Running Kubernetes in the Federal Government

KubeCon 2018: Running Kubernetes in the Federal Government – John Osborne, Red Hat

Tackling security compliance is a long and challenging process for agencies, systems integrators, and vendors trying to launch new information systems in the federal government. Each new information system must go through the Risk Management Framework (RMF) created by the National Institute of Standards and Technology (NIST) in order to obtain authority to operate (ATO). This process is often long and tedious and can last for over a year. Open Control is a new standard by 18F, an agency bringing lean start-up methods to the U.S. Government, in order to address ATO repeatability. Red Hat has worked with 18F to help create a Kubernetes implementation based on Open Control to automate much of the ATO process for Kubernetes systems.


Using the Yeoman Camel-Project generator to jump start a project

The Red Hat Fuse Tooling team recently broadened its focus from a cross-platform, single-IDE (Eclipse) approach to a cross-platform, cross-IDE approach (Eclipse, VS Code, Che), starting several concerted efforts to provide tools that work across platforms and development environments. Supporting VS Code has become a priority that led us to explore using the Yeoman framework for project and file generation to provide developers a way to jump start their Fuse/Camel development efforts.

This article describes the Yeoman framework and the new Yeoman-based Camel-Project generator the Fuse Tooling team created, and it shows how to install and run the generator.



Integration of container platform essentials (Part 5)

In Part 4 of this series, we looked into details that determine how your integration becomes the key to transforming your omnichannel customer experience.

It started with laying out the process of how I’ve approached the use case by researching successful customer portfolio solutions as the basis for a generic architectural blueprint. Now it’s time to cover more blueprint details.

This article discusses the core elements in the blueprint (container platform and microservices) that are crucial to the generic architectural overview.



Eclipse Che 7 is Coming and It’s Really Hot (4/4)

Eclipse Che 7 is an enterprise-grade IDE that is designed to solve many of the challenges faced by enterprise development teams. In my previous articles, I covered the main focus areas for Eclipse Che 7, the new plugin model, and kube-native developer workspaces. This article explains security and management of Eclipse Che 7 in enterprise deployment scenarios as well as release timing.

Enterprise Grade Cloud IDE

Eclipse Che has gained a great deal of interest in large enterprises that are moving to containers and want to standardize the developer workspace and remove intellectual property (source code) from hard-to-secure laptops. There are a number of features needed in order to make Che a simple-to-manage tool for these large and often private environments. Organizations want to secure workspaces, deploy them on new infrastructure, and make it easier for teams to collaborate while maintaining developer autonomy.

For those reasons, we are working on a number of different facets to make Eclipse Che easier to run and simpler to administer and manage.

Eclipse Che 7 — timing?

There is a lot coming with Eclipse Che 7. We spent a lot of time redefining the project’s foundations for the future, making it more enjoyable to use, easier to adopt by large enterprises, and able to support its community growth.

We are all very excited about this new version. In the following weeks, you’ll be reading more about the new capabilities and how they have been built. EclipseCon Europe was a great event where we were able to unveil a lot of the work we’ve been doing. Now it is time to share it with a broader audience.

It’s available today: when you create a new workspace from the latest Eclipse Che release, you can select Che 7 stacks. You can test it now, and you can post feedback or report bugs — those are always helpful and valuable!

Eclipse Che 7 early beta will be available in February with GA-level Che 7 planned for March.

Try Eclipse Che 7 Now!

Want to try the new version of Eclipse Che 7? Here’s how:

Click on the following factory URL:

Or create your account on che.openshift.io, create a new workspace, and select the “Che 7” stack.

Try Eclipse Che 7 on OpenShift

You can also test on your local machine by installing the latest version of Eclipse Che. See Quick Start with Eclipse Che.

Want to learn more?

My articles about Eclipse Che 7:

That’s it for the fourth article introducing Eclipse Che 7. I hope you enjoyed this series.

See also

For information about Che running on Red Hat OpenShift, see CodeReady Workspaces for OpenShift (currently in beta) and Doug Tidwell’s article and videos, CodeReady Workspaces for OpenShift (Beta) – It works on their machines too. Doug covers stacks, workspaces, and factories to help you get started with Che.


