January 15, 2020 | by Tushar Katarki
Today, Red Hat announces the general availability of Red Hat OpenShift 4.3, the newest version of the industry’s most comprehensive enterprise Kubernetes platform. With security a paramount need for nearly every enterprise, particularly for organizations in the government, financial services and healthcare sectors, OpenShift 4.3 delivers FIPS (Federal Information Processing Standard) compliant encryption and additional security enhancements to enterprises across industries. Combined, these new and extended features can help protect sensitive customer data with stronger encryption controls and improve the oversight of access control across applications and the platform itself.
This release also coincides with the general availability of Red Hat OpenShift Container Storage 4, which offers greater portability, simplicity and scale for data-centric Kubernetes workloads.
As a trusted enterprise Kubernetes platform, the latest release of Red Hat OpenShift brings stronger platform security that better meets the needs of enterprises and government organizations handling extremely sensitive data and workloads with FIPS (Federal Information Processing Standard) compliant encryption (FIPS 140-2 Level 1). FIPS validated cryptography is mandatory for US federal departments that encrypt sensitive data. When OpenShift runs on Red Hat Enterprise Linux booted in FIPS mode, OpenShift calls into the Red Hat Enterprise Linux FIPS validated cryptographic libraries. The go-toolset that enables this functionality is available to all Red Hat customers.
OpenShift 4.3 brings support for encryption of etcd, which provides additional protection for secrets at rest. Customers will have the option to encrypt sensitive data stored in etcd, providing better defense against malicious parties attempting to gain access to data such as secrets and config maps stored in ectd.
NBDE (Network-Bound Disk Encryption) can be used to automate remote enablement of LUKS (Linux Unified Key Setup-on-disk-format) encrypted volumes, making it easier to protect against physical theft of host storage.
Together, these capabilities enhance OpenShift’s defense-in-depth approach to security.
OpenShift is designed to deliver a cloud-like experience across all environments running on the hybrid cloud.
OpenShift 4.3 adds new capabilities and platforms to the installer, helping customers to embrace their company’s best security practices and gain greater access control across hybrid cloud environments. Customers can deploy OpenShift clusters to customer-managed, pre-existing VPN / VPC (Virtual Private Network / Virtual Private Cloud) and subnets on AWS, Microsoft Azure and Google Cloud Platform. They can also install OpenShift clusters with private facing load balancer endpoints, not publicly accessible from the Internet, on AWS, Azure and GCP.
With “bring your own” VPN / VPC, as well as with support for disconnected installs, users can have more granular control of their OpenShift installations and take advantage of common best practices for security used within their organizations.
In addition, OpenShift admins have access to a new configuration API that allows them to select the cipher suites that are used by the Ingress controller, API server and OAuth Operator for Transport Layer Security (TLS). This new API helps teams adhere to their company security and networking standards easily.
Available alongside OpenShift 4.3 today is Red Hat OpenShift Container Storage 4, which is designed to deliver a comprehensive, multicloud storage experience to users of OpenShift Container Platform. Enhanced with multicloud gateway technology from Red Hat’s acquisition of NooBaa, OpenShift Container Storage 4 offers greater abstraction and flexibility. Customers can choose data services across multiple public clouds, while operating from a unified Kubernetes-based control plane for applications and storage.
To help drive security across disparate cloud environments, this release brings enhanced built-in data protection features, such as encryption, anonymization, key separation and erasure coding. Using the multicloud gateway, developers can more confidently share and access sensitive application data in a more secure, compliant manner across multiple geo-locations and platforms.
OpenShift Container Storage 4 is deployed and managed by Operators, bringing automated lifecycle management to the storage layer, and helping with easier day 2 management.
OpenShift helps customers maintain control for day two operations and beyond when it comes to managing Kubernetes via enhanced monitoring, visibility and alerting. OpenShift 4.3 extends this commitment to control by making it easier to manage the machines underpinning OpenShift deployments with automated health checking and remediation. This area of automated operations capabilities is especially helpful to monitor for drift in state between machines and nodes.
OpenShift 4 also enhances automation through Kubernetes Operators. Customers already have access to Certified and community Operators created by Red Hat and ISVs, but customers have also expressed interest in creating Operators for their specific internal needs. With this release, this need is addressed with the ability to register a private Operator catalog within OperatorHub. Customers with air-gapped installs can find this especially useful in order to take advantage of Operators for highly-secure or sensitive environments.
With this release the Container Security Operator for Red Hat Quay is generally available on OperatorHub.io and embedded into OperatorHub in Red Hat OpenShift. This brings Quay and Clair vulnerability scanning metadata to Kubernetes and OpenShift. Kubernetes cluster administrators can monitor known container image vulnerabilities in pods running on their Kubernetes cluster. If the container registry supports image scanning, such as Quay with Clair, then the Operator will expose any vulnerabilities found via the Kubernetes API.
OpenShift 4.3 is based on Kubernetes 1.16. Red Hat supports customer upgrades from OpenShift 4.2 to 4.3. Other notable features in OpenShift 4.3 include application monitoring with Prometheus (TP), forwarding logs off cluster based on log type (TP), Multus enhancements (IPAM), SR-IOV (GA), Node Topology Manager (TP), re-size of Persistent Volumes with CSI (TP), iSCSI raw block (GA) and new extensions and customizations for the OpenShift Console.
Red Hat OpenShift is trusted by enterprises around the globe. This release comes at the heels of Red Hat’s recent win of the Ford IT Innovation award, which recognized Red Hat’s leadership in innovation enterprise Kubernetes.
OpenShift 4.3 is available now. We encourage current customers to check out these new capabilities through the Red Hat customer portal. New to Kubernetes and OpenShift? Try out OpenShift 4 in-browser, through either our hands-on lab (for operations) or learn.openshift.com (great for developers).