Red Hat Summit April 20: Technical Sessions and Demos — That you should not Miss!

Shweta Vohra
Jun 4, 2020

This April Red Hat took its yearly summit virtual and ran a full-blown virtual experience from 27-Apr-20 to 29-Apr-20. Red Hatters conducted many interesting and informative sessions. This article highlights some sessions that caught my interest, to give you a flavour of the experience around Red Hat and innovation. If you registered for the event, do not miss listening to these sessions on demand; otherwise, here is the gist of some sessions for your reference. Enjoy!

OpenShift 4.x and Beyond — Session conducted by Alex Crawford, Jessica Forrester and Marc Curry. Some of the updates about OCP 4.3 shared in this session:

· FIPS 140-2 is supported from 4.3 onwards and compliant clusters are available. Users can install FIPS-enabled clusters.
· Vertical pod autoscaler (general availability)
· CNI (Multus)
· SR-IOV device plug-in, through the SR-IOV Operator
· OperatorHub advancements
· A glance at the product roadmap
· etcd encryption is available for config, secrets, OAuth tokens and routes. It can be enabled through operators so that it is automatic

From the private datacentre to the edge — One thing that gets maximum attention at Red Hat Summit year after year is the session by Burr Sutter. He is a long-time Red Hatter and Director of Developer Experience at the company. This time he presented with his team, which included Jennifer, Ryan, Tracy and Liz Blanchard. This is a must-watch demo session for those who missed it and still have access to it. It has been the most informative demo I have attended or watched in a long time. The demo engaged the audience by gamifying applications that were running live across geographically distributed OpenShift clusters. It included a leaderboard, and an audience of around 2000+ people (or maybe more) from all geographies played along live.

The cherry on top was the announcement in this session of the Advanced Cluster Management preview. This is something we have all been expecting and waiting for from Red Hat. Broadly, this session included demos in the following areas:

· OpenShift Dedicated demo with multiple sites/clusters connected
· 5G Edge racks (mini racks) running OpenShift cluster
· Advanced Cluster Management for Kubernetes - Demo with 17 clusters spread across Azure, Google, IBM, BareMetal, OpenStack and Amazon
· Demo on Policy and governance using advanced cluster management

Container Security — Security with containers always remains a topic of ambiguity for users and clients. This session on container security was conducted by Urvashi Mohnani and Sally O'Malley. It went into some interesting intricacies of how security is achieved with the Red Hat supported container runtime and the use of CoreOS built-in features.

· OpenShift tools with built-in security: CRI-O, Podman, Buildah, Skopeo
· Never give root privilege except for system tasks (it is rarely required for some container tasks)
· Major security constructs: privileges, syscalls, seccomp, SELinux, user namespaces
· It's easier to disable a security feature than to configure it. Check which features are enabled and which ones have been turned off by someone in your team :)
· Currently there are 37 root privilege capabilities, of which 14 are enabled by default
· These 14 capabilities were provisioned by default by Docker back in 2013
- The 14 are: AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, NET_RAW, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT
- AUDIT_WRITE - was granted to support things like running ssh inside the container. That is no longer appropriate: podman exec or docker exec gives exactly this facility without exposing extra authority
- MKNOD - dangerous with respect to attacks from outside on your cluster. Buildah now gives this facility without compromising security
- NET_RAW - a dangerous area for the network. It was given for ping
- SYS_CHROOT - not necessarily required
· Allow images to specify capabilities as image annotations/labels, e.g. LABEL "io.container.capabilities=SETUID, SETGID"
· How to limit syscalls? OCP already has seccomp enabled at the kernel level, which takes care of limiting syscalls
· Podman uses containers.conf as a central configuration feature. It was recently added and will be available soon
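
One way to act on the "check which features are enabled" advice is to decode the capability bounding set a container process actually runs with and compare it with the 14 defaults listed above. The following is an added example, not code from the session or from Red Hat; the function names are illustrative and the sample /proc/<pid>/status text is constructed.

```python
import re

# Capability names in bit order, following linux/capability.h.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# The 14 defaults listed in the session notes above.
DEFAULTS = set((
    "AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD "
    "NET_BIND_SERVICE NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT"
).split())
# The four defaults the session singled out as unnecessary or risky.
QUESTIONED = {"AUDIT_WRITE", "MKNOD", "NET_RAW", "SYS_CHROOT"}

def decode_mask(hex_mask):
    """Turn a hex capability mask from /proc into a set of names."""
    mask, bit, names = int(hex_mask, 16), 0, set()
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"bit_{bit}")
        bit += 1
    return names

def audit_status(status_text, field="CapBnd"):
    """Report what the bounding set allows, relative to the 14 defaults."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError(f"no {field} line found")
    allowed = decode_mask(m.group(1))
    return {
        "allowed": sorted(allowed),
        "beyond_defaults": sorted(allowed - DEFAULTS),  # added by someone
        "questioned": sorted(allowed & QUESTIONED),     # candidates to drop
    }

# Constructed sample: status of a process in a container with default caps.
SAMPLE_STATUS = (
    "Name:\tsleep\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
)

if __name__ == "__main__":
    print(audit_status(SAMPLE_STATUS))
```

On a live host, pass the contents of /proc/<pid>/status for the container's main process instead of the sample.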

Other interesting sessions — a mixed bag, but one that indicates the whole lot of innovation happening inside Red Hat products and portfolios:

· Quantum computing roundtable - Quantum computing research scientists (Red Hat's Chris Wright and technology leaders from IBM, Microsoft, and Honeywell) talking about their experiences, along with case studies of quantum computing in practice. A good session if you are interested in quantum computing: the combination of science and computing, its use cases, practical usage and the research happening in this area
· Demo - 5G and hardware accelerators - Extending the Open Hybrid Cloud Vision to Edge - using Red Hat OpenShift and NVIDIA hardware accelerators, operators etc. Session by Sherard Griffin, Director, Software Engineering, Red Hat and Chris Lamb, VP Compute Software, Nvidia
· Build your own robot with Robo kits and ROS (Robot Operating System) - session by Brian Gerkey, Chief Executive Officer, Open Robotics, with Red Hat products. This demo also highlights the open possibilities and the information available for use
· Production OpenShift Case Study - cnvrg.io. Cnvrg is a machine learning platform built on top of OpenShift and Kubernetes that helps teams deploy ML workloads ranging from research to production. Demo and session presented by Yochay Ettun, Co-Founder & CEO. This is an engaging presentation for understanding the AI/ML complications that anyone deals with while developing solutions using AI/ML, and how cnvrg.io is solving these problems.
