Overview

Red Hat OpenShift Dedicated provides managed, single-tenant OpenShift environments on the public cloud. Installed and managed by Red Hat, these clusters can provide additional resources as needed, use Red Hat JBoss® Middleware and partner services, integrate with an existing authentication system, and connect to a private datacenter.

Red Hat OpenShift Dedicated is a hosted service that provides developers and IT organizations with a cloud application platform for deploying new applications on secure, scalable resources with minimal configuration and management overhead. OpenShift Dedicated supports a wide selection of programming languages and frameworks, such as Java, Ruby, and PHP.

See https://www.openshift.com/dedicated for more information.

About This Update

Cluster upgrades to a new update of OpenShift Dedicated are scheduled to begin soon, per recent Red Hat communications; customers can check the OpenShift Dedicated Status page for their scheduled upgrade date. This topic has been updated to reflect the upcoming new features and changes.

The latest update of Red Hat OpenShift Dedicated uses Red Hat OpenShift Container Platform version 3.9, which is based on OpenShift Origin 3.9. New features, changes, bug fixes, and known issues that pertain to the latest updates of OpenShift Dedicated are included in this topic.

New Features and Enhancements

Dedicated Administrator Updates

Service Accounts

A reserved project called dedicated-admin will be created and maintained on each cluster. Any service account created within this project will have dedicated-admin permissions by default. Only dedicated-admin users will be able to manage service accounts within this project.

Oauthclientauthorizations

dedicated-admin users are now able to list and delete oauthclientauthorizations.

Scheduler statistics

dedicated-admin users can now access scheduler statistics for each node by using the oc describe node command.

Security

Documented Private and Public Key Configurations and Crypto Levels

While OpenShift Dedicated is a secured-by-default implementation of Kubernetes, there is now documentation on what security protocols and ciphers are used.

OpenShift Dedicated leverages Transport Layer Security (TLS) cipher suites, JSON Web Algorithms (JWA) crypto algorithms, and offers external libraries such as The Generic Security Service Application Program Interface (GSSAPI) and libgpgme.

Private and public key configurations and Crypto levels are now documented for OpenShift Dedicated.

Node Authorizer and Node Restriction Admission Plug-in

Pods can no longer try to gain information from secrets, configuration maps, PV, PVC, or API objects from other nodes.

Node authorizer governs what APIs a kubelet can perform. Spanning read-, write-, and auth-related operations. In order for the admission controller to know the identity of the node to enforce the rules, nodes are provisioned with credentials that identify them with the user name system:node:<nodename> and group system:nodes.

Networking

Support Our Own HAProxy RPM for Consumption by the Router

Route configuration changes and process upgrades performed under heaving load have typically required a stop and start sequence of certain services, causing temporary outages.

In OpenShift Dedicated, HAProxy 1.8 sees no difference between updates and upgrades; a new process is used with a new configuration, and the listening socket’s file descriptor is transferred from the old to the new process so the connection is never closed. The change is seamless, and enables our ability to do things, like HTTP/2, in the future.

Network Policy

Network Policy is now fully supported in OpenShift Dedicated using 3.9.

Network Policy is an optional plug-in specification of how selections of pods are allowed to communicate with each other and other network endpoints. It provides fine-grained network namespace isolation using labels and port specifications.

NetworkPolicies can be created that define what traffic to allow to specified projects and pods.

The allow-to-red policy example below specifies "all red pods in namespace project-a allow traffic from any pods in any namespace." This does not apply to the red pod in namespace project-b because podSelector only applies to the namespace in which it was applied.

Policy applied to project
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-to-red
spec:
  podSelector:
    matchLabels:
      type: red
  ingress:
  - {}

See Managing Networking for more information.

HSTS Policy Support

HTTP Strict Transport Security (HSTS) ensures all communication between the server and client is encrypted and that all sent and received responses are delivered to and received from the authenticated server.

An HSTS policy is provided to the client via an HTTPS header (HSTS headers over HTTP are ignored) using an haproxy.router.openshift.io/hsts_header annotation to the route. When the Strict-Transport-Security response in the header is received by a client, it observes the policy until it is updated by another response from the host, or it times-out (max-age=0).

Example using reencrypt route:

  1. Create the pod/svc/route:

    $ oc create -f https://example.com/test.yaml
  2. Set the Strict-Transport-Security header:

    $ oc annotate route serving-cert haproxy.router.openshift.io/hsts_header="max-age=300;includeSubDomains;preload"
  3. Access the route using https:

    $ curl --head https://$route -k
    
       ...
       Strict-Transport-Security: max-age=300;includeSubDomains;preload
       ...

Master

StatefulSets, DaemonSets, and Deployments Now Supported

In OpenShift Dedicated, statefulsets, daemonsets, and deployments are now stable, supported, and out of Technology Preview.

Add Support for Deployments to oc status

The oc status command provides an overview of the current project. This provides similar output for upstream deployments as can be seen for downstream DeploymentConfigs, with a nested deployment set:

$ oc status
In project My Project (myproject) on server https://127.0.0.1:8443

svc/ruby-deploy - 172.30.174.234:8080
  deployment/ruby-deploy deploys istag/ruby-deploy:latest <-
    bc/ruby-deploy source builds https://github.com/sclorg/ruby-ex.git on istag/ruby-22-centos7:latest
      build #1 failed 5 hours ago - bbb6701: Merge pull request #18 from durandom/master (Joe User <joeuser@users.noreply.github.com>)
    deployment #2 running for 4 hours - 0/1 pods (warning: 53 restarts)
    deployment #1 deployed 5 hours ago

Compare this to the output from OpenShift Dedicated 3.7:

$ oc status
In project dc-test on server https://127.0.0.1:8443

svc/ruby-deploy - 172.30.231.16:8080
  pod/ruby-deploy-5c7cc559cc-pvq9l runs test

Developer Experience

Jenkins Memory Usage Improvements

Previously, Jenkins worker pods would often consume too much or too little memory. Now, a startup script intelligently looks at pod limits, and environment variables are appropriately set to ensure limits are respected for spawned JVMs.

Template Instantiation API

Clients can now easily invoke a server API instead of relying on client logic.

See Template Instantiation for more information.

Chaining Builds

In OpenShift Dedicated on 3.9, Chaining Builds is a better approach for producing runtime-only application images, and fully replaces the Extended Builds feature.

Benefits of Chaining Builds include:

  • Supported by both Docker and Source-to-Image (S2I) build strategies, as well as combinations of the two, compared with S2I strategy only for Extended Builds.

  • No need to create and manage a new assemble-runtime script.

  • Easy to layer application components into any thin runtime-specific image.

  • Can build the application artifacts image anywhere.

  • Better separation of concerns between the step that produces the application artifacts and the step that puts them into an application image.

Web Console

Initial Experience

OpenShift Dedicated on 3.9 provides a better initial user experience with the Service Catalog. This includes:

  • A task-focused interface

  • Key call-outs

  • Unified search

  • Streamlined navigation

The new user interface is designed to really streamline the getting started process, in addition to incorporating the new Service Catalog items. These Service Catalog items are not yet available in OpenShift Dedicated.

Catalog from within Project View

Quickly get to the catalog from within a project by clicking Catalog in the left navigation.

Catalog tab

Quickly Search the Catalog from within Project View

To quickly find services from within project view, type in your search criteria.

Search the catalog

Select Preferred Home Page

You can now jump straight to certain pages after login. Access the menu from the account dropdown, choose your option, then log out, then log back in.