Red Hat OpenShift: Complete Enterprise Kubernetes Platform Guide

Red Hat OpenShift Container Platform is an enterprise Kubernetes distribution that provides a complete application platform for developing and deploying containerized applications. This comprehensive guide covers OpenShift architecture, installation, and production deployment patterns.

What is OpenShift?

OpenShift is Red Hat’s enterprise Kubernetes platform that adds:

Key Features

Integrated Developer Experience: Built-in CI/CD, source-to-image (S2I)
Enterprise Security: SELinux, role-based access control, secrets management
Operator Framework: Automated application lifecycle management
Multi-Tenancy: Project isolation and quotas
Integrated Registry: Built-in container registry
Service Mesh: Istio-based service mesh
Monitoring: Prometheus and Grafana out-of-the-box
Logging: EFK stack integration
Storage: Dynamic provisioning with CSI
Virtualization: Run VMs alongside containers

OpenShift vs. Kubernetes

Feature	OpenShift	Vanilla Kubernetes
Distribution	Enterprise, supported	Community
Installation	Automated installer	Manual/various tools
Registry	Built-in	External
CI/CD	OpenShift Pipelines	External tools
Security	SELinux, SCCs	Pod Security Standards
Routing	OpenShift Router	Ingress controllers
Web Console	Comprehensive	Dashboard (basic)
Updates	Automated	Manual
Support	Red Hat support	Community
Cost	Commercial license	Free

Architecture

┌─────────────────────────────────────────────────────────────┐
│                  OpenShift Control Plane                     │
│                                                               │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐     │
│  │   API        │  │   etcd       │  │  Scheduler   │     │
│  │   Server     │  │              │  │              │     │
│  └──────────────┘  └──────────────┘  └──────────────┘     │
│                                                               │
│  ┌──────────────────────────────────────────────────────┐  │
│  │         OpenShift-Specific Components                 │  │
│  │                                                        │  │
│  │  • OAuth Server                                       │  │
│  │  • Image Registry                                     │  │
│  │  • Router (HAProxy)                                   │  │
│  │  • Web Console                                        │  │
│  │  • Monitoring (Prometheus)                            │  │
│  └──────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────┘
                               │
                ┌──────────────┴──────────────┐
                ▼                             ▼
┌──────────────────────────┐    ┌──────────────────────────┐
│    Worker Nodes          │    │    Infrastructure Nodes  │
│                          │    │                          │
│  • Container Runtime     │    │  • Registry              │
│  • kubelet               │    │  • Router                │
│  • Application Pods      │    │  • Monitoring            │
└──────────────────────────┘    └──────────────────────────┘

Installation Methods

OpenShift Container Platform (OCP)

Prerequisites

RHEL CoreOS (RHCOS) nodes
DNS records configured
Load balancer for API and apps
Persistent storage
Red Hat account for pull secret

Installer-Provisioned Infrastructure (IPI)

# Download OpenShift installer
wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-install-linux.tar.gz
tar xvf openshift-install-linux.tar.gz
sudo mv openshift-install /usr/local/bin/

# Create install-config.yaml
mkdir ~/openshift-install
cd ~/openshift-install

cat > install-config.yaml << 'EOF'
apiVersion: v1
baseDomain: example.com
metadata:
  name: production

compute:
- name: worker
  replicas: 3
  platform:
    aws:
      type: m5.xlarge
      zones:
      - us-east-1a
      - us-east-1b
      - us-east-1c

controlPlane:
  name: master
  replicas: 3
  platform:
    aws:
      type: m5.xlarge
      zones:
      - us-east-1a
      - us-east-1b
      - us-east-1c

platform:
  aws:
    region: us-east-1

pullSecret: '{"auths":{"cloud.openshift.com": {...}}}'
sshKey: 'ssh-rsa AAAA...'

networking:
  networkType: OVNKubernetes
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  serviceNetwork:
  - 172.30.0.0/16
  machineNetwork:
  - cidr: 10.0.0.0/16

fips: false

publish: External
EOF

# Backup config (installer consumes it)
cp install-config.yaml install-config.yaml.backup

# Create cluster
openshift-install create cluster --dir ~/openshift-install --log-level=info

# Wait for installation (30-45 minutes)
# Installer will output kubeconfig and login details

User-Provisioned Infrastructure (UPI)

