Red Hat ups its OpenShift Kubernetes hybrid-cloud game

Red Hat is releasing a new version of its OpenShift Kubernetes platform, OpenShift 4.3, with better container storage support via Red Hat OpenShift Container Storage 4.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

When they're not working on Linux, Red Hat is making it darn clear that job one is the hybrid cloud by way of Kubernetes. In its latest steps to support this, Red Hat is releasing its Kubernetes-based Red Hat OpenShift 4.3 and Red Hat OpenShift Container Storage 4 to provide multi-cloud Kubernetes container support.

OpenShift 4.3 is based on Kubernetes 1.16. Red Hat supports customer upgrades from OpenShift 4.2 to 4.3. 

Building on last fall's developer-friendly OpenShift 4.2, the new OpenShift release brings stronger platform security to Red Hat's Kubernetes take. Specifically, it brings Federal Information Processing Standard (FIPS)-compliant encryption (FIPS 140-2 Level 1) to OpenShift. FIPS-validated cryptography is mandatory for US federal departments that encrypt sensitive data.

When OpenShift runs on Red Hat Enterprise Linux (RHEL) booted in FIPS mode, OpenShift calls into the RHEL FIPS-validated cryptographic libraries. The go-toolset that enables this functionality was already available to all Red Hat customers, but this bakes it into OpenShift.

The new OpenShift also supports etcd encryption. Etcd is a popular distributed key-value store for storing data across clusters. Encrypting it protects secrets at rest: customers can encrypt sensitive data stored in etcd, providing better defense against malicious parties attempting to gain access to data such as secrets and config maps.
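One way to verify that etcd encryption is actually in effect is to look at how values are stored. This is an added example, not Red Hat's code: it relies on the upstream Kubernetes convention that values written through an encryption provider begin with a `k8s:enc:<provider>:<version>:<key name>:` envelope, and the `/kubernetes.io/` key layout and all sample values are constructed for illustration.

```python
import re

# Envelope the Kubernetes API server prepends to values written through an
# encryption provider: k8s:enc:<provider>:<version>:<key name>:<ciphertext>
ENC_ENVELOPE = re.compile(rb"^k8s:enc:([a-z0-9]+):(v\d+):([^:]*):")
PROTOBUF_MAGIC = b"k8s\x00"  # start of an unencrypted protobuf-encoded object

# Resource types the article names as protected by etcd encryption.
SENSITIVE = ("secrets", "configmaps")


def classify(value: bytes) -> str:
    """Return 'encrypted:<provider>', 'plaintext-protobuf', 'plaintext-json' or 'unknown'."""
    m = ENC_ENVELOPE.match(value)
    if m:
        return "encrypted:" + m.group(1).decode()
    if value.startswith(PROTOBUF_MAGIC):
        return "plaintext-protobuf"
    if value.lstrip().startswith(b"{"):
        return "plaintext-json"
    return "unknown"


def unencrypted_sensitive_keys(dump: dict) -> list:
    """List etcd keys of sensitive resources whose value carries no envelope."""
    findings = []
    for key, value in sorted(dump.items()):
        parts = key.strip("/").split("/")
        # Assumed key layout: /<prefix>/<resource>/<namespace>/<name>
        resource = parts[1] if len(parts) > 1 else ""
        if resource in SENSITIVE and not classify(value).startswith("encrypted:"):
            findings.append(key)
    return findings


# Constructed sample: etcd key -> raw value bytes as read straight from etcd.
SAMPLE_DUMP = {
    "/kubernetes.io/secrets/app/db-password": b"k8s:enc:aescbc:v1:1:\x8f\x02\xa1\x5c\x00\x11",
    "/kubernetes.io/secrets/app/legacy-token": b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret",
    "/kubernetes.io/configmaps/app/settings": b'{"kind":"ConfigMap","apiVersion":"v1"}',
    "/kubernetes.io/pods/app/web-0": b"k8s\x00\n\x09\n\x02v1\x12\x03Pod",
}

if __name__ == "__main__":
    for k in unencrypted_sensitive_keys(SAMPLE_DUMP):
        print("NOT ENCRYPTED AT REST:", k, "->", classify(SAMPLE_DUMP[k]))
```

A sensitive value that still shows the protobuf magic after encryption has been turned on was written before the change and has not been rewritten yet.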

OpenShift also now supports Network-Bound Disk Encryption (NBDE). You can use this to automate encrypting remote Linux Unified Key Setup-on-disk-format (LUKS) volumes. With this, even if someone steals your physical storage devices, they still can't access your data.

Besides security improvements, the OpenShift 4.3 installer can deploy OpenShift clusters to customer-managed, pre-existing Virtual Private Networks and Virtual Private Clouds (VPN/VPC) and subnets on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). You can also install OpenShift clusters with private-facing load balancer endpoints on AWS, Azure, and GCP. With this, you can use public cloud resources while blocking out Joe Random Cloud User.

With roll-your-own VPN/VPC and support for disconnected installs, you can have more granular control of your OpenShift installations. This also makes it easier to deploy your own security best practices across your organization's hybrid cloud, no matter what platforms you're running it on.

In addition, OpenShift administrators have access to a new cipher configuration application programming interface (API). This enables them to select the encryption suites for the Ingress controller, API server, and OAuth Operator for Transport Layer Security (TLS). 

OpenShift 4.3 also makes it easier to manage its foundation with automated health checking and remediation. It also supports Kubernetes Operators. These are methods of packaging, deploying, and managing a Kubernetes application. Customers already have access to Certified and community Operators created by Red Hat and ISVs, but you can now register a private Operator catalog within OperatorHub for your own approved Operators. Red Hat claims, "Customers with air-gapped installs can find this especially useful in order to take advantage of Operators for highly-secure or sensitive environments."

To help make Operators safer, the Container Security Operator for Red Hat Quay is now available on OperatorHub.io and embedded into OpenShift's OperatorHub. This means you can use Quay and Clair vulnerability scanning on your Kubernetes-managed container images. With this, you can spot known container vulnerabilities before they can bite you in operations.

Using Operators, you can use Red Hat OpenShift Container Storage 4 to manage container storage across multiple public clouds from a single unified Kubernetes-based control plane. Calling back to the security theme of this OpenShift release, the latest Container Storage also brings enhanced built-in data protection features, such as encryption, anonymization, key separation, and erasure coding over multiple clouds. 

Based on Red Hat Ceph Storage, the new Container Storage 4 also features:

  • Easier deployment and greater automation through Rook's storage orchestration capabilities. With the Rook.io Operator, developers have Kubernetes-native, automated support for easier deploying, packaging and expansion of storage on Red Hat OpenShift.
  • Faster persistent volume creation, helping developers build, test, and release applications faster by reducing build times and improving continuous integration/continuous deployment (CI/CD) pipeline efficiency.

Sounds good, doesn't it? 

Eric Sheppard, IDC's Infrastructure Platforms and Technologies Group research vice president, said: "Container storage is a rapidly evolving space. Red Hat integrated its persistent storage services as first-class citizens into the OpenShift Container Platform, enabling customers to build the next generation of storage-intensive applications technology."

With these releases, Red Hat continues to make a good case for itself as your hybrid-cloud platform of choice.
