🧰 OpenShift (Red Hat): complete overview (1 to 17)
Enterprise Kubernetes: security (SCC/SELinux), CI/CD (Tekton), GitOps (Argo CD), Operators, observability, multi-cloud & edge.
1) Introduction
OpenShift = Kubernetes + security + CI/CD + governance + Red Hat support.
Tags: PaaS, Kubernetes, CRI-O
2) Architecture
API/etcd/control plane, workers, Ingress/Router, Registry, OAuth, Operators.
Tags: Control Plane, Router
3) Versions
OCP (commercial), OKD (community), Dedicated, Online.
Tags: OCP, OKD
4) OS & infrastructure
RHCOS (immutable), RHEL, bare metal/VMware/cloud. SELinux, Podman, systemd.
Tags: RHCOS, RHEL
5) Installation
IPI/UPI, DNS/load balancer, Ignition, disconnected, Day-2 ops.
Tags: openshift-install, Ignition
6) Security
SCC, RBAC, OAuth/IdP, mTLS, Compliance Operator, NetworkPolicies.
Tags: SCC, SELinux
7) CI/CD & GitOps
Tekton Pipelines, Triggers, Argo CD, S2I. Dev → Build → Deploy.
Tags: Tekton, Argo CD
8) Observability
Prometheus/Alertmanager, Grafana, Loki/EFK, metrics & logging operators.
Tags: PromQL, EFK
9) Pricing & licensing
OKD free; OCP (Standard/Premium), Dedicated (core-hour), enterprise support.
Tags: Support, SLA
10) CLI (oc)
login, new-project, new-app, get/describe/logs, adm, top, policy.
Tags: oc, adm
11) Multi-cloud & edge
AWS/Azure/GCP/VMware/bare metal, RHACM, MicroShift/edge.
Tags: RHACM, Edge
12) Use cases
Banking/PCI, healthcare/HIPAA, telco/5G, industry, public sector.
Tags: Compliance
13) Docs & resources
OCP/OKD docs, Learning Portal, OperatorHub, Marketplace.
Tags: Docs, Training
14) OpenShift vs Kubernetes
Hardened security, console, S2I, integrated registry, native GitOps.
Tags: Comparison
15) Strengths / limitations
+ security/support; - cost/complexity (vs k3s/EKS).
Tags: Pros/Cons
16) Reference architecture
HA control plane, HAProxy Ingress/Router, integrated registry, observability.
Tags: HA, Router
17) Conclusion & next steps
Enterprise Kubernetes platform focused on security & governance. Next steps.
Tags: Roadmap

1) Introduction
OpenShift (OCP) is Red Hat's enterprise container platform, built on Kubernetes, with CRI-O as the container runtime, Operators for automation, Tekton for CI/CD and Argo CD for GitOps. It provides a secured (SCC/SELinux), governed (RBAC/OAuth/IdP) and industrialised (Registry, Console, Routing, Monitoring) framework.
- PaaS: build → deploy → run (S2I, pipelines, promotions).
- Security: strong isolation, strict policies, compliance (CIS/NIST/PCI/HIPAA).
- Support: Red Hat (SLA, patches, CVE handling, lifecycle).
One-line summary: OpenShift = Kubernetes + security + CI/CD + governance + Red Hat support.
S2I example (Node.js)
oc new-project demo
oc new-app nodejs:18-ubi8~https://github.com/sclorg/nodejs-ex.git --name=hello
oc expose svc/hello   # creates a plain-HTTP Route; for production, create an edge or re-encrypt TLS route instead
2) Architecture
OpenShift extends Kubernetes with: a web console, OAuth/IdP integration, the HAProxy Router, an integrated image registry, Build/S2I, Tekton pipelines, Argo CD GitOps and operated observability. All of it runs on RHCOS (immutable), CRI-O and etcd (key/value store).
[Dev/CI] → Git → Build (S2I/Tekton) → Registry → Deploy (Operators) → Route/Ingress → App
<---------------------- Observability ---------------------->

| Component | Role | Notes |
|---|---|---|
| API Server | Front end of the K8s/OCP API | RBAC/OAuth, admission |
| etcd | Cluster state store | HA, encryption at rest |
| Controller/Scheduler | Reconciliation & pod placement | Affinities/taints |
| Router (HAProxy) | L7, TLS, SNI, sticky sessions | Exposes applications |
| Registry | Internal image repository | Quotas, pull-through |
| OAuth/IdP | SSO (LDAP, OIDC, GitHub) | Groups & mappings |
| Operators | Application lifecycle | CRD patterns |
Pod-to-pod networking (OVN-Kubernetes SDN), Services (ClusterIP/NodePort/LoadBalancer), Routes/Ingress (L7). NetworkPolicies control east-west flows. The Router handles TLS termination: edge, passthrough or re-encrypt.
Internet → LB → OpenShift Router (HAProxy) → Service (ClusterIP) → Pods
Pod → Pod: OVN-Kubernetes overlay, NetworkPolicy rules (deny/allow)
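The three termination modes behave differently on the wire, and a Route with no `tls` stanza at all (which is what `oc expose svc` creates) is the most common exposure mistake. The script below is an added example, not code from this page or from Red Hat: it reads the JSON that `oc get route -A -o json` produces and reports each Route's exposure. The route list it ships with is constructed by hand; the field names (`spec.tls.termination`, `spec.tls.insecureEdgeTerminationPolicy`) are the real Route API fields.

```python
import json
import sys

# Constructed sample standing in for `oc get route -A -o json` (not real cluster output).
SAMPLE_ROUTES = json.dumps({"items": [
    {"metadata": {"name": "shop", "namespace": "prod"},
     "spec": {"host": "shop.apps.example.com", "to": {"name": "shop"},
              "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"}}},
    {"metadata": {"name": "legacy", "namespace": "prod"},
     "spec": {"host": "legacy.apps.example.com", "to": {"name": "legacy"}}},
    {"metadata": {"name": "api", "namespace": "prod"},
     "spec": {"host": "api.apps.example.com", "to": {"name": "api"},
              "tls": {"termination": "reencrypt", "insecureEdgeTerminationPolicy": "Allow"}}},
    {"metadata": {"name": "vault", "namespace": "infra"},
     "spec": {"host": "vault.apps.example.com", "to": {"name": "vault"},
              "tls": {"termination": "passthrough"}}},
]})


def audit_route(route):
    """Return [(severity, message)] for one Route; an empty list means nothing to report."""
    tls = route.get("spec", {}).get("tls")
    if tls is None:
        return [("high", "no spec.tls: the Router serves this host over plaintext HTTP")]
    findings = []
    term = tls.get("termination")
    if term in ("edge", "reencrypt"):
        # The field is absent when the Router only answers on 443 (default None).
        if tls.get("insecureEdgeTerminationPolicy", "None") == "Allow":
            findings.append(("medium", "insecureEdgeTerminationPolicy=Allow: port 80 served without redirect"))
        if term == "edge":
            findings.append(("info", "edge termination: the Router-to-pod hop is plaintext inside the SDN"))
    elif term == "passthrough":
        findings.append(("info", "passthrough: certificates and ciphers are enforced by the workload, not the Router"))
    else:
        findings.append(("high", f"unknown termination type {term!r}"))
    return findings


def audit_routes(routes_json):
    """Map 'namespace/name' -> findings for every Route in `oc get route -A -o json` output."""
    report = {}
    for item in json.loads(routes_json).get("items", []):
        meta = item["metadata"]
        report[f'{meta["namespace"]}/{meta["name"]}'] = audit_route(item)
    return report


if __name__ == "__main__":
    # Pipe real output in (`oc get route -A -o json | python3 this_script.py`) or run on the sample.
    data = SAMPLE_ROUTES if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in sorted(audit_routes(data).items()):
        print(name)
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The "info" items are there on purpose: an edge route is fine for many apps, but the plaintext hop behind the Router matters in a PCI scope, and a passthrough route moves the whole TLS policy into the application image, where this audit cannot see it.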
3) Versions
- OCP (on-prem/cloud): Red Hat support, marketplace, lifecycle.
- OKD: community distribution (formerly Origin), features close to OCP.
- OpenShift Dedicated: managed by Red Hat on the hyperscalers.
- OpenShift Online: public PaaS (developer/POC); retired, the Developer Sandbox now covers that role.
Lifecycle (example)
OCP 4.x: frequent minor releases, z-stream releases for fixes (CVEs), Extended Update Support (EUS) on even-numbered minors.
4) OS & infrastructure
RHCOS: immutable OS based on rpm-ostree, atomic updates & rollback. It ships CRI-O, the kubelet and the MCO (Machine Config Operator) agents.
# Inspect deployments and roll back (on a node, e.g. via `oc debug node/<name>` then `chroot /host`).
# Node changes should normally go through MachineConfig; a manual rollback is a troubleshooting step.
rpm-ostree status
sudo rpm-ostree rollback
| Platform | Supported | Notes |
|---|---|---|
| Bare metal | Yes | IPI/UPI, MetalLB (LB), iPXE |
| VMware vSphere | Yes | CSI/cloud provider |
| AWS/Azure/GCP | Yes | Native IPI (LB/DNS/storage) |
| OpenStack | Yes | Integrated provider |
Hardening: SELinux enforcing, auditd, journald forwarded to the logging stack. etcd encryption at rest (aescbc/aesgcm, enabled on the APIServer cluster resource); platform TLS certificates are issued and rotated by the cluster operators.
5) Installation
# 1) Generate the infrastructure & cluster (example: AWS, IPI)
openshift-install create cluster --dir=cluster --log-level=info
export KUBECONFIG=cluster/auth/kubeconfig
oc whoami && oc get nodes -o wide
# cluster/auth/ holds the kubeadmin password and an admin kubeconfig: protect them, and remove the kubeadmin user once an IdP is bound.
Prerequisites: public DNS records (api, api-int, *.apps), L4/L7 load balancer, IAM (cloud), VLANs (on-prem), NTP/PKI.
UPI: you provide the infrastructure yourself (PXE, LB, DNS, Ignition); the installer then only "joins" the nodes.
openshift-install create manifests --dir=cluster
openshift-install create ignition-configs --dir=cluster
# Serve the Ignition files over iPXE/HTTP, boot RHCOS, then let the nodes join.
# Ignition configs embed bootstrap credentials and certificates: serve them only on the provisioning network.
Disconnected mode: mirror the release images and Operators (quay.io → private registry). The oc-mirror plugin is the newer tool for this; the classic command is:
oc adm release mirror \
  --from=quay.io/openshift-release-dev/ocp-release:4.16.12-x86_64 \
  --to=registry.local/ocp/release \
  --to-release-image=registry.local/ocp/release:4.16.12
- MCO: manage system configuration (chrony, sysctl, kubelet config) through MachineConfig objects.
- Cluster Version Operator: controlled updates (channel, overrides).
- ClusterAutoscaler/MachineAutoscaler: automatic node scaling.
oc get clusterversion
oc get co   # ClusterOperators
oc get machinesets -n openshift-machine-api
oc adm must-gather   # diagnostic bundle
journalctl -u kubelet --no-pager | tail -200   # on a node (oc debug node/<name>)
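`oc get co` summarises each ClusterOperator from three conditions (Available, Progressing, Degraded); grepping its columns is fragile, so a Day-2 pipeline is better off reading the JSON. The script below is an added example, not code from the page or from Red Hat: it parses `oc get co -o json`, classifies each operator and returns a gate status. The operator list is constructed; the condition types are the ones the ClusterOperator API really reports.

```python
import json
import sys

# Constructed sample standing in for `oc get co -o json`; condition types are the real ones.
SAMPLE_CO = json.dumps({"items": [
    {"metadata": {"name": "authentication"},
     "status": {"conditions": [
         {"type": "Available", "status": "True"},
         {"type": "Progressing", "status": "False"},
         {"type": "Degraded", "status": "False"},
         {"type": "Upgradeable", "status": "True"}]}},
    {"metadata": {"name": "image-registry"},
     "status": {"conditions": [
         {"type": "Available", "status": "True"},
         {"type": "Progressing", "status": "True", "message": "rolling out a new registry deployment"},
         {"type": "Degraded", "status": "False"}]}},
    {"metadata": {"name": "ingress"},
     "status": {"conditions": [
         {"type": "Available", "status": "False", "message": "no router pods are ready"},
         {"type": "Progressing", "status": "False"},
         {"type": "Degraded", "status": "True", "message": "IngressController \"default\" is degraded"}]}},
    {"metadata": {"name": "monitoring"},
     "status": {"conditions": []}},   # never reported its status: treat as unhealthy
]})


def conditions(co):
    """Index the status.conditions list by condition type."""
    return {c["type"]: c for c in co.get("status", {}).get("conditions", [])}


def classify(co):
    """'healthy', 'progressing', 'degraded', 'unavailable' or 'unknown' (nothing reported)."""
    conds = conditions(co)
    if "Available" not in conds:
        return "unknown"

    def is_true(ctype):
        return conds.get(ctype, {}).get("status") == "True"

    if not is_true("Available"):
        return "unavailable"
    if is_true("Degraded"):
        return "degraded"
    if is_true("Progressing"):
        return "progressing"
    return "healthy"


def unhealthy_operators(co_json):
    """Return {name: (state, message)} for every ClusterOperator that is not healthy."""
    out = {}
    for item in json.loads(co_json).get("items", []):
        state = classify(item)
        if state == "healthy":
            continue
        conds = conditions(item)
        # Surface the most specific message the operator gave us.
        message = next((conds[t]["message"] for t in ("Degraded", "Available", "Progressing")
                        if t in conds and conds[t].get("message")), "")
        out[item["metadata"]["name"]] = (state, message)
    return out


def gate(co_json):
    """Exit status for a Day-2 job: 0 unless some operator is unavailable, degraded or unknown."""
    bad = {n: s for n, (s, _) in unhealthy_operators(co_json).items() if s != "progressing"}
    return 1 if bad else 0


if __name__ == "__main__":
    data = SAMPLE_CO if sys.stdin.isatty() else sys.stdin.read()
    for name, (state, message) in unhealthy_operators(data).items():
        print(f"{name:20s} {state:12s} {message}")
    sys.exit(gate(data))
```

"Progressing" alone does not fail the gate, because an operator rolling out a change is normal during an update; an operator that has never reported Available at all is treated as a failure rather than silently skipped.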
6) Security
Security Context Constraints (SCCs) bound what a pod may request: UID/user, SELinux context, volume types, hostPath, privileged mode, capabilities, etc.
# Grant the "nonroot" SCC to a service account (this edits the cluster-wide SCC's users list;
# on 4.x the preferred pattern is a Role that grants the `use` verb on the SCC, bound to the SA)
oc adm policy add-scc-to-user nonroot -z app-sa -n prod
# Bind the "view" role to a Group synced from LDAP (use add-role-to-group for groups, not add-role-to-user)
oc adm policy add-role-to-group view devs -n sandbox   # "devs" = the OpenShift Group created by group sync from CN=devs,OU=Groups,DC=corp,DC=lan
# OAuth: OIDC IdP, group mapping, scopes
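The question that matters after `add-scc-to-user` is "which SCCs can this service account reach, and do any of them allow a node escape?". The script below is an added example, not code from the page or from Red Hat: it reads `oc get scc -o json`, derives the user name and groups the API server attributes to a ServiceAccount token, and lists every SCC whose `users`/`groups` lists admit it, with the dangerous settings flagged. The SCC list is constructed (the field names are real, the users/groups entries are invented); it models only the SCC `users`/`groups` path, not grants made through RBAC roles with the `use` verb. The SCC that was actually applied to a running pod is recorded in its `openshift.io/scc` annotation.

```python
import json
import sys

# Constructed SCC list standing in for `oc get scc -o json`; field names are the real ones,
# the users/groups entries are invented for the example.
SAMPLE_SCCS = json.dumps({"items": [
    {"metadata": {"name": "restricted-v2"},
     "users": [], "groups": ["system:authenticated"],
     "allowPrivilegedContainer": False, "allowHostNetwork": False, "allowHostPID": False,
     "allowHostDirVolumePlugin": False, "allowedCapabilities": ["NET_BIND_SERVICE"],
     "runAsUser": {"type": "MustRunAsRange"}},
    {"metadata": {"name": "nonroot"},
     "users": ["system:serviceaccount:prod:app-sa"], "groups": [],
     "allowPrivilegedContainer": False, "allowHostNetwork": False, "allowHostPID": False,
     "allowHostDirVolumePlugin": False, "allowedCapabilities": None,
     "runAsUser": {"type": "MustRunAsNonRoot"}},
    {"metadata": {"name": "privileged"},
     "users": ["system:admin", "system:serviceaccount:prod:legacy-agent"],  # second entry: drift to catch
     "groups": ["system:cluster-admins", "system:nodes", "system:masters"],
     "allowPrivilegedContainer": True, "allowHostNetwork": True, "allowHostPID": True,
     "allowHostDirVolumePlugin": True, "allowedCapabilities": ["*"],
     "runAsUser": {"type": "RunAsAny"}},
]})

DANGEROUS_CAPS = {"*", "ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}


def sa_identities(namespace, name):
    """User name and groups the API server attributes to a ServiceAccount's token."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}", "system:authenticated"}
    return user, groups


def usable_sccs(scc_json, namespace, name):
    """SCCs whose users/groups lists admit the ServiceAccount."""
    user, groups = sa_identities(namespace, name)
    return [scc for scc in json.loads(scc_json)["items"]
            if user in (scc.get("users") or []) or groups & set(scc.get("groups") or [])]


def risk_flags(scc):
    """Settings that turn an SCC into a node-escape path."""
    flags = []
    if scc.get("allowPrivilegedContainer"):
        flags.append("privileged")
    for key in ("allowHostNetwork", "allowHostPID", "allowHostIPC"):
        if scc.get(key):
            flags.append(key[5:].lower())  # hostnetwork / hostpid / hostipc
    if scc.get("allowHostDirVolumePlugin") or "hostPath" in (scc.get("volumes") or []):
        flags.append("hostPath")
    caps = set(scc.get("allowedCapabilities") or []) & DANGEROUS_CAPS
    if caps:
        flags.append("caps:" + ",".join(sorted(caps)))
    if (scc.get("runAsUser") or {}).get("type") == "RunAsAny":
        flags.append("runAsAny(uid0)")
    return flags


def audit_sa(scc_json, namespace, name):
    """Return {scc name: [risk flags]} for every SCC the ServiceAccount may use."""
    return {scc["metadata"]["name"]: risk_flags(scc) for scc in usable_sccs(scc_json, namespace, name)}


if __name__ == "__main__":
    # Usage: oc get scc -o json | python3 this_script.py <namespace> <serviceaccount>
    namespace, name = sys.argv[1:3] if len(sys.argv) == 3 else ("prod", "legacy-agent")
    data = SAMPLE_SCCS if sys.stdin.isatty() else sys.stdin.read()
    for scc_name, flags in audit_sa(data, namespace, name).items():
        print(f"{namespace}/{name} -> {scc_name}: {', '.join(flags) or 'no high-risk settings'}")
```

Run periodically against every namespace, this catches the classic drift where a service account was added to `privileged` "temporarily": `app-sa` resolves only to `restricted-v2` and `nonroot`, while `legacy-agent` also reaches `privileged` with hostPath, host namespaces and unrestricted capabilities.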
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-frontend, namespace: prod}
spec:
  podSelector: {matchLabels: {app: backend}}
  ingress:
  - from: [{podSelector: {matchLabels: {app: frontend}}}]
    ports: [{protocol: TCP, port: 8080}]
Note: this policy isolates only the pods labelled app=backend; pods that no policy selects keep accepting all ingress. Pair it with a per-namespace default-deny policy (empty podSelector, policyTypes: [Ingress]).
Use the Compliance Operator to scan against CIS/NIST/PCI profiles: profiles, scheduled scans, remediations (MachineConfig/Ansible).
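NetworkPolicy semantics trip people up: a policy never "denies", it selects pods and, from that moment, only admitted flows reach them. The evaluator below is an added example, not code from the page or from Red Hat; it implements the Kubernetes ingress rules that OVN-Kubernetes enforces (matchLabels selectors only, no ipBlock peers) over a constructed pod inventory, using the page's `allow-frontend` policy and a constructed default-deny policy.

```python
# Constructed inventory: pod -> (namespace, labels). The page's policy lives in "prod".
PODS = {
    "frontend-1": ("prod", {"app": "frontend"}),
    "backend-1": ("prod", {"app": "backend"}),
    "db-1": ("prod", {"app": "db"}),
    "scanner-1": ("sandbox", {"app": "scanner"}),
}
NAMESPACE_LABELS = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("prod", "sandbox")}

# The allow-frontend NetworkPolicy from this page, as a dict.
ALLOW_FRONTEND = {
    "metadata": {"name": "allow-frontend", "namespace": "prod"},
    "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]}]},
}
# Constructed default-deny: an empty podSelector selects every pod in the namespace.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny-ingress", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def selects(selector, labels):
    """matchLabels semantics: every listed label must match; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def peer_matches(peer, src_ns, src_labels, policy_ns):
    """Does one `from` entry admit the source pod? (ipBlock peers are not modelled)"""
    if "ipBlock" in peer:
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        if src_ns != policy_ns:  # a bare podSelector only matches the policy's own namespace
            return False
    elif not selects(ns_sel, NAMESPACE_LABELS.get(src_ns, {})):
        return False
    return pod_sel is None or selects(pod_sel, src_labels)


def port_matches(rule, port, proto):
    """No `ports` list means any port; otherwise protocol and port must both match."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)


def ingress_allowed(policies, src, dst, port, proto="TCP"):
    """Kubernetes ingress semantics: unselected pods accept everything; selected pods
    accept only flows that some ingress rule of some selecting policy admits."""
    src_ns, src_labels = PODS[src]
    dst_ns, dst_labels = PODS[dst]
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst_ns
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selects(p["spec"].get("podSelector"), dst_labels)]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("ingress") or []:
            if not port_matches(rule, port, proto):
                continue
            froms = rule.get("from")
            if not froms:  # a rule without `from` admits every source
                return True
            if any(peer_matches(f, src_ns, src_labels, dst_ns) for f in froms):
                return True
    return False


if __name__ == "__main__":
    for policies, label in (([ALLOW_FRONTEND], "allow-frontend only"),
                            ([ALLOW_FRONTEND, DEFAULT_DENY], "with default-deny")):
        print(label)
        for src, dst, port in (("frontend-1", "backend-1", 8080), ("scanner-1", "backend-1", 8080),
                               ("frontend-1", "backend-1", 9090), ("scanner-1", "db-1", 5432)):
            verdict = "ALLOW" if ingress_allowed(policies, src, dst, port) else "DENY"
            print(f"  {src} -> {dst}:{port}: {verdict}")
```

With `allow-frontend` alone, `backend` is locked down to frontend:8080, but `db-1` still accepts the sandbox scanner on 5432 because nothing selects it; adding the default-deny closes that hole without touching the frontend-to-backend flow, since policies are additive.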
7) CI/CD & GitOps
Tekton pipeline (excerpt)
apiVersion: tekton.dev/v1
kind: Pipeline
metadata: {name: build-deploy}
spec:
  tasks:
  - name: build
    taskRef: {name: buildah}   # default kind is a namespaced Task; use kind: ClusterTask (or the cluster resolver) for the shared buildah task shipped with OpenShift Pipelines
    params: [{name: IMAGE, value: image-registry.openshift-image-registry.svc:5000/prod/app:latest}]   # a mutable tag: prefer an immutable tag or digest for anything promoted to prod
  - name: deploy
    runAfter: [build]
    taskRef: {name: kubernetes-actions}   # Tekton Hub task; the pipeline's ServiceAccount needs RBAC to patch deployments in prod
    params: [{name: script, value: "oc rollout restart deploy/app -n prod"}]
Argo CD (GitOps)
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata: {name: app-prod, namespace: openshift-gitops}
spec:
  project: default   # required field; in practice use a dedicated AppProject that restricts destinations and resource kinds
  source: {repoURL: https://git/org/app-config.git, path: overlays/prod, targetRevision: main}
  destination: {server: https://kubernetes.default.svc, namespace: prod}
  syncPolicy: {automated: {prune: true, selfHeal: true}}   # prune deletes anything removed from Git, so write access to the repo is production access
8) Observability
# Top CPU pods
oc adm top pods -A
# PromQL: per-container CPU usage rate over 5m
rate(container_cpu_usage_seconds_total{container!="",pod!=""}[5m])
# Application logs
oc logs deploy/app -f -n prod
# Stack: Loki/Fluentd/Grafana, or EFK (Elasticsearch/Fluentd/Kibana)
# Alertmanager: routes → Slack/PagerDuty
# Example rule
- alert: HighErrorRate
  expr: sum(rate(http_requests_total{status=~"5.."}[2m])) > 1
  for: 5m
  labels: {severity: warning}
9) Pricing & licensing
| Edition | Cost | Support | Remarks |
|---|---|---|---|
| OKD | Free | Community | Ideal for labs/POCs |
| OCP Standard | Licence per cores | 8x5 | Production clusters |
| OCP Premium | Licence per cores | 24x7 | Critical workloads |
| OpenShift Dedicated | core-hour | Managed by Red Hat | Managed cloud |
Check exact pricing with your Red Hat partner (sizing, RHACM, ACS and Quay options, etc.).
10) CLI (oc)
oc login https://api.cluster:6443
oc new-project sandbox
oc new-app python:3.11-ubi9~https://github.com/user/repo.git --name=api
oc expose svc/api
oc get pods -A -o wide
oc describe pod ...
oc adm top nodes
oc adm policy add-role-to-user admin alice -n prod
oc set image deploy/api api=image-registry.../api:1.2.3
oc rollout restart deploy/api -n prod
oc get events --sort-by=.lastTimestamp
11) Multi-cloud & edge
RHACM manages a fleet of clusters (policy, placement, observability). MicroShift: a slimmed-down OpenShift for edge/IoT.
# RHACM policy (e.g. enforce a NetworkPolicy)
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata: {name: enforce-netpol}
spec: {disabled: false, remediationAction: enforce}   # excerpt only: a complete Policy also carries policy-templates (e.g. a ConfigurationPolicy holding the NetworkPolicy object) plus a Placement and PlacementBinding
12) Use cases
- Banking/FinTech: PCI DSS microservices, strong isolation, managed secrets.
- Healthcare: HIPAA pathways, audit logs, encryption, traceability.
- Telco: 5G/edge, CNFs, autoscaling, low latency.
Pattern: 3 environments
dev → stage → prod. Promotion via GitOps (PR/merge), signed images (cosign), admission policies.
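A promotion gate is the place where "signed images" and "admission policies" become a concrete check: nothing reaches the prod overlay unless it is pinned by digest and that digest has a verified signature. The script below is an added example, not code from the page or from any project: it parses OCI image references, walks the pod templates of a set of manifests, and rejects mutable tags and unverified digests. The manifests are constructed, and the set of "verified" digests is a stand-in for what `cosign verify` (or an admission controller) would establish; the image-reference parser goes slightly beyond the page's `:latest` case by handling registries with ports and combined tag+digest references.

```python
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

SIGNED = "sha256:" + "a" * 64        # constructed: stands for a cosign-verified digest
UNSIGNED = "sha256:" + "b" * 64      # constructed: a digest nobody signed
VERIFIED_DIGESTS = {SIGNED}          # in a real pipeline, the output of `cosign verify`
REGISTRY = "image-registry.openshift-image-registry.svc:5000"


def parse_image_ref(ref):
    """Split an OCI reference into name, tag and digest (registry ports stay in the name)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    repo, _, last = ref.rpartition("/")
    tag = None
    if ":" in last:                   # only the last path segment can carry a tag
        last, tag = last.split(":", 1)
    name = f"{repo}/{last}" if repo else last
    return {"name": name, "tag": tag, "digest": digest}


def deployment(name, containers, init_containers=()):
    """Build a minimal Deployment dict (constructed manifests for the example)."""
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": "prod"},
            "spec": {"template": {"spec": {
                "initContainers": [{"name": f"init-{i}", "image": img} for i, img in enumerate(init_containers)],
                "containers": [{"name": f"c-{i}", "image": img} for i, img in enumerate(containers)]}}}}


SAMPLE_OVERLAY = [  # constructed stand-in for the rendered overlays/prod manifests
    deployment("api", [f"{REGISTRY}/prod/api@{SIGNED}"]),
    deployment("worker", ["quay.io/org/worker:1.4.0"], init_containers=[f"quay.io/org/init@{UNSIGNED}"]),
    deployment("legacy", [f"{REGISTRY}/prod/app:latest"]),
    {"kind": "Service", "metadata": {"name": "api", "namespace": "prod"}, "spec": {"ports": [{"port": 8080}]}},
]


def images_in(manifest):
    """Yield every initContainer and container image of a manifest with a pod template."""
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for key in ("initContainers", "containers"):
        for c in pod_spec.get(key, []):
            yield c["image"]


def check_promotion(manifests, verified_digests):
    """Return [(manifest, image, reason)] for every image that must not be promoted."""
    problems = []
    for m in manifests:
        label = f'{m["kind"]}/{m["metadata"]["name"]}'
        for image in images_in(m):
            ref = parse_image_ref(image)
            if ref["digest"] is None:
                why = "mutable tag 'latest'" if ref["tag"] in (None, "latest") else f"tag {ref['tag']!r} is not a digest"
                problems.append((label, image, f"not pinned by digest ({why})"))
            elif not DIGEST_RE.match(ref["digest"]):
                problems.append((label, image, "malformed digest"))
            elif ref["digest"] not in verified_digests:
                problems.append((label, image, "digest has no verified signature"))
    return problems


def promotion_allowed(manifests, verified_digests):
    """The gate: True only when every image is digest-pinned and verified."""
    return not check_promotion(manifests, verified_digests)


if __name__ == "__main__":
    for label, image, reason in check_promotion(SAMPLE_OVERLAY, VERIFIED_DIGESTS):
        print(f"BLOCK {label}: {image}: {reason}")
    print("promotion allowed:", promotion_allowed(SAMPLE_OVERLAY, VERIFIED_DIGESTS))
```

Init containers are checked first on purpose: they run before the application and are the usual place an unsigned helper image slips in. The same check belongs in the cluster as an admission policy, so that a direct `oc set image` cannot bypass the GitOps path.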
13) Docs & resources
- Official OpenShift docs (OCP 4.x), OKD (community), Learning Portal.
- OperatorHub: certified Operators (databases, observability, messaging...).
- Best practices: multitenancy, quotas, security contexts, limits/requests.
Tip: write an internal runbook (SOP): install checklist, patching, RHACM policies, etcd backup, tested DR.
14) OpenShift vs Kubernetes
| Criterion | OpenShift | Vanilla Kubernetes |
|---|---|---|
| Installation | Integrated installer (IPI/UPI) | kubeadm/kops/DIY |
| Security | SCC/SELinux/OAuth/strict RBAC by default | RBAC / Pod Security Admission (PSP removed in 1.25) |
| Console | Full web console | Dashboard/Lens installed separately |
| CI/CD | Tekton/Argo CD integrated (Operators) | To be installed |
| Registry | Integrated | External (Harbor, Docker Hub) |
| Support | Red Hat | Community/cloud vendor |
15) Strengths / limitations
✅ Strengths
- Enterprise security (SCC, SELinux, Compliance Operator).
- Integrated ecosystem: console, registry, pipelines, GitOps.
- Operators & automated lifecycle.
- Controlled support & lifecycle.
⚠️ Limitations
- Licence/support cost.
- Operational complexity (vs k3s or managed EKS).
- Stricter infrastructure requirements (LB/DNS/PKI).
16) Reference architecture
graph TD
U[Dev / Ops] -->|oc/Console| A[OpenShift API]
A --> B[Controller]
A --> C[Scheduler]
A --> D[(etcd)]
A --> E[Workers]
E --> F[Application pods]
E --> G[Image Registry]
E --> H["Router (HAProxy)"]
I["Monitoring (Prometheus/Alertmanager/Grafana)"] --> A
J[Git + Tekton + Argo CD] --> A
17) Conclusion & next steps
OpenShift delivers an opinionated, security-focused Kubernetes with CI/CD & GitOps out of the box, Operators and built-in governance. Well suited to regulated, hybrid and large-scale environments.
Next steps
- Validate the target architecture (HA, storage, network, IdP).
- Define the guardrails (SCC, quotas, limits, RHACM policies).
- Set up the supply chain (build signing, SBOM, scans).
# Install (recap)
openshift-install create cluster --dir=cluster --log-level=debug
export KUBECONFIG=cluster/auth/kubeconfig
oc get co && oc get nodes -o wide
oc get co | grep -vE 'True\s+False\s+False'   # ClusterOperators that are not Available, still Progressing, or Degraded (header line stays)
# Post-install
oc new-project demo
oc new-app python:3.11-ubi9~https://github.com/user/repo.git --name=api
oc expose svc/api
oc get route -n demo