# OpenShift vs Kubernetes: What OpenShift Adds and When You Need It

OpenShift *is* Kubernetes, the same way Ubuntu *is* Linux. Kubernetes is the core technology (available on GitHub, like the Linux kernel), but nobody runs a raw kernel on their servers. Teams choose a *distribution* that bundles the kernel with the tooling they need: an installer, networking, authentication, monitoring, and upgrade mechanisms. Some distributions are slim and leave most choices to you; others come fully integrated.

OpenShift is a Kubernetes distribution by Red Hat. Every `kubectl` command and every Kubernetes manifest works unchanged. What OpenShift adds is the platform tooling around Kubernetes: developer console, CI/CD, service mesh, operator lifecycle, and a tested upgrade path, so your team does not have to assemble and maintain these components from scratch. The real question is not "OpenShift or Kubernetes" but how much tooling should come pre-integrated from the vendor vs. what your team builds and maintains itself.

This page compares all options available through VSHN: vanilla Kubernetes, Managed Kubernetes, OpenShift Kubernetes Engine (OKE), OpenShift Container Platform (OCP), and OCP+.

## The platform spectrum

VSHN offers multiple tiers to match different needs and budgets:

| | Vanilla Kubernetes | Managed Kubernetes (coming soon) | OpenShift Kubernetes Engine (OKE) | OpenShift Container Platform (OCP) | OpenShift Container Platform Plus (OCP+) |
|---|---|---|---|---|---|
| **What it is** | Open-source container orchestrator | Standardised, lifecycle-managed K8s | Enterprise Kubernetes with OpenShift operations tooling | Full OpenShift with developer and operations tooling | OCP with advanced security, compliance, and multi-cluster management |
| **Operated by** | Your team | VSHN | VSHN | VSHN | VSHN |
| **Developer console** | No (kubectl only) | No (API-first) | Admin console only | Full developer + admin console | Full developer + admin console |
| **CI/CD built-in** | No | No | No | Yes (Tekton Pipelines, Source-to-Image) | Yes |
| **Networking / Service mesh** | DIY (Istio, Linkerd) | Cilium OSS | Cilium (Isovalent Enterprise) | Cilium + OpenShift Service Mesh | Cilium + OpenShift Service Mesh |
| **Serverless** | DIY (Knative) | DIY (Knative) | DIY (Knative) | Yes (OpenShift Serverless / Knative) | Yes |
| **Logging** | DIY | Basic (logs + metrics) | Cluster monitoring | Platform logging + cluster monitoring | Platform logging + cluster monitoring |
| **Operator ecosystem** | Community operators | No OLM | OLM included | OLM + Red Hat Marketplace | OLM + Red Hat Marketplace |
| **Red Hat support** | None | None (open-source stack) | Red Hat subscription included | Red Hat subscription included | Red Hat subscription included |
| **SLA** | None (your own) | Up to 99.9% (business hours) | Up to 99.99% | Up to 99.99% | Up to 99.99% |
| **Best for** | Platform engineering teams who want full control | Cost-sensitive workloads on Swiss cloud | Enterprise K8s with 99.99% SLA at a lower price (bring your own CI/CD) | Developers build, deploy, and route through one platform without assembling separate tools | Regulated industries needing multi-cluster governance |

## When Kubernetes is enough

Plain Kubernetes is the right choice when:

- Your team has strong Kubernetes expertise (3+ engineers who manage clusters daily)
- You already run your own CI/CD pipeline (GitHub Actions, GitLab CI, Jenkins)
- You don't need Red Hat enterprise support or certified operators
- You want maximum flexibility to choose every component yourself
- Budget is the primary constraint and you can absorb the operational overhead

The trade-off: you build and maintain every layer above the orchestrator yourself, including networking policies, ingress, observability, image builds, security scanning, and upgrades.

## When you need OpenShift

OpenShift adds value when:

- **Buying is cheaper than building.** For smaller deployments (hundreds, not thousands, of subscribed CPU cores), it costs less to buy the integrated services in OpenShift than to employ a platform team to assemble and maintain them from separate open-source components. This is a classic make-or-buy decision. Since OpenShift runs standard Kubernetes underneath, migrating to a self-built platform later remains straightforward once the deployment grows large enough to justify a dedicated team.
- **Red Hat enterprise support matters.** Certified operators, tested upgrade paths, and a single vendor for the entire platform stack.
- **You want a shared platform for multiple teams.** All OpenShift editions let you run multiple teams' applications on the same cluster, sharing infrastructure, security policies, and operational cost. OpenShift builds on open standards (OCI containers, Kubernetes API, Operator Framework), so teams choose their own languages, frameworks, and CI/CD tools while the platform provides the shared foundation. OCP adds more integrated developer tooling; OKE leaves that choice entirely to the teams.
- **Compliance requires a hardened platform.** OpenShift ships with Security Context Constraints (SCCs), RBAC defaults, and sandboxed containers out of the box, not bolted on. Per the feature comparison below, sandboxed containers are part of OCP and OCP+, not OKE.
- **Developers need self-service.** The OCP developer console and application catalog let developers deploy without writing YAML or filing tickets.

## OpenShift editions explained

### OpenShift Kubernetes Engine (OKE)

OKE is OpenShift without the developer tooling. You get enterprise-grade Kubernetes with automated installs, over-the-air upgrades, the admin console, Operator Lifecycle Manager, cluster monitoring, and Cilium networking (Isovalent Enterprise). It does not include the developer console, built-in CI/CD, OpenShift Service Mesh, or serverless.

OKE is a good fit when you need enterprise Kubernetes but not the full developer platform. You get Red Hat's certified upgrade paths and compatibility matrix, VSHN's operational economies of scale from running hundreds of OpenShift clusters, and pre-integrated components (Cilium, Argo CD, k8up backups, AppCat services), at a lower per-vCPU price than OCP. Your developers keep their existing CI/CD tooling; VSHN handles the cluster operations. OKE still qualifies for the full 99.99% SLA: the same availability guarantee as OCP, without the cost and complexity of the full platform.

**Pricing example (VSHN Managed, Certified CSP: includes Red Hat subscriptions, VSHN operations, and all platform components):**
- Best Effort: CHF 44/vCPU per 30 days
- Guaranteed Availability 99.99%: CHF 76/vCPU per 30 days

### OpenShift Container Platform (OCP)

OCP is the standard OpenShift edition. It includes everything in OKE plus the developer console, application catalog, Tekton Pipelines, Source-to-Image builds, OpenShift Service Mesh, distributed tracing, Serverless (Knative), and platform logging.

OCP is the right choice when your developers should be able to build, deploy, and route applications through a single platform, without assembling separate tools for CI/CD, container builds, service mesh, and observability. The developer console and application catalog let teams ship without writing deployment manifests or filing ops tickets.

**Pricing example (VSHN Managed, Certified CSP: includes Red Hat subscriptions, VSHN operations, and all platform components):**
- Best Effort: CHF 60/vCPU per 30 days
- Guaranteed Availability 99.99%: CHF 100/vCPU per 30 days

### OpenShift Container Platform Plus (OCP+)

OCP+ includes everything in OCP plus five additional components designed for organizations that operate multiple clusters or face strict security and compliance requirements:

- **Advanced Cluster Management (ACM)**: manage the lifecycle, policies, and application deployment of multiple OpenShift clusters from a single console. Includes 60+ pre-built governance policies.
- **Advanced Cluster Security (ACS)**: Kubernetes-native security platform that covers vulnerability management, network segmentation, risk profiling, and compliance checks across the entire application lifecycle.
- **OpenShift Data Foundation Essentials**: software-defined persistent storage integrated with OpenShift. Provides block, file, and object storage without relying on cloud-provider-specific storage classes.
- **Red Hat Quay**: enterprise container registry with image scanning, geo-replication, and access controls. Acts as a single source of truth for all container images across clusters.
- **Zero Trust Workload Identity**: assigns verifiable identities to workloads across hybrid and multi-cloud environments without managing certificates manually.

Each component is also available as a standalone subscription, but the OCP+ bundle is usually more cost-effective as soon as you need two or more of them. OCP+ is common in regulated industries (finance, healthcare, government) that run multiple clusters and need centralized security policy enforcement and audit trails.

**Pricing example (VSHN Managed, Certified CSP: includes Red Hat subscriptions, VSHN operations, and all platform components):**
- Best Effort: CHF 148/vCPU per 30 days
- Guaranteed Availability 99.99%: CHF 226/vCPU per 30 days

All pricing is per worker vCPU for a 30-day period. Infrastructure costs (compute, storage, network) from the cloud provider are additional. Full pricing details: [VSHN OpenShift pricing](https://products.vshn.ch/openshift/pricing.html).

## Cost comparison: 48 worker vCPUs (3 × 16 vCPU nodes)

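Prices are for worker node capacity only. Control plane and infrastructure nodes (logging, monitoring) are not included in the vCPU count. "GA" in the table refers to the Guaranteed Availability 99.99% tier from the pricing examples above.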

| Option | VSHN service fee (monthly) | What's included | What you add |
|---|---|---|---|
| **Self-managed Kubernetes** | CHF 0 (DIY) | Nothing (you run everything) | 3-6 FTEs for 24/7 ops (CHF 450K-1.2M/year) + tooling |
| **VSHN Managed Kubernetes** (coming soon) | TBD | Lifecycle management, basic monitoring, reactive support | Your CI/CD, networking policies, security tooling |
| **OKE** (Certified CSP, GA) | ~CHF 3,650/month | Enterprise K8s, admin console, OLM, Red Hat support, 24/7 ops | Your developer tooling, CI/CD |
| **OCP** (Certified CSP, GA) | ~CHF 4,800/month | Full platform: CI/CD, service mesh, logging, developer console, 24/7 ops | Your application code |
| **OCP+** (Certified CSP, GA) | ~CHF 10,850/month | Everything in OCP + multi-cluster management, advanced security | Your application code |

Infrastructure costs from the cloud provider are additional. Self-managed OpenShift requires Red Hat subscriptions on top of FTE costs. Self-managed vanilla Kubernetes has no license fees, but most organizations still budget for a support subscription with a vendor so there is someone to call when etcd or the control plane breaks.

## VSHN Managed Kubernetes (coming soon)

VSHN is developing a standardised Managed Kubernetes offering for organisations that need Kubernetes without the cost of an enterprise platform. Built on open-source components (Cluster API, Cilium, Rook/Ceph), it will provide:

- Lifecycle-managed Kubernetes on Swiss cloud providers
- Networking via Cilium, storage via Rook/Ceph, ingress via Gateway API
- Basic observability (logs and metrics)
- Standardised configurations for predictable pricing
- No enterprise licensing fees

This fills the gap between self-managed Kubernetes and Managed OpenShift. If you are interested, [contact us](#contact) to join the early access list.

## Feature comparison: OKE vs OCP vs OCP+

| Feature | OKE | OCP | OCP+ |
|---|---|---|---|
| Cilium networking (Isovalent Enterprise) | Yes | Yes | Yes |
| Automated installers and upgrades | Yes | Yes | Yes |
| Enterprise-secured Kubernetes | Yes | Yes | Yes |
| kubectl and oc CLI | Yes | Yes | Yes |
| Operator Lifecycle Manager | Yes | Yes | Yes |
| Admin web console | Yes | Yes | Yes |
| OpenShift Virtualization | Yes | Yes | Yes |
| Cluster monitoring | Yes | Yes | Yes |
| User workload monitoring | Yes | Yes | Yes |
| Platform logging | No | Yes | Yes |
| Developer web console | No | Yes | Yes |
| Developer application catalog | No | Yes | Yes |
| Source-to-Image / Tekton builds | No | Yes | Yes |
| OpenShift Pipelines (Tekton) | No | Yes | Yes |
| OpenShift Service Mesh | No | Yes | Yes |
| Distributed tracing (Jaeger) | No | Yes | Yes |
| OpenShift Serverless (Knative) | No | Yes | Yes |
| Sandboxed containers | No | Yes | Yes |
| Advanced Cluster Management (ACM) | No | No | Yes |
| Advanced Cluster Security (ACS) | No | No | Yes |
| OpenShift Data Foundation Essentials | No | No | Yes |
| Red Hat Quay (enterprise registry) | No | No | Yes |
| Zero Trust Workload Identity | No | No | Yes |

Source: [VSHN OpenShift editions](https://products.vshn.ch/openshift/index.html#_openshift_editions), [Red Hat OCP+](https://www.redhat.com/en/technologies/cloud-computing/openshift/platform-plus), [VSHN Cilium on OpenShift](https://products.vshn.ch/openshift/cilium.html)

## Next steps

Not sure which tier fits your workloads? [Book an architecture review](#contact) with our OpenShift and Kubernetes team. We assess your current setup, workload requirements, and budget, and recommend the right platform tier.
