Professional Documents
Culture Documents
01 OpenShift
01 OpenShift
GENERAL DISTRIBUTION
… so you want to do
containers and Kubernetes?
GENERAL DISTRIBUTION
But Why?
GENERAL DISTRIBUTION
"THE ONLY SUSTAINABLE ADVANTAGE YOU CAN HAVE
OVER OTHERS IS AGILITY, THAT’S IT.
BECAUSE NOTHING ELSE IS SUSTAINABLE."
-Jeff Bezos, Founder Amazon
SOFTWARE DEVELOPMENT IS CHANGING
7
2017 State of DevOps Report https://puppet.com/system/files/2017-09/2017-state-of-devops-report-puppet-dora.pdf
What are containers?
GENERAL DISTRIBUTION
WHAT ARE CONTAINERS?
It Depends Who You Ask
INFRASTRUCTURE APPLICATIONS
– kernel namespaces
– SELinux, sVirt, iptables
– Docker
VIRTUAL MACHINES AND CONTAINERS
Hypervisor Hypervisor
Hardware Hardware
Application Application
Clear ownership boundary Dev
IT Ops OS dependencies between Dev and IT Ops OS dependencies
(and Dev, sort of)
drives DevOps adoption
Operating System and fosters agility Container Host
IT Ops
Infrastructure Infrastructure
VM VM 10 per
APP APP
Server CONTAINER CONTAINER 100 per
LIBS LIBS
Server
GUEST OS GUEST OS
APP APP
HYPERVISOR LIBS LIBS
HOST OS HOST OS
SERVER SERVER
GENERAL DISTRIBUTION
WHAT IS KUBERNETES?
17
WHY DO CONTAINERS NEED KUBERNETES?
GENERAL DISTRIBUTION
KUBERNETES IS THE CONTAINER
ORCHESTRATION STANDARD
3 YEARS AGO TODAY
Fragmented landscape Kubernetes consolidation
Red Hat bet early on Kubernetes. It has now become the dominant orchestration ecosystem
GENERAL DISTRIBUTION
OPENSHIFT CONCEPTS
OVERVIEW
A container is the smallest compute unit
CONTAINER
CONTAINER
CONTAINER
IMAGE
BINARY RUNTIME
IMAGE REGISTRY
CONTAINER
IMAGE REGISTRY
myregistry/frontend myregistry/mongo
frontend:latest mongo:latest
frontend:2.0 mongo:3.7
frontend:1.1 CONTAINER mongo:3.6 CONTAINER
frontend:1.0 IMAGE
mongo:3.4 IMAGE
POD POD
DEPLOYMENT
role: backend
Invoke
Backend API BACKEND SERVICE
172.30.170.110
role: backend
ROUTE
app-prod.mycompany.com
> curl http://app-prod.mycompany.com
BACKEND SERVICE
Container
C Cc
Image
C C C
C C C C
Pod C
● Hardware or virtualized
C C
c
C C C
C C C C
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
API/AUTHENTICATION
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
API/AUTHENTICATION
DATA STORE
RHEL RHEL RHEL
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
PHYSICAL
PHYSICAL
VIRTUALVIRTUAL
PRIVATEPRIVATEPUBLIC PUBLICHYBRID HYBRID
API/AUTHENTICATION
DATA STORE
RHEL RHEL RHEL
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
When new image pushed to registry, registry notifies OpenShift and passes
along image information including:
■ Namespace
■ Name
■ Image metadata
Various OpenShift components react to new image by creating new builds and
deployments
API/AUTHENTICATION
DATA STORE
RHEL RHEL RHEL
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
C C
DATA STORE
RHEL RHEL RHEL
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
C C
DATA STORE
RHEL RHEL RHEL
HEALTH/SCALING
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
SERVICE LAYER
C C C
DATA STORE
RHEL RHEL RHEL
HEALTH/SCALING C C C C
C
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
SERVICE LAYER
C C C
DATA STORE
RHEL RHEL RHEL
HEALTH/SCALING C C C C
C
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
SERVICE LAYER
C C C
DATA STORE
RHEL RHEL RHEL
HEALTH/SCALING C C C C
C
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
SERVICE LAYER
C C C
CI/CD DATA STORE
RHEL RHEL RHEL
EXISTING C C C C
HEALTH/SCALING
AUTOMATION
TOOLSETS
C
RED HAT
ENTERPRISE LINUX
RHEL RHEL RHEL
ENTERPRISE LOAD-BALANCER
Application
Dev and Ops Traffic
User
GENERAL DISTRIBUTION
= +
made easy
= +
made easy
= +
made easy
● Docker, Red Hat et al. June 2015
● Two specifications
○ Image format
■ How to package an OCI Image with sufficient information to launch
the application on the target platform
○ Runtime
■ How to launch a “filesystem bundle” that is unpacked on disk
● Version 1.0 of each released July 19th 2017
● Distribution spec started in April, 2018.
65
Red Hat Development Model CONFIDENTIAL Customer facing
66
How Do We Deliver OpenShift? CONFIDENTIAL Customer facing
CONTAINER PLATFORM
DEDICATED
67
OPENSHIFT CONTAINER PLATFORM
ANY
CONTAINER
ANY
Laptop Datacenter OpenStack Amazon Web Services Microsoft Azure Google Cloud
INFRASTRUCTURE
Ops: Dev:
● Software Defined Network ● Automatically Triggered Deployments (CICD)
● Persistent Storage ● Integrated Customizable Pipelines (CICD)
● Container Native Storage (CNS / SDS) ● Build and Deployment Configurations
● Log Aggregation and Analysis ● Weighted AB Testing
● Monitoring | Telemetry ● Stateful Workloads (Storage, StatefulSets)
● Capacity Management ● Workload Containerization
● Egress Routing for Enterprise integration ● Self-service
● Router Sharding ● User Experience
● Full Stack Support ● ...
