Security is the most valuable feature. If you get vanilla Kubernetes, it lacks security.
Red Hat OpenShift comes in two flavors. One is OCP, OpenShift Container Platform, for which you need licenses. We're using that for production environments. For development environments, there is OKD, the community edition of OpenShift. They're very similar: OCP uses Red Hat CoreOS, certified by Red Hat, while the community edition uses Fedora CoreOS. We're trying to deploy applications to be "Kubernetes agnostic" about the underlying infrastructure. Whatever we deploy should work on both OCP and OKD. In that pattern, we're also practically saving on licenses because we use them for the production version of OpenShift only. For development and testing, we use OKD.
Three years ago, deployment of the OpenShift cluster wasn't easy. It required a lot of knowledge of load balancers, networking, DNS and DHCP services, and virtualization. For version 3.11, OpenShift came with Docker as the container runtime engine. From version 4, Docker was replaced with Podman, which is quite a good approach because Docker needs to run as a daemon with elevated privileges. Podman doesn't require such elevated privileges.
In the beginning, it was very difficult to install OpenShift even by following the documentation. There were some YouTube videos, but we struggled. That installation was named UPI, which stands for user-provisioned infrastructure. That means that you need to deploy your own load balancers, configure them correctly, and enter your DNS and domains. Only if everything is configured correctly will the OpenShift cluster work. Then, Red Hat came up with a solution. We use virtualization technologies on-premises. We do not use bare metal, so this was a very hard task on VMware, but then, from version 4.5, Red Hat updated their installer to use IPI (installation provisioned infrastructure).
For day-to-day jobs, we prepared one helper machine from which we can manage, deploy, destroy, and operate multiple clusters from one place. The bare installation of deploying an OpenShift cluster is now an easy task for us.
The stack in the software supply chain is one of the main reasons that we use OpenShift. When I came to this company, we bought hardware from IBM named Bluemix, and they used ICP, which stands for IBM Cloud Private. Today, you can have Kubernetes on IBM, Amazon, Microsoft, Google, you name it. You can also have different installations on various platforms like VMware and Tanzu, which are commercial products. Also, there are some open-source variations of Kubernetes like Rancher and Platform9. At that point in time, IBM bought Red Hat. They very cleverly recognized that their product, IBM Cloud Private, was an inferior platform to Red Hat and OpenShift, and they invested a lot in Red Hat and in OpenShift. OpenShift is an enterprise-grade standard Kubernetes orchestration system for huge enterprises. There are more flavors of Kubernetes, but I believe OpenShift is practically a standard one, so whether you use it on the cloud or on-premises, OpenShift has a huge market share.
Vanilla Kubernetes lacks security. We have role-based access controls to tune and perform grant-level access to specific service accounts, roles and permissions. There is very good isolation between the namespaces. Practically, we have four clusters on-premises for each huge specific production-grade system. Two of those clusters run several independent environments that are different from each other on the same clusters (dev, performance, smoke, test). Only production clusters are separate from those. No deployment sees another deployment, so they cannot interfere. We connected our OpenShift platform with our LDAP, so we also have security that shows who accesses it and what permissions they can perform over the operative clusters and applications that run on them.
We have a DevOps team, developers, and infrastructure guys, and there haven't been any complaints so far about the day-to-day usage of OpenShift. I believe all the aspects of security that we need are practically covered from both the user perspective and the application perspective.