Author: Sumon
Last Updated: January 2026
Intended Audience: DevOps Engineers, SREs, Platform Engineers, and Technologists with Linux, Networking & Cloud Experience
Scenario: Simple, Real-World Use Cases
- What is OpenShift?
- Why Use OpenShift?
- Key Features of OpenShift
- Pros and Cons of OpenShift
- OpenShift vs Other Platforms (Kubernetes, Rancher, etc.)
- OpenShift Architecture Overview
- Core Components & Services
- Installation Methods – From Laptop to Enterprise
- Real-World Enterprise Usage – With Official Examples
- Getting Started: Your First OpenShift Project
- Hands-On Labs: Deployments, Services, Ingress, RBAC & More
- Advanced Scenarios: Affinity, Node Selectors, Autoscaling
- Operational Best Practices
- Troubleshooting Common Issues
- Further Learning & Resources
Red Hat OpenShift is a container application platform built on top of Kubernetes. It adds enterprise-grade features like built-in CI/CD, security policies, developer tooling, and multi-tenant management—making it ideal for organizations that want to run Kubernetes at scale, securely, and with operational simplicity.
Think of it as Kubernetes++: All the power of Kubernetes, plus Red Hat’s hardening, support, and developer experience.
Key facts:
- Developed and maintained by Red Hat (now part of IBM).
- Certified Kubernetes distribution (CNCF compliant).
- Available in multiple flavors: OpenShift Container Platform (OCP), OpenShift Dedicated (OSD), Azure Red Hat OpenShift (ARO), and CodeReady Containers (CRC) for local development.
| Problem | OpenShift Solution |
|---|---|
| Raw Kubernetes is complex to secure & operate | Built-in SCC (Security Context Constraints), automatic CVE patching, integrated auth (OAuth, LDAP, SAML) |
| Developers struggle with YAML & CLI | Developer Console (GUI), Source-to-Image (S2I), Tekton Pipelines |
| No native CI/CD | OpenShift Pipelines, GitOps via Argo CD, ImageStreams |
| Multi-team isolation is hard | Projects = Namespaces + RBAC + Quotas |
| Day-2 operations are manual | Cluster Operators, OperatorHub, Monitoring Stack (Prometheus, Grafana) |
OpenShift is designed for teams that need production-ready Kubernetes without building everything from scratch.
| Category | Feature | Description |
|---|---|---|
| Core | Kubernetes + Enhancements | Full K8s API + Red Hat additions |
| Security | SCC, Network Policies, Image Scanning | Enforces pod security, scans container images |
| Developer UX | Web Console, Dev Spaces, CLI (oc) |
GUI + powerful CLI with shortcuts |
| CI/CD | Tekton Pipelines, BuildConfigs | Git-triggered builds & deployments |
| Automation | Operators | Manage apps/services declaratively (e.g., databases, Kafka) |
| Observability | Logging, Monitoring, Tracing | Integrated stack out-of-the-box |
| Networking | Ingress (Routes), Service Mesh | Expose apps securely with TLS |
| Storage | CSI Drivers, Dynamic Provisioning | Supports AWS EBS, Azure Disk, Ceph, etc. |
- Enterprise-Grade Security: SCC, FIPS compliance, SELinux integration.
- Developer-Friendly: No need to learn raw K8s to deploy apps.
- Fully Managed Options: ARO, OSD reduce operational burden.
- Red Hat Support: 24/7 SLA-backed enterprise support.
- Integrated Toolchain: No need to bolt on Prometheus, Grafana, etc.
- Cost: Licensing can be expensive (though CRC is free).
- Complexity: Learning curve for pure K8s users (extra layers).
- Vendor Lock-in Risk: Some features (e.g., Routes, ImageStreams) are OpenShift-specific.
- Resource Heavy: Minimum 4 vCPUs + 16GB RAM for CRC.
Verdict: If you need production Kubernetes with security, compliance, and ease-of-use, OpenShift is worth it. For learning K8s basics, use
minikubeorkind.
| Platform | Based On | Best For | Key Difference |
|---|---|---|---|
| OpenShift | Kubernetes | Enterprises, regulated industries | Built-in security, CI/CD, support |
| Vanilla Kubernetes | — | DIY teams, cloud-native purists | Maximum flexibility, no opinionated layers |
| Rancher | Kubernetes | Multi-cluster management | Lightweight, UI-focused, less opinionated |
| EKS/AKS/GKE | Managed K8s | Cloud-native apps on AWS/Azure/GCP | Simpler setup, but you add security/tooling |
| K3s | Lightweight K8s | Edge, IoT, labs | Minimal footprint, not for enterprise |
OpenShift = "Batteries included, enterprise grade, Red Hat backed."
OpenShift follows a control plane + worker node model (like Kubernetes), but with Red Hat enhancements:
+--------------------------------------------------+
| Control Plane (Master) |
|--------------------------------------------------|
| - API Server (with OAuth) |
| - etcd |
| - Controller Manager |
| - Scheduler |
| - OpenShift-Specific: |
| • OAuth Server |
| • Image Registry Operator |
| • Cluster Version Operator (CVO) |
| • Machine Config Operator (MCO) |
+--------------------------------------------------+
+--------------------------------------------------+
| Worker Nodes |
|--------------------------------------------------|
| - kubelet, container runtime (CRI-O) |
| - OpenShift SDN (OVN-Kubernetes or OpenShift-SDN)|
| - Monitoring agents (Node Exporter, etc.) |
+--------------------------------------------------+
+--------------------------------------------------+
| External Services |
|--------------------------------------------------|
| - Identity Provider (LDAP, GitHub, etc.) |
| - Storage (NFS, Ceph, Cloud Volumes) |
| - Load Balancer (for Ingress) |
+--------------------------------------------------+
Note: OpenShift uses CRI-O (not Docker) as its default container runtime.