# Generate manifests
openshift-install create manifests --dir ~/openshift-install

# Customize manifests if needed
# Remove master machines
rm -f ~/openshift-install/openshift/99_openshift-cluster-api_master-machines-*.yaml

# Remove worker MachineSet
rm -f ~/openshift-install/openshift/99_openshift-cluster-api_worker-machineset-*.yaml

# Generate ignition configs
openshift-install create ignition-configs --dir ~/openshift-install

# Copy ignition files to web server
sudo cp ~/openshift-install/*.ign /var/www/html/
sudo chmod 644 /var/www/html/*.ign

# Boot nodes with ignition configs
# Bootstrap: bootstrap.ign
# Masters: master.ign
# Workers: worker.ign

OpenShift Local (formerly CodeReady Containers)

# Download CRC
wget https://developers.redhat.com/content-gateway/file/pub/openshift-v4/clients/crc/latest/crc-linux-amd64.tar.xz
tar xvf crc-linux-amd64.tar.xz
sudo mv crc-linux-*/crc /usr/local/bin/

# Setup
crc setup

# Start cluster (requires 9 GB RAM, 4 CPUs)
crc start

# Get credentials
crc console --credentials

# Access console
crc console

OKD (Community Distribution)

# Download OKD installer
wget https://github.com/okd-project/okd/releases/download/4.14.0-0.okd-2024-01-27-070424/openshift-install-linux-4.14.0-0.okd-2024-01-27-070424.tar.gz

# Follow same IPI/UPI process as OCP
# Uses Fedora CoreOS instead of RHCOS

CLI Tools

oc CLI

# Download oc
wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz
tar xvf openshift-client-linux.tar.gz
sudo mv oc kubectl /usr/local/bin/

# Login
oc login https://api.cluster.example.com:6443 \
  --username=admin \
  --password=password

# Or with token
oc login --token=sha256~xxxxx --server=https://api.cluster.example.com:6443

# Basic commands
oc get nodes
oc get pods -A
oc projects
oc project myproject

oc vs kubectl

# oc includes kubectl functionality plus:

# Projects (namespaces with additional features)
oc new-project myapp
oc project myapp

# New application from source
oc new-app https://github.com/openshift/ruby-hello-world

# Builds
oc start-build myapp
oc logs -f bc/myapp

# Deployments (DeploymentConfig)
oc rollout latest dc/myapp
oc rollout status dc/myapp
oc rollout undo dc/myapp

# Routes (Ingress alternative)
oc expose svc/myapp
oc get routes

# Login and users
oc login
oc whoami
oc get users

# All standard kubectl commands work
oc get pods
oc describe pod mypod
oc logs mypod
oc exec -it mypod -- /bin/bash

Projects and Multi-Tenancy

Create Project

# Create project
oc new-project production \
  --display-name="Production Applications" \
  --description="Production environment"

# Set resource quotas
cat <<EOF | oc apply -f -
apiVersion: v1
kind: ResourceQuota
metadata:
  name: production-quota
  namespace: production
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    persistentvolumeclaims: "10"
    services: "10"
    services.loadbalancers: "2"
EOF

# Set limit ranges
cat <<EOF | oc apply -f -
apiVersion: v1
kind: LimitRange
metadata:
  name: production-limits
  namespace: production
spec:
  limits:
  - max:
      cpu: "2"
      memory: 4Gi
    min:
      cpu: 100m
      memory: 128Mi
    default:
      cpu: 500m
      memory: 512Mi
    defaultRequest:
      cpu: 250m
      memory: 256Mi
    type: Container
EOF

Project Templates

# Custom project template
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: project-request
  namespace: openshift-config
objects:
- apiVersion: project.openshift.io/v1
  kind: Project
  metadata:
    name: ${PROJECT_NAME}
    annotations:
      openshift.io/description: ${PROJECT_DESCRIPTION}
      openshift.io/display-name: ${PROJECT_DISPLAYNAME}
      openshift.io/requester: ${PROJECT_REQUESTING_USER}

- apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: default-quota
    namespace: ${PROJECT_NAME}
  spec:
    hard:
      requests.cpu: "4"
      requests.memory: 8Gi
      persistentvolumeclaims: "5"

- apiVersion: v1
  kind: LimitRange
  metadata:
    name: default-limits
    namespace: ${PROJECT_NAME}
  spec:
    limits:
    - type: Container
      default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 100m
        memory: 128Mi

- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: admin
    namespace: ${PROJECT_NAME}
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: admin
  subjects:
  - kind: User
    name: ${PROJECT_ADMIN_USER}

parameters:
- name: PROJECT_NAME
- name: PROJECT_DISPLAYNAME
- name: PROJECT_DESCRIPTION
- name: PROJECT_ADMIN_USER
- name: PROJECT_REQUESTING_USER

Building Applications

Source-to-Image (S2I)

# Create app from Git repository
oc new-app https://github.com/sclorg/nodejs-ex \
  --name=nodejs-app

# From specific branch/tag
oc new-app https://github.com/example/app#v1.0 \
  --name=myapp

# Specify builder image
oc new-app nodejs:16-ubi8~https://github.com/example/nodejs-app

# From local directory
oc new-app . --name=myapp

# With environment variables
oc new-app https://github.com/example/app \
  --env=NODE_ENV=production \
  --env=API_KEY=secret

# Monitor build
oc logs -f bc/nodejs-app
oc get builds
oc describe build nodejs-app-1

BuildConfig

apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: myapp
  namespace: production
spec:
  source:
    type: Git
    git:
      uri: https://github.com/example/myapp
      ref: main
    contextDir: /app

  strategy:
    type: Source
    sourceStrategy:
      from:
        kind: ImageStreamTag
        name: nodejs:16-ubi8
        namespace: openshift
      env:
      - name: NPM_MIRROR
        value: https://registry.npmjs.org

  output:
    to:
      kind: ImageStreamTag
      name: myapp:latest

  triggers:
  - type: GitHub
    github:
      secret: ${WEBHOOK_SECRET}
  - type: Generic
    generic:
      secret: ${WEBHOOK_SECRET}
  - type: ConfigChange
  - type: ImageChange
    imageChange: {}

  runPolicy: Serial

  resources:
    limits:
      cpu: "1"
      memory: 2Gi
    requests:
      cpu: 500m
      memory: 1Gi

Docker Build

apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: docker-build
spec:
  source:
    type: Git
    git:
      uri: https://github.com/example/app
    contextDir: /

  strategy:
    type: Docker
    dockerStrategy:
      dockerfilePath: Dockerfile
      env:
      - name: BUILD_ENV
        value: production

  output:
    to:
      kind: ImageStreamTag
      name: myapp:latest

Deployment Strategies

DeploymentConfig

apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: myapp
  namespace: production
spec:
  replicas: 3
  selector:
    app: myapp
    deploymentconfig: myapp

  strategy:
    type: Rolling
    rollingParams:
      updatePeriodSeconds: 1
      intervalSeconds: 1
      timeoutSeconds: 600
      maxUnavailable: 25%
      maxSurge: 25%

  template:
    metadata:
      labels:
        app: myapp
        deploymentconfig: myapp
    spec:
      containers:
      - name: myapp
        image: image-registry.openshift-image-registry.svc:5000/production/myapp:latest
        ports:
        - containerPort: 8080
          protocol: TCP
        env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: database-credentials
              key: url
        resources:
          limits:
            cpu: 500m
            memory: 512Mi
          requests:
            cpu: 250m
            memory: 256Mi
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5

  triggers:
  - type: ConfigChange
  - type: ImageChange
    imageChangeParams:
      automatic: true
      containerNames:
      - myapp
      from:
        kind: ImageStreamTag
        name: myapp:latest
        namespace: production

Blue-Green Deployment

# Deploy blue version
oc new-app --name=blue --docker-image=myapp:blue

# Deploy green version
oc new-app --name=green --docker-image=myapp:green

# Create route pointing to blue
oc expose svc/blue --name=myapp

# Switch to green
oc patch route/myapp -p '{"spec":{"to":{"name":"green"}}}'

# Rollback to blue if needed
oc patch route/myapp -p '{"spec":{"to":{"name":"blue"}}}'

Canary Deployment

# Route with traffic split
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: myapp-canary
spec:
  host: myapp.apps.cluster.example.com
  to:
    kind: Service
    name: myapp-stable
    weight: 90
  alternateBackends:
  - kind: Service
    name: myapp-canary
    weight: 10
  port:
    targetPort: 8080
  tls:
    termination: edge

