Description
Deep dive session on What’s New in OpenShift 3.9 with Red Hat’s OpenShift Product Management team
A
B
Everybody, and welcome to another OpenShift Palooza briefing. Today we're going to hear from two of my favorite members of the OpenShift product management team, Mark Curry and Steve Pfeiffer, on what's new in Red Hat's OpenShift Container Platform 3.9. We heard last week from Char. He did a wonderful deep dive on storage, and so there'll be another video and a set of slides up shortly.
A
C
All right, let's get started. So we talk about OpenShift. We talked about how it's an enterprise Kubernetes. So when we talk about that, we kind of build it up from kind of the layers of the platform itself, and so we'll go through this presentation actually submit from the top down, and so we'll talk about some of the services that run on the platform.
C
Some of the self-service capabilities, the web console, some developer experience aspects, and then we'll get into some aspects of the container and orchestration cluster management pieces, which are Mark's areas of expertise. And then we have in the presentation material, at the end, some of the things we've pushed out just due to sort of the time constraints. There's just too many good things to talk about in such a short period of time.
C
C
Of course, but one of the things you may notice is that we don't have a 3.8 release on this picture. One of the reasons for that is we decided to jump ahead and bundle Kubernetes 1.8 and 1.9 in a single 3.9 offering. So when you do the 3.9 upgrade, it will just silently do the Kube 1.8 upgrade under the covers and then move you up to the 1.9-based platform, and that allowed us to kind of sync up with the Kubernetes releases.
C
So that was, at a high level, the roadmap and the schedules for the releases. We look at the sort of core release names of OpenShift Container Platform 3.9. You look at sort of the extensibility of the application platform itself. So one of the things that we expanded on: in 3.7 we first released the Service Catalog and a new user experience. We're expanding on that with different capabilities, as far as the Ansible playbook bundles for the various databases, bundling in some additional content with SEO. We'll get to that.
C
So Red Hat Decision Manager, now available, has been sort of rebuilt or architected with containers in mind and OpenShift as a platform. It provides a high-performance rules engine based on Drools 7, the popular community project in this area, and then additional capabilities around the rules editor itself, some decision tables, web-based rule authoring and so forth, and then some additional capability around those rules, around the management repository for those rules, and some built-in governance to help you control both who is updating those rules and using them for what, so rules for your rules,
C
If you will. And another exciting announcement: one thing we've heard is the community loves Node.js and loves running it on the platform. They would just like a more frequent or updated release cycle for the Node.js pieces themselves, so happy to announce, as part of the Red Hat OpenShift Application Runtimes, now Node.js as part of that. So you'll see some kind of dedicated tooling and boosters to help you deploy Node.js applications and get started with some specific architectures or architectural patterns of leveraging Node.js as an implementation or runtime technology.
C
A lot of updates around the OpenShift Ansible broker. So one of the things is we actually created an upstream community around the broker itself called the Automation Broker. You can see the GitHub URL there, so github.com/ansibleplaybookbundle. We added support for being able to broker behind, or get maybe the playbooks behind, an HTTP proxy.
C
So with that we've added some pretty cool experience improvements too. So now, when you're within a project, you can now get to the Service Catalog without having to jump back out, if you will, and then kind of navigate through, so easy and within context.
C
This one is the one I use a lot and really like: now I can do a quick search for whatever I want to add to the platform. So I can just type "database", like you see here in this example, and then it'll give me all the ones that are tagged as database, and then give me a quick title and also the icon for what the service is.
C
As we introduced a new interface, there's a number of power users that like to go into specific projects, or they want to see just the list of projects that they have, and so they now have the capability to set what is your preferred homepage. So when you log back in, it'll bring you back to whatever you set, whatever that preference is, and as the demonstration is showing, this is hopping back into a specific project.
C
Another key thing, especially if you're in an environment with some regulations, is inactivity timeout. So now you can set the web console to log out after a certain period of time, and so, very simple: you can set it via an Ansible variable, highlighted below. Just give it the number of minutes, and it will honor that. If you don't set it, or if you set it to zero, then it will never Messe people. But one other thing that, you know, when people are looking at running OpenShift and the web console, and not too many times
C
You hear people ask for a feature to run as a pod, but by doing it, it really gives us some great flexibility and enabled us to do a couple of different features we've been wanting to. So one, it sort of better leverages the platform itself to run and manage it, so we can have greater flexibility, but also you can now change things through a config map. So if there's certain parameters within the web console you want to change, you can now just go into that.
