Red Hat OpenShift 4.14, based on Kubernetes 1.27 and CRI-O 1.27, is now generally available. This article highlights notable updates in this release for OpenShift developers.

Enhanced security for workloads

OpenShift now has a Secret Store CSI Drive Operator that lets customers mount secrets from third-party secret management systems like Azure Key Vault, AWS Secrets Manager, AWS Systems Manager Parameter Store, through a provider plug-in. Secret auto-rotation allows the operator to be configured to sync with the external secret storage every two minutes and then automatically rotate if the secret has changed. Now sensitive data like passwords, bearer tokens, and certificates can be stored and managed in a centralized secret storage that is external to the cluster. More information on tested configurations can be found here. The Secret Store CSI Driver Operator is in Technology Preview and available via the OperatorHub. A complete secrets management solution will require the Operator from Red Hat OpenShift and the third party Secret Store CSI Providers that plug into external secret management systems. We hope to work with our partners to certify the providers as we look to make the solution Generally Available in a future release.

The operator can also sync secrets and create Kubernetes secrets. Now sensitive data like passwords, bearer tokens, and certificates can be stored and managed in a centralized secret storage that is external to the cluster. The Secret Store CSI Drive Operator is in Technology Preview and available via the OperatorHub.

Security Context Constraints (SCCs) control permissions for the pods in a cluster that define what actions a pod can do and what resources it can access. They are created by default during installation, when operators are installed, or when OpenShift platform components are installed or customized versions can be created. Customized SCCs or new higher priority SCCs that override out-of-the-box SCCs can cause preemption issues that could make core workloads malfunction. OpenShift 4.14 adds a SCC Preemption Prevention feature that pins your workload to a specific SCC to stop SCC preemption issues.

Hosted control planes for multi-cluster deployments

With hosted control planes, multiple cluster control planes as workloads can be hosted on the hosting service’s cluster nodes, resulting in 3 times the infrastructure cost savings, 2 times faster provisioning time, better reliability, and improved resiliency. Hosted control planes on bare metal is now generally available.

Hosted control planes with OpenShift Virtualization, which allows you to run hosted control planes and OpenShift Virtualization virtual machines on the same OpenShift cluster, will be generally available in the coming weeks. This combination enables running and managing virtual machine workloads next to container workloads.

Deploy applications at the edge or anywhere you want

Red Hat OpenShift Virtualization is now available on AWS and Red Hat OpenShift Service on AWS.

Red Hat OpenShift 4.14 includes MicroShift 4.14. MicroShift is an enterprise-ready lightweight version of OpenShift used in Red Hat Device Edge. It is optimized for usage with resource-limited devices at the edge like vehicle systems, drones, and IoT gateways.

Build modern cloud-native applications

The Red Hat build of Quarkus 3.2 improves developer productivity. With the quarkus deploy command, you can directly deploy Quarkus applications to Red Hat OpenShift without changing your project dependencies or configuration. To learn more, see What's new in the Red Hat build of Quarkus version 3.2.

Migration Toolkit for Applications 6.2 includes migration waves for project managers and architects to break the portfolio into different waves and execute the adoption in an iterative way; OpenShift monitoring integration to provide metrics for installation; and integration with Jira so that applications in the inventory can be exported as Jira issues and report status to the migration toolkit.

Migration Toolkit for Runtimes 1.2 provides support for Java 17 that includes decompilation and analysis of applications based on Java 17. It is also compatible with the Eclipse plug-in for Java 17. The operator is based on the Quarkus and the Quarkus Operator SDK. New rulesets and targets are supported for OpenJDK 21, Red Hat JBoss Web Server 6 (Tomcat 10), Camel 4, Red Hat JBoss Enterprise Application Platform 8 (generally available in late 2023) and Java/Jakarta EE to Quarkus migrations.

Improve developer productivity

Use the Developer Console to discover Red Hat Developer tools. In the Developer Console, you can now find odo; access the Terminal step of the guided tour; OpenShift IDE extensions, VS Code Knative IDE and IntelliJ Knative Plugin using the Create Serverless form; and discover Red Hat OpenShift Dev Spaces. There are also two new quick starts available: Installing Cryostat Operator and Get started with JBoss EAP using a Helm Chart.

Serverless Function Samples are now in the Sample Catalog.

You can now test your serverless function after it has been deployed (Figure 1).

Test action for Serverless function
Figure 1: Test action for Serverless functions

Cluster admins can change the default timeout period for all new instances of the Web Terminal and provide a new image as the default image for all new instances of the Web Terminal (Figure 2).

