Good morning. Good afternoon. Good evening. Welcome to another episode of Ask an OpenShift Admin here on Red Hat live streaming. I am Chris Short, host, showrunner, producer, whatever you want to call me. I will probably answer to it if it involves live streaming. I am joined today by the wonderful and always wise Andrew Sullivan and special guest Jimmy Alvarez. Hello, Andrew. How are you, wonderful and wise man? I, now I got to cut you a check, right? Well, you know, I called Langdon professor and turns out he's gonna go be one. So if I call you something you might turn into that. Maybe, maybe I will be someday. So I'll take wise. I don't want you to leave the company. Thank you. I, I don't either. So yeah, glad to be here, glad to see you. I know you've been going through somewhat rough weather there in Michigan. So yeah, it's been happy that I've been on it's like two weeks and one weekend. Basically is what it felt like. Yeah, so, well, I'm glad that everything settled down and you're back in the house and everything. So yeah, welcome. Well, I'd say welcome back. Welcome. Yeah, you know, yeah. No, like we did have to kind of just evac the house at one point on Sunday because it was like nothing, right? Like we had no, like at that point it had become like no food in the house, no nothing kind of deal. So Sunday we spent most of the day at my sister-in-law's house, and then Monday I spent running around trying to get access to the internet somehow, some way. It hadn't been fully restored at my in-laws and everything else. So like they were in zones that weren't supposed to have power, but they did. So it was just a mess, right? Like Monday was just a mess. So yeah, well, I've never seen infrastructure outages like this before though, because every hurricane I've ever been through I had a cell phone and it worked. Well, speaking of hurricanes and Florida and specifically Miami.
So today's guest is Jimmy Alvarez. So Jimmy, not to throw you under the bus, but if you don't mind introducing yourself. No, no, not at all. So thank you Andrew and Chris. So yeah, Jimmy Alvarez. I'm a technical marketing manager here at Red Hat. So, and yeah, I know outages and power outages and hurricanes all too well, that is for sure. It's funny that you say that you never lost cell phone signal, Chris, during a hurricane, because that's the first thing that goes. So I must have had some special cell phone or something. I guess so. Maybe you, maybe you got a tower nearby or something. I mean, I was military, so we were constantly moving around. So that, oh, that is probably, that is probably why. It's military. That would explain it. But, but yeah, so we're excited to be here with you guys today. Yeah, well, happy to have you, and I am excited for today's topic. I can see that the folks who are watching the stream are as well. We've already got like six questions, five questions in here. So it's awesome. Yeah. So we're, we're setting up the, we're putting the ball on the tee there for you to hit it off, right? So we try to play t-ball here, not, not baseball or anything. So hello everyone, welcome to the stream. So this is the Ask an OpenShift Administrator office hour. So what that means is that, like all of our other office hour streams, we are here for you. We are here to answer questions kind of on whatever it is that is top of mind for you. If you're having issues, if you have questions about OpenShift in general, whatever that may be, that's what we're here for. We also have a theme or a topic for each one of our episodes, and today that is around the, and Jimmy help me out here, the Red Hat Advanced Cluster Manager for Kubernetes. Management for Kubernetes. Managed for Kubernetes. Yeah, I was close, very close.
So I won't go into details here. I will admit that this is, so ACM, as we lovingly refer to it, is something that I have very little personal experience with, so I'm looking forward to learning a lot about ACM, about the capabilities, about why it is interesting and useful for us as administrators. But before we get into all of that, I do want to go through kind of our tradition here on the Ask an Admin hour of the top of mind topics, if you will. So things that we have seen come up in the last week or so, usually since the last show, or other things that have bubbled up that I want to be sure to bring up with you all, our audience, right? Trying to address real-time things that we see or that we are aware of, to make sure that you are also aware of them. And the first one of those is one that hopefully isn't news at this point. You've been hearing about it for the last month, and that is OpenShift 4.8 is available. It is fully GA, out and go, you can use it today. I think it might even actually be in the upgrade channels if you're on 4.7. I don't remember, let me check. Yeah, so I know I was able to, well, I had a 4.7.19 cluster that I upgraded to 4.8.0 RC 3 using the candidate channel. But that doesn't mean anything, because remember, candidate channel is not supported. Correct. Let's see. Let's see if I can bring up the upgrade graph here. Get into my cluster for some reason. So you don't need to get into that cluster. I do see it on the update, I do see it on the update channels, at least from an ACM perspective. So that's cool. Let's see. So if I'm on stable 4.7, target version. Nope. There, there is not yet. I think that, you know, let me share my screen here. Yeah, please do. You the one I want, you are the one I want, there we go. So this is the OCP upgrade graph. I'll post this link into the channel or a chat there. Words, words are hard. So this is the official kind of way to track upgrade paths, etc. You can see here.
I'm upgrade path, if my current channel is stable 4.7, I'm on 4.7.19 and I want to go to 4.8.2, there is no path available. I think if we go to fast 4.7 though, we might, yeah. Yeah, so 4.7.21 is here, and 4.7.21 you can go to 4.8.2. So if you are on the bleeding edge, so to speak, if you're willing to use the fast channel, you can in a fully supported manner go from 4.7 to 4.8 today. So lots of, lots and lots and lots, and we've talked about this here on this stream. We've talked about it in the What's New stream, dedicated stream, all of that over the last month. You'll also see a number of blog posts coming out on openshift.com, right? Lots of stuff going on around that release, and that happens later last night Eastern time, Eastern US time. So this morning you should have come in and have access to those bits if you're, if you're wanting to adopt. I'll also note, so a couple of statistics that I saw this morning. So this release has or addressed almost 200 epics, right? So yeah, there's a lot of stuff that happened inside of there, even if it isn't necessarily always apparent, and something like 1,100 bugs were addressed. So be sure to read the, if we go to docs, there is a 4.8 version of the docs now. Nice. Soon as my internet loads it. Be sure to check out the release notes as always. Deprecated and removed features is an important one, bug fixes important ones, and known issues. Always, always, always, if you don't read anything else in the release notes, always be sure to look at the known issues before you do an update. Yeah, I almost wish those were like first. Yeah, I know, instead of way down here at the bottom.
