So I have been to Berlin this week, for the Openshift Commons Gathering and Kubecon, and of course to meet a few Berliners.
Openshift is Redhats distribution of Google Kubernetes, plus their own enhancements. It is available on your own machines as Openshift Origin (the GPL version) or OCP (Open Container Project). Redhat also operates dedicated and public clouds based on this. The Openshift Commons Gathering is a meeting of the Openshift Users Community, Commons.
Commons was a nice and fine gathering in the basement level of the BCC, a single track event with a nice mix of users reporting back their experience with Kubernetes and Openshift. In fact, Commons already had quite a bit of the content later duplicated in Kubecon, but in a smaller and less noisy setting.
Aparna Sinha outlined the new features in Kubernetes 1.6. A lot of existing features have been graduated from Beta to Stable or from Alpha to Beta. Interesting for us are the RBAC support, which allow access controls for roles with respect to namespaces and are necessary for mixed deployments in corporate environments, and dynamic storage provisioning, which are an important stepping stone on the path to hosting applications with state in a Kubernetes cluster.
RBAC assignments are dynamically done via the K8s API, and become active the moment you change them. RBAC assignments allow you to formulate sentences of the form “Subject predicate object” with users and roles as subjects, resources in namespaces as objects and a list of verbs such as “get”, “list”, “watch”, “create”, “update”, “delete” and similar. Sentences such as “Kris can list pods in production” can be used to formulate access control (PDF) permissions.
Dynamic provisioning allows you to create persistent storage volumes in an indempotent way on demand. The way it works is that you define storage classes (“disk storge”, “ssd storage”), which could be cut into volumes. Workloads mention claims to persistent volume, and if the volume does not exist yet, it is being partitioned and formatted as needed (otherwise, just claimed) by a pod. It is no longer necessary to preprovision such volumes.
Aparna also outlined future developments for Kubernetes, including improvement to StatefulSets (previously named Pet Pods, containing things like databases, Zookeepers or similar things), GPU support, Network Policy improvements, Multi Workload Scheduling and improvements to the Container Runtime Interface (which would allow other runtimes besides Docker to work better).
Work on a service catalog would allow to specify services outside of the cluster, how to access them, and the Service Catalog could interact with Network Policy definitions in order to allow such connections only if the external resources have been declared in a Deployment.
Clayton Coleman followed up with a similar outline of the future of Openshift 3.x – new features and future. Here he highlighted more CI/CD workflows being supported out of the box, support for the above mentioned StatefulSets, featuring predictable startup, uniqueness and experimenting with HA concepts. Openshift is also looking at remote registry support with local caching, and a number of defineable policies for that, as well as concepts such as authoritative registries.
Improvements are being made on Network Policy in a Tech Preview, allowing the definition of interaction rules between pods in different namespaces.
His outlook at the future mentioned the Service Catalog in sync with the Kubernetes outlook above, and a general focus on safety and security with improvements for secrets, improvements with respect to scheduling rules, and cluster health and reliability. Part of that is also Federation, which will make multi-zone deployments and their management easier.
(I missed a number of the later talks, because I have been in other meetings at the sidelines of the Gathering. But even then it was a nice grab bag of good news, and a lot of energy)