Cluster admin default image and/or timeout period for all cluster users
Figure 2: Access default image and/or timeout period for all cluster users

Support for v1 Tekton API

The Pipeline API version has been updated to v1 with the release of the Red Hat Pipeline operator 1.11.0. Learn more about the v1 release on

Pipeline user experience improvements

Show the PipelineRun duration (how long it takes to execute a pipeline with one or more tasks) on the PipelineRun details page, instead of having to go to the PipelineRun list view to see it. TaskRun duration, which is how long it takes to execute a task of one or more steps, is now shown in the Developer Console. Canceled pipelines will no longer be reported as failed in the pipeline metrics. Re-runs of PipelineRun will take the initial PipelineRun name into account rather than using the pipeline name, to avoid confusion in naming.

With the OpenShift Toolkit 1.5 IDE extension by Red Hat for Visual Studio Code and IntelliJ, you can easily bring your code into OpenShift by importing from Git and deploying the application directly to OpenShift, deploying your local workspace folder to OpenShift, or start your application development from a Red Hat supported devfile stack template. You can also now browse and install Helm charts and deploy them to a connected cluster. It is easier to connect and provision OpenShift clusters using Red Hat OpenShift Local, the Developer Sandbox for Red Hat OpenShift, Red Hat OpenShift Service on AWS, or Microsoft Azure Red Hat OpenShift. You can now develop, debug, and deploy applications on Podman using the Toolkit.

OpenShift Pipelines 1.12 based on Tekton 0.50

Tekton Chains is now generally available for use.

Tekton Results, which helps users logically group CI/CD workload history and separate longterm result storage away from the Pipeline controller, is in Technology Preview. You can bring in your own external Postgres database for storing records and external storage like Google Storage Buck or Amazon S3 for storing logs and events.

With Pipelines as code, you can expand a custom parameter within your PipelineRun resource by using the params field, extend the scope of the GitHub token at the following levels: repository-level and global-level, and set policies that allow certain actions only to members of a team and reject the actions when other users request them.

With the OpenShift Pipelines operator, you can configure the default SCC for pods that OpenShift Pipelines creates for pipeline runs and task runs. You can also set the SCC separately for different namespaces and configure the maximum (least restrictive) SCC that can be set for any namespace. We also support “options” field to enable additional configs for Tekton that are not currently added or supported by Red Hat.

OpenShift GitOps 1.10 based on Argo CD 2.8

There are three new dashboards available in the Admin Console for OpenShift admins managing their Argo CD instances: an overview of all your instances on the cluster, a detailed view covering each of the OpenShift GitOps components, and metrics for the gRPC service activity between components. To scale up GitOps usage, there is a new option to enable dynamic scaling of Application controller replicas, and a new configuration item to ignore frequently updated resources that may not be directly managed by Argo CD so that they don’t end up filling up your logs.

OpenShift Serverless 1.30 based on Knative 1.9

Serverless functions increase developer velocity; OpenShift Serverless provides templates for jumpstarting your application and does container creation for you. It is now available on IBM zSystems and Power using S2I builder for Quarkus, Node.js, and TypeScript.

Pipeline as Code for Serverless Functions is available as a Tech Preview. This integration improves automation and reproducibility. Serverless can now be installed on hosted control planes. Additional configuration options for net-Kourier, such as burst and QPS for performance gains, are now available.

Multi-container support for deploying multiple container pods through a single Knative Service is now GA, enabling users to deploy applications as a single unit, even if they are composed of multiple containers. Event Mesh with Knative Eventing integration with Service Mesh and Serverless Logic, which provides workflow capabilities for managing failures, retries, parallelization, and service integrations, is in Tech Preview.

OpenShift Service Mesh 2.4.3

OpenShift Service Mesh includes a gRPC extension for external authorization that allows users to delegate auth decisions to an external authorization system based on gRPC. Images for Service Mesh on ARM64 clusters is in Technology Preview, with plans to become generally available in 2.5. Service Mesh 2.5, which is based on Istio 1.18 and Kiali 1.73, will be available later this year and will include initial support for IPv4/IPV6 dual stack. A Developer Preview of the Sail Operator is available in OpenShift’s OperatorHub.

Next steps

To find out more about Red Hat OpenShift 4.14, including a list of new features and fixes, see Red Hat Simplifies and Expands Application Development with New Capabilities in Red Hat OpenShift or the release notes.

Ready to try Red Hat OpenShift?

Last updated: November 17, 2023