You probably can't even see how tiny my little scroll wheel is there. But yeah, they are there. Also, note that with the release of OpenShift 4.8, OpenShift 4.5 has now rolled off the support wagon. So if you are on 4.5, I would definitely recommend that you update as soon as possible. Note that 4.6 is an EUS release. But you do have to specifically, I don't, I think there's a specific entitlement for the EUS channel. So not just anybody can use EUS. You have to have the EUS entitlement to use EUS, I think. Be sure to check with your account team if that's something you're interested in. So continuing on from last week. Last week we talked about, and just to, let's go to openshift.com/blog. As always, we always have this blog post that comes out after the show, and down here we can see that we were talking about Helm. So there was an article on The New Stack that came out that we talked about last week. There was also a CVE that Red Hat has released. We released this back in June, you can see, but the core of it was that there was a bug in Helm client that would send credentials to every repository as a part of the URL, even if it wasn't the right repository. Hmm. So what I had mentioned then was that, hey, keep an eye on the repository, keep an eye on the clients, because we're, we're going to update them. And sure enough, they have been updated. So I'll switch over to 4.8 here. So the docs here walk through how to update the clients. We can also go to, and you can see here if I just copy this link out and we'll paste it into the window, you can see that latest is now pointing at 3.6.2. You can see we know that because these two are updated at the same time. So again, and I'll, let me grab this link here.
I'll post that into the chat. So if you're using Helm, if any of your app teams are using, or devs are using Helm, please encourage them to update that binary to the most recent version available in order to avoid that particular security issue. Can we wait for announcements, blog post about new 4.8 GA release? So the blog post should be out today as far as I know. And then we'll be following up over the coming week or so with like specific announcements around features and capabilities and going into more detail there. I think OpenShift Virtualization also shipped today. I think Windows containers or Windows nodes will be updated in the next week or so, so they should be pretty close behind, and then there's a bunch of other stuff that'll all be coming out as well. So I saw a question about that in the Kubernetes Slack around, hey, there's no documentation in 4.8 for Windows, Windows nodes. Well, that's because many of the features are decoupled from the OpenShift release. So service mesh, serverless, OpenShift Virtualization, Windows nodes, all of those are decoupled from OpenShift's release. I mean, it just so happens at this time OpenShift Virtualization released at the same time, but that's not always true. So as those release, you'll see their documentation get added back in here. Trying to review, I see all of these questions around ACM. We'll talk about those in just a moment. So I'm kind of, I'm not ignoring them. We see them. We'll get to them. I'm just looking for the ones at the moment that we can address real quick. For some reason my computer has ground to a halt. So yeah, I saw your video was stuttering a little bit. Imroche, yes, so the, thank you for the warning about the domain changes. So yes, if you aren't aware, we briefly alluded to this last week. So openshift.com/blog, and I think most of the openshift.com content, is migrating to cloud.redhat.com, and cloud.redhat.com is migrating to console.redhat.com.
So whereas normally, and do I have it up here? Yeah, so this is cloud.redhat.com. If I change this to console.redhat.com, I think it will work. Yeah. So this, this will be the new URL. So just don't be alarmed. Don't be concerned if you see that that changes. It is a Red Hat domain. It is a sanctioned change. It should be a transparent change. So tomorrow or whenever that change happens, when you go to openshift.com/blog, it'll automatically redirect you over to the right place. Something about all the SEOs. Hmm, that thing. Yeah, yeah, that's important, I guess. Turns out I can't stream and Slack at the same time. Gotta pay those bills sometime. So the last two kind of quick hits here. So somebody asked about using a cluster-wide proxy at install time with, they asked specifically about vSphere IPI, but it really applies to any of the other install methods. So if I go to the docs here. So I am, I am in the docs and I'm at the installing on any platform, installing on any platform, right? So in the docs here, we have this configuring the cluster-wide proxy during installation. And it basically says, hey, put the proxy config into the install-config.yaml. For whatever reason they did not put this section of the documentation into the others. So like if I come up here to vSphere and I choose here vSphere with customizations, right? There is no proxy. Right, if I, you see I did a search for proxy and nothing comes up in the table of contents. It still applies for all those. You basically follow the exact same process of sticking that information into the install-config.yaml. It'll, it'll apply it immediately and all that other stuff. So I don't know why it's in, it's not in all of these other sections other than redundancy reasons, maybe, but it does work. It is fully supported. You can absolutely do that with IPI on vSphere, RHV, OpenStack, so on and so forth. And the last one I have got is vCenter permissions for UPI. We periodically get questions.
