The OpenShift vs Kubernetes debate has dominated cloud-native architecture meetings since Red Hat rebuilt its Container Platform on Kubernetes in 2019. Seven years later, the question is no longer “which orchestrator wins” – both run the same Kubernetes API – but which packaging, support model, and developer experience match a given workload. With Kubernetes 1.36 shipping on Red Hat OpenShift Container Platform 4.20 was released on October 21, 2025, with full support ending today, May 3, 2026; 4.21 was released February 3, 2026[1][4][5].20 reaching general availability on October 21, 2025, the gap between the upstream project and Red Hat’s enterprise distribution is narrower than ever in features yet wider than ever in price.
This guide compares the two platforms across 14 dimensions: pricing, performance, security, networking, storage, AI workloads, developer experience, ecosystem, and total cost of ownership at scale. We cite Red Hat list pricing of roughly $1,000 to $2,500 per 2-core pack per year for OpenShift Container Platform, AWS Marketplace ROSA rates starting at $0.076 per hour for reserved instances, and free upstream Kubernetes – a gap that translates to six- and seven-figure differences for production fleets.
OpenShift vs Kubernetes 2026: The Quick Verdict
OpenShift Container Platform 4.20 is Red Hat’s opinionated, fully integrated Kubernetes distribution that bundles Tekton pipelines, Argo CD GitOps, Istio service mesh, OpenShift Virtualization (KubeVirt), the Operator Lifecycle Manager, a developer console, and 24/7 enterprise support behind a per-core subscription. Upstream Kubernetes 1.36 is the raw, free, vendor-neutral orchestrator that ships only the control plane, kubelet, and core APIs – every operational concern from ingress to logging to authentication is delegated to add-ons you assemble yourself.
Pick OpenShift when you need a turnkey platform with a paid throat to choke, regulated-industry certifications such as FedRAMP High and PCI DSS, and a single vendor for support across the OS, container runtime, control plane, and developer tooling. Pick vanilla Kubernetes when cost, flexibility, and no vendor lock-in outweigh integration time, when your team has senior platform engineers, or when you already standardized on a managed service such as EKS, GKE, or AKS that handles control-plane operations for a fraction of OpenShift list price.
Specifications Comparison: 16-Row Spec Table
The table below distills the differences that matter when an architect picks between Red Hat OpenShift Container Platform 4.20 and upstream Kubernetes 1.36. Both run the same Kubernetes API, so workload portability is high, but installation footprint, supported lifecycle, included components, and base operating system diverge sharply. Numbers reflect the latest GA releases from Red Hat and the Kubernetes release team as of April 2026.
| Specification | OpenShift 4.20 | Kubernetes 1.36 |
|---|---|---|
| Latest GA release | October 21, 2025 | April 22, 2026 |
| Vendor / steward | Red Hat (IBM) | CNCF (vendor neutral) |
| License | Commercial subscription | Apache 2.0 (free) |
| Base operating system | Red Hat Enterprise Linux CoreOS | Any Linux (Ubuntu, Debian, RHEL, CoreOS, Talos) |
| Container runtime | CRI-O (mandatory) | containerd, CRI-O, Docker (deprecated) |
| Default network plugin | OVN-Kubernetes | BYO (Calico, Cilium, Flannel, OVN-Kubernetes) |
| Default ingress | HAProxy Router (built-in) | BYO (NGINX, Traefik, Contour, Istio) |
| Built-in CI/CD | OpenShift Pipelines (Tekton), GitOps (Argo CD) | None – install separately |
| Built-in service mesh | OpenShift Service Mesh 3 (Istio) | None – install separately |
| Built-in monitoring | Prometheus + Grafana stack pre-installed | None – install separately |
| Default pods per node | 250 (Red Hat tested) | 110 (kubelet default) |
| Default cluster size limit | 2,000 nodes per cluster (Red Hat tested) | 5,000 nodes (upstream tested) |
| Support window per release | 18 months full + 6 months maintenance | ~14 months upstream patches |
| Release cadence | Every 4 months | Every 4 months (3 per year) |
| Enterprise support | 24/7 Red Hat (Standard or Premium) | Community Slack and GitHub only |
| FedRAMP / PCI DSS / HIPAA | Yes (ROSA Gov) | Depends on distro / managed service |
The headline takeaway is what OpenShift includes that Kubernetes does not. Out of the box, an OCP 4.20 cluster ships an HAProxy ingress router, Prometheus and Grafana monitoring, the EFK logging stack, Tekton pipelines, Argo CD, Istio, OpenShift Virtualization for running KVM virtual machines as pods, and the OpenShift Web Console with both an admin and a developer perspective. A vanilla Kubernetes 1.36 control plane ships none of that – every cluster operator picks, installs, upgrades, and troubleshoots each component themselves. That packaging difference is the single largest reason the per-core OpenShift subscription costs what it does.
