OpenShift GitOps with Argo CD - William Smith

OpenShift GitOps with Argo CD (eBook)

The Complete Guide for Developers and Engineers
eBook download: EPUB
2025 | 1st edition
250 pages
HiTeX Press (publisher)
978-0-00-097901-8 (ISBN)
€8.60 incl. VAT
(CHF 8.40)
eBook sales are handled by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
  • Download available immediately

'OpenShift GitOps with Argo CD'
OpenShift GitOps with Argo CD is your definitive guide to mastering the convergence of GitOps methodology, Red Hat OpenShift, and the powerful automation capabilities of Argo CD. This comprehensive resource takes you from foundational principles (declarative desired-state management, immutable infrastructure, and the core architectural tenets of OpenShift) to advanced topics including multi-tenancy, integrated networking, operator frameworks, and enterprise-grade access control. Through detailed explorations and actionable insights, you'll learn to establish robust, secure, and scalable environments for modern Kubernetes operations.
Delving deeply into Argo CD fundamentals, the book examines automation workflows, application CRs, health management, and self-healing strategies, all essential for orchestrating continuous delivery in today's dynamic enterprise settings. Readers are guided through the nuances of deploying and operating Argo CD on OpenShift, including installation via OpenShift GitOps Operator, enforcing least-privilege security, integrating with OpenShift Pipelines, managing custom resources, and safe upgrade practices. Special attention is given to multi-tenant deployments and the effective handling of sensitive data and secrets for real-world production needs.
For those scaling operations beyond the basics, the book covers advanced application lifecycle management, secure policy enforcement with OPA and Gatekeeper, cloud-native observability using Prometheus and EFK/ELK, enterprise-scale multi-cluster management, and proven approaches for cost and performance optimization. You'll also explore emerging paradigms, from progressive delivery and service mesh integrations to the evolving standards shaping the GitOps ecosystem. OpenShift GitOps with Argo CD equips both engineers and architects with the critical knowledge and best practices required to deliver secure, resilient, and continuous software innovation across Kubernetes platforms.

Chapter 2
Overview of OpenShift and Platform Architecture


OpenShift is far more than Kubernetes with a fresh coat of paint—it is a tightly integrated platform that reshapes how enterprises approach application delivery, security, and multi-tenancy in the cloud-native era. In this chapter, you’ll step inside the architectural DNA of OpenShift, exploring the complex interplay of platform components, automation engines, and extensibility frameworks that put it at the forefront of enterprise Kubernetes. Journey from the foundational building blocks to advanced constructs that enable scalability, compliance, and operational precision.

2.1 OpenShift Kubernetes Platform Core


Red Hat OpenShift extends the fundamental Kubernetes architecture to deliver a comprehensive enterprise-grade container orchestration platform. At its core, OpenShift comprises a set of tightly integrated components that enhance cluster management, security, networking, and operational robustness while preserving Kubernetes-native constructs. This section dissects the architectural layers of the OpenShift core platform, detailing its control plane, compute nodes, software-defined networking (SDN), and key platform services that distinguish it from upstream Kubernetes distributions.

The OpenShift control plane orchestrates cluster-wide operations and maintains the desired state of the system. It is built upon Kubernetes’ native control plane components: the API server, controller manager, scheduler, etcd, and webhooks. However, OpenShift introduces extensions and operational refinements that improve scalability, security, and manageability. The API server acts as the single entry point for all cluster requests, enforcing RBAC policies embedded deeply within OpenShift’s enhanced authentication and authorization layers. The controller manager runs not only Kubernetes’ default controllers but also OpenShift-specific operators that automate cluster lifecycle events such as image registry management, cluster monitoring, and machine management. The scheduler incorporates sophisticated workload placement strategies that consider multi-tenancy isolation, node resource heterogeneity, and custom placement constraints, ensuring optimal resource utilization and compliance with enterprise policies.

The etcd data store underpinning the control plane is configured for high availability and resilience, often deployed in a dedicated multi-node cluster. OpenShift insists on strict etcd backup and disaster recovery methods, reflecting its commitment to platform reliability. Platform operators continuously monitor etcd health, automatically triggering recovery processes when anomalies occur, thus minimizing downtime risks in mission-critical enterprise environments.

OpenShift nodes execute containerized workloads using the kubelet agent and are augmented by additional components for operational consistency and security. Container runtimes have transitioned predominantly to CRI-O, a lightweight implementation designed specifically for Kubernetes, replacing the more generic Docker runtime. This choice reduces runtime overhead and tightly couples container lifecycle management with Kubernetes constructs. Each node includes an OpenShift Machine Config Daemon (MCD) that manages node configuration updates in a controlled and declarative manner, enabling seamless OS-level patching and configuration drift correction without disrupting applications.

A salient distinction from vanilla Kubernetes lies in OpenShift’s Software-Defined Networking (SDN) layer. OpenShift ships its own SDN implementation built on Open vSwitch (OVS), using either the OpenShift SDN plugin or, in more recent versions, OVN-Kubernetes. This SDN architecture abstracts network connectivity, implements flexible policy enforcement, and provides multicast support, encapsulating pod network traffic between nodes with the VXLAN or Geneve tunneling protocols. Network policies are deeply integrated to enforce multi-tenant isolation by default, building on Kubernetes NetworkPolicy resources extended by OpenShift’s enriched security model. The SDN also supports automatic service load balancing, dynamic IP assignment, and low-latency, high-throughput inter-pod communication across nodes thanks to efficient data plane forwarding.

Another fundamental layer enriching the OpenShift platform is the Operator Framework, which orchestrates lifecycle management of complex applications and OpenShift components through Kubernetes Custom Resource Definitions (CRDs). Operators encode operational knowledge to automate tasks such as upgrades, scaling, backups, and configuration management. This approach elevates cluster administrators from manual intervention into declarative, event-driven automation, contributing extensively to platform reliability and consistency.

OpenShift’s architectural approach to container orchestration favors declarative infrastructure, immutable system components, and GitOps-friendly workflows. These design principles ensure declarative cluster state management with minimized manual configuration, enabling reproducible environments and rapid recovery. Platform observability is natively embedded, with integrated monitoring via Prometheus and alerting configured out-of-the-box, assisting proactive operational excellence.

Enterprise readiness is also reflected in the platform’s security architecture. OpenShift applies Security-Enhanced Linux (SELinux) policies by default, combined with kernel hardening, control group (cgroup) isolation, and fine-grained cryptographic key management. The built-in OAuth server and its identity provider integrations offer seamless user and service account management that adheres strictly to organizational compliance requirements. Furthermore, OpenShift enforces image signature verification through container image policies, preventing untrusted images from executing.

OpenShift’s core platform architecture refines and extends Kubernetes with added layers of control plane resilience, node configuration automation, advanced SDN capability, and powerful operator-driven management. These enhancements collectively elevate container orchestration to meet stringent enterprise operational, security, and compliance standards. The architectural choices, whether in adopting CRI-O, embedding SELinux, or implementing sophisticated network overlays, reflect a strategic focus on robust, scalable, and secure multi-tenant platforms suitable for heterogeneous and evolving cloud-native workloads.

2.2 Multi-Tenancy and Project Isolation


OpenShift’s architecture is explicitly designed to support secure multi-tenancy, enabling multiple teams or organizations to share a common cluster infrastructure without compromising workload isolation or security. Achieving this requires a combination of Kubernetes primitives and OpenShift-specific extensions that work cohesively to enforce organizational boundaries and resource governance at scale.

At the core of tenant isolation in OpenShift lies the concept of namespaces, which partition cluster resources into logically discrete units. Each namespace in Kubernetes provides a scope for resource names and a boundary for access control policies. OpenShift builds upon this by introducing the concept of projects, which are enhanced namespaces with integrated user and policy management capabilities. Projects not only isolate resources such as pods, services, and secrets but also facilitate administrative delegation and quota enforcement.

A user or team is granted permissions to operate within a project, thus preventing unauthorized access to resources outside that domain. This model enables concurrent tenancy by isolating workloads and ensures that resource naming conflicts do not occur across different projects. Projects also integrate seamlessly with OpenShift’s role-based access control (RBAC) subsystem, allowing fine-grained permission assignments that align with organizational policies.

OpenShift enforces further isolation via Security Context Constraints (SCC), a cluster-scoped resource that governs the security attributes pods and containers may request. These constraints define permissible settings for aspects such as Linux capabilities, user and group IDs, volume types, privilege escalation, and SELinux contexts.

SCCs are critical for multi-tenancy as they mitigate the risk that a compromised pod within one project might escalate privileges or gain access to critical host resources. By restricting privileges according to a pod’s project membership and the role of the user who created it, SCCs enforce mandatory security controls consistently across the cluster. For example, the “restricted” SCC disables privileged mode and forbids host path volumes, providing a safe default for most workloads, while more permissive SCCs can be selectively assigned based on user roles and trust level.
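As an added illustration of what the “restricted” SCC does at admission time (example code written for this page, not taken from the book or from OpenShift’s own admission plugin): a Python check that rejects the two settings the text names, privileged mode and hostPath volumes, plus two assumed extras, shared host namespaces and an explicit UID 0, run over two constructed pod manifests.

```python
from typing import Any, Dict, List

# Assumed, simplified model of what the "restricted" SCC forbids. The real SCC
# admission plugin evaluates many more fields (capabilities, SELinux, FSGroup, ...).
FORBIDDEN_VOLUME_TYPES = {"hostPath"}
HOST_NAMESPACE_FLAGS = ("hostNetwork", "hostPID", "hostIPC")


def check_restricted(pod: Dict[str, Any]) -> List[str]:
    """Return the list of violations; an empty list means the pod would be admitted."""
    violations: List[str] = []
    spec = pod.get("spec", {})
    pod_uid = spec.get("securityContext", {}).get("runAsUser")

    # Sharing host namespaces breaks the tenant boundary, so reject them outright.
    for flag in HOST_NAMESPACE_FLAGS:
        if spec.get(flag):
            violations.append(f"{flag} is not allowed")

    # A hostPath volume would expose the node filesystem to the tenant's pod.
    for vol in spec.get("volumes", []):
        for vtype in FORBIDDEN_VOLUME_TYPES & set(vol):
            violations.append(f"volume {vol.get('name')!r} uses forbidden type {vtype}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"container {name!r} requests privileged mode")
        # A container-level runAsUser overrides the pod-level one; UID 0 is rejected.
        if sc.get("runAsUser", pod_uid) == 0:
            violations.append(f"container {name!r} requests UID 0")
    return violations


# Constructed sample manifests (not from the book).
COMPLIANT_POD = {
    "metadata": {"name": "web", "namespace": "team-a"},
    "spec": {"containers": [{"name": "app", "image": "example.invalid/app:1.0",
                             "securityContext": {"runAsUser": 1000710000}}]},
}
VIOLATING_POD = {
    "metadata": {"name": "debug", "namespace": "team-a"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "example.invalid/tools:1.0",
                        "securityContext": {"privileged": True, "runAsUser": 0}}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, VIOLATING_POD):
        print(pod["metadata"]["name"], check_restricted(pod) or "admitted")
```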

To prevent resource contention among tenants sharing the OpenShift cluster, administrators define resource quotas and limit ranges at the project level. Resource quotas constrain the cumulative consumption of CPU, memory, storage, and object counts (such as pods or services) within a namespace. Limit ranges enforce minimum and maximum...

Publication date (per publisher): 24 July 2025
Language: English
Subject area: Mathematics / Computer Science > Computer Science > Programming languages / tools
ISBN-10 0-00-097901-5 / 0000979015
ISBN-13 978-0-00-097901-8 / 9780000979018
EPUB (Adobe DRM)
Size: 636 KB

Copy protection: Adobe DRM
Adobe DRM is a copy protection scheme intended to protect the eBook from misuse. The eBook is authorized to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.

File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to presenting fiction and non-fiction. The body text adapts dynamically to the display and font size, so EPUB is also well suited to mobile reading devices.

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need an Adobe ID and the free Adobe Digital Editions software. We advise against using the OverDrive Media Console, as experience shows it frequently causes problems with Adobe DRM.
eReader: This eBook can be read on (almost) all eBook readers. It is, however, not compatible with the Amazon Kindle.
Smartphone/tablet: Whether Apple or Android, you can read this eBook. You need an Adobe ID and a free app.

Buying eBooks from abroad
For tax law reasons we can only sell eBooks within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.