I see folks in our internal chat and stuff like that say, you know, oh, my customer was trying to do this and they keep getting this error, and it's, it boils down to a permissions error inside of vCenter. So remember, and we talked about this when Catherine was on the stream, after deployment there's effectively no difference between an IPI cluster and a UPI cluster, other than with IPI the worker nodes will have been provisioned via machine set. In theory with UPI you can absolutely go in and create machine sets and provision worker nodes the exact work and for nodes or whatever the exact same way. But you have to have the same set of permissions. So I'll do the same thing here. So I'm, I'm in the docs. So if we go to installing, installing on vSphere, and then installing a cluster on vSphere, this is the default IPI documentation. Then has this breakout of permissions down here. Oops, I'll post that into the chat as well. So there's two ways that this is used. So one, if you have no intention of ever using machine sets with your UPI, but you do want to use the storage provisioner, you still need to have at least some of these permissions inside of here. Usually the one that, that folks miss is this. There's add new disk and remove disk. Those two are super important for, you know, being able to actually attach disks to the virtual machines. Also, be sure to pay attention to where the permissions are applied at. So if you apply the permission to somewhere where the VMs don't end up, like I applied it specifically to this cluster or to this resource pool and then my VMs land in a different cluster, that means that that permission isn't there. So the kind of default generic answer is, oh, just put it at the, at the root level. But that may not be what you want. You may not want your, you know, your service account effectively for OpenShift to have that much permission across all of vCenter. So just be cognizant of that. Usually the one that I think ends up biting people is they'll say, oh well, we
gave you admin, and they gave admin on the, if you look in the hosts and VMs view, right, on the cluster. But over in the data center view, or the datastore view rather, there's no permissions over there. So yes, they can create VMs, but you can't create disks or you can't attach disks. So just pay attention to where these, these things actually need to be applied. That's all I got. So, oh yeah, quick, quick and easy, for relatively quick and easy. So cluster manager, ACM. Yeah, I said that right, cluster manager, right? Cluster manager. Yes. Yeah, you did say it right. So Jimmy, I know we've got a bunch of questions here. So I think before we get into questions, I want to give you a couple minutes to kind of set the stage of what is ACM, what is the role of ACM and where does it fit in, and then we'll dig into these questions, and, and you may incidentally answer some of these along the way. Totally. Yeah, absolutely. So well, let's start with what is Advanced Cluster Manager for Kubernetes, right? So Advanced Cluster Manager for Kubernetes really allows you to kind of manage all of your clusters regardless of them being OpenShift or not. So, you know, having multiple OpenShift clusters, right? It's fantastic. But it can be a little bit of a management nightmare. You know, having to log in to each individual console to kind of monitor things, right? Find resources, deploy applications, right? It can be a little bit cumbersome, especially in, you know, large environments, right? So ACM really helps you simplify that. It also allows you to kind of manage, you know, public cloud Kubernetes clusters, right? So not only the kind of managed solutions that, you know, we provide, right, like ROSA for example, but also, you know, clusters that you might build through a public cloud, right, that are OpenShift. So through AWS, through Google, through Azure. It just helps you kind of centralize everything.
So from an administrator perspective, it really helps to have that consistency when you're building clusters, because you can build all the clusters directly from ACM. It helps you manage them, the day-two operations, right? And it also helps you apply, you know, governance and security around them, so you can have policies. We provide several out of the box to kind of get you going, and it allows you to kind of manage those policies, right? And deploy new policies. So whatever those might be, you know, policies based on standards like PCI or HIPAA or NIST, or whatever those might be, actual policies that are created by your own company, right? So, you know, each individual company, like for example, I was working with a financial institution here last week that had a very specific way of having namespaces, right? So when they were building, creating namespaces to deploy applications, they wanted a very specific namespace. So they created a policy to make sure that every single application that got deployed followed that pattern. So you can kind of see here the benefits are endless when it comes to it. I'm going to interrupt you there, because I think that that is a great leaping point to one of the questions, which is RHACM, or you know, Advanced Cluster Management, and ACS, Advanced Cluster Security. So there is some overlap when it comes to things like security policies there. So can you kind of expand on the role of each one? You know, where they overlap, where they accelerate, succeed individually. Yeah, so, so there, there is a lot of overlapping with those two. So for those, just a little bit of history, right? So ACS used to be called StackRox.
So StackRox was an acquisition that we did earlier on this year. Fantastic product, right? And now became ACS. So of course with that, you know, there comes some, there's some policies and some governance and securities that overlap, right? ACS, really what it focuses on is, you know, do a policy management very, very well. I mean, they do very advanced policy management, and you know, ACM does more basic kind of policy management. So I think the overlap, it's clear, right? If you kind of need both, as a matter of fact, we have, you know, a bundle that we call OpenShift Plus that actually includes both products. As of right now, they currently don't integrate, so there's no real integration between the two products. Too new, right? I mean, we just acquired the product. We're just going through renaming the product, right? And doing that, but there will be integrations of both ACM and ACS, right? So right now they kind of remain separate products, just because ACS, and again, I'm not an expert on ACS. So, you know, don't ask me to go deeper on that, because I really don't know ACS, just like, you know, Andrew was saying he doesn't know ACM. I don't know ACS. But I do know enough that there are much more advanced policies that you can do with ACS, and it's a complementary thing on top of ACM. So ACM specifically targets multi cluster, right? I've got five or ten or five hundred clusters and I want to apply policies across all of those. Does ACS do that, or is ACS more targeted at individual clusters? No, ACS can do multi clusters as well. It can do, it can do several clusters. It's just, it's more around, there are a lot more out-of-the-box policies and they're more complex type of policies, right? You know, ACM does, there's two ways that you can do policies on ACM, right? Like you can do it to inform you that you might have an issue, or you can enforce a policy, right? Where ACS can go a little bit deeper than just that, right? It can be constantly iterating and changing and going back and forth.
