Red Hat unveils OpenShift 4.18: Enhanced security and virtualization experience

Red Hat OpenShift accelerates cloud-native innovation and modernization across hybrid cloud environments, providing a trusted, comprehensive, and consistent application platform that helps enterprises innovate more quickly. Available in self-managed or fully managed cloud service editions, OpenShift offers a comprehensive suite of integrated tools and services tailored to support cloud-native, AI, virtual and traditional workloads — driving agility and scalability across every deployment.

Based on Kubernetes 1.31 and CRI-O 1.31, Red Hat OpenShift 4.18 focuses on core and virtualization enhancements, and adds further improvements in secrets and certificate management. This article highlights the latest OpenShift 4.18 innovations and key enhancements. For a comprehensive list of updates and improvements, refer to the OpenShift 4.18 Release Notes.

Enhance network flexibility with User Defined Networks and Border Gateway Protocol for pods and virtual machines

OpenShift 4.18 promotes User Defined Networks (UDNs) to general availability from its previous technology preview status in OpenShift 4.17.  UDNs are the first in a forthcoming series of OpenShift networking enhancements designed to bring data center networking concepts into Kubernetes and support seamless integration between OpenShift’s OVN-Kubernetes cluster network and existing external networks, along with targeted networking solutions that cross over that boundary.  Specifically, UDN improves the flexibility and segmentation capability of the default layer 3 Kubernetes pod network by enabling custom layer 2, layer 3 and localnet network segments that act as either primary or secondary networks for container pods and virtual machines (VMs) using the default OpenShift OVN-Kubernetes networking. UDN augments OpenShift’s Multus-enabled secondary Container Network Interface (CNI) capability by providing a comparable experience and feature set to all network segments.

UDNs uniquely provide support for common VM networking use cases, such as providing a VM static IP assignment for its lifetime, and a layer 2 primary pod network for the live migration of VMs between nodes, all of which is fully integrated with Red Hat OpenShift Virtualization. UDN also has other advantages that are not unique to VMs. For example, UDN segments are isolated for stronger multi-tenant environments without requiring Kubernetes (Admin) Network Policy, but network policy is still supported with UDN for finer-grained microsegmentation. Users can leverage UDN to create networks with overlapping subnets, and primary UDNs have full support for services, egressIPs and routes. 

Integrated with UDN and built directly into OVN-Kubernetes is full support for Border Gateway Protocol (BGP) as a routing protocol for UDN pod and VM addressability and VPN support. BGP enables dynamically exposing cluster-scoped network entities into a provider’s network, as well as programming BGP-learned routes from the provider’s network into OVN. This is particularly useful for integration with third-party load balancers needing direct access to backend OpenShift pods. In the future, we plan to extend BGP support with Ethernet VPN (EVPN), allowing for the extension of a UDN segment into another OpenShift or a provider network.

Deploy OpenShift across multiple vSphere vCenter clusters

Customers can now deploy OpenShift across multiple vSphere vCenter clusters, without shared storage, for high availability. Multiple vCenters can only be configured during installation, and this capability is not configurable after installation.

Accelerate registry mirroring with oc-mirror v2’s performance boost

The oc-mirror plugin gives customers who require disconnected clusters the ability to install an OpenShift cluster from a mirrored set of OpenShift container images in a private registry. oc-mirror v2, a tool for creating mirror registries in OpenShift environments, has reached general availability and includes several major enhancements including:

• Faster performance
• More control over image deletion
• Enclave support
• Caching to avoid redundant downloads during subsequent mirroring while also reducing network bandwidth consumption

We’ve also added Helm charts support, so charts can be mirrored with oc-mirror, just as you would other content including registries in enclave environments. We’ve also added proxy support to enable proxies and pull-through caches. 

To use oc-mirror v2, users switch to v2 by using the --v2 command line argument. For example, to create an archive by mirroring to disk, you would use the following command: oc-mirror --v2 -c /home/user/imagesetconfig.yaml file:///home/user/oc-mirror-workspace.

