OpenShift is expensive and requires a significant O&M investment. If you want to use standard tools it’d be nice to have a managed standard Kubernetes option without paying for a lot of complexity your teams don’t want.
> OpenShift is expensive and requires a significant O&M investment. If you want to use standard tools it’d be nice to have a managed standard Kubernetes option without paying for a lot of complexity your teams don’t want.
The parent's point though is that this isn't the space IBM wants to be in. They're in the business of selling high margin, enterprise-y stuff that includes all the bells and whistles, so there's no reason for them to gobble up something like Rancher (RHAT's OpenShift solution is what they want to be selling already).
I think there are some things which are either disabled or complicated by policy, not to mention the lag between Kubernetes updates shipping and OpenShift updating, but I was more going at the angle of paying for things you're not using. OpenShift's license costs are enough that you really have to justify it based on those services. The people I know who've avoided it did so because they couldn't justify the price when they mostly wanted Kubernetes but their teams had no interest in going away from their current build tools.
It takes away privileges which arguably is a good thing but some things that require root containers won't run. They pass the Kubernetes conformance suite only by removing those constraints.
That's not true at all. You can read their CNCF results yourself, nothing is disabled. And the conformance tooling works around these constraints by defining their own PSPs.
Yes, to run tests that root your whole cluster, the test running for conformance grants “root your cluster” permissions.
I occasionally regret the defaults we picked because people get frustrated that random software off the internet doesn’t run.
That said, every severe (or almost every) container runtime vulnerability in the last five years has not applied to a default pod running on OpenShift, so there’s at least some comfort there.
To grant “run as uid 0” is a one line RBAC as assignment. To grant “run as uid 0 and access host” is a similar statement.
And you can do the same for your environment. You can run root containers on OpenShift, it's a setting, not a baked-in compiled choice or something similar.
OpenShift Container Platform removes the need to build your own platform around Kubernetes, which would also require a significant O&M investment. If you don't want that, there's OpenShift Kubernetes Engine: https://www.openshift.com/products/kubernetes-engine
Yes, but then you’re still supporting the additional platform components. If you’re using those services, that’s reasonable but if you have other tools you might reasonably want something smaller which doesn’t require you to learn and support things which you aren’t using and which delay upstream k8s releases shipping.