So it does a lot more. Again, you know, from a high level, right? I don't know. I'm not an ACS expert. And just to put a plug in for those guys, and Chris, not to put you on the spot, they have, they have a stream as well. I don't, I think it's monthly. So we're working on two different streams. One's kind of the community-focused one, it's open source, and then, yeah, I think it's the first Tuesday of the month we do the ACS show, okay. But definitely subscribe to the calendar or look at the calendar and search for it as you see fit. Yeah, we'll definitely be doing a lot more of integrations, right? So right now, like I said, it's just too new still. You know, the ACM ship was already moving; ACS kind of, like, came in right behind it, right? So they will be doing a lot more integrations here shortly. So, you know, I think the, the bundle that we just came out with, the OpenShift Plus bundle, I think it's a fantastic, you know, bundle that includes all the tools to really help you manage all your OpenShift clusters, right? So, yeah, yeah, Platform Plus is nice, right? Because it's, it's OpenShift Container Platform, it's ACM, it's ACS, and it's Quay, or "key", UK or Australia. So, yeah, it's, it's a really powerful set of tools that can be combined into, you know, even greater, and I know we're working on a bunch of stuff to showcase and highlight how all those things work. Absolutely. Yeah. Yeah, we, we're gonna have a lot of, you know, use case driven examples that we will publish shortly. So, so definitely stay tuned for those. But so, yeah, let me perhaps, I think it will be a good idea, unless you see some other questions coming up. So there is, there's a bunch of questions. There's a bunch of questions. So I think, so DMI 3, I see your questions around metrics. So I think we'll address that next, because I have a feeling Jimmy's gonna want to demo something for that. So, so the next one from MR: can we sync with two OpenShift clusters using
RHACM? And I don't know if that's like, can I deploy the same applications to two clusters, right? Can I make the two clusters look equivalent, which to me sounds a lot more like GitOps. So maybe, maybe it might be helpful to understand the difference between the capabilities of GitOps and ACM. Yeah, absolutely. So, um, so maybe for that, let's, let's go through some visuals, right? So, um, let me go ahead and kind of fire up my, my demo here. And again, my, my demo environment is kind of funny. I was telling this to Andrew earlier, the demo gods were not with me. We just had a release candidate last night. So I just updated it. So if you see any kind of weird things, it's just, you know, it's a brand new release that I literally built last night. But so from an applications perspective, right? If we look at deploying, like, you know, what we were talking about, deploying the same exact application into two different clusters, right? This is where we start getting into a little bit of GitOps, right? And, and you know, Red Hat really has a good, a good way of doing this. We have multiple ways of doing it. By either, you can deploy an application directly from ACM, you know, based on a YAML that you have, by directly connecting it into a Git repo, right? So you can literally select your Git repo URL, you can select your path, right? And you can select your branch, and deploy the application, right? I need to make a little bigger, Jimmy. Yeah. Yeah, little bigger, please. Yeah, the only problem with going up in the sizes, I think it might look a little bit odd, but hopefully, hopefully they don't. There's a sweet spot between odd and readable. Yeah, it's this, it's this readable and odd. Not odd. Is this, this good? I mean, I think you could go up one more in it. Okay. We'll go a little more. We'll go one more. We'll go one 150. There you go. Yeah, all right.
All right, cool. Okay, so hopefully everybody can see. Apologies for that. But so you can see here again, like you can select a pre branch, right, a branch and a path, right, to being, to be able to do deployment directly from Git. You also saw, you know, when I selected the repo type, and then I'll go ahead and cancel this one, but when I selected the repo type, you can also do Helm charts and object storage. So that's one way of doing application deployment to multiple clusters that will look exactly the same, right? The other way is using the GitOps, which is we leverage Argo CD. So we use the upstream project for Argo CD, and we are able to kind of, you can do Argo CD in several ways, right? So you can see here that I have an Argo CD here instance, right? With an application that I've deployed. For example, let me look at this one. This one is a good example. So you can see here that I can actually see the application. I can see this is uploaded to two clusters, right? I can kind of troubleshoot. In this case again, there is some refresh issues from me rebuilding the environment last night. So it's not fully showing you all the information. So this is not deployed, but it really is. But, you know, once you, you can see and troubleshoot and basically work with the application directly from ACM without having to work with it from Argo. If you feel like working it from Argo, you can launch into the Argo context. Actually, there you go. There was a sync failure. So ACM is actually reporting properly here as to what's going on with this application, right? What this allows you to do, right? Argo CD, for a lot of customers.
They really use it for deploying applications, but Argo CD can be very complicated. It does not allow you to really manage your clusters. So it only does one thing really well, which is application deployment, and that's it, which, which is fine. But if you're looking a little bit more than that, if you're going to look beyond just deploying applications and, and, and managing applications, right? And it kind of being able to deploy the same application to multiple clusters, then ACM is your answer, because then you're able to kind of take labels, right? And actually deploy the application to multiple clusters. So you can see for example, another application here that, that I have. Let's see this one. I think, yeah. So this one is deployed to two different clusters. So this was deployed to the local cluster, and the unknown cluster is that one cluster that I have that I haven't, I haven't revealed it yet. So that's why it's, it's a short or read here. But once I reveal my cluster with my proper label, then it will automatically re-deploy that application automatically the moment that I assign a label to it. So that's how that works. So yeah, yeah, that's really cool. Yeah, I don't have to do anything other than deploy a new cluster, and right. I'm gonna use that to change directions on you a little bit. I'll let you finish that thought of. So I know one of the things that I learned early on about ACM is it can deploy clusters for you. And I think that's probably where you're going next. So, yeah, so I guess, you know, one, what does that look like? And, and Andrew's head immediately goes to where can I deploy clusters? Can I deploy them cloud, on-prem, disconnected? And, and two, from a management experience, what does that look like? And there's a couple of questions in here specifically about like metrics. Yeah, okay.
So, so before I go into that, let me just finish one last thought about the applications here, because it's important to, to know this, right? So like, like I was saying, right, that I rebuilt this whole ACM environment, and because I rebuilt it with a new release, right, I had to load up all these applications back up, right? So I actually leveraged Git, a Git repo, to actually reload all these applications, and because my cluster is not, does not exist within an ACM instance just yet, I haven't imported it, that's why it shows here as unknown. But if I went ahead and actually imported that cluster, assigned that label, it will just automatically deploy. So think about how easy it is for you to get up and running again if you have a failure, right? A cluster failure, massive cluster failure. You'll be able to get your application up and running very quickly. So something to keep in mind. We're talking about that. You inadvertently answered another question in chat that I had already answered in chat, which is, yeah, you can, if you haven't, if you have an existing cluster, you can absolutely import it. Yep. Yeah, exactly, exactly. So, so yeah, so let's talk a little bit about clusters and managing clusters, right? Which is what, you know, the administrators will really be caring about. So you can kind of see here, I have a couple of clusters that I've deployed. Let's walk through the create cluster flow. It's pretty straightforward. You can see here basically all of the different types of cluster platforms that we support. So obviously we only deploy currently OpenShift clusters into all of these other platforms, right? So AWS, Google Cloud, Azure, VMware vSphere, which is a large amount of our customers that run, you know, OpenShift. We can also deploy into the Red Hat OpenStack Platform, right?