C
So they can coexist and use the Docker daemon for some of the build scenarios, and then making the OpenShift secrets available in sort of Jenkins jobs via Jenkins as credentials. So some very useful things there in the dev experience, build side of the house. I mentioned using mini for local development, so Minishift 1.4 comes with a lot of improvements around the whole add-on system.
C
C
A
Thank you, Steve. So go ahead and start off first here with our networking group. So the network engineering team has really focused their attention on stability, scale, performance and general robustness of the solution over anything else this release, and one of those features in particular that received attention was semi-automatic, namespace-wide egress IP. So it really
A
This feature was actually GA'd in 3.7, but it represents the first half of a larger goal of delivering automatically generated source IP addresses per project, and so this heavily requested feature from our customers is useful for many use cases, the most common being filtering of traffic at the edge of the cluster. So why am I repeating it here in our what's-new slides for 3.9? Because a great deal of work has gone into it for this release to enhance its stability,
A
Almost as if it were a gentle of the 3.7 release feature, so those that want to use it in 3.9 will have an improved user experience. They'll be using the code base that will be used in follow-on development to enhance the feature where the AJ and also eliminate the need for the admin to manually configure the project's IP. So look for this to change to automatic from semi-automatic in
A
The next thing is, in 3.9 we're supporting our own HAProxy RPM for consumption by the router. So in earlier versions of HAProxy, meaning HAProxy 1.8 or older, a route configuration change could or would necessarily cause an outage, the other just small for small clusters, but it grew with the size of deployment. So we needed to address the issue. The diagram on the right is a flow demonstrating the problem. So upon the starting up of the services, this
A
It would generate a new process with a new configuration, and then what it tried to do is bind to all its ports, and if this is a brand new instance starting up, it would generally succeed. But if this was, say, for example, an upgrade or an update, it likely would fail, the reason being that something else had already bound to the port.
A
So during that time, there was a finite amount of time between when it was asked to release the port and when it would actually try again to bind to the port, and eventually, after trying, it would either succeed, and then it would let the old process know it could quit, or it would fail and just tell the old process to continue taking care of the incoming connections. So what we aimed to do was remove that black hole part, and so in 3.9
A
In this case, HAProxy 1.8 sees no difference between updates and upgrades. What happens instead is a new process is used with a new configuration, and the listening socket's file descriptor is transferred from the old process to the new process, almost as if it was using the duplicate command and function. So the connection is never closed, and also all the state information comes over with. So in that sense the change is seamless, there's no outage, and also this is going to enable our ability to do things in the future, like HTTP/2.
A
But the next one, so I'm transitioning now to the master group. So our master group, they do a lot of things, but they are the ones that are primarily responsible for rebasing the newest versions of Kubernetes into OpenShift, and so they have a tremendous amount of work that they do. So I'm going to hit some of the highlights of some of the things that they did for 3.9 in addition to that rebase. So the first one is, simply stated, StatefulSets,
A
DaemonSets and Deployments are now stable and supported, so they are moving from tech preview to GA in OpenShift 3.9. If you'd like additional information about what these things are or what they do, we have some links here to the upstream Kubernetes documentation that describes them in more detail.
A
The next one: central audit capabilities. So central auditing provides the ability to audit items that admins would like to either view and/or trace. So some examples of the kinds of information that they might be interested in are listed in the two bulleted sections of the slide, and this is definitely not a complete list, but they're the ones that I thought were interesting and what fit on the slide.
A
So, looking at this list, you can see the level of detail that's now possible to audit. Enabling that auditing is fairly straightforward. As you see on the right-hand side, it's a matter of configuring the auditing in the master config and then restarting the service to put it into effect. So the example provided here is a really simple one. There are definitely additional and more advanced customizations that can be specified for the level and types of
A
The master group also added support for deployments to oc status. So one of the responsibilities of the master team is the CLI, and this feature is an example of the kinds of enhancements they do to continually improve the user experience. So prior to 3.9, when executing the oc status command, it would not show nested information about deployments. An example of what that looked like is in the box in the upper right side of the slide. With 3.9
A
The next one is dynamic admission control, or follow up. So extensible admission becomes tech preview in OpenShift 3.9, and we're targeting GA of this feature in 3.10. So an admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to the persistence of the object, but after the request is authenticated and authorized. So for incoming requests, there are 2 admission phases they can go through. There's the mutation phase and the validation phase, as shown in the flow diagram.