Integration of API management details (Part 4)

In Part 3 of this series, we started diving into the details that determine how your integration becomes the key to transforming your customer experience.

It started with laying out the process of how I’ve approached the use case by researching successful customer portfolio solutions as the basis for a generic architectural blueprint. Now it’s time to cover various blueprint details.

This article takes you deeper into specific elements (API management and reverse proxy) of the generic architectural overview.



Security Considerations for Container Runtimes

The recording of my talk, Security Considerations for Container Runtimes.

Dan Walsh, Red Hat (@rhatdan)

The talk explains and demonstrates using Kubernetes with different security features for your container environment.

General Concept

  • Run containers without root, period
  • Take advantage of all security features the host provides

Configuring CRI-O:

  • Run containers with read-only images
  • Limit the Linux capabilities running within your container
  • Set up container storage to modify the storage options in a more secure manner
  • Configure alternative OCI runtimes (Kata, gVisor and Nabla) to run locked-down containers

Building images with security in mind:

  • Limit packages/attack surface of container images
  • Build container images within a locked-down Kubernetes container

Advances in User Namespaces

  • Demonstrate running each container with a different User Namespace
  • Configure system to take advantage of user namespace container separation, without taking a drastic speed hit

And many more…

You might find Scott McCarty’s article A Practical Introduction to Container Terminology helpful for a comparison of container runtimes.

See also Containers without daemons: Podman and Buildah available in Red Hat Enterprise Linux 7.6 and Red Hat Enterprise Linux 8 Beta.



Eclipse Che 7 is Coming and It’s Really Hot (1/4)

A better plugin model, a new IDE, and Kubenative Workspaces — Eclipse Che Is on Fire!

With this article, I am starting a series of articles highlighting the new capabilities which will be introduced with Eclipse Che 7. This article provides an overview of the areas of focus for Eclipse Che 7 as well as its new IDE and ability to use different IDEs such as Jupyter.


What a year for Eclipse Che! Release after release, Eclipse Che gets better and better thanks to the engagement of the community and your feedback.

As an open source project, the core values of Eclipse Che are to:

  • Accelerate project and developer onboarding: As a zero-install development environment that runs in your browser, Eclipse Che makes it easy for someone to join your team and contribute to a project.
  • Remove inconsistencies between developer environments: No more: “but it works on my machine….” Your code works (or doesn’t) exactly the same way in everyone’s environment.
  • Provide built-in security and enterprise readiness: As Eclipse Che becomes a viable replacement for VDI solutions, it must be secure and it must support enterprise requirements such as role-based access control (RBAC) and the ability to remove all source code from developer machines.

At the beginning of 2018 we shipped Eclipse Che version 6.0. That was a major milestone which added capabilities needed for developer teams and enterprises who wanted the benefits of shared and rationalized developer environments. You can read more in the release notes for Eclipse Che 6.0.

A few months ago, we announced during CheConf 18.1 the beginning of a new journey and a new chapter for Eclipse Che version 7. Seeing the interest from enterprises already using Eclipse Che and from the community that is building cloud-native applications, we organized the Che roadmap into 4 main areas:

  • Updates to the editor to increase the joy of development.
  • Plugins: Features to drive further growth in the Che ecosystem.
  • IDE tools running as microservices in containers to improve the fidelity between developer workspaces and production environments.
  • Enterprises: Features to support large scale use of Che.


We have integrated Eclipse Theia into Che to replace the GWT-based IDE. Eclipse Theia has the foundation required to help us enrich Eclipse Che.

Here is a small video showing the new IDE:


Only a few capabilities are shown in this video and there are a lot more to come. The most exciting ones are:

  • Monaco-based editor: blazing fast and responsive editor, CodeLens and much more
  • Command Palette: Do everything without moving your hands from your keyboard
  • Task Support: Tasks from VS Code are extended and support Che Commands
  • Embedded Preview: Preview your application directly from the IDE, including Markdown preview.
  • Customizable layout: Adapt the layout using drag and drop.
  • And much more: Outline View, Search, Git

However, there is a substantial feature gap between Eclipse Theia and our current Che IDE. Most of this year has been spent adding needed features to Theia so that it can fully replace the current IDE. The Eclipse Che contributors have spent more than five years building web IDEs in the cloud. So when we decided to switch to Eclipse Theia, we naturally wanted to make good use of that experience to make the new IDE really substantial. And enterprise grade.