Operator Lifecycle Management  delivers enhanced security and GitOps integration

Operator Lifecycle Management (OLM) has transformed OpenShift 4, helping users install, update and manage the lifecycle of all operators and associated services running across their clusters. OLM also enables complementary solutions such as  Red Hat Advanced Cluster Management for Kubernetes, Red Hat Advanced Cluster Security for Kubernetes, Red Hat OpenShift Service Mesh and Red Hat OpenShift Virtualization, while unlocking advanced workloads like GPU, Precision Time Protocol (PTP) and SR-IOV networking Building on these achievements, OLM is advancing toward more streamlined APIs and enhanced declarative integration with Red Hat OpenShift GitOps.

Key OLM enhancements include:

• Simplified API: A single, streamlined ClusterExtensions API for managing operators
• Declarative workflows: Seamless GitOps and zero-touch provisioning integration to reduce the risk of human error
• Continuous reconciliation and optional rollbacks: Improved reliability through persistent reconciliation that automatically resolves operator installation failures and provides optional rollbacks
• Enhanced update control: Users define desired versions, including optional Z-stream auto-updates for security fixes
• Strengthened security: Enhanced security with user-provided ServiceAccounts, which limits the need for OLM's access to necessary permissions

While OLM v1 initially supports a select set of operators, we're actively expanding compatibility. OLM v0 is also fully supported throughout OpenShift 4's lifecycle.

Extending choice for greater hybrid cloud innovation

OpenShift 4.18 expands bare metal support for customer-managed OpenShift across major cloud providers. 

On Google Cloud, OpenShift now supports C3 bare-metal for direct hardware access, alongside C4, C4A and N4 machines for general-purpose workloads including databases, caches, web servers and more.

For Oracle Cloud Infrastructure (OCI), OpenShift offers flexible deployment options through both Assisted Installer (connected deployments) and Agent-based Installer (restricted network deployments) for bare metal in addition to VM shapes. Red Hat OpenShift on OCI bare metal includes integration with OCI Cloud Controller Manager (CCM) and OCI Container Storage Interface (CSI), which provide storage integration and management capabilities that are supported by Oracle. For on-premises deployments in customers’ data centers, OpenShift in Oracle Compute Cloud@Customer and Oracle Private Cloud Appliance are also now generally available.

For customers considering virtualization in the public cloud, OpenShift Virtualization in OCI  is available as technology preview for customer-managed clusters. This is in addition to OpenShift Virtualization on Red Hat OpenShift on AWS.

Accelerate virtualization modernization with Red Hat OpenShift Virtualization Engine

Red Hat OpenShift Virtualization Engine is a new virtualization-centric offering for customers who want to run dedicated OpenShift environments for running and managing VMs only. OpenShift Virtualization Engine delivers key OpenShift Virtualization capabilities that are purpose built for customers looking to migrate from traditional virtualization platforms.

Focused exclusively on virtualization, OpenShift Virtualization Engine simplifies operations and reduces complexity when paired with powerful tools like Red Hat Ansible Automation Platform for comprehensive virtual infrastructure automation and Red Hat Advanced Cluster Management for Virtualization for centralized VM lifecycle management. Backed by Red Hat’s open source expertise, global ecosystem and trusted support, OpenShift Virtualization Engine enables organizations to meet today’s virtualization demands.

Effortless VM storage live migration

Support for migrating storage classes for running and stopped VMs delivers additional functionality  in OpenShift Virtualization with Migration Toolkit for Containers. Specifically, storage live migration lets customers select Persistent Volume Claims (PVCs) tied to a specific storage class and migrate them to a different class, regardless of whether the associated workloads are active or idle. This is especially useful for onboarding new storage appliances, retiring legacy infrastructure, or rebalancing workloads using local storage. The migration process, which can be time-intensive, is fully managed by an operator, providing reliability and minimal disruption. With this enhancement, OpenShift Virtualization not only simplifies storage management but also boosts confidence in the platform's ability to handle dynamic storage requirements without compromising workload integrity.

