What are the Main Differences Between OpenShift and Kubernetes?
Although plain Kubernetes and OpenShift provide the same core orchestration features for containers, there are several differences between plain Kubernetes and the Kubernetes implementation that is built into OpenShift. The following is a summary of the main distinctions:
Point of Origin
Kubernetes, as noted above, is an open source project. Although Red Hat is one of several companies that contribute significantly to the project, Red Hat does not own Kubernetes or have any special influence over it.
In contrast, OpenShift is closely tied to Red Hat. The community-developed OKD edition depends heavily on Red Hat development support, and the commercial editions are marketed, licensed, and professionally supported by Red Hat. Other companies have their own Kubernetes distributions that follow a similar model.
Installing plain Kubernetes from scratch is, in a word, hard. It requires compiling the code for each component of Kubernetes from source and installing it manually. Kubernetes itself offers no tools to make this process simpler.
OpenShift, however, offers an interactive installation tool for local OpenShift setup called atomic-openshift-installer. Designed to run on Red Hat Enterprise Linux, atomic-openshift-installer automatically collects much of the information needed to set up OpenShift and automates the installation processes.
Key Cloud Platforms
If you run Kubernetes or OpenShift using a hosted cloud service, you don't have to install it yourself, because it is already built into the cloud service. However, not all clouds offer both Kubernetes and OpenShift services.
Kubernetes is available from all of the major public clouds (including AWS, Azure, and GCP) as a fully managed service. That means that there is no installation required, nor do users have to maintain their own cloud infrastructure to use managed Kubernetes.
For OpenShift, Red Hat offers fully managed OpenShift services only on Azure and on Red Hat’s own OpenShift Origin cloud. OpenShift can be installed by users on other public clouds, but the users must first provision cloud infrastructure themselves to do this.
Security and Authentication
On its own, Kubernetes is not a complete security suite (it’s advisable to use additional security monitoring and vulnerability management tools in conjunction with Kubernetes), but Kubernetes does offer some built-in security features. These include the ability to configure role-based access control to resources, as well as to set up Pod security policies in order to define the actions that Pods can and cannot take.
For the most part, OpenShift’s security features are the same as those that come built into Kubernetes. However, OpenShift also offers integration with SELinux, a Linux access-control kernel module that provides additional role-based access control features not included in Kubernetes itself. SELinux could be implemented manually with any Kubernetes distribution, but OpenShift makes the integration simple, and in this sense provides a security feature not available from plain Kubernetes.
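To make the idea of defining what Pods can and cannot do concrete, the following added example (not part of the original article or of either project's code) audits Pod manifests for the kinds of settings such policies restrict, including whether SELinux options are set. The rule set is an assumed policy chosen for illustration, and the two manifests are constructed samples; the field names are standard Kubernetes Pod spec fields.

```python
import json

# Constructed sample manifests (not from the original article).
PODS_JSON = """
[
  {"metadata": {"name": "web"},
   "spec": {"securityContext": {"runAsNonRoot": true,
                                "seLinuxOptions": {"level": "s0:c123,c456"}},
            "containers": [{"name": "app", "image": "registry.example/web:1.0",
                            "securityContext": {"allowPrivilegeEscalation": false}}]}},
  {"metadata": {"name": "debug"},
   "spec": {"hostNetwork": true,
            "containers": [{"name": "shell", "image": "registry.example/tools:1.0",
                            "securityContext": {"privileged": true}}]}}
]
"""

def audit_pod(pod):
    """Return a list of findings for one Pod manifest (dict), per the assumed policy."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    # Sharing host namespaces weakens isolation between the Pod and the node.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag} is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # When allowPrivilegeEscalation is unset, escalation is allowed.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # Container-level settings override pod-level ones.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not set")
        # Assumed policy: an SELinux label must be set at pod or container level.
        if not (sc.get("seLinuxOptions") or pod_sc.get("seLinuxOptions")):
            findings.append(f"{name}: no SELinux options set")
    return findings

def audit_all(pods_json=PODS_JSON):
    """Map each Pod name to its list of findings."""
    return {p["metadata"]["name"]: audit_pod(p) for p in json.loads(pods_json)}

if __name__ == "__main__":
    for pod_name, results in audit_all().items():
        print(pod_name, "OK" if not results else results)
```

A check like this fits in a CI step before manifests reach the cluster; it complements, rather than replaces, enforcement by the cluster's own admission controls.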
Usage of Templates
One of the key selling points of Kubernetes is the ability to take a so-called declarative approach to application management. A declarative approach means that you write configuration files that describe how your application environment should operate. Then, Kubernetes automatically sets up an environment that conforms to your specifications. This is the opposite of an imperative configuration, in which you would manually specify the behavior necessary to achieve a desired state.
Both Kubernetes and OpenShift implement declarative management using templates. There is no great difference between Kubernetes and OpenShift in this regard; with few exceptions, OpenShift can use any template written for plain Kubernetes, and vice versa.
One notable difference between OpenShift and Kubernetes is that they follow different release schedules. Although OpenShift is built in part on Kubernetes, Red Hat does not always release a new version of OpenShift every time a new Kubernetes version appears. Therefore, the version of Kubernetes on which the most up-to-date OpenShift release is based is not always the most recent Kubernetes version.
That said, OpenShift is always based on a modern Kubernetes release; it’s not as if OpenShift relies on seriously outdated Kubernetes versions.
For similar reasons, OpenShift and Kubernetes follow different update schedules. OpenShift will not prompt administrators to update every time a new Kubernetes release appears.
In addition, although both platforms support the ability to do “in-place” upgrades (meaning upgrading an existing Kubernetes cluster instead of having to rebuild it from scratch), the update process is different. On plain Kubernetes, you would typically use the kubeadm upgrade command to update an existing Kubernetes cluster to a newer version of Kubernetes. With OpenShift, you would instead use the package management system on Red Hat Enterprise Linux to update OpenShift to the newest version. In both cases, however, you would need to take steps to back up your existing installation before upgrading.
Kubernetes and OpenShift can both be used to build CI/CD pipelines. However, neither platform provides a full CI/CD solution unto itself.
With both platforms, you would need to integrate your cluster with additional tools -- namely, a CI server, and possibly automated testing and monitoring tools as well -- in order to construct a full CI/CD pipeline. OpenShift makes this process a bit easier because it offers a certified Jenkins container that can be used for the CI server. Plain Kubernetes offers no official CI/CD integration solutions, although a variety of third-party tools can be used in conjunction with Kubernetes.
Management of Container Images
For managing container images, OpenShift comes with a built-in registry called OpenShift Container Registry, or OCR. Kubernetes does not have its own integrated registry, but it can be used with most third-party registries.
Web User Interface
In addition to command-line tools, Kubernetes and OpenShift can both be managed using Web interfaces. Kubernetes’s official Web interface is called Dashboard. OpenShift’s Web interface tool is called Web Console. Both tools are similar in that they provide Web-based interfaces. They are also both run as applications hosted within the Kubernetes cluster. The main difference is that Web Console is installed by default in most OpenShift editions, while Dashboard is an optional add-on for plain Kubernetes.