We’ve been working hard to bring:

  • Debug Adapter Protocol
  • Language Server Protocol
  • Commands
  • Preferences
  • Keybindings
  • Textmate Support
  • Security

In the following months, that new IDE will become the default IDE for your workspaces.

Different IDEs for different use cases

There is one more thing. Che will still provide a default web IDE for workspaces, but we also did important work in order to decouple the IDE so that it is possible to plug a different IDE into Che workspaces. There are a lot of cases where the default IDE will not cover the use cases of your audience, or you might have stakeholders who are using a dedicated tool that covers their needs instead of using an IDE. In the traditional Eclipse IDE world, that was done with RCP applications.

With Eclipse Che 7, you’ll be able to plug any tool you want into a Che workspace:

Here’s an example showing Jupyter in a Che workspace:


The team from Eclipse Dirigible is actually integrating their web IDE into Che workspaces too:

Eclipse Dirigible

You can read more about Eclipse Dirigible in Che Workspaces in this article on

That’s only the beginning!

That’s it for the first article introducing Eclipse Che 7.

My articles about Eclipse Che 7:

Get Involved!

Quick Start with Eclipse Che.

Join the community:

  • Support: You can ask questions, report bugs, and request features using GitHub issues.
  • Public Chat: Join the public eclipse-che Mattermost channel to talk with the community and contributors.
  • Weekly Meetings: Join us in our Che community meeting every second Monday.
  • Mailing list:

Check out Red Hat CodeReady Workspaces for Red Hat OpenShift (Beta)

Built on the open-source Eclipse Che project, Red Hat CodeReady Workspaces provides developer workspaces, which include all the tools and the dependencies that are needed to code, build, test, run, and debug applications. The entire product runs in an OpenShift cluster hosted on-premises or in the cloud and eliminates the need to install anything on a local machine.

See the article CodeReady Workspaces for OpenShift (Beta) – It works on their machines too


Integration of external application details (Part 3)

In Part 2 of this series, we took a high-level view of the common architectural elements that determine how your integration becomes the key to transforming your customer experience.

I laid out how I’ve approached the use case and how I’ve used successful customer portfolio solutions as the basis for researching a generic architectural blueprint. The only thing left to cover was the order in which you’ll be led through the blueprint details.

This article takes you deeper to cover details pertaining to the specific elements (mobile and web application deployments) of the generic architectural overview.



CodeReady Workspaces for OpenShift (Beta) – It works on their machines too

“It works on my machine.” If you write code with, for, or near anybody else, you’ve said those words at least once. Months ago I set up a library or package or environment variable or something on my machine and I haven’t thought about it since. So the code works for me, but it may take a long time to figure out what’s missing on your machine.

CodeReady Workspaces and Factories

Built on the open-source Eclipse Che project, CodeReady Workspaces solves this problem (and a couple of others that we’ll talk about in a minute) by delivering secure, sharable developer workspaces. Those workspaces include all the tools and dependencies needed to code, build, test, run, and debug your applications. The entire product runs in an OpenShift cluster (on-premises or in the cloud), so there’s nothing to install on your machine. Or mine.



Achieving high-performance, low-latency networking with XDP: Part I

XDP: From zero to 14 Mpps

In past years, the kernel community has been using different approaches in the quest for ever-increasing networking performance. While improvements have been measurable in several areas, a new wave of architecture-related security issues and related counter-measures has undone most of the gains, and purely in-kernel solutions for some packet-processing intensive workloads still lag behind the bypass solution, namely Data Plane Development Kit (DPDK), by almost an order of magnitude.

But the kernel community never sleeps (almost literally) and the holy grail of kernel-based networking performance has been found under the name of XDP: the eXpress Data Path. XDP is available in Red Hat Enterprise Linux 8 Beta, which you can download and run now.
