Still wondering whether to pick Kubernetes or OpenShift to orchestrate your containers in 2026? The question comes up in nearly every industrialisation project I support. The short answer: both rely on the same engine, but they answer very different contexts. This in-depth guide compares Kubernetes and OpenShift — architecture, security, developer experience, costs, use cases — to help you choose the platform that fits your organisation.
Estimated reading time: 12 minutes.
Table of contents
- What is Kubernetes?
- What is OpenShift?
- Kubernetes vs OpenShift comparison table
- Detailed technical differences
- Which one for which use case?
- CLI:
kubectlvsoc - Real-world costs in 2026
- What about alternatives (OKD, Rancher, EKS)?
- FAQ
What is Kubernetes?
Kubernetes (often shortened to K8s) is the de facto standard for container orchestration. It is an open source project initially launched by Google in 2014, donated to the CNCF and now maintained by a wide community. Kubernetes provides the foundational building blocks to:
- deploy and orchestrate containers on a cluster of machines;
- manage application lifecycle (rolling updates, rollback, scaling);
- expose those applications through services and ingress;
- provide a declarative model (YAML manifests) to describe the desired state.
Kubernetes is an engine. It does not ship with a polished web console, integrated user management, a CI/CD pipeline, an image registry or out-of-the-box observability. You need to assemble these pieces yourself through third-party projects (Prometheus, Grafana, Argo CD, Harbor, Keycloak…).
What is OpenShift?
Red Hat OpenShift Container Platform (OCP) is an opinionated Kubernetes distribution sold by Red Hat. OpenShift is not a fork of Kubernetes: it is upstream Kubernetes plus a coherent set of integrated, certified and supported components.
OpenShift ships out of the box with:
- a complete web console (Developer + Administrator);
- integrated authentication (LDAP, OIDC, htpasswd…);
- an internal image registry;
- native CI/CD pipelines (Tekton via OpenShift Pipelines);
- native GitOps (Argo CD via OpenShift GitOps);
- a complete monitoring stack (Prometheus, Alertmanager, Grafana);
- certified operators via OperatorHub;
- strict default security policies (SCC, RBAC, NetworkPolicy);
- a dedicated node OS: Red Hat CoreOS (RHCOS).
Concretely, where Kubernetes hands you a car engine, OpenShift delivers the entire car — body, dashboard and after-sales service included.
Kubernetes vs OpenShift comparison table
| Criterion | Kubernetes (vanilla) | OpenShift Container Platform |
|---|---|---|
| Vendor | CNCF (open source) | Red Hat (commercial, K8s-based) |
| Licence | Apache 2.0 | Red Hat subscription |
| Equivalent version | Kubernetes 1.30 / 1.31 | OCP 4.16 / 4.17 |
| Node OS | Your choice (Ubuntu, Debian, RHEL, Flatcar…) | Red Hat CoreOS (immutable, mandatory) |
| Web console | Minimal dashboard, optional install | Full console (Dev + Admin) |
| Authentication | Bring your own (Keycloak, Dex…) | Built-in OAuth (LDAP, OIDC, htpasswd) |
| CI/CD | Third-party tools (Argo CD, Tekton…) | OpenShift Pipelines + GitOps included |
| Image registry | External (Harbor, Quay, ECR…) | Internal Image Registry included |
| Default security | Permissive — optional SecurityContext | Strict — restricted-v2 SCC by default |
| Upgrades | Manual or operator-driven | Orchestrated, OTA, with rollback |
| Support | Community (or cloud provider) | Red Hat 24/7 included with subscription |
| Cost (50 cores) | Free (except managed cloud) | ~30,000 €/year |
| Target audience | Teams comfortable with the ecosystem | Enterprises wanting an integrated platform |
Detailed technical differences
1. Default security
This is the most structuring difference. OpenShift enforces by default the restricted-v2 SCC: pods cannot run as root, the UID is randomly assigned per namespace, and Linux capabilities are dropped. As a result, many public Docker images (official NGINX, MySQL, Redis…) won’t start as-is.
On vanilla Kubernetes, those images start happily — often as root — and nobody complains. It is more convenient for proofs of concept, but it is also massive security debt in production. On Kubernetes you can (and should) enforce Pod Security Standards, but the configuration is on you.
# Typical OpenShift rejection when an image runs as root:
$ oc apply -f deploy.yaml
Error from server (Forbidden): error when creating "deploy.yaml": pods is forbidden:
unable to validate against any security context constraint:
[provider "restricted-v2": Forbidden: not usable by user or serviceaccount,
spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000700000, 1000709999]]2. Routes vs Ingress
Kubernetes uses Ingress resources (and increasingly the Gateway API). OpenShift also offers a Route resource, predating Ingress and still active. An OpenShift Route looks like this:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: app-front
namespace: prod
spec:
host: app.example.com
to:
kind: Service
name: app-front
port:
targetPort: 8080
tls:
termination: edge
insecureEdgeTerminationPolicy: RedirectOpenShift can read standard Ingress resources too (they get translated to Routes behind the scenes). Your Kubernetes manifests stay portable.
3. Image Stream and Source-to-Image (S2I)
OpenShift introduces the ImageStream, an abstraction on top of the registry that decouples the image reference from its tag. Combined with Source-to-Image (S2I), OpenShift can build an image directly from a Git repository, with no Dockerfile required.
It’s a real comfort for Java, Python or Node developers — something Kubernetes does not provide natively (you’d use Buildah, Kaniko or Tekton instead).
4. Operators and OperatorHub
The Operator Lifecycle Manager (OLM) and OperatorHub are native in OpenShift. With a few clicks in the console you install a monitoring stack, a certificate manager, a Vault operator or a Postgres operator: they are installed, watched and updated automatically.
