeline automation
Product Manager: Dirk Herrmann
51. CONTAINER-NATIVE VIRTUALIZATION
● CNV 1.3 Tech Preview (now)
● CNV 1.4 Tech Preview (soon)
○ Basic live migration
○ Containerized data importer
■ Progress reporting
■ Disk expansion
■ Blank disks
○ Operators for KubeVirt, Containerized data importer
○ UI Enhancements
■ RDP, Serial, VNC, consoles
■ CRUD Disks, VM templates
Product Manager: Steve Gordon