Pricing Showdown: $1K Per-Core Gap and Free Upstream
The price gap between OpenShift and Kubernetes is the single number most teams want before they read anything else. Upstream Kubernetes is free Apache 2.0 software with zero license cost – you pay only for the underlying compute, storage, and network. Red Hat OpenShift Container Platform list pricing as of 2026 ranges from roughly $1,000 to $2,500 per 2-core pack per year, depending on the edition (Container Platform versus Platform Plus), the support tier (Standard or Premium), and whether the deployment is self-managed or cloud-hosted.
| Pricing Model | OpenShift | Kubernetes |
|---|---|---|
| Self-managed list price (2-core pack) | $1,000–$2,500/year | $0 (Apache 2.0) |
| Self-managed list price (16-core node) | $8,000–$20,000/year | $0 |
| ROSA on-demand (m5.large worker) | $0.326/hour | EKS: $0.10/hour control plane |
| ROSA on-demand (m6a.xlarge worker) | $0.653/hour | EKS m6a.xlarge: ~$0.173/hour |
| ROSA reserved (4 vCPU, 3-year) | From $0.076/hour | EKS Savings Plan: ~$0.063/hour |
| Azure Red Hat OpenShift (4 vCPU) | From $0.171/hour + Azure VMs | AKS control plane: free or $0.10/hour |
| OpenShift Dedicated (4 vCPU) | From $0.171/hour + cloud infra | GKE Standard: $0.10/hour control plane |
| OKD (community OpenShift) | $0 | $0 |
| Premium 24/7 support uplift | +30–40% over Standard | Third-party (Mirantis, SUSE, VMware): varies |
| Annual cost for 100-node cluster (16 cores each) | ~$1.6M–$4M | $0 license + ~$1K EKS control plane |
For a representative 100-node production cluster with 16-core workers, OpenShift Container Platform self-managed Standard support lands somewhere between $1.6 million and $4 million per year in subscription fees alone, before any compute, storage, or networking is paid for. The same 100-node cluster on EKS costs roughly $876 per year for the managed Kubernetes control plane (ten cents an hour times one cluster), plus the EC2 worker fees you would pay either way. The OpenShift premium buys integrated tooling, certified operators, and Red Hat’s CVE backporting – whether that premium is justified depends entirely on the cost of the engineering hours you would spend assembling the same stack on raw Kubernetes.
Architecture Differences: CoreOS, CRI-O, and OVN-Kubernetes
The most visible architectural choice in OpenShift 4.x is that every node runs Red Hat Enterprise Linux CoreOS, an immutable, transactionally updated operating system whose configuration is owned by the Machine Config Operator. Administrators do not SSH in to install packages, edit files, or patch the kernel – every host change goes through a MachineConfig custom resource that the operator rolls out cluster-wide with automated reboots. This is excellent for fleet consistency and worst for ad-hoc debugging. Vanilla Kubernetes ships no opinion about the host OS – Ubuntu 24.04 LTS, Debian 12, Talos Linux, Bottlerocket, Flatcar, and AlmaLinux are all common choices, each with its own update cadence and configuration tooling.
OpenShift mandates CRI-O as the container runtime; the Docker runtime was removed in OpenShift 4 and containerd is not supported. CRI-O is a minimal, Kubernetes-only runtime maintained as a CNCF project, and Red Hat tunes it specifically for OCP workloads. Upstream Kubernetes accepts any Container Runtime Interface implementation: most clusters now use containerd (the default in kubeadm and most managed services), with CRI-O as a popular alternative for SELinux-enforced environments.
Networking is where OpenShift simplifies the most. Every OCP 4.x cluster ships OVN-Kubernetes as the default CNI plugin, configured with multi-tenant network policies, egress IPs, NetworkPolicy enforcement, and integrated load balancers. Vanilla Kubernetes ships no CNI – administrators install Calico, Cilium, Flannel, Weave, or OVN-Kubernetes themselves. The Cilium and Calico communities have moved aggressively into eBPF-based networking, often outperforming OVN-Kubernetes on raw throughput, but the integration burden falls on the cluster operator.
Performance Benchmarks: Pod Density, Scheduling, and Throughput
Comparing raw OpenShift versus Kubernetes performance is a category error – both run the same kube-scheduler, same kubelet, and same etcd. What differs is the default tuning, the supported scale envelope Red Hat tests against, and the components that ship enabled by default. Red Hat publishes a tested scale envelope of up to 2,000 nodes per OpenShift 4.20 cluster and 250 pods per node – a doubling of the upstream kubelet default of 110 pods per node. Upstream Kubernetes documents tested limits of 5,000 nodes, 150,000 total pods, and 300,000 total containers per cluster.
