Red Hat OpenShift Virtualization

General Availability for Red Hat® OpenShift® Virtualization (RHOCPV) on IBM Z® and IBM® LinuxONE was introduced with Red Hat OpenShift Container Platform 4.19. With RHOCPV, you can host VMs within a Red Hat OpenShift cluster once you install the Red Hat OpenShift Virtualization Operator. Enhancements are installed in the UI and CLI to manage VMs, and the runtime environment to start and manage VMs is provided by embedding KVM components into containers. The basic idea is to reuse the existing container infrastructure management and make the same ecosystem available for VMs. Red Hat OpenShift Virtualization must be installed within a Red Hat OpenShift cluster that is set up on LPAR.

Resource sharing

As with the other hypervisor options, you can share resources among the LPARs, and there is no difference in how the resources are handled. The VMs hosting the Red Hat OpenShift nodes are embedded in the underlying LPAR nodes and use the assigned resources. As a result, resources can be used seamlessly. To share storage I/O, several options are available that support migration and I/O performance. Possible options are, for example, Fusion Data Foundation or Storage Scale Container Native (CNSA).

Cluster HA/DR

Since the hypervisor is set up with Red Hat OpenShift as an underlying base, basic HA/DR options like restarting the VM are implemented automatically. Furthermore, all available Red Hat OpenShift HA/DR options can be implemented to secure the cluster.

IBM Secure Execution

With RHOCPV on IBM Z and IBM LinuxONE, you can start guests in IBM Secure Execution mode. IBM Secure Execution is a security technology that was introduced with IBM z15 and LinuxONE III. IBM Secure Execution protects the boot image, the guest memory, and guest state boundaries for KVM guests. This protects the guest even against the root user of the hypervisor. KVM is included in RHOCPV.

For details see Introducing IBM Secure Execution for Linux.

You can run RHOCPV on IBM Z and IBM LinuxONE with IBM Secure Execution enabled. At installation time, the guest is protected. After installation, the cluster is protected by IBM Secure Execution, regardless of whether you have a single-node cluster, three-node cluster, or full cluster. During cluster installation, the root file system is encrypted with a unique key that is kept safe on the encrypted boot loader. The security boundary for a cluster that is installed with IBM Secure Execution is the full cluster against outside users. Within the protected cluster, all operations are the same as for an unprotected cluster. Network connections are the same as well and need to be protected by using, for example, IPsec for encryption of data in flight.

For installation details see Installing RHCOS using IBM Secure Execution (Red Hat documentation).
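
One way to confirm from inside a node that it is actually running as an IBM Secure Execution guest (an added example, not part of the original page or of Red Hat or IBM tooling). It reads the ultravisor attributes that the s390x Linux kernel exposes under /sys/firmware/uv; the function names and the optional sysfs-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report whether this Linux instance runs under IBM Secure
# Execution, based on the ultravisor attributes in sysfs (s390x kernels).
# The optional sysfs-root argument is an assumption of this example; it lets
# the check be exercised against a constructed directory tree.

se_read() {
    # Print the attribute value, or "absent" if the kernel does not expose it.
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'absent'
    fi
}

se_state() {
    root="${1:-/sys}"
    guest=$(se_read "$root/firmware/uv/prot_virt_guest")
    host=$(se_read "$root/firmware/uv/prot_virt_host")
    if [ "$guest" = "1" ]; then
        echo "secure-guest"        # running as a protected KVM guest
    elif [ "$host" = "1" ]; then
        echo "se-capable-host"     # hypervisor able to run protected guests
    elif [ "$guest" = "absent" ] && [ "$host" = "absent" ]; then
        echo "unknown"             # no ultravisor interface (other arch or old kernel)
    else
        echo "unprotected"         # interface present, protection not active
    fi
}

# Exit status for a node health or compliance check:
# 0 only when the instance is confirmed to be a Secure Execution guest.
require_secure_guest() {
    [ "$(se_state "$1")" = "secure-guest" ]
}

echo "Secure Execution state: $(se_state)"
```

A state of "unknown" should be treated as a failed check rather than a pass, since it means the protection could not be confirmed.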

Image management

RHOCP images can be maintained within RHOCPV, which simplifies cluster management. Further ISO images can be uploaded and built easily with the Agent-based setup.