On vanilla Kubernetes, OLM exists but must be installed manually. Most teams skip OLM and install operators via Helm chart or kustomize, taking version tracking into their own hands.
5. Orchestrated upgrades
OpenShift performs over-the-air upgrades through the Cluster Version Operator: you pick a target version in the console, and the cluster upgrades RHCOS nodes, the API server and every operator following a validated upgrade graph. It’s one of the great strengths of OCP in production.
On vanilla Kubernetes, upgrades depend on your install: kubeadm upgrade, a cluster operator (Cluster API, kOps, kubespray) or a managed cloud task (EKS, GKE, AKS). You need to master the entire chain.
Which one for which use case?
Pick Kubernetes (managed or vanilla) if:
- You have a senior DevOps team comfortable with the CNCF ecosystem.
- Your infrastructure already runs on AWS, GCP or Azure and you want to use EKS / GKE / AKS.
- You want full control over costs (no subscription fees).
- Your architecture is highly standardised and well tooled (GitOps, Terraform, Crossplane).
- You’re fine building the developer platform yourself.
Pick OpenShift if:
- You operate in a regulated industry (banking, healthcare, energy, government).
- You need a contractual 24/7 support agreement.
- Your target is on-premise (bare metal, VMware vSphere) or hybrid.
- Your developer teams are not (yet) Kubernetes experts.
- You want a ready-to-use integrated platform: console, CI/CD, monitoring, security.
- You already invest in the Red Hat ecosystem (RHEL, Ansible, RHACM, RHACS).
From experience, in the engagements I’ve led — including the migration of more than 50 applications at the National Bank of Canada from OpenShift 3.11 to OCP 4.x — OpenShift delivers a clear ROI in large on-premise organisations. In a small agile team running on AWS, EKS will be a better fit.
CLI: kubectl vs oc
The OpenShift client oc is a superset of kubectl: every kubectl command exists in oc, plus a few OCP-specific additions.
# Kubernetes
kubectl get nodes
kubectl get pods -n monitoring
kubectl apply -f deploy.yaml
kubectl logs -f pod/app-xyz
kubectl exec -it pod/app-xyz -- /bin/sh
# OpenShift — same commands plus extras
oc get nodes
oc get pods -n monitoring
oc apply -f deploy.yaml
oc logs -f pod/app-xyz
oc rsh pod/app-xyz # handy alias for exec -it
oc new-project demo # create project (= namespace + metadata)
oc new-app python:3.12~https://github.com/me/app # S2I build from Git
oc adm top nodes
oc whoami --show-server
oc adm policy add-scc-to-user anyuid -z default # tweak an SCCGood news: your Kubernetes manifests (Deployment, Service, ConfigMap…) are 100% compatible with OpenShift, provided they respect the SCC policies. Your kubectl skills carry over directly.
Real-world costs in 2026
The raw cost of an OpenShift subscription is often quoted as a deal-breaker. You should compare like for like.
- OpenShift Container Platform on-premise: Red Hat per-core subscription. Order of magnitude: ~600 €/core/year for the Premium tier (negotiable).
- EKS / GKE / AKS: ~70 USD/month for the control plane per cluster, plus the cost of the nodes.
- Kubernetes vanilla on-premise: 0 € licence, but factor in the engineering time to build and maintain the platform.
In practice, I’ve measured at several customers that OpenShift’s TCO is competitive once you account for: the FTEs needed to build and maintain a vanilla Kubernetes platform, the cost of incidents avoided thanks to Red Hat support, and the productivity gains for developers thanks to the integrated console and pipelines.
What about the alternatives?
- OKD: the 100% open source flavour of OpenShift, with no Red Hat subscription. A great option to validate OCP in a POC, but no official support.
- Rancher (SUSE): a multi-cluster Kubernetes management platform. Excellent for managing many small clusters, lighter than OpenShift.
- Tanzu (VMware): the Kubernetes offering integrated with vSphere, attractive for VMware-centric organisations.
- EKS / GKE / AKS: the managed Kubernetes services from the major clouds. Lightweight, quick to provision, but they don’t deliver the same vertical integration as OpenShift.
FAQ
Is OpenShift a fork of Kubernetes?
No. OpenShift uses upstream Kubernetes (no proprietary patches) and adds integrated components on top. When Kubernetes 1.31 ships, an OpenShift release follows a few months later.
Will my Helm charts work on OpenShift?
Yes, Helm 3 works natively. The only pitfall is Security Context Constraints: some public charts don’t comply with restricted-v2. Either tune the values, or assign a less strict SCC to the chart’s ServiceAccount.
Can I install OpenShift locally to learn?
Yes: OpenShift Local (formerly CRC) runs on a developer laptop (16 GB RAM minimum). For a more production-like target, OKD or a SNO (Single Node OpenShift) cluster do the job nicely.
Do I need Red Hat certifications to operate OpenShift?
Not strictly, but it’s strongly recommended. Red Hat Certified Specialist in OpenShift Administration (EX280) and Containers and Kubernetes (EX180) are great benchmarks to validate a team’s skills.
Which platform should I pick to migrate away from vanilla Kubernetes?
It depends on your target. If your teams already master Kubernetes and your destination is the public cloud, stick with managed Kubernetes. If you’re multi-cloud or on-premise and want to standardise the platform with contractual support, OpenShift is a great candidate — exactly the situation I was given at the National Bank of Canada (50+ applications migrated with 80% fewer manual errors).
Need help choosing or migrating?
Architecture, OpenShift 3.x → 4.x migration, hardening, team enablement — I’ve been helping clients with these topics for 7 years. Tell me about your context and I’ll come back with a concrete plan within 24 hours.
Related upcoming articles: “HashiCorp Vault on Kubernetes”, “OpenBao, the open source alternative to Vault”, “Terraform best practices for structuring your modules”.