Cilium maintainer Thomas Graf has demonstrated 10,000-node clusters using Cilium-based connectivity in CNCF benchmark talks, well past either Red Hat or upstream’s tested envelopes. Datadog’s annual Container Report consistently shows the median Kubernetes cluster runs fewer than 100 nodes, so the scale ceiling matters only for hyperscaler workloads. For typical enterprise deployments, the more relevant numbers are scheduling latency (single-digit milliseconds on both), pod startup time (dominated by image pull, not orchestrator overhead), and control plane API server throughput (both can sustain thousands of requests per second per kube-apiserver instance).
Where OpenShift adds measurable overhead is in its default observability and security stack. Out of the box, every OCP cluster runs Prometheus, Alertmanager, the EFK logging pipeline, the cluster-monitoring-operator, the OAuth server, and a handful of Operator Lifecycle Manager pods. On a 3-node cluster, those services consume 4 to 6 GB of RAM and one to two cores before any user workload runs. A minimal kubeadm-installed Kubernetes 1.36 cluster runs the kube-apiserver, controller-manager, scheduler, etcd, kube-proxy, and a CNI – under 1 GB of RAM. Both numbers are small relative to a typical 64-core node, but on edge two-node deployments the OpenShift overhead is felt.
Kubernetes 1.36 vs OpenShift 4.20: New Features in 2026
Kubernetes 1.36, released April 22, 2026, follows 1.35 (December 17, 2025) in a release cadence the project has held to three minor versions per year. The headline features in 1.35 – which OpenShift 4.20 inherits – include native Gang Scheduling through a new Workload API, allowing all-or-nothing scheduling for distributed training jobs, Spark, and Ray pipelines; In-Place Pod Resource Updates that let CPU and memory requests change without restarting the pod; PreferSameNode traffic distribution that prioritizes local endpoints to reduce east-west network hops; node topology labels via the Downward API; and Image Volumes that mount OCI images as read-only data volumes. Kubernetes 1.36 builds on these with continued sidecar container maturation and graduations of beta features.
OpenShift 4.20, GA on October 21, 2025, focuses on AI and edge workloads. The release adds explicit AI workload support including pre-tuned NVIDIA, AMD, and Intel GPU operators, post-quantum cryptography options for kube-apiserver TLS, zero-trust identity integration, simplified secrets management with external secret stores, BGP networking for advertising service IPs to upstream routers, two-node-with-arbiter edge deployment topology, expanded ARM64 support, and certified Oracle Cloud Infrastructure deployment. OpenShift Virtualization 4.20 adds storage offloading for faster live migrations and bare-metal Oracle Cloud support.
The functional gap between the two has narrowed since the OCP 3.x days, when OpenShift carried significant downstream patches. OCP 4.x is a much thinner downstream – the upstream Kubernetes patches are minor, and most Red Hat value-add is delivered as separate Operators that install on top of the unmodified Kubernetes APIs. The practical implication is that workloads written for one platform run unchanged on the other.
Security: Red Hat Advanced Cluster Security and Pod Security Standards
OpenShift’s security posture is one of the most-cited reasons regulated industries pick the paid distribution over upstream. Every OCP cluster enforces SecurityContextConstraints (SCCs) – Red Hat’s predecessor to Pod Security Standards – that block containers from running as root by default, deny privileged escalation, and require explicit grants for host networking, host path mounts, and Linux capabilities. SELinux is enforced at the host level via RHEL CoreOS, and CRI-O integrates with SELinux for per-container labels. Kubernetes 1.25 graduated Pod Security Standards (PSS) to GA, and modern upstream clusters can match the same controls – but the operator must enable them and write the admission policies themselves.
Red Hat Advanced Cluster Security for Kubernetes (ACS), based on the StackRox open-source project, is a separately licensed add-on that handles vulnerability scanning, runtime threat detection, network policy automation, and compliance reporting against CIS, NIST, PCI DSS, and HIPAA benchmarks. The same StackRox open source code base is freely available, so upstream Kubernetes users can self-host the equivalent feature set; only the supported, integrated ACS distribution requires a paid subscription. Other vendors compete in this space – Aqua Security, Sysdig Secure, Wiz, Palo Alto Prisma Cloud, and Snyk all offer commercial Kubernetes security suites that work equally well on either platform.
The CVE backporting track record is where Red Hat’s paid model earns its keep. When Log4Shell or Spring4Shell-class vulnerabilities hit, Red Hat ships RHSA-tagged patches across all supported OpenShift versions within hours; upstream Kubernetes patches the latest three minors only. RHSA-2026:8449, for example, addressed important security fixes in OCP 4.18.38 in early 2026 – fixes that upstream operators on long-term-support distros had to build themselves.