Within, you know, local environment, and then bare metal. So lots of options when you're building clusters as to where you're going to deploy. Of course, as I mentioned earlier on, you're able to import any type of cluster that you have. So, the dog is very happy about something. So the dog is very excited. It's okay. It happens. So, so yeah, so you can import any type of different type of clusters, right? So if you build a native AWS cluster, right? You can bring it into ACM and do some management. Granted, there is a limited type of management that you can do, but you can still deploy applications, you can apply policies and all of that, right? But to build a cluster is pretty simple. I select, you know, the, the platform that I'm going to do. I have some credentials that I need to configure in order to, obviously, you know, deploy these clusters. You can configure as many credentials as you want for as many platforms as you want. So pretty easy there. Then you provide some cluster details, right? So say my new cluster, right? You can add this to a cluster set, and I'll go into what cluster set is in a minute. It's very, very, very cool. So and tie there for me, and then of course you can pick your release image. This is where also you can kind of start seeing the integrations with the rest of the platform. So we were talking about the OpenShift Plus, for example, that includes ACM, ACS, as well as Quay. You can see here that we're pulling images directly to Quay. You don't necessarily have to use Quay. You can use your own image repo. You know, ACM also works in offline, disconnected type of environment. So for example, telco use cases where you want to just deploy clusters offline. As long as you have a repo that ACM can access, then you can deploy clusters, right? You can specify any labels here.
So you can, you know, do, I've been using, it is a free text field. So I'll be using just simply environment type today, equals prod, all right. And the beauty of this is that you can turn on and turn off the YAML. So you can kind of see as you're building this, right, you can see the, the YAML updating. You can select, obviously, you know, whatever region in the US you want to deploy this, right? One of the cool features about OpenShift 4.8 is the single node deployment, right? And from an ACM perspective we support that as well. So for, again, telco use cases, a single node might be something that is useful, right? Or there's many other use cases, but that's one that just comes up. That single node itself is still tech preview, but it's really cool that we're already supporting it across all these things. I also want to highlight that I think it's awesome that if you, you can see the YAML there, it's using Hive behind the scenes, right? All of these deployments. So yeah. Yeah, that, that to me is really awesome as well. I really like this, it builds the YAML and shows you too, so that way if you wanted to you can simply copy and paste it out. Hey, exactly. That was gonna be my thing right at the end, right? Like you, you're getting a little bit ahead here for me, but that's perfect. But I can actually go in here. So for the worker pools, right? I can set this to zero, and as long as I have my release image for OpenShift to be 4.8 and above, right? You know, I'll be able to kind of just have one master node. Again, tech preview, but it works already. We're really supporting it. Networking type, right, not gonna get into that. This one's pretty interesting. So with ACM 4.0.3, which will be released here shortly, I am showing you something that's unreleased yet, but 4.0.3 will be released here in, in a few weeks in the name, within a week actually, you'll have the ability to integrate your cluster builds with the Ansible Automation Platform.
So if you use Ansible today Right, and I know Chris you are an ex Ansible guru So this is this one is for you We can actually go ahead and integrate and do pre and post jobs. So for example, I can pick You know an Ansible job template, right? You can add one here I'll show you how that looks great, but it allows you to run An Ansible job in two phases. You can do it during the installation phase You can do a pre or a post and then you can also do it through an upgrade So if you're doing an upgrade of your ACM or your, you know, open shift cluster Then you're able to run a pre and post test So you can imagine the possibilities here endless, right? So you can integrate, you know, some use cases samples You can integrate this with say ServiceNow To be able to kind of open up a ticket to make sure that your cluster as you're building your cluster, right? There is a ticket saying hey, I build a brand new cluster, right? I said, okay You can have a pause and wait until that ticket gets approved before it actually goes and provision the cluster, right? Which, you know, it might be useful for a lot of organizations, right? So the possibilities are endless here when you can do another use case I can think of over top of my head is vSphere when you're building clusters OCP clusters on vSphere, you may need to set up DNS You need to set up a lot of like things that not necessarily related with the build of the cluster But you know, they need to happen, right? The administrative tasks that need to get done. You can automate all of that through This right so you can integrate it with with ansible automation platform and automate all of that, right? So I've seen folks do some really cool things with that too. I saw I talked with one customer who was creating custom operators To interact with their external resources. So I have a storage operator. 
I think they were using netapp So they they used ansible to create an operator to interact with their Netapp storage device so that when they went to create a new cluster They created a new object in open shift which created a new volume on their netapp Which then added it into vCenter and then when they used hive to deploy the cluster it used that new data store specifically for that cluster like just That's also crazy really interesting stuff, you know around what folks are doing there Yeah, I mean, you know people's often forget that You know, just because we can very easily now build these clusters, right? There are a lot of things underneath the covers that still need to get done, you know storage networking, right? firewall rules You name it, right? They need to get done underneath the covers to make sure that you you can provision these right so You know all of those tasks that are mundane that are repeatable that, you know Administrator has to manually sometimes do it. You can automate them now with ansible and ACM and you can integrate them as seamless, right? So as Andrew was mentioning, obviously all of this is hive I can actually go ahead and take all of this and copy it, right? I can copy all of my Cluster YAML for my cluster definition as well as my installation configuration and I can take this and put it into a git repo So now if I'm building clusters and I want all my cluster images to be exactly the same Then there you go. I'll have that. Oh, I would have to do is just come in here copy and paste Up we go. That's it. Simple. You can get kind of meta there, right of you can yeah You can deploy clusters now using GitOps to then use GitOps to deploy applications into those clusters said, yeah It's what we call inception. 
Yeah For those of you who remember that movie fantastic movie if you've never seen it highly recommend it really great movie All right, so as we go back here and we get redirected so my cluster is now being built I Have a couple of other clusters that are still kind of kind of building This one was trying to run a pre hook because I had selected my ansible and it failed. I wanted to see that Right. I wanted it actually to fail. So that's fine. We'll go dive into why it failed here in a minute But what I wanted to talk about Here is some technology preview things that we're adding with ACM 2.3 that will interest a lot of administrators One of them being the cluster set. So cluster sets really allows you to kind of take clusters and kind of group them together right to Do things like access my role role access, right? So for example, if you want to segregate Say specific clusters that you know, perhaps somebody, you know, say your dev team has access to but maybe you know You know another dev team might not have access to or another QA team might not have access to right you can do that with Cluster sets you can also do things like deploy Submariner So now we can actually and for those of you that might not know Submariner It allows you to have direct networking between OCP clusters is an open open source project that Very cool allows you to kind of really have that great communication without really having to open a configure much more Networking right you can come from here directly and actually install that into a cluster So I can actually say I want my local cluster, right? I can specify all my configuration here and deploy, you know Submariner It also allows you to like I said have access groups and we follow the same access groups as OCP so whatever is configured within your OCP cluster, right? You can have all your different users you can do it by group and we have the same roles, right? 