● System Certifications and Patching
● ...
Security:
● Container Security and Isolation (SELinux, etc) ● Secured Registries
● Multi-tenancy ● Automated Deployment Patching
● ...
71
THE POWER OF THE OPENSHIFT ECOSYSTEM
GENERAL DISTRIBUTION
Developers want
to be productive and
have choice
Choice of architectures
Choice of programming languages
Choice of databases
Choice of application services
Choice of development tools
Choice of build and deploy workflows
GENERAL DISTRIBUTION
Photo: rawpixel on Unsplash
HOW OPENSHIFT ENABLES
DEVELOPER PRODUCTIVITY
BUILD TEST DEPLOY
LINUX WINDOWS*
* coming soon
GENERAL DISTRIBUTION
IT Operations needs
secure, efficient and
controlled processes
Automated* provisioning
Automated installations
Automated security scanning
Automated upgrades
Automated backups
GENERAL DISTRIBUTION
AUTOMATED CONTAINER OPERATIONS
Fully automated day-1 and day-2 operations
AUTOMATED OPERATIONS
Infra provisioning Full-stack deployment Secure defaults Multi-cluster aware
Vulnerability scanning
GENERAL DISTRIBUTION
Community vs. Enterprise - Security Example
Dec 2018 - Critical (9.8 of 10) Kubernetes Security Vulnerability CVE-2018-1002105,
⬤
Certifications Common Criteria certifications ◯ ◯
RHEL and RHEL Core OS
OCP vs DIY Kubernetes
Security
Containers wrapped in SELinux custom contexts via MCS ⬤ ◑ ◯
Full SELinux container security
Much stronger than the basic namespace protection
⬤ ◑ ◯
Single Sign-On support (OAuth, SAML) ⬤ ◑ ◯
SLA, defect escalation, end-of-life policy management ⬤ ◯ ◯
Support portal ⬤ ◯ ◯
Production support ⬤ ◯ ◯
Support
Product developers provide support ⬤ ◯ ◯
Ability to file request for enhancements ⬤ ◯ ◯
Access to project leads (Clayton Coleman, Jeremy Eder, etc) ⬤ ◯ ◯
OCP vs DIY Kubernetes
Multi-tenant experience ⬤ ◑ ◯
Graphical experience ⬤ ◑ ◯
Developer Innovation Labs quick start/support ⬤ ◯ ◯
productivity
Influence product roadmap (RFE submissions) ⬤ ◯ ◯
Access to project leads ⬤ ◯ ◯
CI/CD integration - support for Jenkins, Git and most other
industry standards
⬤ ◑ ◯
*OpenShift’s container image registry is much more feature-rich and capable than the base registry provided as part of Docker containers
OCP vs DIY Kubernetes
hardening
Security fixes
100s of defect and performance fixes
200+ validated integrations
Middleware integrations
(container images, storage, networking, cloud services, etc)
9 year enterprise lifecycle management
Certified Kubernetes
GENERAL DISTRIBUTION
Why Red Hat?
GENERAL DISTRIBUTION
Red Hat Confidential. NDA Required.
4 years+
4 years+
2 years+
~2 years
~2 years
~2 years
<2 years
<2 years
<2 years
v1.0
v1.1
v1.2
v1.3
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
v1.10
v1.11
v1.12
v1.13
v1.14
88
Kubernetes versions
KUBERNETES SIGs & WGs- ENGINEERING LEADERSHIP 21 of 43
CONFIDENTIAL Customer facing
API AUTO
APPS ARCHITECTURE AUTH AWS
MACHINERY SCALING
CONTRIBUTOR
DOCS GCP IBM CLOUD INSTRUMENTATION MULTICLUSTER NETWORK
EXPERIENCE
PRODUCT
NODE OPENSTACK RELEASE SCALABILITY SCHEDULING
MANAGEMENT
SERVICE
STORAGE TESTING UI VMware WINDOWS
CATALOG
GENERAL DISTRIBUTION
LEARN.OPENSHIFT.COM
GENERAL DISTRIBUTION
RED HAT SERVICES FOR OPENSHIFT ADOPTION
RED HAT OPEN INNOVATION LABS RED HAT CONTAINER ADOPTION PROGRAM
TO SHOW YOUR TEAMS HOW OPENSHIFT AND MODERN TO BEGIN A COMPREHENSIVE PROGRAM (INCLUDING OPEN
DEVELOPMENT PRACTICES CAN DRIVE INNOVATION: START INNOVATION LABS): START WITH THE 12-WEEK RED HAT
WITH A 4- TO 12-WEEK LABS RESIDENCY CONSULTING CONTAINER PLATFORM PILOT
GENERAL DISTRIBUTION
CONTAINER ADOPTION PROGRAM
Red Hat
Open Innovation Labs Cloud Native Mentoring
(offsite)
[1] The Total Economic Impact of Red Hat Consulting’s Container Adoption GENERAL DISTRIBUTION
Program and Open Innovation Labs, Forrester, 2018.
THANK YOU
GENERAL DISTRIBUTION