Real-World Examples: 5 Enterprise Deployments
The clearest way to choose between OpenShift and Kubernetes is to look at how comparable organizations made the call. The five examples below are drawn from public Red Hat case studies, KubeCon talks, and CNCF end-user case studies between 2024 and early 2026.
BMW Group runs its connected-vehicle platform on Red Hat OpenShift across multiple regions. The German automaker cited the integrated GitOps workflow, certified Operators for Kafka and PostgreSQL, and a single Red Hat support contract spanning RHEL, OpenShift, and Ansible Automation Platform as the deciding factors. BMW’s KubeCon Europe 2024 talk reported running thousands of services across the OCP fleet with consistent network policies enforced by OVN-Kubernetes.
Spotify famously runs vanilla Kubernetes on Google Kubernetes Engine, with its open-source Backstage developer portal layered on top. Spotify’s platform engineering team – large enough to fund deep customization – chose GKE plus Backstage over OpenShift specifically to avoid the opinionated developer console and to keep the freedom to adopt CNCF projects directly upstream. Spotify open-sourced Backstage in 2020, and it is now a CNCF incubating project with thousands of adopters.
Lockheed Martin picked OpenShift for its U.S. Department of Defense workloads, citing FedRAMP High authorization, DISA STIG compliance, and the ability to run identical OpenShift 4.x clusters in air-gapped classified environments and in commercial AWS GovCloud via ROSA. The defense contractor’s choice reflects a broader pattern in regulated public sector work where vendor-supported distributions are functionally mandatory.
Shopify runs vanilla Kubernetes on Google Cloud, scaling to tens of thousands of pods during Black Friday peak traffic. Shopify’s platform team has published detailed talks on its Kubernetes-based shop runtime, choosing the upstream platform plus heavy in-house tooling because the company employs hundreds of platform engineers and prefers to write its own opinionated layer rather than adopt Red Hat’s.
HCA Healthcare standardized on Red Hat OpenShift for its clinical applications, citing HIPAA compliance, the integrated Quay container registry with vulnerability scanning, and the consistency of running the same OCP 4.x platform on bare metal in hospital data centers and on Azure Red Hat OpenShift in the cloud. Healthcare workloads tend to favor OpenShift because the regulated audit trail of vendor-supported software simplifies compliance reviews.
Developer Experience: Console, Pipelines, and GitOps
Where OpenShift differentiates most strongly is the developer console. Out of the box, every OCP cluster ships a web UI with two perspectives: an Admin perspective for cluster operators that exposes nodes, machine sets, operators, and cluster settings; and a Developer perspective for application teams that exposes Topology graphs, Source-to-Image (S2I) build flows, Helm charts, the OpenShift Pipelines (Tekton) editor, and Argo CD GitOps applications. The Topology view alone – which renders application services as connected nodes with deployment status, ingress routes, and resource usage – is the feature most-frequently named in OCP versus Kubernetes evaluations.
Vanilla Kubernetes ships only kubectl and the optional Kubernetes Dashboard, a community project with a tiny fraction of OCP console features. Most upstream teams adopt one of three tooling stacks: Lens or Headlamp as a desktop client, Backstage as a developer portal, or Rancher Manager from SUSE for multi-cluster fleet management. Each is excellent in isolation; the integration work to combine them with CI/CD, service mesh, and policy engines is non-trivial.
OpenShift Pipelines is Red Hat’s productized Tekton, with curated ClusterTasks for build, test, and deploy stages and tight integration with the OCP web console. OpenShift GitOps is the productized Argo CD with multi-cluster bootstrapping. Both are vendored, supported versions of the same upstream CNCF projects that Kubernetes users can install themselves – the difference is who fixes the bug at 2 a.m.
AI and ML Workloads: OpenShift AI vs Kubeflow
AI workloads are the fastest-growing category on both platforms. OpenShift AI (formerly Red Hat OpenShift Data Science, RHODS) is a paid add-on that bundles Jupyter notebooks, Open Data Hub, KServe model serving, vLLM-based inference, Kueue gang scheduling, and integrations with NVIDIA, AMD Instinct, and Intel Gaudi GPU operators. The OpenShift 4.20 release explicitly added pre-tuned AI workload defaults – node feature discovery for accelerator detection, GPU sharing via NVIDIA’s Multi-Instance GPU (MIG), and validated patterns for fine-tuning Llama, DeepSeek, Mistral, and other open-weights models.
