Daniel Adeboye
Published 25th June 2026

What is OpenShift Container Platform?

TL;DR: What is OpenShift Container Platform?

OpenShift Container Platform is Red Hat's commercial enterprise Kubernetes platform. It ships with built-in security (Security Context Constraints), CI/CD (OpenShift Pipelines based on Tekton, OpenShift GitOps based on ArgoCD), monitoring (Prometheus and Grafana), logging, a service mesh (based on Istio), a developer console, and an integrated container image registry. It runs on bare-metal, VMware, AWS (ROSA), Azure (ARO), and GCP, and supports air-gapped deployments for regulated environments.

For enterprises evaluating OpenShift that want a managed Kubernetes application platform without operating the underlying platform layer, Northflank is the off-the-shelf alternative. It offers managed Kubernetes; self-serve BYOC into AWS, GCP, Azure, Oracle, CoreWeave, Civo, on-premises, and bare-metal; RBAC, SSO, and audit logging; preview environments; GPU workloads; and managed databases. Northflank is SOC 2 Type 2 certified and has been running untrusted code at scale since 2021.

What is OpenShift Container Platform?

Red Hat OpenShift Container Platform (OCP) is an enterprise Kubernetes distribution that adds security controls, developer tooling, CI/CD, monitoring, and a service mesh on top of upstream Kubernetes. It runs on Red Hat Enterprise Linux CoreOS, uses CRI-O as the container runtime, and ships as a complete platform rather than a base layer you assemble yourself. The analogy Red Hat uses is accurate: Kubernetes is the engine, OpenShift is the assembled car with safety systems and a manufacturer warranty.

What does OpenShift Container Platform include?

OpenShift Container Platform ships as a complete bundle. The key components:

  • Red Hat Enterprise Linux CoreOS (RHCOS). The immutable container operating system that runs on control plane nodes. RHCOS is managed by the Machine Config Operator, which handles OS updates as part of cluster upgrades rather than separately. Worker nodes can use RHCOS, with RHEL worker nodes supported in certain configurations.
  • CRI-O container runtime. OpenShift replaced Docker with CRI-O as the container runtime in version 4. CRI-O is a Kubernetes-native container runtime. OpenShift also integrates with Red Hat tools such as Podman and Buildah for container workflows.
  • Security Context Constraints (SCCs). OpenShift's default security admission model. SCCs restrict container privileges by default. This breaks many standard Docker Hub images out of the box but provides a stronger baseline for regulated environments. SCCs are the most common source of friction when migrating existing workloads to OpenShift.
  • OpenShift Pipelines. CI/CD built on Tekton, a cloud-native CI/CD framework for Kubernetes. Pipelines are defined as Kubernetes resources (Tasks and Pipelines CRDs). The developer console provides a visual pipeline editor and execution logs.
  • OpenShift GitOps. GitOps workflow management built on ArgoCD. Provides bi-directional sync between Git repositories and cluster state, with a web UI for visualizing application sync status.
  • OpenShift Service Mesh. A service mesh built on Istio and Envoy for traffic management, observability, and mutual TLS between microservices. Adds a significant operational surface on top of the base cluster.
  • OperatorHub. A web GUI for browsing and installing Kubernetes Operators, including Red Hat certified operators, community operators, and Red Hat-authored operators. Operators are the primary mechanism for managing stateful applications (databases, middleware) on OpenShift.
  • OpenShift Virtualization. Runs VMs alongside containers in the same cluster using KubeVirt. Provides a migration path for VMware workloads via the Migration Toolkit for Virtualization (MTV), which converts VMware VMDK images to KubeVirt-compatible volumes.
  • OpenShift AI. Red Hat's enterprise AI/ML platform, formerly OpenShift Data Science. Provides model training, serving, and pipeline management on top of OpenShift. Includes Lightspeed, an AI-assisted operations feature for natural language cluster administration.
  • Monitoring and logging. Prometheus and Grafana for metrics, with the OpenShift Logging stack (based on Elasticsearch or Loki with Fluentd) for log aggregation. Both are pre-configured and integrated into the developer and administrator consoles.

How does OpenShift differ from vanilla Kubernetes?

The key differences between OpenShift Container Platform and upstream Kubernetes:

| Dimension | OpenShift Container Platform | Vanilla Kubernetes | Northflank |
| --- | --- | --- | --- |
| Distribution | Commercial, fully integrated | Open-source, self-assembled | Managed platform on Kubernetes |
| Container runtime | CRI-O (enforced) | Configurable | Managed (abstracted) |
| Security model | Default-deny via SCCs | Permissive by default | RBAC, default-deny networking, audit logging |
| CI/CD | Built-in (Pipelines, GitOps) | External tooling required | Built-in (Environments, Templates) |
| Monitoring | Built-in (Prometheus, Grafana) | External tooling required | Built-in logs and metrics |
| Service mesh | Available via add-on | External tooling required | Built-in networking and TLS |
| CLI | oc (superset of kubectl) | kubectl | Northflank CLI and API |
| Image registry | Built-in integrated registry | External | Built-in |
| Upgrade management | Cluster Version Operator | Manual or via tooling | Managed by Northflank |
| OS management | Machine Config Operator (RHCOS) | External | Managed by Northflank |
| VM support | OpenShift Virtualization (KubeVirt) | Via add-ons | No |
| BYOC | Yes (self-managed) | Native (self-managed) | Yes, self-serve |
| Managed databases | Via Operators | External | Built-in (6+ types) |
| GPU workloads | Yes | Via device plugins | Yes (H100, A100, and more) |
| Platform engineering required | Yes (to operate platform) | Yes | No |
| Licensing | Subscription (per core) | Free | Usage-based, free tier available |

What deployment options does OpenShift Container Platform offer?

  • Self-managed on-premises: OpenShift Container Platform installed on bare-metal, VMware vSphere, or other on-premises infrastructure. The cluster runs entirely in the customer's own data center. Common in financial services, government, and healthcare where data cannot leave the premises.
  • Self-managed on public cloud: OpenShift installed on EC2, Azure VMs, or GCP Compute Engine. The customer manages the cluster. Infrastructure costs and OpenShift subscription costs are separate.
  • ROSA (Red Hat OpenShift Service on AWS): A fully managed OpenShift offering on AWS where Red Hat and AWS jointly operate the cluster. Subscription fees are consolidated with AWS billing. Available as a pay-as-you-go service.
  • ARO (Azure Red Hat OpenShift): A fully managed OpenShift offering jointly operated by Red Hat and Microsoft on Azure. Similar model to ROSA.
  • OpenShift Dedicated on GCP: A managed OpenShift service on Google Cloud.
  • Air-gapped deployments: OpenShift supports fully disconnected installations for environments with no public internet access, required by defense, intelligence, and critical infrastructure organizations.

What are the operational requirements for OpenShift?

OpenShift is operationally heavier than managed Kubernetes services like EKS, GKE, or AKS. Key operational realities:

  • Cluster upgrades: OpenShift upgrades the entire platform together via the Cluster Version Operator. This includes the control plane, worker nodes, RHCOS, and all integrated components. Upgrades are more reliable than manual Kubernetes patching but require careful planning, upgrade path validation, and testing in non-production environments first. Red Hat releases minor versions approximately every four months.
  • Security Context Constraint management: Every containerized application that runs as root or requires elevated privileges needs an SCC configured. This is the most common operational friction for teams migrating standard containerized workloads to OpenShift.
  • Operator management: Stateful services (databases, middleware, message queues) run via Operators. Managing Operator upgrades, CRD versions, and Operator-specific configuration is an ongoing operational task.
  • Platform engineering team requirement: OpenShift at enterprise scale typically requires a dedicated platform engineering team with Kubernetes expertise plus OpenShift-specific knowledge. Red Hat offers certification programs (Red Hat Certified Specialist in OpenShift Administration) for platform engineers.

This is the most common reason enterprises evaluate alternatives. Northflank provides the same governance capabilities as OpenShift (RBAC, SSO, audit logging, BYOC, and SOC 2 Type 2) with a managed platform layer that eliminates the need for a dedicated platform engineering team. Weights scaled to millions of users on Northflank without a DevOps team.

Is OpenShift right for your team?

OpenShift Container Platform is the right choice when your organization needs a complete opinionated platform with a single vendor responsible for the full stack, default-deny security, air-gapped deployment capability, and Red Hat enterprise support.

It is the wrong choice when you do not have a dedicated platform engineering team, when per-core subscription costs at enterprise scale are not justified, or when you need the platform to be managed for you rather than by you.

Northflank is built specifically for the second case. It provides the same enterprise controls as OpenShift (RBAC, SAML and OIDC SSO, audit logging, network policies, BYOC into your own cloud or on-premises, and SOC 2 Type 2) on a fully managed platform that has been running untrusted code at scale since 2021. No platform engineering team required. No upgrade cycles to plan. No SCC configuration required for typical application deployments.

FAQ: OpenShift Container Platform

What is the difference between OpenShift and Northflank?

OpenShift is a self-managed enterprise Kubernetes platform you deploy and operate yourself. Northflank is a fully managed platform that runs Kubernetes underneath and provides the same enterprise controls (RBAC, SSO, audit logging, BYOC, and SOC 2 Type 2) without requiring a platform engineering team to operate or upgrade the cluster. OpenShift gives you more direct control over cluster configuration. Northflank removes the need to manage the cluster at all.

What is the difference between OpenShift and Kubernetes?

Kubernetes is the open-source container orchestration engine. OpenShift is a complete enterprise platform built on top of it. Kubernetes requires you to assemble CI/CD, monitoring, security policies, and a service mesh yourself. OpenShift ships all of that pre-integrated. The tradeoff is operational complexity and subscription cost. Platforms like Northflank provide a similar enterprise-grade experience on managed Kubernetes without the overhead of running OpenShift yourself.

What is ROSA?

ROSA (Red Hat OpenShift Service on AWS) is a fully managed OpenShift service jointly operated by Red Hat and AWS. It reduces the operational burden of running OpenShift by managing the cluster infrastructure. Subscription fees are consolidated with AWS billing and available in pay-as-you-go and annual commitment models.

Does OpenShift support running virtual machines?

Yes. OpenShift Virtualization, based on the open-source KubeVirt project, runs VMs alongside containers in the same cluster. The Migration Toolkit for Virtualization (MTV) converts VMware VMDK images to KubeVirt-compatible volumes, providing a migration path for existing VMware workloads.

What security model does OpenShift use?

OpenShift enforces a default-deny security model via Security Context Constraints (SCCs). Containers cannot run as root unless an SCC explicitly permits it. This is a strong baseline for regulated environments but requires SCC configuration for standard container images that assume root access. For teams that need enterprise security without SCC friction, Northflank provides default-deny networking, RBAC, audit logging, and SOC 2 Type 2 on a managed platform with no SCC configuration required.
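
A preflight check for the SCC friction described above, as an added example that is not from the original article or from Red Hat: it flags pod-spec settings that a restricted-style SCC rejects at admission. The rule set is modelled on OpenShift's `restricted-v2` SCC as an assumption, and the UID range and pod spec are constructed samples.

```python
import json

# Constructed sample: UID range assigned to the target namespace
# (annotation openshift.io/sa.scc.uid-range, e.g. "1000650000/10000").
NS_UID_RANGE = (1000650000, 1000659999)
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}  # assumption: restricted-v2 policy

def scc_findings(pod_spec, uid_range=NS_UID_RANGE):
    """Return settings in a pod spec that a restricted-style SCC would reject."""
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(flag):
            findings.append(f"pod: {flag}=true")
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']}: hostPath")
    pod_sc = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        name = c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true")
        if sc.get("allowPrivilegeEscalation"):
            findings.append(f"{name}: allowPrivilegeEscalation=true")
        # Container-level runAsUser overrides the pod-level value.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is not None and not uid_range[0] <= uid <= uid_range[1]:
            findings.append(f"{name}: runAsUser={uid} outside namespace range")
        extra = set((sc.get("capabilities") or {}).get("add", [])) - ALLOWED_ADD_CAPS
        for cap in sorted(extra):
            findings.append(f"{name}: adds capability {cap}")
    return findings

# Constructed pod spec, typical of an image written for plain Docker.
SAMPLE = json.loads("""{
  "hostNetwork": true,
  "volumes": [{"name": "sock", "hostPath": {"path": "/var/run"}}],
  "containers": [
    {"name": "web", "securityContext": {"runAsUser": 0,
       "capabilities": {"add": ["NET_BIND_SERVICE", "SYS_ADMIN"]}}},
    {"name": "sidecar", "securityContext": {"runAsUser": 1000650001}}
  ]
}""")

if __name__ == "__main__":
    for finding in scc_findings(SAMPLE):
        print(finding)
```

A manifest with no findings can still fail at runtime if the image itself expects to run as root, because the SCC assigns the container a UID from the namespace range.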

Is OpenShift hard to operate?

Yes, relative to managed Kubernetes platforms. OpenShift introduces more operational responsibility because teams handle cluster upgrades, Operators, and security policies as part of running the platform. At enterprise scale, it often benefits from a dedicated platform engineering team. Teams that want enterprise Kubernetes capabilities without managing the platform layer itself can also evaluate Northflank, which provides a managed approach with built-in governance controls.

Conclusion

OpenShift Container Platform is a complete, opinionated enterprise Kubernetes platform. The depth of the integrated stack is its main advantage. The operational overhead, upgrade complexity, and per-core subscription cost are its main constraints.

For enterprises that need the same enterprise controls without operating the platform layer, Northflank is the off-the-shelf alternative: managed Kubernetes, self-serve BYOC, RBAC, SSO, audit logging, preview environments, GPU workloads, and SOC 2 Type 2, without a dedicated platform engineering team or upgrade cycles to manage.