Networking

Routes

# Expose service
oc expose svc/myapp

# Custom hostname
oc expose svc/myapp --hostname=myapp.example.com

# With TLS
oc create route edge myapp \
  --service=myapp \
  --hostname=myapp.example.com \
  --cert=tls.crt \
  --key=tls.key

# Passthrough TLS
oc create route passthrough myapp \
  --service=myapp \
  --hostname=myapp.example.com

# Route with all options
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: myapp
  namespace: production
spec:
  host: myapp.apps.cluster.example.com
  to:
    kind: Service
    name: myapp
    weight: 100
  port:
    targetPort: 8080
  tls:
    termination: edge
    certificate: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None

Network Policies

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-router
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
    ports:
    - protocol: TCP
      port: 8080

Security

Security Context Constraints (SCCs)

# Custom SCC
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: custom-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: []
defaultAddCapabilities: []
fsGroup:
  type: MustRunAs
  ranges:
  - min: 1000
    max: 65535
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsRange
  uidRangeMin: 1000
  uidRangeMax: 65535
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
users:
- system:serviceaccount:production:myapp

Service Account

# Create service account
oc create sa myapp -n production

# Grant SCC
oc adm policy add-scc-to-user custom-scc \
  system:serviceaccount:production:myapp

# Use in deployment
oc set serviceaccount deployment/myapp myapp

Storage

PersistentVolumeClaim

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: database-storage
  namespace: production
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
  storageClassName: gp3-csi

Dynamic Provisioning

# StorageClass
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-ssd
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  iops: "3000"
  throughput: "125"
  encrypted: "true"
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true

Operators

Install Operator

# Operator Subscription
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: mongodb-enterprise
  namespace: openshift-operators
spec:
  channel: stable
  name: mongodb-enterprise
  source: certified-operators
  sourceNamespace: openshift-marketplace
  installPlanApproval: Automatic

Use Operator

# MongoDB instance
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: production-db
  namespace: production
spec:
  members: 3
  type: ReplicaSet
  version: "6.0.5"

  persistent: true
  storage:
    storageClass: gp3-csi
    size: 100Gi

  credentials: mongodb-credentials

  resources:
    limits:
      cpu: "2"
      memory: 4Gi
    requests:
      cpu: "1"
      memory: 2Gi

Monitoring

Prometheus Queries

# Access Prometheus
oc get routes -n openshift-monitoring

# Custom ServiceMonitor
cat <<EOF | oc apply -f -
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: myapp-metrics
  namespace: production
spec:
  selector:
    matchLabels:
      app: myapp
  endpoints:
  - port: metrics
    interval: 30s
    path: /metrics
EOF

Custom Alerts

apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: myapp-alerts
  namespace: production
spec:
  groups:
  - name: myapp
    rules:
    - alert: HighErrorRate
      expr: |
        rate(http_requests_total{status=~"5.."}[5m]) > 0.05
      for: 5m
      labels:
        severity: critical
      annotations:
        summary: "High error rate on {{ $labels.pod }}"

Best Practices

Resource Management

Set resource requests and limits
Use HorizontalPodAutoscaler
Implement PodDisruptionBudgets
Configure appropriate health checks

Security

Use dedicated service accounts
Apply principle of least privilege
Enable pod security policies (SCCs)
Rotate secrets regularly
Use network policies

High Availability

Run 3+ control plane nodes
Spread worker nodes across zones
Use ReadWriteMany for shared storage
Configure pod anti-affinity
Implement proper backup strategy

Conclusion

Red Hat OpenShift provides a comprehensive, enterprise-ready Kubernetes platform with enhanced security, integrated development tools, and automated operations. Its opinionated approach and extensive feature set make it ideal for organizations requiring enterprise support and a complete application platform.

Master OpenShift with our comprehensive training programs. Contact us for customized enterprise training.