Vanilla Kubernetes 1.36 supports the same workloads through the open-source Kubeflow project, the NVIDIA GPU Operator, the AMD GPU Operator, and KServe – the same projects, minus Red Hat’s productization. Kubeflow has a long, sometimes painful installation experience and a fragmented community after Google donated parts to the Linux Foundation in 2022, but production deployments at companies like Uber and Bloomberg show it can scale. The 2026 trend has been Ray on Kubernetes (via the KubeRay operator) for distributed training and inference, deployed equally on OpenShift and vanilla Kubernetes.
For ChatGPT-class inference workloads, both platforms can run vLLM, Triton, and SGLang as model servers, scheduling them onto GPU node pools through the same Kubernetes Device Plugin API. The choice between OpenShift AI and Kubeflow boils down to support: regulated industries with paid budgets pick OpenShift AI; AI-native startups optimize cost by running Kubeflow or KServe directly on EKS, GKE, or self-managed Kubernetes.
Storage and Data: ODF vs Rook Ceph and CSI Drivers
Persistent storage on Kubernetes lives behind the Container Storage Interface (CSI), and dozens of drivers exist for cloud block storage, NFS, iSCSI, S3, and software-defined storage. OpenShift Data Foundation (ODF), formerly OpenShift Container Storage, is Red Hat’s productized Rook Ceph distribution, providing block, file, and object storage via the same Ceph cluster running as containers inside OpenShift. ODF is a separate paid subscription on top of OCP and is the recommended storage layer for stateful OpenShift workloads where you want the storage layer supported by the same vendor.
Vanilla Kubernetes operators have far more storage choices: Rook Ceph (the upstream of ODF), Longhorn from SUSE, OpenEBS from MayaData, Portworx (now Pure Storage), Robin.io, and the major cloud providers’ first-party CSI drivers (EBS, Persistent Disk, Azure Disk, OCI Block Volumes). MinIO and SeaweedFS dominate the S3-compatible object storage space, both running as Kubernetes-native deployments. The flexibility comes at the cost of evaluation time: choosing among a dozen CSI drivers is a multi-week project that ODF removes from the menu.
Ecosystem and Community: CNCF, Operators, and OperatorHub
Kubernetes is one of the largest open source projects in history. The kubernetes/kubernetes GitHub repository is consistently among the most-starred repositories on the platform, with hundreds of thousands of commits from thousands of contributors across hundreds of companies. The CNCF (Cloud Native Computing Foundation), which stewards Kubernetes, also hosts more than 100 graduated, incubating, and sandbox projects – Prometheus, Envoy, etcd, containerd, Helm, Argo, Cilium, and many more – that form the canonical cloud-native stack.
OpenShift consumes that same ecosystem and adds Red Hat’s curated OperatorHub, a catalog of certified Operators for databases, message queues, observability tools, and ISV products. As of 2026, OperatorHub lists hundreds of certified Operators, most of which also publish their charts on the upstream operatorhub.io for use on any Kubernetes distribution. The certification process – Red Hat-tested, signed images, and supported under Red Hat’s case management – is the differentiator.
The Kubernetes community itself is bigger than any vendor. Kelsey Hightower, formerly of Google, popularized “Kubernetes The Hard Way” as the canonical learning path; Tim Hockin, also at Google, is a long-time Kubernetes API maintainer; Liz Rice, Chief Open Source Officer at Isovalent (acquired by Cisco in 2024), is a former CNCF Technical Oversight Committee chair and a leading voice on eBPF-based networking with Cilium. Joe Beda, Brendan Burns, and Craig McLuckie are credited as the original Kubernetes co-creators at Google. None of these voices speaks for Red Hat – that independence is exactly the value proposition of the upstream community.
Use-Case Recommendations: 5 Scenarios
Below are five workload patterns and the platform recommendation that matches each. The recommendations assume budget is finite and the team must justify subscription costs against engineering hours saved.
1. Regulated Industries (Banking, Healthcare, Government)
Pick OpenShift, specifically ROSA Gov for U.S. federal workloads or self-managed OCP for air-gapped environments. The combination of FedRAMP High authorization, DISA STIG compliance, HIPAA-ready audit trails, vendor-signed supply chain, and 24/7 Red Hat support typically saves more in compliance review hours than the subscription costs in dollars. Lockheed Martin, the U.S. Air Force, and HCA Healthcare are public examples.
2. AI Inference Startups Burning Compute, Not Hours
Pick managed Kubernetes (EKS, GKE, AKS, or a neocloud like CoreWeave) over OpenShift. Inference workloads spend 90 percent of their cost on GPU time, not orchestration; saving even 10 percent on the platform layer compounds quickly. Use KServe, vLLM, and the NVIDIA GPU Operator directly. Anthropic, OpenAI, and most AI-native startups follow this pattern.
