
June 2019

OPEN for the Public Sector

The Kubernetes Platform For Big Ideas

Kevin Dubois
Senior Solution Architect
@kevindubois

EXPAND YOUR POSSIBILITIES
Join us at Red Hat® Forum 2019, a place to build on
what you have, build toward what you want, and build
up your expectations of possibilities to come.

On October 8th we invite you to join hundreds of open-minded, tech-hungry and inspiration-craving guests to our legendary Red Hat Forum. Due to the enormous growth over the past few years, we decided it was time to host the first BeLux edition at the Event Lounge in Brussels!

Register at red.ht/RedHatForumBeLux

A secure and enterprise-grade container
application platform based on Kubernetes for
traditional and cloud-native applications

OPEN for the Public Sector 2019


OpenShift is specifically designed to bring developers and operations teams together


Kubernetes is an open-source system for automating deployment, operations, and scaling of containerized applications across multiple hosts.


KUBERNETES DOES A LOT FOR YOU

● Orchestration
● Deployment
● Discovery
● Health Monitoring
● (Some) Security
● Storage plugins
● Networking plugins
● Scheduling
● Scaling
● Service Load Balancing


KUBERNETES DONE RIGHT IS HARD

INSTALL - DEPLOY - HARDEN - OPERATE

● Templating
● Identity & Security Access
● Platform Monitoring & Alerts
● OS Upgrade & Patch
● Validation
● App Monitoring & Alerts
● Metering & Chargeback
● Platform Upgrade & Patch
● OS Setup
● Storage & Persistence
● Platform Security Hardening
● Image Upgrade & Patch
● Provision Infrastructure
● Egress, Ingress & Integration
● Image Hardening
● App Upgrade & Patch
● Host Container Images
● Security Certifications
● Security Patches
● Build/Deploy Methodology
● Network Policy
● Continuous Security Scanning
● Disaster Recovery
● Multi-environment Rollout
● Resource Segmentation
● Enterprise Container Registry
● Cluster & App Elasticity
● Monitor, Alert, Remediate
● Log Aggregation


THE KUBERNETES NEWS YOU DON’T WANT

Unnecessary Costs
● K8s dashboard exposed
● AWS environment with telemetry data compromised
● Tesla’s infrastructure was used for crypto mining

Increased Risk
● No security on K8s dashboard
● IT infrastructure credentials exposed
● Enabled access to a large part of Weight Watchers' network

Unrealized Value
● K8S and etcd bug introduced to servers during update
● New features and changes deployed cause failures
● Restart backend components leading to full platform outage


k8s DOES NOT DO EVERYTHING

● Multi-tenancy
● Metrics and Logging
● Application Lifecycle Management
● Self-Service
● Application Services
● Networking
● Image Registry
● Teams and Collaboration
● Chargeback
● Routing & Load Balancing
● Quota Management
● Dynamic Storage
● CI/CD Pipelines
● Image Build Automation
● Infrastructure Visibility
● Role-based Authorization
● Container Isolation
● Ease of Use
● Vulnerability Scanning
● Capacity Management
● Infrastructure Agnosticity


(Diagram: the OpenShift stack, layers from top to bottom)

● ANY OCI COMPLIANT CONTAINER
● ENTERPRISE CAPABILITIES + a wide range of value added products
● CONTAINER ORCHESTRATION AND MANAGEMENT
● ENTERPRISE CONTAINER HOST
● ANY INFRASTRUCTURE: Laptop, Datacenter, OpenStack, Microsoft Azure, Amazon Web Services, Google Cloud


OPENSHIFT IS THE BEST CHOICE FOR KUBERNETES

CUSTOMERS: 1000+ customers and the largest amount of reference customers running in production. Years of experience running OpenShift Online and OpenShift Dedicated services.

CODE: Red Hat is the leading Kubernetes developer and contributor with Google since day 1. We make container development easy, reliable, and more secure.

CLOUD: Strong partnerships with cloud providers, ISVs, CCSPs, (G)SIs. Extensive catalog of certified partner images.

COMPREHENSIVE: Comprehensive portfolio of container products and services for the enterprise, including developer tools, container security, application services, storage, and management.


FROM COMMUNITIES TO ENTERPRISE



RED HAT CONTRIBUTIONS TO KUBERNETES
Operators Framework | ClusterRole Aggregation |
RBAC Authorization | StatefulSets | Init Containers |
Rolling Update Status | Pod Security Policy Limits |
Memory based Pod Eviction | Quota Controlled Services |
1,000+ Nodes | Dynamic PV Provisioning | Multiple
Schedulers | SECCOMP | Audit | Job Scheduler | Access
Review API | Whitelisting Sysctls | Secure Cluster Policy |
Evict Pods Disk IO | Storage Classes | Azure Data Disk |
etcdv3 | RBAC API | Auth to kubelet API | Pod-level
cGroups QoS | Kubelet Eviction Model | RBAC | Storage
Class | CustomResourceDefinitions | API Aggregation |
Encrypted secrets in etcd | Limit Node Access | HPA
Status Conditions | Network Policy | CRI Validation Test
Suite | Local Persistent Storage | Audit Logging |


VALUE PROPOSITIONS OF A RED HAT SUBSCRIPTION

1. Stable open source technology, organized and optimized for enterprise use
2. Security and accountability from a trusted advisor
3. Knowledge and influence in open source communities to pursue innovation and
development
4. Access to world-class technical support, documentation, and tools
5. Flexibility for your plans with compatible, vendor-agnostic solutions, and longer
life cycles
6. Partnership with Red Hat from proof of concept (POC) to deployment and beyond
7. Broad ecosystem of partners: original equipment manufacturers (OEM), channel,
hardware, software, and cloud certification (CCSP) (and more)
8. Red Hat product certification provides the assurance that your third-party
solutions are tested specifically on the Red Hat platform.



Trusted enterprise Kubernetes
● Trusted Host, Content, Platform
● Full Stack Automated Install
● Over the Air Updates & Day 2 Mgt

A cloud-like experience, everywhere


● Hybrid, Multi-Cluster Management
● Operator Framework
● Operator Hub & Certified ISVs

Empowering developers to innovate


● OpenShift Service Mesh (Istio)
● OpenShift Serverless (Knative)
● CodeReady Workspaces (Che)


try.openshift.com
FULL STACK AUTOMATED INSTALL

(Diagram: OPENSHIFT 3 and OPENSHIFT 4 shown side by side as the layers OPENSHIFT PLATFORM, OPERATING SYSTEM and INFRASTRUCTURE.)


RHEL COREOS

● Minimal Linux distribution
● Optimized for running containers
● Decreased attack surface
● Over-the-air automated updates
● Immutable foundation for OpenShift clusters
● Ignition-based Metal and Cloud host configuration


INSTALLER PROVISIONED INFRASTRUCTURE (IPI)
Day 1: OpenShift install - Day 2: Operators

(Diagram: openshift-install creates the Red Hat OpenShift Container Platform cluster and its cluster services; the Control Plane and Worker Nodes both run Red Hat Enterprise Linux CoreOS on cloud resources; a legend distinguishes user managed from installer/operator managed components.)


USER PROVISIONED INFRASTRUCTURE (UPI)
Day 1: OpenShift install - Day 2: Operators + Customer Managed Nodes & Infra

(Diagram: openshift-install creates the Red Hat OpenShift Container Platform cluster and its cluster services; the Control Plane runs Red Hat Enterprise Linux CoreOS, the Worker Nodes run Red Hat Enterprise Linux / RHEL CoreOS, and the nodes and cloud resources are customer deployed; a legend distinguishes user managed from installer/operator managed components.)


USING KUBERNETES TO PROVISION KUBERNETES CLUSTERS
KUBERNETES MACHINE API OPERATOR



OVER-THE-AIR UPDATES

● OpenShift retrieves list of available updates
● Admin selects the target version
● OpenShift is updated over the air
● Auto-update support


PROVIDER ROADMAP FOR RED HAT OPENSHIFT 4

(Table: releases 4.1, 4.2 and 4.3* against Installer Provisioned Infrastructure (IPI) and User Provisioned Infrastructure (UPI). Providers appear as logos in the original; Baremetal is the only one preserved as text, next to 4.1 and 4.3*.)

* TBD


AUTOMATED CONTAINER OPERATIONS

Fully automated day-1 and day-2 operations

AUTOMATED OPERATIONS
● INSTALL: Infra provisioning; Embedded OS
● DEPLOY: Full-stack deployment; On-premises and cloud; Unified experience
● HARDEN: Secure defaults; Network isolation; Audit and logs; Signing and policies; Vulnerability scanning
● OPERATE: Multi-cluster aware; Monitoring and alerts; Full-stack patch & upgrade; Zero downtime upgrades


BROAD ECOSYSTEM OF WORKLOADS

CRI-O Support in OpenShift

CRI-O tracks Kubernetes releases and carries identical version numbers, simplifying support permutations:

● CRI-O 1.12 - Kubernetes 1.12 - OpenShift 4.0
● CRI-O 1.13 - Kubernetes 1.13 - OpenShift 4.1
● CRI-O 1.14 - Kubernetes 1.14 - OpenShift 4.2
UNIFIED HYBRID CLOUD

● cloud.redhat.com
● Multi-cluster management
○ New clusters on AWS, Azure, Google, vSphere, OpenStack, and bare metal
○ Register existing clusters
○ Including OpenShift Dedicated
● Management operations
○ Install new clusters
○ View all registered clusters
○ Update clusters

(Screenshot of cloud.redhat.com listing clusters on AWS, Google, Azure and On-Prem.)


OPERATOR FRAMEWORK

Operators codify operational knowledge and workflows to automate life cycle management of containerized applications with Kubernetes.

Framework components: SDK, LIFE CYCLE MANAGEMENT, METERING


KUBERNETES OPERATOR FRAMEWORK

AN INNOVATIVE, MORE EFFICIENT WAY TO MANAGE CONTAINERIZED APPLICATIONS AT SCALE

AUTOMATED LIFECYCLE MANAGEMENT: Installation, Upgrade, Failure recovery, Backup, Tuning, Metrics & insights

Operators codify operational knowledge and workflows to automate lifecycle management of containerized applications with Kubernetes.


OPERATORHUB IN OPENSHIFT 4

For Cluster Admins:
● Discovery/install/upgrade of Operators
● Community, Red Hat products, Certified ISVs
● Granular access via specific Projects

For Developers:
● Developers can’t see admin screens
● Operator capabilities are exposed in Catalog
● Self-service management


THE INDUSTRY IS ALIGNING BEHIND THE
KUBERNETES OPERATOR FRAMEWORK

60+ Certified ISV Operators in Red Hat Early Access Program



OPERATOR CERTIFICATION FUNNEL

Contribution paths:
● White glove experience: ISV account managers (top 25 ISVs); priority backlog for white glove
● Aided contribution (long tail of ISVs)
● Organic contribution (review only)

Funnel stages:
● OperatorHub.io - COMMUNITY: light automated testing
● OperatorHub in OpenShift - COMMUNITY: installs correctly on OCP
● Certified in OpenShift - CERTIFIED: validated, supported, high quality

Direct to certification when it makes sense (eg. OCP only solution)


OPERATOR CERTIFICATION

Customer Benefits
● Enabling desired customer workloads
● Support from the experts: the ISVs
● First line of support from Red Hat
● Testing to ensure quality and verified to install on OpenShift
● Services released on partner schedule
● Container updates through CFC

ISV Benefits
● Access to our enterprise install base
● Out-of-the-box experience
● Use OCP for their hybrid story
● Consistent foundation to build and support for their apps
● SaaS-like experience with a partner that won’t compete with them


OpenShift Service Mesh (GA Summer 2019 on OCP 4.1)
"A dedicated network for service-to-service communications"

Customer Benefits
● Reduced need for developers to have operational knowledge
● Service observability and discovery with distributed tracing
● Enable transparent policy-driven security
● From routing rules to chaos engineering
● Powerful visualization & monitoring


DISTRIBUTED ARCHITECTURE

(Diagram: a 3x3 grid of Service boxes.)


MICROSERVICES EVOLUTION

(Diagram: ...2014, each Service carries its own Tracing, Circuit Breaker, Routing, Svc Discovery and Config; 2019, those concerns are provided by the Container Platform (+ Service Mesh).)


SIDECARS

● Two or more containers deployed to the same pod
● Share
○ Same
■ Namespace
■ Pod IP
○ Shared lifecycle
● Used to enhance the co-located containers
● Istio Proxy (L7 Proxy)
○ Proxy all network traffic in and out of the app container

(Diagram: a POD containing SERVICE A and an Istio Proxy container.)

Source: http://blog.kubernetes.io/2015/06/the-distributed-system-toolkit-patterns.html


SERVICE MESH ARCHITECTURE

(Diagram: control plane components Jaeger, Pilot, Mixer and Auth above a row of PODs, each holding a SERVICE and an ENVOY sidecar.)

Envoy applies security, route rules, policies and reports traffic telemetry at the pod level.


OPENSHIFT SERVICE MESH ECOSYSTEM

● Istio: Connect, Secure, Control
● Jaeger: Observe
● Prometheus: Observe
● Kiali, Grafana
CANARY DEPLOYMENT WITH SERVICE MESH

(Diagram: SERVICE A calls SERVICE B through the ENVOY sidecars; requests from a "boston employee" are routed to SERVICE B:v2, requests from everyone else to SERVICE B:v1.)


A/B DEPLOYMENT WITH SERVICE MESH

(Diagram: SERVICE A calls SERVICE B through the ENVOY sidecars; 50% of the traffic is routed to SERVICE B:v1 and 50% to SERVICE B:v2.)


DARK LAUNCHES WITH SERVICE MESH

(Diagram: SERVICE A calls SERVICE B through the ENVOY sidecars; 100% of the traffic is served by SERVICE B:v1 while the ENVOY mirrors the traffic to SERVICE B:v2.)
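The three routing patterns on the preceding slides (canary by request attribute, A/B weighted split, dark launch by mirroring) written as Istio configuration. This is an added example, not from the deck or the OpenShift Service Mesh product; the service name service-b, the version labels and the x-user-group header are assumptions.

```yaml
# Added example: Istio routing for canary, A/B and dark launch.
# Assumes a Kubernetes Service "service-b" whose pods carry the labels
# version=v1 and version=v2 (both assumed for this example).
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: service-b
spec:
  host: service-b
  subsets:
  - name: v1
    labels: {version: v1}
  - name: v2
    labels: {version: v2}
---
# Canary and A/B in one VirtualService; rules are evaluated top to bottom.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-b
spec:
  hosts:
  - service-b
  http:
  # Canary: only requests carrying the (assumed) group header reach v2.
  # Set or strip this header at the ingress gateway so that external callers
  # cannot choose the canary for themselves.
  - match:
    - headers:
        x-user-group:
          exact: boston-employee
    route:
    - destination: {host: service-b, subset: v2}
  # A/B: everyone else is split 50/50 between v1 and v2 (weights sum to 100).
  - route:
    - destination: {host: service-b, subset: v1}
      weight: 50
    - destination: {host: service-b, subset: v2}
      weight: 50
---
# Dark launch: an alternative VirtualService for the same host (apply this
# instead of the one above, never both). All live traffic goes to v1; Envoy
# sends a copy of each request to v2 and discards v2's response, so v2 must
# not produce externally visible side effects (writes, emails, payments).
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-b-dark-launch
spec:
  hosts:
  - service-b
  http:
  - route:
    - destination: {host: service-b, subset: v1}
      weight: 100
    mirror:
      host: service-b
      subset: v2
```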



OpenShift Serverless (Tech Preview 4.2)
"Serverless building blocks for any container workload"

Customer Benefits
● Familiar to Kubernetes users. Native.
● Scale to 0 and autoscale to N based on demand
● Applications and functions. Any container workload.
● Powerful eventing model with multiple event sources.
● No vendor lock-in


How does it work?

Event fires -> Your code runs

Event -> Function f( ) -> (µ)Service

    function main() {
      return {payload: 'Hello world'};
    }


Knative Overview - Components

"...an extension to Kubernetes exposing building blocks to build modern, source-centric, and container-based applications that can run anywhere".

● Build: A pluggable model for building artifacts, like jar files, zips or containers from source code.
● Serving: An event-driven model that serves the container with your application and can "scale to zero".
● Events: Common infrastructure for consuming and producing events that will stimulate applications.
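The Serving behaviour described above ("scale to zero", autoscale up to N on demand) as a Knative Service manifest. This is an added example, not from the deck or the OpenShift Serverless product; the service name, namespace, image reference and the chosen scale bounds are assumptions.

```yaml
# Added example: a Knative Service that idles at zero replicas and is capped
# under load. Names, namespace and image are placeholders for this example.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: hello
  namespace: demo
spec:
  template:
    metadata:
      annotations:
        # Scale to zero when idle (Knative's default; stated here explicitly).
        autoscaling.knative.dev/minScale: "0"
        # Autoscale to N: an upper bound keeps a traffic spike, accidental or
        # hostile, from fanning out without limit and consuming the cluster.
        autoscaling.knative.dev/maxScale: "10"
        # Concurrent requests per replica the autoscaler aims for.
        autoscaling.knative.dev/target: "50"
    spec:
      # Hard limit of in-flight requests one replica will accept.
      containerConcurrency: 100
      containers:
      - image: image-registry.openshift-image-registry.svc:5000/demo/hello:latest  # placeholder
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 500m
            memory: 128Mi
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
```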



Common use cases…

● Processing web hooks
● Scheduled tasks (a la cron)
● Data transformation
● Mobile image manipulation (compression, conversion, and so on)
● Voice packet to JSON transformation (Alexa, Cortana, and so on)
● Mobile video analysis (frame-grabbing)
● PDF generation
● Mobile/MBaaS /single-page apps
● Chat bots

(Diagram: event sources Web, Mobile, IoT and DevOps Automation feeding a function f( ). Focus on convenience and business value, no distractions.)


When not to use serverless

● Real-time, ultra-low latency applications
● Long running tasks that can't be split into steps
● Advanced or complex observability and monitoring requirements
● Memory or CPU requirements are very demanding and specific
● Can't deal with cold-start...


CODEREADY WORKSPACES

● Browser-based Web IDE + Dev Environment in pods
● Red Hat supported Eclipse Che
● Bundled with OCP/OSD SKU
● Available on OCP and OSD
● Enabled via an operator
● RHEL 8-based stacks (tools and runtimes)

https://www.youtube.com/watch?v=VwKEVeDy9TA


2019 Roadmap

Columns: Q2 CY2019 OpenShift 4.1 | Q3 CY2019 OpenShift 4.2 | Q4 CY19/Q1 CY20 OpenShift 4.3

DEV
● OpenShift 4.1: OpenShift Serverless (Knative) - DP; OpenShift Pipelines (Tekton) Dev Preview; CodeReady Workspaces; Developer CLI (odo) Beta
● OpenShift 4.2: Developer Console GA; OpenShift Serverless (Knative) - TP; OpenShift Pipelines (Tekton) Tech Preview; Developer CLI (odo) GA
● OpenShift 4.3: OpenShift Serverless (Knative) - GA; OpenShift Pipelines (Tekton) GA; Metering for Services
● Other items in this row: CodeReady Containers Alpha, then CodeReady Containers GA; Windows Containers

APP
● OpenShift 4.1: OperatorHub; Operator Lifecycle Manager; Service Mesh (~2 month after)
● Later releases: GPU metering; OperatorHub Enhancements; Operator Deployment Field Forms; Application Binding with Operators; Application Migration Console

PLATFORM
● OpenShift 4.1: Kubernetes 1.13 with CRI-O runtime; RHEL CoreOS, RHEL7; Automated Installer for AWS; Pre-existing Infra Installer for Bare Metal, VMware, AWS
● OpenShift 4.2: Kubernetes 1.14 w/ CRI-O runtime; Disconnected Install and Update; Automated Installer for Azure, OSP, GCP; OVN Tech Preview
● OpenShift 4.3: Kubernetes 1.15 w/ CRI-O runtime; Automated Installer for IBM Cloud, Alibaba, RHV, Bare Metal Hardware Appliance; Pre-existing Infra Installer for Azure, OSP, GCP; OVN GA w/ Windows Networking
● Other items in this row: Automated, one-click updates; FIPS Integration; Multus (Kubernetes multi-network); Federation Workload API; Quay v3; Automated App cert rotation; OpenShift Container Storage 4.2

HOSTED
● cloud.redhat.com - Multi-Cluster Mgmt; OCP Cluster Subscription Management; cloud.redhat.com - Multi-Cluster; cloud.redhat.com - Subscription Mgmt; Azure Red Hat OpenShift; OpenShift Dedicated consumption pricing; Deployment Consumption Improvements; Proactive Support Operator
June 2019
Open ‘19 Public Sector

Thank you

linkedin.com/company/red-hat facebook.com/redhatinc

youtube.com/user/RedHatVideos twitter.com/RedHat