So either a cluster set admin or a cluster set view So you can either see it or administer it all of this the Submariner thing that integration is really cool to me That's something I'm I'm excited about and wanting to play with you know that that one of those mythical days when I have free time I think it also opens. I know, right? Yeah, I think it also and Mariano kind of prompted a question here around continuous cost optimization and application placement make once we start talking about like cluster groups that now have Submariner between them and all this other stuff. Is there any? Integration with like cost management or other tools to say like, oh, you know This cluster which is using maybe spot instances instead of on-demand instances, right? I want to shuffle application workload over there Automatically and then if the spot instances start getting reaped by you know, AWS or Azure or whatever platform I'm using You know keep keep deploying them or redeploy them onto one of the on-demand clusters or something like that Right. Um, so currently we do not have any integrations with cost management. Unfortunately You know us as we as for the viewers, right? So within cloud.redhat.com There is what we could have the cloud the cost management tool that allows you to see your You know open-shift cluster costs, right? Regardless of what cloud it might be, right? But currently we do not have an integration with it. We are working on integrating into that You know the first step You know, you got to remember also ACM is kind of like a fresh product Really been on the on on the red hat market, right? 
Because it used to be a product from the IBM portfolio that kind of we brought it into Red hat just because it made more sense It's been like almost a year and a half So we were working mostly with and prioritizing the platform integration first with Ansible because we felt that our customers You know will be using that more exact to automate some of the tasks that we talked about earlier But integration with costing is coming. We do have one cool integration here That I will want to show here in a second with red hat insights. So we can actually integrate with Open had open shift. I know whatever it's called red hat insights for open shift. I think it's called I don't know. I think that's right clarify the name I clarify the name for me It it we have too many names too many acronyms to kind of keep track of everything I feel but We do have integration with that that allows you to see any kind of issues any kind of problems that you might have with your Clusters, and I'll show you that in a minute. So But yeah For the audience sorry to interrupt you Jimmy, we will be talking about insights next week with John Spinks nice Awesome. So yeah, we'll be talking. We'll be diving deep into that Perfect. So we'll definitely be talking about you'll be talking about red hat open shift for insights. I believe it's called And I I want to make sure because we've got a 15 ish minutes left. 
I want to make sure that we hit DMI three Their their question about metrics across multiple clusters and I know we touched on kind of the the down low side of things you know the the in the weeds back when we had the Who is it David or a Brian Bowdoin on where we talked about Thanos and all that other stuff So seeing the other side of that now, I think we will be interesting But yeah, I just want to get through this last part of a cluster because it's very important and then we'll go and talk a little bit about metrics So cluster pools, I wanted I wanted to talk about this because we're really excited again This is this is another technology preview thing, but Basically what this allows you to do is create pools of clusters that can be sitting on a hibernation state Until you bring them online, right? So think of this use case of you wanted to Perhaps scale up your clusters or your applications, right? Due to a high demand season, right? So maybe maybe you have a lot of traffic coming into your application and you need more Clusters behind it to be able to do that, right? So with ACM now you have the ability to take these We lost your audio Jimmy Audio gone we got you something else try to connect to his device That happened to me recently. Yeah, like I connected a set of Bluetooth Headphones everything is so close together. Yeah, and my kids turned on the TV and it hijacked my Suddenly I was listening to I think my daughter was watching Shira and Netflix or something See, I always use the wired connection because there's no Bluetooth involved that way I know for a fact it won't just jump devices on me and like it's happened before and that's why I've Unwired only from this point. Yeah analog will never go away says I'm Roshan chat. 
That's pretty much true Yeah, Apple likes to think for you which I found to be a little bit dangerous at times Yeah, I mean it just works not necessarily the way you want Let's say I you know, I recently switched to using Apple TV and I discovered that if you have AirPods apparently you don't have to connect them to the TV You can have them connected to your phone which will connect to the TV and then you can have audio from your TV through the air pod Mm-hmm, and you know, it's I recently showed My mother actually that hey, you can use your laptop and your cell phone together to make phone calls. Yes And yeah, so yeah Apple. Thanks. Thanks Apple for thinking for us. Sometimes it's good. Sometimes it's not good. Yeah So I'm kind of looking through the chat here to see if there's any questions. So one I saw it's valid voli key Apologies, if I'm completely mispronouncing names Does advanced cluster manager come bundled with open shifters at a separate product with a different license slash subscription model? So the answer is both yes and no So I answer this in the chat, but to verbally answer So if you're using platform plus entitlements, then ACM is included for those clusters If you're using the okay e or ocp entitlements, then it would be an add-on So and you can you can have and we talked about this. 
I don't know if we've talked about it I think it's in the subscription guide, which I saw in Roche link to where you can have an OPP cluster right so an open shift platform plus cluster that is, you know connected into ACM You can have other clusters that are individually licensed all connecting into the same ACM And also ACM is considered an infrastructure workload So you can deploy an open shift cluster that does nothing but act as a hub if you will for an ACM deployment And you don't there's no open shifts entitlements associated with that unless you're also hosting other, you know application workload on there so You know effectively if you if you need those resources in order to do the management piece and a lot of other stuff then It's it's certainly an option There's another question. I was gonna answer in here. Can you can you hear me now? Hey, we can't hear you. There we go Finally, I apologize Apple products anyways, let me just go through this real quick I know that we have less than you know, 10 minutes left. Do we have a hard stop today Chris? We do not Okay, please feel free. Oh, okay. Cool. Cool. Excellent. Alright, so just very quickly I wanted to go through the hibernation So as I said being able to take clusters in and out of hibernation, right? so think of this for a spot instances or Any other type of, you know instances that you be able to kind of take and just kind of hibernate put them away So they're not actually You know spending money and having them up and running, but then you can bring them into the cluster pools So for scaling out on applications things like that. It's really cool Now you can actually do this all through here. You can scale your cluster pools So right now for example, I have my cluster pool to two instances I can go and scale it say I'm gonna go ahead and add a third instance, right? 