3. Mid-Market Enterprises Moving Off VMware
Pick OpenShift with OpenShift Virtualization. Since Broadcom’s acquisition of VMware tripled per-core licensing for many ESXi customers, OpenShift Virtualization (KubeVirt) has become the most-adopted exit path that keeps VM workloads on a vendor-supported platform. Migrating VMs onto KubeVirt while gradually containerizing is a multi-year journey that justifies the OCP subscription.
4. Cloud-Native SaaS Companies on Hyperscalers
Pick managed Kubernetes (EKS, GKE, AKS) plus open source add-ons. Build a paved-road internal developer platform with Backstage, Argo CD, and Cilium. The total cost of ownership beats OpenShift by an order of magnitude when you have the engineering headcount to maintain the stack. Shopify, Spotify, Pinterest, and most CNCF end users follow this pattern.
5. Edge and Two-Node Deployments
Pick OpenShift 4.20’s two-node-with-arbiter topology for industrial, retail, and telco edge sites. Red Hat’s investment in single-node OpenShift (SNO) and two-node deployments – combined with MicroShift, the OCP-derived edge runtime – handles disconnected and intermittent connectivity scenarios that vanilla Kubernetes leaves to the operator. Verizon and large telco operators have publicly adopted MicroShift and SNO for radio access network workloads.
Migration Guide: Moving Between OpenShift and Kubernetes
Migrating between OpenShift and vanilla Kubernetes is one of the most-discussed topics in 2026 platform engineering, often driven by cost optimization in one direction and compliance pressure in the other. Both platforms run identical Kubernetes APIs, so most workloads port without code changes. The friction points are in the Red Hat-specific resources OpenShift adds.
Migrating From OpenShift to Vanilla Kubernetes
Audit your manifests for OpenShift-specific objects: Routes (replace with Ingress or Gateway API resources), DeploymentConfigs (replace with Deployments – DC is being deprecated even within OpenShift), BuildConfigs (replace with Tekton or external CI), ImageStreams (replace with direct image references), and SecurityContextConstraints (replace with Pod Security Standards labels and admission policies). Tools such as Konveyor, Velero, and crane-tool help automate the export and replay. Plan for two to four weeks per major application to migrate, plus rebuild time for any container images that depend on Red Hat UBI base images you no longer have entitlements to pull.
# Example: convert OpenShift Route to upstream Ingress
# OpenShift Route (oc get route myapp -o yaml)
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: myapp
spec:
host: myapp.example.com
to:
kind: Service
name: myapp
port:
targetPort: http
tls:
termination: edge
---
# Vanilla Kubernetes Ingress equivalent
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myapp
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts: [myapp.example.com]
secretName: myapp-tls
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: myapp
port:
number: 80Migrating From Vanilla Kubernetes to OpenShift
The reverse migration is generally easier. OpenShift accepts standard Kubernetes manifests (Deployments, Services, Ingresses, ConfigMaps, Secrets, NetworkPolicies, HPAs, PVCs) without modification. The friction points are SecurityContextConstraints – most upstream containers run as UID 1000 or root, and OpenShift’s restricted SCC denies both. Either set spec.securityContext.runAsNonRoot: true with a high UID, or grant the deployment the anyuid SCC. Rebuild any images that bundle a fixed UID using OpenShift’s Source-to-Image flow against a Red Hat UBI base image to gain entitlement to Red Hat-maintained patches.
# Grant the anyuid SecurityContextConstraint to a service account
oc adm policy add-scc-to-user anyuid
-z myapp-sa -n myapp-namespace
# Or rewrite the Deployment to comply with restricted-v2 SCC
spec:
template:
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1001
fsGroup: 1001
seccompProfile:
type: RuntimeDefault
containers:
- name: app
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
readOnlyRootFilesystem: truePros and Cons: Honest Trade-Offs
OpenShift Pros
Integrated CI/CD, GitOps, service mesh, monitoring, and logging out of the box reduce platform-team headcount by months of engineering. The web console – Topology, Developer perspective, Pipelines editor – is genuinely best-in-class and is consistently the feature developers cite as the reason they prefer OCP. Red Hat’s CVE backporting and 24/7 enterprise support reduce risk for regulated industries. FedRAMP High, PCI DSS, and HIPAA certifications are pre-cleared. KubeVirt-based OpenShift Virtualization is the most-credible VMware ESXi alternative for organizations exiting Broadcom licensing.
OpenShift Cons
Per-core list pricing of $1,000 to $2,500 per 2-core pack annually adds up to seven figures at scale. Red Hat ecosystem lock-in: switching off OCP requires reworking Routes, BuildConfigs, ImageStreams, and SCCs. CRI-O is mandatory; if you have tooling tied to containerd you must adapt. RHEL CoreOS is mandatory; if you prefer Talos, Bottlerocket, or Ubuntu you must use a different platform. The opinionated developer console can feel restrictive to engineering teams who want to pick their own tooling stack.
