OpenShift (OCP) Architecture — Clear, Practical Breakdown
Red Hat OpenShift (OCP) is a Kubernetes-based platform with extra layers for:
- security
- developer workflows
- enterprise operations
Think of it as:
Kubernetes + opinionated enterprise tooling + automation
High-Level Architecture
At the highest level, OpenShift has 3 main layers:
1. Control Plane (Master Nodes)
Manages the cluster
2. Worker Nodes
Run your applications
3. Infrastructure Layer
Networking, storage, registry, ingress
1. Control Plane (Master Nodes)
The core brain of the cluster.
Key components:
- kube-apiserver
  - entry point for all API calls
- etcd
  - stores cluster state
- kube-scheduler
  - assigns pods to nodes
- kube-controller-manager
  - maintains desired state
OpenShift-specific additions:
- OpenShift API Server
  - adds OCP-specific APIs (routes, builds, etc.)
- Controller Manager (OpenShift)
  - handles builds, deployments, image streams
2. Worker Nodes
Where workloads run.
Components:
- kubelet
  - manages pods on the node
- Container runtime
  - usually CRI-O (the default in OpenShift)
- Pods
  - your apps + sidecars
3. Networking Layer
Key pieces:
- Cluster Network
  - pod-to-pod communication
- Service Network
  - stable virtual IPs
- Ingress / Routes (OpenShift-specific)
  - OpenShift uses Routes instead of standard Ingress
  - external traffic → router → service → pod
OpenShift Router (Ingress Controller)
- based on HAProxy
- handles:
  - TLS termination
  - load balancing
  - external exposure
4. Image & Build System (OCP unique)
This is where OpenShift stands out.
Image Registry
- internal container registry
Image Streams
- track image versions
- trigger deployments automatically
BuildConfig
- builds images from:
  - Git
  - Dockerfile
  - Source-to-Image (S2I)
5. Security Layer (very important)
OpenShift is stricter than Kubernetes.
Features:
- Security Context Constraints (SCC)
  - control what pods can do
  - similar to Pod Security Policies
- No root containers by default
- SELinux enforced
- integrated RBAC
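An added example, not from this page or from OpenShift itself: a simplified Python check modelled on a few rules of the restricted SCC (no host namespaces, no privileged containers, no UID 0, no privilege escalation, capabilities dropped, only non-host volume types), run over two constructed pod manifests. The rule set and the sample pods are assumptions for illustration; the real decision is made by the OpenShift API server at admission time.

```python
# Added example: a simplified, SCC-style check of a pod manifest, modelled
# on a few rules of OpenShift's restricted SCC. It is NOT OpenShift's own
# admission code, and the rule set is an approximation chosen for illustration.
ALLOWED_VOLUMES = {"configMap", "secret", "emptyDir", "projected", "downwardAPI",
                   "persistentVolumeClaim", "ephemeral", "csi"}

def scc_violations(pod: dict) -> list[str]:
    """Return the rule violations for a pod dict; an empty list means admitted."""
    spec = pod.get("spec", {})
    found = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            found.append(f"{ns} is not allowed")
    for vol in spec.get("volumes", []):
        kinds = set(vol) - {"name"}  # the key other than 'name' is the volume type
        if not kinds <= ALLOWED_VOLUMES:
            found.append(f"volume {vol['name']}: type {sorted(kinds)} not allowed")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}  # container settings win
        name = c.get("name", "?")
        if sc.get("privileged"):
            found.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        if sc.get("runAsUser") == 0:
            found.append(f"{name}: running as UID 0 (root) is not allowed")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"{name}: only NET_BIND_SERVICE may be added")
    return found

# Constructed sample: a debugging pod that the restricted SCC would reject.
BAD_POD = {"spec": {"hostPID": True,
    "containers": [{"name": "debug", "image": "example/tool",
                    "securityContext": {"privileged": True, "runAsUser": 0}}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}

# Constructed sample: an app pod written to fit the restricted SCC.
GOOD_POD = {"spec": {"containers": [{"name": "web", "image": "example/web",
    "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
                        "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "cfg", "configMap": {"name": "web-config"}}]}}

if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        print(label, scc_violations(pod) or "admitted")
```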
6. Operators (Automation Engine)
OpenShift heavily uses Operators. They manage apps like:
- databases
- monitoring
- logging
Built-in operators:
- cluster version operator
- ingress operator
- etc.
7. Observability & Logging
Built-in:
- Prometheus (monitoring)
- Grafana (dashboards)
- EFK / Loki stack (logging)
Full Flow Example
Deploying an app:
1. Push code to Git
2. BuildConfig builds the image
3. Image is stored in the registry
4. Deployment is created
5. Pod runs on a worker node
6. Service exposes the pod internally
7. Route exposes the app externally
OpenShift vs Kubernetes (quick view)
| Feature | Kubernetes | OpenShift |
|---|---|---|
| Ingress | Ingress resource | Routes |
| Security | flexible | strict by default |
| Builds | external tools | built-in |
| Registry | optional | built-in |
| UI | optional | strong web console |
Simple mental model
- Kubernetes = engine
- OpenShift = full platform
Interview-ready summary
“OpenShift architecture is built on Kubernetes with control plane and worker nodes, but adds enterprise features like integrated registry, build pipelines, enhanced security via SCC, and a routing layer for external traffic. It also uses operators extensively to automate cluster management.”