10
July 2018
OCP 3.10 - The Efficient Cluster
● Resource Management
  ○ Descheduler (tech preview), CPU Manager, Ephemeral Storage, HugePages
● Resilience
  ○ Node Problem Detector, HA egress pods with DNS
● Workload Diversity
  ○ Device Manager, Windows Containers (dev preview)
● Installation Automation
  ○ TLS node bootstrapping, static pods
● Security
  ○ Etcd cipher coverage, Shared PID namespace options, more secured router
Self-Service / UX
Feature(s): OpenShift Automation (Ansible) Broker
● Enhanced error messages: when a provision request fails, the error is preserved and displayed to the end user in the web console
● Allows an APB to return custom error messages that get surfaced by the service catalog if a provisioning operation fails
● Eases troubleshooting and improves the customer experience
AWS (Amazon Web Services) Service Broker
New AWS Services:
● Lex
● Polly
● Rekognition
● SageMaker*
* Coming soon!
Self-Service / UX
How it Works:
● Indication that there are multiple routes
● Annotate the route that you'd like to be primary:
  console.alpha.openshift.io/overview-app-route: 'true'
Self-Service / UX
CDK 3.4:
● OpenShift Container Platform v3.9.14
● Image caching is enabled by default
● HyperV users can assign a static IP to CDK
● Hostfolder mount using SSHFS (Technical preview)
● Uses overlay as the default storage driver
Feature(s): HugePages, CPU Manager, Device Manager

Description: We spoke about Device Manager here. CPU Manager Policy allows you to tell kube that your workload requires an affinity to a CPU core. Maybe your workload needs CPU cache affinity and can't handle being bounced around to different CPU cores on the node via normal fair share scheduling on linux. HugePages allows you to request that your workload consume a specific amount of HugePages.

Node config:
  kubeletArguments:
    feature-gates:
    - CPUManager=true
    cpu-manager-policy:
    - static
    cpu-manager-reconcile-period:
    - 5s
    kube-reserved:
    - cpu=500m

Pod spec:
  resources:
    requests:
      cpu: 1
      memory: 256Mi
    limits:
      cpu: 1
      memory: 256Mi

Result:
  # oc exec pod-name -- cat /sys/fs/cgroup/cpuset/cpuset.cpus
  2
  # oc exec pod-name -- grep ^Cpus_allowed_list /proc/1/status
  Cpus_allowed_list: 2
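As an added example (not from the slides), a small Go check of the two prerequisites the static CPU Manager policy imposes before it pins cores: the container must belong to a Guaranteed pod and must ask for a whole number of CPUs. CountCPUs mirrors the verification step above by counting the cores in a cpuset.cpus or Cpus_allowed_list value; the map keys and sample quantities are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// integerCPU converts "1", "2" or "2000m" into whole cores; fractional values do not qualify.
func integerCPU(q string) (int, bool) {
	milli, err := strconv.Atoi(strings.TrimSuffix(q, "m"))
	if !strings.HasSuffix(q, "m") {
		milli *= 1000
	}
	return milli / 1000, err == nil && milli > 0 && milli%1000 == 0
}

// ExclusiveCPUs returns how many dedicated cores the static policy pins for a container, or 0
// if it does not qualify: cpu and memory limits must be set with requests omitted or equal to
// them (Guaranteed QoS, which every container in the pod must satisfy; quantities are compared
// as strings here) and the CPU quantity must be a whole number of cores.
func ExclusiveCPUs(requests, limits map[string]string) int {
	for _, res := range []string{"cpu", "memory"} {
		if lim, req := limits[res], requests[res]; lim == "" || (req != "" && req != lim) {
			return 0 // not Guaranteed QoS: no exclusive cores
		}
	}
	n, ok := integerCPU(limits["cpu"])
	if !ok {
		return 0 // fractional CPU: the container stays in the shared pool
	}
	return n
}

// CountCPUs counts the cores in a cpuset.cpus / Cpus_allowed_list value such as "2" or "0-1,4".
func CountCPUs(s string) int {
	n := 0
	for _, part := range strings.Split(strings.TrimSpace(s), ",") {
		var a, b int
		if got, _ := fmt.Sscanf(part, "%d-%d", &a, &b); got < 2 {
			b = a // a single core id, not a range
		}
		n += b - a + 1
	}
	return n
}
```

The pod from the slide (cpu: 1 with requests equal to limits) is entitled to one core, and the Cpus_allowed_list value "2" it reports contains exactly one, so the pinning worked.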
Node (Tech Preview)
Feature(s): Node Problem Detector

How it Works: When you start the node problem detector you tell it a port to broadcast the issues it finds over. The detector allows you to load sub-daemons to do the data collection. There are 3 as of today. Issues found by the problem daemon can be classified as "NodeCondition", which means stop node scheduling, or "Event", which are only informative.

● AbrtAdaptor: monitors the node for kernel problems and application crashes from journald
● CustomPluginMonitor: allows you to test for any condition and exit on a 0 or 1 should the condition not be met.
Feature(s): Protection of Local Ephemeral Storage

Description: Control the usage of the local ephemeral storage feature on the nodes in order to prevent users from exhausting all node local storage (logs, empty dirs, copy on write layer) with their pods and abusing other pods that happen to be on the same node.

1. Master: /etc/origin/master/master-config.yaml
   kubernetesMasterConfig:
     apiServerArguments:
       feature-gates:
       - LocalStorageCapacityIsolation=true
     controllerArguments:
       feature-gates:
       - LocalStorageCapacityIsolation=true

2. Node: /etc/origin/node/node-config.yaml
   kubeletArguments:
     feature-gates:
     - LocalStorageCapacityIsolation=true
How it works:
● Registry provides an endpoint for Prometheus metrics
● Route must be enabled
● Users with the appropriate role can access metrics using their OpenShift credentials
● An admin defined shared secret can still be used to access the metrics as well
Installation
Feature(s): Run control plane as static pod
How it Works:
● In 3.10 and newer, control plane components (etcd, API, and controller manager) will now move to running as static pods
● Goal is to reduce node level configuration in preparation for automated cluster configuration on immutable infrastructure
● Unified control plane deployment methods across Atomic Host and RHEL; everything runs atop the kubelet.
● The standard upgrade process will migrate existing clusters automatically
Installation
Feature(s): Bootstrapped Node Configuration

Networking
How it works: The OpenShift egress router runs a service that redirects egress pod traffic to one or more specified remote servers, using a pre-defined source IP address that can be whitelisted on the remote server. Its EGRESS_DESTINATION can now specify the remote server by FQDN.

[Diagram: pod -> egress service (INTERNAL-IP:8080) -> egress router pod on a node, leaving with source IP1 -> external service whose whitelist contains IP1]
Feature(s): Document and test a supported way of expanding the serviceNetwork

Description: Provide a supported way of growing the service network address range in a multi-node environment to a larger address space.

For example:
  serviceNetworkCIDR: 172.30.0.0/24 -> 172.30.0.0/16

Note: This DOES NOT cover migration to a different range, JUST the increase of an existing range.

How it works:
1. Update the master-config.yaml to change the serviceNetworkCIDR to 172.30.0.0/16
2. Delete the default clusternetwork object on the master:
   # oc delete clusternetwork default
3. Restart the master API service and the controller service
4. Update the ansible inventory file to match the change in (1) and redeploy the cluster
5. Evacuate the nodes one by one and restart the iptables and atomic-openshift-node services
Security
Feature(s) : Specify whitelist cipher suite for etcd
How it Works:
● Configure etcd to add the --cipher-suites flag with the desired cipher suites
● Restart etcd, apiserver, controllers, etc.
● The TLS handshake fails when a client hello is received with invalid (non-whitelisted) cipher suites.
● If empty, Go auto-populates the list.
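Added example, not etcd's own code: a Go program that reproduces the third bullet in-process. The server side is configured with the assumed whitelist EtcdWhitelist, and a client that offers only a suite outside that list is refused during the handshake itself (the suite list constrains TLS 1.2 only; TLS 1.3 suites are not configurable in Go, which is why the demo pins that version).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// EtcdWhitelist stands in for the list an operator would pass to --cipher-suites (assumed).
var EtcdWhitelist = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}

// selfSignedCert builds a throwaway ECDSA certificate so nothing has to exist on disk.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "etcd-demo"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake runs a TLS 1.2 handshake over an in-memory pipe: the server side (playing etcd)
// accepts only serverSuites, the client offers clientSuites. It returns the client's error.
func Handshake(serverSuites, clientSuites []uint16) error {
	srvConn, cliConn := net.Pipe()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}, CipherSuites: serverSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12} // suite lists only apply to TLS 1.2
	cliCfg := &tls.Config{InsecureSkipVerify: true, CipherSuites: clientSuites, // demo only: no CA to check
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	done := make(chan error, 1)
	go func() { done <- tls.Server(srvConn, srvCfg).Handshake(); srvConn.Close() }()
	err := tls.Client(cliConn, cliCfg).Handshake()
	cliConn.Close()
	<-done
	return err
}

// WhitelistedClientConnects: a client offering a whitelisted suite completes the handshake.
func WhitelistedClientConnects() bool { return Handshake(EtcdWhitelist, EtcdWhitelist) == nil }

// LegacyClientRejected: a client offering only a CBC suite outside the whitelist is refused.
func LegacyClientRejected() bool {
	return Handshake(EtcdWhitelist, []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}) != nil
}
```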
Security (Tech Preview)
How it Works:
● The feature gate PodShareProcessNamespace is set to false by default
● Set 'feature-gates=PodShareProcessNamespace=true' in apiserver, controllers and kubelet
● Restart apiserver, controller and node service
● Create a pod with spec "shareProcessNamespace: true"
● oc create -f <pod spec file>
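Added example, not from the slides: once the gate is on, shareProcessNamespace: true lets every container in the pod see and signal the other containers' processes, so an administrator will want an inventory of the pods that use it. This Go audit reads the JSON of oc get pods --all-namespaces -o json and lists them; the PodList shape and SamplePodList are assumed/constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PodList is a minimal view of `oc get pods --all-namespaces -o json` (assumed shape; only the
// fields the audit reads are declared, matched case-insensitively by encoding/json).
type PodList struct {
	Items []struct {
		Metadata struct{ Namespace, Name string }
		Spec     struct {
			ShareProcessNamespace bool
			Containers            []struct{ Name string }
		}
	}
}

// SharedPIDPods lists "namespace/name (containers)" for every pod that opted into a shared PID
// namespace: each container there can see, signal and inspect via /proc the others' processes,
// so the pairing of containers deserves the same review as a privilege grant.
func SharedPIDPods(raw []byte) ([]string, error) {
	var list PodList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var found []string
	for _, p := range list.Items {
		if !p.Spec.ShareProcessNamespace {
			continue // default: each container keeps its own PID namespace
		}
		names := make([]string, 0, len(p.Spec.Containers))
		for _, c := range p.Spec.Containers {
			names = append(names, c.Name)
		}
		found = append(found, fmt.Sprintf("%s/%s (%s)", p.Metadata.Namespace, p.Metadata.Name, strings.Join(names, ", ")))
	}
	return found, nil
}

// SamplePodList is constructed input: one ordinary pod and one that shares its PID namespace.
const SamplePodList = `{"items":[
 {"metadata":{"namespace":"demo","name":"web"},"spec":{"containers":[{"name":"app"}]}},
 {"metadata":{"namespace":"demo","name":"debug-sidecar"},"spec":{"shareProcessNamespace":true,
  "containers":[{"name":"app"},{"name":"debugger"}]}}]}`
```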
Storage (Tech Preview)
Description: Introduce CSI sub-system as tech preview in 3.10
• External Attacher
• External Provisioner
• Driver registrar
• CSI Drivers shipped: None (use external/upstream)
• See: https://github.com/openshift/openshift-docs/blob/master/install_config/persistent_storage/persistent_storage_csi.adoc

How it works:
• Create a new project where the CSI components will run and a new service account that will run the components
• Create the Deployment with the external CSI attacher and provisioner and DaemonSet with the CSI driver
• Create a StorageClass for the new storage entity
• Create a PVC with the new StorageClass
Containers / Atomic
● Atomic Host deprecation notice, as Red Hat CoreOS will be the future immutable host option.
  ○ Atomic supported in 3.10 & 3.11
● Docker 1.13
● Docker-latest deprecation
● RPM-OSTree package overrides

Storage
● Virtual data optimizer (VDO) for dm-level dedupe and compression.
● OverlayFS by default for new installs (overlay2)
  ○ Ensure ftype=1 for 7.3 and earlier
● Devicemapper continues to be supported and available for edge cases around POSIX
● LVM snapshots integrated with boot loader (boom)

Security
● Unprivileged mount namespace
● KASLR full support and enabled by default.
● Ansible remediation for OpenSCAP
● Improved SELinux labeling for cgroups (cgroup_seclabel)
CRI-O v1.10

Description: CRI-O is an OCI compliant implementation of the Kubernetes Container Runtime Interface. By design it provides only the runtime capabilities needed by the kubelet. CRI-O is designed to be part of Kubernetes and evolve in lock-step with the platform.

Improvements include:
● crictl CLI for debugging and troubleshooting
● Podman for image tagging & management
● Installer integration & fresh install time decision: openshift_use_crio=True
● Not available for existing cluster upgrades

CRI-O brings:
● A minimal and secure architecture
● Excellent scale and performance
● Ability to run any OCI / Docker image
● Familiar operational tooling and commands

[Diagram: Kubelet -> CRI-O -> CNI Networking, RunC, Storage, Image]
Questions