Kubernetes Pros
Free Apache 2.0 licensing, vendor-neutral CNCF governance, and a thriving ecosystem of hundreds of compatible projects. Total flexibility to pick CNI, ingress, storage, monitoring, CI/CD, and policy stacks that match your exact requirements. Massive community and unlimited talent pool: Kubernetes is the most-cited container orchestration skill on hiring sites globally. Managed services (EKS, GKE, AKS) handle the control plane for under $100 a month per cluster, leaving you to focus on workloads.
Kubernetes Cons
Assembly required: every cluster needs a CNI, ingress, monitoring, logging, secrets management, policy engine, and CI/CD selection – each a multi-week evaluation. No single-vendor support; when something breaks at 2 a.m. you may bounce among Calico, NGINX, Prometheus, and Velero communities. Compliance certifications are the operator’s responsibility. Upgrade hygiene: Kubernetes deprecates APIs aggressively, and operators who skip releases face painful upgrade marathons. Talent intensity: building and operating a vanilla Kubernetes platform at scale typically requires a dedicated platform team of five to fifteen engineers, salary cost that can exceed an OpenShift subscription.
Total Cost of Ownership: 100-Node Cluster Math
The most-asked TCO question is what a 100-node cluster costs over three years on each platform. The numbers below assume 16-core m6a.xlarge-equivalent worker nodes running 24/7 in AWS us-east-1, with mid-range Standard support tier on OCP and EKS for the Kubernetes side. Numbers are approximate and ignore data transfer, storage, and reserved instance discounts.
| Cost Line | OpenShift OCP self-managed | EKS + open source add-ons |
|---|---|---|
| Platform license (3 years) | $4.8M–$12M | $0 |
| EKS control plane (3 years) | n/a | $2,628 |
| EC2 compute (3-year reserved) | ~$2.4M | ~$2.4M |
| Storage and networking | ~$300K | ~$300K |
| Add-ons (Datadog, ACS/Wiz, etc.) | $300K (ACS) | $500K–$1M |
| Platform engineering (3 FTE) | ~$1.5M | ~$3M (5 FTE) |
| 3-year total | $9.3M–$16.5M | $6.2M–$6.7M |
The break-even calculation typically falls on engineering headcount. If your platform team can run vanilla Kubernetes with three engineers because it standardized aggressively on managed services and open source tools, EKS plus open source wins on TCO by several million dollars over three years. If your platform team would need eight or more engineers to assemble the equivalent stack – and many enterprise teams do – OpenShift’s $4.8M to $12M license cost is offset by saved salaries. Run the numbers honestly with your specific support contract pricing before deciding.
Verdict: Which to Pick in 2026
OpenShift Container Platform 4.20 and Kubernetes 1.36 are not really competitors – they are the same orchestrator wearing different jackets. The decision in 2026 boils down to three questions. First, does your organization have the engineering headcount and seniority to assemble a Kubernetes platform stack from open source pieces? If yes, vanilla Kubernetes on a managed service such as EKS, GKE, or AKS is the lower-cost, more-flexible answer. Second, do you operate in a regulated industry where vendor-supported software is functionally mandatory? If yes, OpenShift’s certifications and 24/7 Red Hat support are worth the per-core cost. Third, are you exiting VMware? If yes, OpenShift Virtualization is the most credible KubeVirt-based platform on the market.
For a hyperscale AI startup burning compute on inference, pick managed Kubernetes – every dollar saved on platform fees compounds into more model training. For a regional bank, large hospital network, or U.S. federal agency, pick OpenShift – the compliance value alone justifies the subscription. For a mid-market enterprise without a strong opinion, the right call increasingly is to negotiate ROSA or ARO managed OpenShift pricing against EKS plus a paved-road internal developer platform. Both vendors will discount aggressively against the alternative; let them.
Frequently Asked Questions
Is OpenShift just Kubernetes with extra steps?
OpenShift is a productized, opinionated Kubernetes distribution. The control plane is unmodified upstream Kubernetes; the value sits in the bundled components (Tekton, Argo CD, Istio, KubeVirt, OVN-Kubernetes, RHEL CoreOS), the curated OperatorHub, and Red Hat’s 24/7 support. So yes, the core orchestrator is the same – but a vanilla Kubernetes cluster ships only the orchestrator. The “extra steps” of OpenShift are exactly the steps an upstream operator must take themselves.
Does OpenShift cost more than Kubernetes?