Improve service mesh support with Red Hat OpenShift Service Mesh 3.0

Red Hat OpenShift Service Mesh 3.0 includes a new simplified operator for managing Istio and deploys a Red Hat distribution of the Istio.io project rather than the Maistra.io project used previously. Based on Istio 1.24 and Kiali 2.4, Red Hat OpenShift Service Mesh 3.0 introduces  Istio’s multicluster topologies support, canary updates of the Istio control plane and istioctl. Integrations with Red Hat OpenShift Observability, cert-manager Operator for Red Hat OpenShift, OpenShift Virtualization and OpenShift GitOps are also added in this release.

Simplify TLS management with cert-manager v1.15 and istio-csr

The latest release introduces cert-manager Operator for Red Hat OpenShift v1.15 with technology preview of the powerful istio-csr agent, enabling seamless integration to secure Red Hat OpenShift Service Mesh workload and control plane components. With the istio-csr agent, the istio agent running on OpenShift Service Mesh retrieves certificates from cert-manager and signs them before passing the signed certificate to workloads running on the service mesh. This isto-csr integration marks an important step in expanding cert-manager’s role within OpenShift. 

Building on its existing capabilities such as managing certificates for the ingress controller and apiserver, cert-manager extends its reach to even more critical areas of OpenShift’s network communications. This is valuable for large enterprises concerned with centralizing TLS certificate management and reducing reliance on multiple independent Certificate Authorities that must be managed for a cluster as they can simplify operations, enhance security and reduce administrative overhead across clusters.

Secure secrets confidently with Secret Store CSI Driver Operator

We are pleased to announce that the secrets store container storage interface (CSI) driver operator is now generally available. Initially introduced as technology preview in OpenShift 4.14, This represents OpenShift’s first step in creating a vendor-agnostic ecosystem for managing credentials and other sensitive information. With this release, workloads running on OpenShift clusters can more seamlessly connect to external secrets managers to more securely consume secrets without storing them persistently on the cluster. Secrets store CSI driver operator enhances credentials security in a cluster by making the cluster unaware of secrets. 

The operator starts and manages the driver daemonset which receives requests from workloads for specific secrets and leverages a vendor-developed plugin to authenticate against an external secret manager. Once authenticated, the plugin retrieves the required credentials and passes them to the operator to mount into the running workload as an ephemeral volume. This approach offers significant value for users operating in highly regulated environments or those who cannot risk persisting Kubernetes secrets in etcd. Additionally, secrets store CSI driver operator enhances complementary solutions, such as OpenShift GitOps or OpenShift Pipelines, enabling them to more securely and declaratively consume secrets from an external secrets manager.

Effortless cluster hibernation with automated recovery

Shutting down or hibernating an existing OpenShift cluster is an effective way to reduce operating costs when the cluster is not in use. Now, in OpenShift 4.18, cluster administrators no longer need to perform complex manual steps required to gracefully restart a cluster. This new release brings significant improvements to the cluster control plane’s ability to automatically recover from expired certificates after extended shutdowns of up to 90 days. The OpenShift control plane relies on numerous certificates to provide secure communications across its components, with critical certificates managing encrypted traffic between the API server, controller manager and other core services. Newly installed single node OpenShift clusters can now be shutdown and recovered automatically without requiring any backups for up to one year, and self-managed high availability clusters in the cloud can be suspended for up to 90 days and recovered with just CertificateSigningRequest (CSR) approvals.

Try Red Hat OpenShift 4.18 today

Get started today with the Red Hat Hybrid Cloud Console and take advantage of the latest features and enhancements in OpenShift. To find out what’s next, check out the following resources:

• What’s New and What’s Next in Red Hat OpenShift
• What’s New in Red Hat OpenShift 4.18 - Key Updates and New Features
• Ask an OpenShift Admin: What's New for Admins in 4.18 & 2024 Year in Review
• Red Hat OpenShift Virtualization Engine Overview
• In the Clouds (E41) | Virtualization Shift featuring Chuck Dubuque
• OpenShift YouTube Channel
• OpenShift Blogs
• OpenShift Commons
• Red Hat Developer Blogs
• Red Hat Portfolio Architecture Center

A complete list of the Red Hat OpenShift 4.18 updates are in the Red Hat OpenShift 4.18 Release Notes. Send us feedback through your Red Hat contacts, message us at OpenShift Commons slack, or create an issue on GitHub.