And it will automatically go and start building that instance for me I don't have to configure go through the installation got nothing It's already based on the first cluster that I build the first cluster pool that I created It's gonna continue using that same configuration. Of course I can update the release image as well So you can select a new image So if there's a new image of open shift that you want to start using instead of you know An older one and keep the same parameters, then it will do that, right? It will leverage it using all of that so cluster pools. It's a fantastic way of Kind of managing your clusters, you know taking your clusters in and out of hibernation, right? so and bringing them into the The pool for deploying an application. So if say this cluster is hibernating And I want to bring it have a new application that I want to deploy then I can just assign You know, the correct labels and the moment that that cluster comes online It will get that application instantly. So really cool way of managing your clusters there And then finally the discovered clusters This is also pretty awesome. So if you are using the cloud.redhat.com open shift Container platform over there. You're able to kind of discover those clusters and bring them into ACM now So you can actually manage those clusters directly from ACM so Another cool way to be able to bring those clusters you can kind of see here some of the some of those We have them all by good, right? so just out of curiosity to Tangent for a moment. Does ACM work disconnected? It does. It does. It does. Yeah, I mentioned that earlier But yeah, it does work disconnected. You can have it completely isolated again. ACM installs within an open shift cluster as an operator So you can have You know the operator install Completely offline and then you can deploy clusters as well and manage them as long as you have access to your offline repos Right for the images, right? 
Obviously, but all right, so somebody to ask earlier on about Thanos and the ability to have metrics. So our metrics we do things as I mentioned earlier We do have integration now with Red Hat OpenShift for insights or Red Hat if insights for OpenShift one of the two But it's basically using insights in the bottom, right? And you can see here if I go into my clusters real quick and I'm going to go into my local cluster You can see here in the status when it loads up that it's identified a CVE issue, right? So this is kind of like what insights does insights looks at CVE's and Risks and Whatever there might be security configuration health performance Anything in between and it brings them up for you to be able to see what's going on, right? You can click on it see what the issue is how to remediate it, right? Again, RC RC bill here does not have not painted this just yet, but you'll be able to see all of the issues that might be With that cluster. So that's one way that we do You know kind of monitoring for your clusters. The other way is through Grafana so if you notice on top here, we have a link to Grafana instance and Basically what we provide you is an out-of-the-box Dashboard with a lot of information about your clusters, right? So everything from how the API health is the API server health the etcd memory CPU, right? And you can see all of the information here. You also can go into your Dashboards over here and we have a brand new Dashboard that we are building for this release, which is the resource optimization Graphic that allows you to kind of see what's going on with your cluster and how you can optimize this cluster all of these You know, you can also create alerts. So you if you wanted to build alerts for say a certain threshold that your Cluster is going to go over you can build an alert and integrated with Slack for example, so you're able to kind of Create alerts and automatically have it going to a Slack channel. 
Say, hey You have an issue with cluster a cluster B cluster C whatever right? You can create queries. You can build your own custom dashboard pretty much everything that you can do with Grafana right you can you can you can do it with With you know, you can integrate once integrated here with a CM you can work with it, right? So it is Thanos underneath the covers, but Grafana is like what really, you know visualizes help you visualize this makes it all pretty so Daniel asks he's using ACM 2.2.1 and is wondering if the detecting or showing CVE functionality is new with 2.3 It is it is it's a brand new 2.3 functionality So yes, and I wasn't sure is that is it learning or getting that information from insights? Or is it just finding that information itself? It is getting that information from insights So, you know, you do need to have your cluster registered to cloud.redhat.com in order for you to be able to see that information So, yeah, okay. Cool. Good to know. Yeah, absolutely Okay, so we have like one minute left. So let me go over they the governance Just very quickly right because I know there were some ACS questions and things like that So yeah, don't be afraid to spend a few minutes if you want to get through something because we don't we don't have a hard We don't need a stop unless you do. Yeah. Oh, okay. Great. Great Yeah, I should be okay for another 10 minutes or so. So all right So going into the governance, right? So you can kind of see here I have a couple of policies that I have deployed I have a certificate policy Right that that have deployed and you can kind of see here that all of my clusters are Compliant I can dive into that and see what the actual You know compliance is right so you can I can see all of my details. I can actually see the YAML so you can see you'll see the same recurring a Kind of theme throughout the product where you know, the YAML is always forefront, right? 
So it's always there for you to be able to kind of take this and move it into a git repo if you wanted to right to kind of help you Kind of keep all of these policies as a matter of fact out of the box We have a git repo that you are able to kind of get you started with policies, right? So if you go to the The open source project Which is open cluster management by the way another thing to note for 2.3 that is important. We're finally open source. Yay Yes, yes, that took about a year and so but yes now we are fully open source. So yes Amazing so You can see here that we have two different kind of policies That you can kind of grab from so you can grab them from the stable folder or the community folders obviously as the names kind of you know allude to the communities for all everybody that you know want to contribute to putting You know any kind of policies in here and in the stable ones are the ones that we provide out of the box But you can kind of see here Maybe it gives you an idea of what some of the stuff that you can do right for example gatekeeper gatekeeper is You know the gatekeeper operator It's a fantastic way of enforcing policies right within your environments We can actually come in here and install the operator directly from ACM, right? So we already kind of provide you the raw YAML here. So I can go ahead and copy this YAML over here go to my ACM and Let's just create a policy see so you guys see how easy this is So I'm going to go ahead and paste all of my YAML in here and automatically Pre-populated everything except my namespace, so I'm going to go ahead and as you see that with my policies namespace and You'll see here that the remediation type. There's two types of remediation right inform Which allows you to just report the violation say the violation There's a violation and enforce will automatically go and actually enforce it, right? And it will continue to enforce it even if so say the cluster goes offline, right? 