A
A
The other phase, validation, allows inspection or validation of the resource content, and it enforces any invariants on that content. So an example of this might be inspection of image tags that might have been forced into a SHA sum. An admission controller could be written that prevents certain types of images or SHA/image-SHA combinations from running. If you'd like more information about this, one of our lead engineers, David Eads, wrote a really great blog article that's linked to here, in addition to the upstream docs link.
A
So it's really a liability thing. So feature gates enable this selectivity for each of the master components in Kubernetes, such as the API server, the controller manager, the scheduler and the API, so, I'm sorry, in the master server, so using key-value pairs in their corresponding YAML configuration to do that selectivity. So each feature should probably be individually enabled or disabled in each component,
A
Unless you really understand what exactly is using it, but probably specified in all of the different components for most users, to be on the safe side. So you would specify these configurations in all the API server, controller manager, scheduler, et cetera. So in the examples shown below we see them being configured, in this particular case, in the API server and in the kubelet.
A
So, on the one on the left, we see the CPU manager feature, which, if you're unfamiliar with it, has the capabilities of things like CPU pinning, being enabled on the API server to use its beta version, and on the one on the right, we see an example of the device plugin alpha feature being enabled on the kubelet.
A
Switching gears a bit now, we'll talk a little bit about the reference architecture implementation guides from our end-to-end provider integration group. So this group has been doing a lot of work to bring all of our reference architecture implementation guides up to the latest release, in this case to OpenShift 3.9. So the reference architecture guides won't GA right at 3.9 because they have to be QA'd against the actually released version of OpenShift 3.9, so expect them to become available approximately 4 to 6 weeks after the GA of 3.9.
A
All of the cloud provider ref archs are planned to be updated, with the only guide that's at risk right now being the Google Cloud Platform guide, but we hope that won't be the case. Also, the reference architecture for RHEV is targeting RHEV 4, but the release date for it is very close to that of the ref arch for these dates. So it may actually fall back to 4.1 and we'll have it updated later. A big change in the ref archs this time around is the deprecation of what has been unsupported glue code.
A
The glue code that I'm referring to is the ancillary scripts, the playbooks, GitHub repos, etc. that have been used in the past and were unsupported. So the plan is to move all of that glue code functionality into the provisioner code provided by the installer itself, so that we can in fact support you, and that brings us to the end of this briefing.
B
Well, that was a lot of information, so thank you both for this. We haven't had a lot of questions in the chat, but we have lots of people online. I'm wondering if anyone has a question that they'd like to ask. I think if you can post the URL, or actually I'll post the URL for these slides on the OpenShift Commons mailing list and on blog.openshift.com shortly.
B
C
Yes, so really, you can think of it as there's not really even a 3.8 there. One does exist, but the upgrader will do sort of a silent skip of it. It will upgrade first to 3.8, and then once it verifies that it's stable, it will move it to 3.9. So if you happen to end up on a 3.8 release, then that was a problem, and so it should be completely transparent to you. We've done this on a number of our test clusters.
C
We're running this on our OpenShift Online starter clusters, and we have a mix of 3.9, and we actually ran one of them with the 3.8 bits to just verify it for a week back in January, and now we have it fully running on 3.9. So yes, you might see it, but you should never see it. It should just work seven to three.
B
Yeah, he's asking the upgrade question. Yeah, cool. Are there any yet? There is another question that's just come in from Plummet: do you have examples of admission hooks used for secure deployment change, i.e. depreciating the obsolete software, verifying attributes of pala containers to check they passed QA, or other promising open source framework around?
A
Yeah, I think, you know, rather than provide all the details here, I would strongly recommend you check out David's blog. You can google for it or follow the link in the presentation, but he talks about a lot of really good examples and provides links to all sorts of additional information about enabling webhooks and the image from the process.
C
So yes, as mentioned, the deployments are coming out of tech preview, so they're GA in 3.9, and so they'll coexist in the 3.9 release, and they'll continue to coexist until we find that the deployment feature of Kubernetes meets the requirements of everything that the deployment configs did, and then we would have a migration, but for now they'll just coexist.
C
B
If not, I want to thank you both for an awesome presentation, and I will again grab the slides from you and take the video and make it available as quickly as possible, probably tomorrow, on blog.openshift.com, along with a number of the references and resources that were mentioned in this talk. So thanks again. We look forward to this next week. I think we have a Kubernetes 1.10 update scheduled with Derek Carr. So while this was focused on what's new in OCP 3.9, next week is going to talk a little bit more just generically.