| Component | Purpose | OpenShift-Specific? |
|---|---|---|
| Projects | Namespaces with extra RBAC & quotas | ✅ Yes |
| Routes | Ingress with TLS termination | ✅ Yes |
| ImageStreams | Track container image versions | ✅ Yes |
| BuildConfigs | Define build strategies (Docker, S2I) | ✅ Yes |
| DeploymentConfigs | Legacy deployment controller (now use Deployment) |
|
| Operators | Automate app lifecycle (e.g., PostgreSQL Operator) | ✅ Yes |
| Security Context Constraints (SCC) | Pod security policies | ✅ Yes |
| Machine Config Operator | OS-level node management | ✅ Yes |
-
CodeReady Containers (CRC)
- Single-node OpenShift on your laptop.
- Uses Podman and libvirt (Linux) or Hyper-V (Windows).
- Free for developers.
- Requirements: 4+ vCPU, 16GB+ RAM, 30GB disk.
- Lab Guides: Install-OpenShift-CRC-Ubuntu
-
OpenShift Local (successor to CRC)
- Newer, smoother experience (uses
crcCLI).
- Newer, smoother experience (uses
| Method | Description | Use Case |
|---|---|---|
| Installer-Provisioned Infrastructure (IPI) | Automated cluster on AWS/Azure/GCP/vSphere | Cloud or virtualized environments |
| User-Provisioned Infrastructure (UPI) | You manage VMs/networking; OpenShift installs on them | On-prem, air-gapped, custom networking |
| Assisted Installer | GUI-driven install for bare metal | Edge, data centers |
| OpenShift Dedicated (OSD) | Fully managed by Red Hat on AWS/GCP | No ops team needed |
| Azure Red Hat OpenShift (ARO) | Jointly managed on Azure | Azure-centric orgs |
Tip: Start with CRC → move to IPI on AWS → then OSD/ARO for production.
- Challenge: Needed secure, scalable platform for 100+ microservices.
- Solution: Migrated to OpenShift Container Platform on-prem.
- Result: 70% faster deployment, unified security policy across teams.
- Source: Red Hat Customer Success – ING
- Challenge: Comply with FedRAMP, run containers securely.
- Solution: OpenShift with FIPS 140-2, SCC, and air-gapped registry.
- Result: Achieved IL5 compliance.
- Source: DoD DevSecOps Reference Architecture
- GitOps: Argo CD + OpenShift for declarative deployments.
- Service Mesh: OpenShift Service Mesh (based on Istio) for observability.
- Hybrid Cloud: Run workloads across on-prem + AWS using Red Hat Advanced Cluster Management (RHACM).
Assume you’ve installed CRC and logged in via
oc login.
oc new-project my-first-app# Deploy NGINX from Docker Hub
oc new-app nginx:latest --name=my-nginx
# Check pods
oc get pods
# Expose as Route (OpenShift Ingress)
oc expose svc/my-nginx
oc get routeYou’ll get a URL like my-nginx-my-first-app.apps-crc.testing — open it in browser!
All examples use standard Kubernetes YAML + OpenShift-specific features.
# nginx-app.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.25
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-service
spec:
selector:
app: nginx
ports:
- protocol: TCP
port: 80
targetPort: 80
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: nginx-route
spec:
to:
kind: Service
name: nginx-service
tls:
termination: edgeApply:
oc apply -f nginx-app.yaml
oc get route nginx-route# developer-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: my-first-app
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: my-first-app
subjects:
- kind: User
name: developer@example.com
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io# Build Ruby app from GitHub
oc new-app https://github.com/sclorg/ruby-ex.gitOpenShift auto-detects language and builds image!
spec:
template:
spec:
nodeSelector:
disktype: ssdaffinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values: ["cache"]
topologyKey: "kubernetes.io/hostname"oc autoscale deployment/nginx-deployment --cpu-percent=50 --min=2 --max=10- Never run as root: Use SCC to restrict privileges.
- Use ImageStreams for version control of container images.
- Enable Network Policies to isolate namespaces.
- Monitor with OpenShift Monitoring Stack (do not install your own Prometheus).
- Rotate credentials via OAuth identity providers (not local users).
| Symptom | Likely Cause | Fix |
|---|---|---|
Pod stuck in Pending |
Insufficient resources / no matching node | Check oc describe pod, node selectors |
Route not resolving |
Ingress controller down | Check oc -n openshift-ingress get pods |
Image pull error |
Private registry auth missing | Create docker-registry secret |
Permission denied |
SCC too restrictive | Assign anyuid SCC or custom SCC |
CRC fails to start |
Hypervisor not enabled | Enable VT-x/AMD-V in BIOS |
Use:
oc logs <pod>
oc describe <resource>
oc get events --sort-by=.metadata.creationTimestamp- 📘 Official OpenShift Documentation
- 🎥 Red Hat OpenShift YouTube Channel
- 🧪 OpenShift Interactive Learning Portal
- 💬 OpenShift Commons Community
- 🐙 GitHub: OpenShift Examples
Final Note: OpenShift isn’t just Kubernetes—it’s a platform for building, deploying, and running secure applications at scale. Start small (CRC), experiment, then scale to production with confidence.
✅ Ready to contribute?
This guide is designed as a living document. Fork it, extend labs, add your real-world examples, and share with your team!
“OpenShift turns Kubernetes from a toolbox into a factory.” — Sumon, DevOps Practitioner