Red Hat OpenShift — More Than Just Kubernetes!

Pradip Roychowdhury
Feb 9, 2021


In the recent past I was working on a digital transformation project for a bank where new channel applications had been developed to run on a Kubernetes cluster. I had several conversations with technical leaders and developers of the bank on the choice of Kubernetes platform — especially IBM Red Hat OpenShift Container Platform (OCP), AWS Elastic Kubernetes Service (EKS) or Azure Kubernetes Service (AKS). I realised that for many developers OpenShift was just another Kubernetes platform or another PaaS. Some of the developers even said that they did not understand how OpenShift is aligned with Kubernetes!

In this blog post I’ll briefly discuss some of the technical capabilities of IBM Red Hat OpenShift Container Platform (OCP) that make it not just a Kubernetes platform but a platform with additional components for running enterprise-scale Kubernetes applications. This post will neither describe cloud native application development on OpenShift in detail nor refer to any business success stories of OpenShift. Please refer to https://www.Openshift.com for those details. This blog is mainly aimed at the developer and administrator community, to give a high-level understanding of what OpenShift offers them for faster and more secure enterprise-scale application development and deployment on Kubernetes. I shall use the terms OpenShift and OCP interchangeably; they mean the same OpenShift platform in the context of this post.

Red Hat OpenShift 3 was one of the first Kubernetes solutions to come to market, back in June 2015. Since then, Red Hat OpenShift has been a 100% certified Kubernetes platform, along with AWS EKS, Azure AKS and many more. Please check the Cloud Native Computing Foundation (CNCF) for more details. However, OpenShift has more to offer, which makes it easier for developers and operators to transition to the world of containers and Kubernetes and in turn helps enterprises realize their hybrid cloud transformation strategy.

Any developer or administrator who works in a Kubernetes environment needs the following as a minimum:

- Linux platform distribution to run Kubernetes

- Good command line interface to run all Kubernetes commands

- Networking to connect all required services

- Ingress facility to bring traffic within the cluster

- Storage for stateful services

- Monitoring, Logging/Tracing utilities

- AuthN/AuthZ to enable platform access

Along with these, developers/administrators need a runtime and other dependent services to build, test and deploy applications.

Let’s look at some of the points below from the perspective of administrators, developers and operators and try to clarify why Red Hat OpenShift is more than just Kubernetes.

Kubectl/Command Line Support — While talking about OpenShift, one of the first questions I got from the developer community was whether it was true that the famous kubectl was not supported in OpenShift. Hence many developers used to think OpenShift is not 100% Kubernetes! It’s true that most administrators, developers and operators in the OpenShift community prefer to use the user-friendly CLIs oc and odo, as they provide a higher-level abstraction over the Kubernetes CLI. However, OpenShift not only supports the kubectl CLI and the Kubernetes APIs, it also powers their upstream evolution. Red Hat is one of the co-leaders of the Kubernetes CLI Special Interest Group (SIG).

Tooling Support — Today’s cloud native application developers seek support not just from commercial tooling but from an ecosystem of open source tooling, so that they can easily build, deploy and test applications. They look for container build support, CI/CD support, easy configuration of networking and storage, and support for log management and monitoring tools. OpenShift helps developers build applications with their choice of language runtimes, OpenShift DevOps pipeline capabilities, databases, messaging, API development and management, analytics, AI/ML and more. OpenShift has been evolving these tools to make them friendlier to developers, administrators and operators. For example, a few years back many developers struggled to deploy containerised applications using Jenkins, the popular CI tool of the time. Now OpenShift Pipelines, based on the Tekton project, has made it easier to build Kubernetes-style CI/CD pipelines without depending on a central team to maintain a CI server, its plugins, configurations, etc. Integrated development environments (IDEs) such as Red Hat CodeReady Workspaces, powered by Eclipse Che, and popular IDEs such as VSCode and IntelliJ, through plugins, provide a developer-friendly ecosystem. OpenShift also supports Red Hat certified tools from independent software vendors (ISVs).

Kubernetes Operators Support — OpenShift 4 fully supports Operators, which help to build, maintain and manage the life cycle of applications on Kubernetes. Installation and upgrade of all OpenShift platform components are now powered by Operators. Moreover, Red Hat launched both the Operator Framework and the vendor-independent OperatorHub.io, which enables the Kubernetes user community to find Operators and contribute. Certified Operators from Red Hat partners may also be available in the Red Hat Marketplace through OperatorHub, which is a library of certified Operators from Red Hat and its ISV partners. OpenShift also includes an SDK to build new Operators and the Operator Lifecycle Manager to install updates and provide day-2 management of Operator-backed services. To know more about Operators, read this blog post from CoreOS.

Istio and Helm Support for improved Microservice capabilities — Today every cloud native application is developed on a distributed microservice architecture. Developers and operators want to be rid of the burden of managing, monitoring and securing these microservices. OpenShift Service Mesh, based on the open source project Istio, provides that support for running microservices, with Kiali for visualisation, Jaeger for transaction tracing, and Prometheus for monitoring. OpenShift versions from 4 onward ship Helm 3 binaries as part of the installer to support application deployment automation.

Increased Security to run Distributed Services — Today’s cloud native applications and modernised enterprise applications running in hybrid cloud environments need more enterprise-grade security support from the underlying platform. OpenShift fully supports fine-grained authorisation of pod creation and updates through Security Context Constraints (SCC). In simple terms, OpenShift does not allow a container to be executed as root: SCC blocks execution of containers with root privileges on the cluster. SCC is the basis of Pod Security Policies (PSP), which are still in beta in upstream Kubernetes, whereas SCC has been available in OpenShift since version 3.
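An added example (not from the original post and not Red Hat's code): a simplified Python model of the kind of checks the default `restricted` SCC applies, showing why a pod that requests UID 0, privileged mode or host access is refused while one that leaves the UID to the platform is admitted. The function names, sample pods and UID range are constructed for illustration, and only a subset of the SCC's rules is modelled.

```python
# Simplified model of OpenShift's default "restricted" SCC (a subset of its rules).
# Pod specs are plain dicts shaped like the "spec" field of a Kubernetes Pod.

def parse_uid_range(annotation):
    """Parse a namespace's openshift.io/sa.scc.uid-range value, e.g. '1000620000/10000'."""
    start, size = (int(part) for part in annotation.split("/"))
    return start, start + size - 1

def restricted_scc_violations(pod_spec, uid_range_annotation):
    """Return the reasons a pod would fail this simplified restricted-SCC check."""
    low, high = parse_uid_range(uid_range_annotation)
    problems = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(flag):
            problems.append(f"{flag} is not allowed")
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f"volume {vol.get('name')}: hostPath is not allowed")
    pod_sc = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        name = c.get("name")
        if sc.get("privileged"):
            problems.append(f"{name}: privileged containers are not allowed")
        # A container-level runAsUser overrides the pod-level value.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        # No UID requested is fine: the platform assigns one from the namespace range.
        if uid is not None and not low <= uid <= high:
            problems.append(f"{name}: runAsUser {uid} outside {low}-{high}")
    return problems

# Constructed sample inputs (not taken from any real cluster).
UID_RANGE = "1000620000/10000"
ROOT_POD = {
    "hostNetwork": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "securityContext": {"runAsUser": 0, "privileged": True}}],
}
HARDENED_POD = {
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "app", "securityContext": {"allowPrivilegeEscalation": False}}],
}

if __name__ == "__main__":
    for label, spec in (("root pod", ROOT_POD), ("hardened pod", HARDENED_POD)):
        print(label, "->", restricted_scc_violations(spec, UID_RANGE) or "admitted")
```

On a real cluster the admission decision also depends on which SCCs the pod's service account has been granted, so a check like this is a pre-deployment lint, not a substitute for the platform's own enforcement.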

With RBAC, OpenShift also makes permissions management more efficient. Admins can easily delegate the appropriate level of access and authorization to different types of users. While RBAC in Kubernetes is optional, in OpenShift it is the default. It’s also key to achieving and maintaining compliance with standards like GDPR, PCI DSS, and HIPAA.

Integration of OpenShift with Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) is built in. OpenShift’s built-in OAuth server can also be integrated with a variety of identity providers. With these built-in access control features, it becomes easier to delegate authorization to other users without sharing secrets or passwords, and to monitor tokens to get insight into service requests.

Container Network Interface (CNI) and Container Storage Interface (CSI) support — OpenShift supports Kubernetes CNI. It also includes a fully supported default Red Hat OpenShift software-defined network (SDN), based on Open vSwitch, providing networking multi-tenancy via network policies.

Red Hat was one of the earliest contributors to CNI and is now working with SDN vendors to build certified Operators to manage the deployment, updates, and management of their SDN plugins.

Red Hat OpenShift also supports the Kubernetes Container Storage Interface (CSI) to integrate with different storage providers. Red Hat OpenShift Container Storage is based on Ceph®, Rook, and NooBaa and is intended for customers who are looking for container-native storage. As with CNI, Red Hat OpenShift is also developing Operators to integrate with third-party storage providers.

Serverless support with Knative — OpenShift’s serverless model is based on Knative. It makes it easier for developers to deploy event-driven apps that can scale up or down based on demand — including down to zero when not in use. Like AWS Lambda or Azure Functions, it helps developers stay focused on creating applications rather than provisioning or maintaining infrastructure.

Hassle-free upgrades in sync with upstream Kubernetes — One of the biggest challenges for Do-It-Yourself (DIY) adoption of Kubernetes for enterprise-scale application development is managing upgrades of upstream Kubernetes, or managing the varying release and upgrade schedules of different Kubernetes service providers. Red Hat’s over-the-air updates use Kubernetes Operators and Custom Resource Definitions (CRDs) to upgrade cluster capabilities programmatically, which makes upgrades possible without disturbing applications. It is also possible to install updates in a disconnected cluster environment without internet access.

In summary, large-scale enterprise application development and deployment on Kubernetes always requires additional integrated capabilities such as those above for faster product rollout. Kubernetes is at the core of the Red Hat OpenShift platform, and the additional capabilities, some of which are mentioned above, make it significantly easier for developers, administrators and operators to fully operationalise a Kubernetes cluster and production-scale containerised applications across a distributed hybrid cloud environment.

Written by Pradip Roychowdhury

Distinguished Chief Technologist with 25 years of experience in areas of OOP, SOA, Cloud, DevOps and Banking Transformation.