For what a reason you recover it you bring it back online You have that same label assigned to that cluster It will automatically go and apply that policy when that new cluster comes online. So it's pretty cool so go ahead and click create and Just like that. It's actually going through and deploying that gatekeeper You know configuration another thing to note here for 2.3. That's new is Another integration with ansible. Yes, Chris more ansible. So you can actually come in here and actually configure An integration pre and post integration with ansible, right? So I can select my ansible credentials here. I can select my job So, you know, whatever job you're gonna run here And you can save it you can add any extra variables. You can actually schedule it So the way this works is that you can manually run it so it runs once it can run Once the policy is detected there's a violation or it can disable completely the integration so From an ACM dot 2.3 perspective now we have a full end-to-end integration with ansible automation platform So from the cluster building, right? All the way to Governance and security and application deployment. It's all there So this is great for the great news for those customers that want to look into Enhancing and integrating again with those third-party data center tools so you'll notice that My cluster violation here. I have a Valuation of what's going on my cluster is not compliant, right? Why is it not compliant? Well, there's no there's no operator here, but no for for policy for gatekeeper so I'm gonna go ahead and Go back to my policies here and change my My enforcement level to actually enforce, right? 
When I enforce that and then in a few minutes it's gonna go ahead and go through and deploy the gatekeeper operator So think about you know the possibilities of this right if you have custom build operators You know Andrew brought up a great point about a net app operator that automatically created You know a storage within a storage device right to be able to deploy You know clusters or whatever You can actually go and build a policy here to do that You can also do You know many of the out-of-the-box policies that we have right as I talked about we have all of these Standards out of the box. So, you know, I'm not gonna go ahead and read them all But you can take a look at it on the screen here We have all the different categories again all of these categories all of these standards and all of these category Standards are all based You know around open shift. So great way to to be able to do that Is that relying on the compliance operator behind the scenes? No, no, it's not this is on this is his own We have our own compliance engine, but you can use the compliance operator and or OPA It's a matter of fact I have a policy here to deploy the compliance operator and we also have one out of the box within my Repo here. So you can kind of see here my compliance operator, right? And we provide you with some examples like for example essential late, which is a standard security Profile, right that you can actually go and kind of gets you kind of gets your fee wet, right? Into policies because this is a whole new world, right when it comes to policies, right? Yeah, very deep. I was just thinking that we we should probably have a stream with Kirsten To talk about all the layers of security and all of because I mean we said this at the beginning, right? There is some overlap. 
So understanding what each one brings and when it's appropriate to that type of stuff I think will be a Enlightening yeah, and and like the security features are just open shift by themselves versus what this adds Like that whole conversation like we basically just did that on the low power talking about, you know Yes, open shift has all these security things in place But you need to actually have multiple layers of security around your cluster including down to the container level. So, yeah Don't just rely on SCC's and se Linux to kind of get the job done Your apps are good too and that's a thing right over that's that's part of the thing right of the whole Defense in depth and multi layers because like those are important for like Enforcing and ensuring, you know strong isolation between those processes Well, that's not the same thing is applying like access policies and all you know All of these other controls and as well as securing and hardening the rest of the the cluster and aspects. So Jimmy, I don't know if you have anything else that you wanted to touch on or cover No, I think that's pretty much it. I mean, you know, besides obviously the new kind of look and feel right of ACM it looks a little bit more You know, we switch now to pattern fly so it's a little it's a little It's a little more look and feel similar to what OCD brings. Yeah consistency. What about what a concept, right? 
So And and then, you know, we we kind of move some menus around right so we now have our Credentials we have a main credential screen where you can configure, you know Not only your credentials for all of your providers But also for you know, open stack vSphere bare metal and from, you know The automation and all the type of credentials like Ansible and things like that You know, and I think that's pretty much it I mean, I didn't get to go into the visual web terminal But those of you that use ACM in the past will know what that is It's just basically a visual interface that allows you to interact with your clusters Without having to open a terminal window. So you know, right from here I always love that functionality right there. Yeah, it's all basically to it's pretty awesome I just deployed the the web terminal operator in my 4.8 cluster this morning. So yeah, it's it's nice I like it a lot. Yeah, I encourage everybody every admin to consider installing that. Yeah Well, it'll make it easier for the for like the streams and stuff as well because now I only have to share a browser window Yeah, that makes a big big big big big difference. Yeah, so all right Well, I know we're running a few minutes over. So thank you for our audience for staying on with us. So Jimmy Thank you so much for coming on today. I really appreciate this has been super helpful and enlightening to me I've been meaning for a while to deploy ACM and starts, you know, using it for the stuff that I do internally So maybe this will be the proverbial kick in the pants that I need So thank you again, really appreciate it audience. Thank you so much for joining us today If you have any questions if there's anything we didn't address Please feel free to reach out at any point in time. You can contact me via email Andrew Sullivan at redhat.com Or you can contact me on social media. 
So Twitter practical Andrew, which is the same So no no space or anything as you see in the chat if you've been watching on the streams Aside from that, I know that tomorrow the GitOps Guide to the Galaxy is happening I think I saw Christian posting about that But Chris, I'm sure you've I know you've posted the calendar in there a couple of times Be sure to subscribe to the calendar because we've got a bunch of stuff coming up That I think is all relevant and important. Yes. Yes, and we'll be discussing troubleshooting RHEL boxes in the next show which comes up at 2 p.m. Eastern 1800 UTC so Scott McBride and I will be breaking and fixing Red Hat boxes I specialize in breaking things So thank you again very much everyone, please join us next week where we'll be talking about Insights for open shifts with John Spinks And until then have a good rest of your day rest of your week and as Chris likes to say safe Say stay safe out there, especially you Chris. Yes. Yes. I will try to follow my own advice. Yeah, I Saw the picture you posted earlier where it's saying more storms in your area. So yeah, best of luck to you Good luck. Good luck. Yeah, thanks. All right. Thank you. Jimmy. Thank you everybody. Take care guys Thank you so much for having me appreciate it. Thank you