Yes, in software license cost: Kubernetes is free Apache 2.0 software while OpenShift Container Platform list pricing runs $1,000 to $2,500 per 2-core pack per year, plus optional Premium support uplift and add-ons such as Red Hat Advanced Cluster Security and OpenShift Data Foundation. The TCO comparison is more nuanced – engineering hours saved by OCP’s bundled tooling can offset the license cost for teams that lack senior platform engineers.
Can I run OpenShift workloads on vanilla Kubernetes?
Mostly yes, with caveats. Standard Deployments, Services, and Ingresses port directly. OpenShift-specific resources – Routes, BuildConfigs, ImageStreams, DeploymentConfigs, SecurityContextConstraints – need to be converted to their upstream equivalents (Ingress or Gateway API, Tekton or external CI, plain image references, Deployments, Pod Security Standards). Tools like Konveyor automate much of the migration. Plan for two to four weeks per major application.
What is the difference between OpenShift and OKD?
OKD is the upstream community distribution of OpenShift, freely available at okd.io. It runs the same OpenShift code base and bundled tooling, but on Fedora CoreOS instead of RHEL CoreOS, and without Red Hat’s commercial support. OKD is to OpenShift roughly what Fedora is to RHEL: faster-moving, community-supported, suitable for development or non-production workloads, and the source from which the supported OpenShift Container Platform is built.
Is ROSA cheaper than self-managed OpenShift?
ROSA (Red Hat OpenShift Service on AWS) bundles the OpenShift subscription into the per-hour AWS rate, which often beats self-managed OCP on TCO once you account for AWS Marketplace volume discounts and the avoidance of Red Hat sales negotiations. Reserved instance pricing as low as $0.076 per hour for 4 vCPU 3-year contracts is common. Run a side-by-side quote with both Red Hat sales and AWS Marketplace before signing.
Which is better for AI workloads, OpenShift AI or Kubeflow?
Both run on the same Kubernetes APIs and the same NVIDIA, AMD, and Intel GPU operators. OpenShift AI is the productized, supported version of Open Data Hub plus KServe, vLLM, and Kueue. Kubeflow is the upstream open source equivalent. For regulated industries with budgets, OpenShift AI removes a Kubeflow installation that has historically been painful. For AI-native startups optimizing cost, Kubeflow on managed Kubernetes is dramatically cheaper.
How does OpenShift Virtualization compare to VMware ESXi?
OpenShift Virtualization is Red Hat’s productized KubeVirt distribution, running KVM virtual machines as pods on an OpenShift cluster. Since Broadcom’s 2023 acquisition of VMware tripled per-core licensing for many ESXi customers, OpenShift Virtualization has emerged as the most-adopted vendor-supported migration path. Performance is generally within 5 to 10 percent of bare ESXi for typical workloads, with the trade-off that you gain unified Kubernetes-native VM and container management at the cost of the deepest VMware feature set.
What is the latest Kubernetes version?
As of April 2026, Kubernetes 1.36, released April 22, 2026, is the most recent release. Kubernetes 1.35 (December 17, 2025) and 1.34 are still under upstream maintenance. The project ships three minor releases per year on a roughly four-month cadence, with each release supported for approximately 14 months of upstream patches.
Related Coverage
More Cloud and Platform Comparisons
- Docker vs Kubernetes 2026: 300K vs 95K Containers and a 3x Node Scaling Gap [Tested]
- Proxmox vs VMware 2026: 14x Cost Gap and Free ESXi Importer [Tested]
- AWS vs Azure 2026: 31% vs 24% Market Share and a 75% Archive Cost Gap [Tested]
- Terraform vs CloudFormation 2026: 3,000 Providers vs Zero-Cost and a 3x Job Demand Gap [Tested]
- Podman vs Docker 2026: The Leading Container Engine Comparison
- Pulumi vs Terraform 2026: 4,800 vs 1,800 Providers and a 76% Market Share Gap [Tested]
- Cloud Computing in 2026: The Tech Insider Pillar Guide
For deeper coverage of the cloud-native ecosystem, see Tech Insider’s tracked coverage of the CNCF Annual Survey, Kubernetes 1.35 release notes, the upstream Kubernetes repository, and Red Hat’s official OpenShift documentation. ROSA pricing is available from AWS Marketplace, and the OKD community distribution lives at okd.io.
Elias Virtanen
Elias Virtanen is the Cybersecurity Analyst at Tech Insider, bringing hands-on expertise from his background in penetration testing and security consulting. He previously worked as a security researcher at F-Secure in Helsinki, where he focused on threat intelligence and vulnerability disclosure. Elias covers ransomware trends, zero-trust architecture, and the evolving regulatory landscape including NIS2 and the EU Cyber Resilience Act. He holds a CISSP certification and an MSc in Information Security from Aalto University.
View all articles