OpenShift boosts DevSecOps with VMware Tanzu in its rear view
Red Hat expands OpenShift, with VMware Tanzu poised to capture at least some of its vast vSphere install base as enterprises get serious about container-based DevOps platforms.
BOSTON -- It's been more than 10 years since Red Hat OpenShift was introduced, but the fiercest competition among DevOps platform vendors for enterprise buyers has only just begun.
Red Hat first released OpenShift in 2011 and standardized its OpenShift Container Platform on Kubernetes in 2014, well ahead of the open source container orchestration framework's emergence as an industry standard. OpenShift remains, by most market analysts' measures, the most widely used DevOps platform, a category that took shape amid the upheavals of the COVID-19 pandemic and an industry consolidation that saw VMware acquire Heptio in 2018, forming the basis for its Tanzu Kubernetes products; IBM acquire Red Hat for $34 billion in 2019; and SUSE acquire Rancher in 2020. The latest IBM estimates put the number of OpenShift customers at about 3,500 companies.
"They're still No. 1 in the market, especially with anything being done on premises with containers and Kubernetes," said Rob Strechay, an analyst at Enterprise Strategy Group, a division of TechTarget. "In public cloud, they hold their own, while [Amazon] EKS Anywhere and [Google] Anthos haven't made as much progress on premises."
Multi-faceted platform comparisons complex
Here and there, however, there are chinks in OpenShift's armor, depending on a customer's technical focus.
Some early adopters of edge computing, such as the U.S. Air Force and the Department of Defense, have favored Rancher Kubernetes, for example, given it was first to market in 2019 with a stripped-down version of Kubernetes in k3s and UI support for centrally managing thousands of edge clusters. As of this week, Red Hat OpenShift Advanced Cluster Management supports up to 2,000 single-node OpenShift clusters.
Analysts also point to VMware and its Tanzu platform -- despite Tanzu's status as a relative latecomer to the Kubernetes platform market after years of struggles to integrate it with Cloud Foundry PaaS -- as Red Hat's current chief rival, given the hundreds of thousands of large enterprise customers that use vSphere virtual machines and vRealize IT management tools. VMware's CEO, Raghu Raghuram, has claimed that a majority of OpenShift environments run on vSphere.
VMware has also made some inroads in hybrid cloud with its VMware Tanzu on AWS offering, keeping pressure on Red Hat, according to Strechay.
"In the AWS ecosystem, VMware tends to pop up more often than they used to," he said. "I'd say they're in the No. 2 spot from an on-premises perspective -- it's a ripe market for them to go after."
While Red Hat doesn't publicly specify what percentage of OpenShift environments run on VMware vSphere, the fastest-growing on-premises infrastructure type in OpenShift environments is bare metal, a company spokesperson said. Red Hat also offers OpenShift Virtualization as an alternative to virtual machines.
Still, "VMware is definitely Red Hat's greatest threat," said Charlotte Dunlap, an analyst at GlobalData Technology in Santa Cruz, Calif.
Tanzu, OpenShift prepare to square off in DevSecOps
Software supply chain security has become another box DevOps platform vendors must check -- and another battleground for platform providers -- thanks to high-profile attacks and vulnerabilities such as SolarWinds and Log4j.
Red Hat began to fill in features in this area this week, when it previewed a new software supply chain security integration between OpenShift Pipelines, OpenShift GitOps, Ansible Automation Platform and Red Hat Advanced Cluster Security (formerly StackRox) for OpenShift Platform Plus customers.
This integration -- or pattern, in Red Hat parlance -- will hinge on Red Hat's work on the open source Tekton Chains project, where integration with open source Sigstore for software supply chain attestation remains experimental. Ansible Automation Platform version 2.2, released this week, also added a content signing mechanism via GNU Privacy Guard, and Red Hat Enterprise Linux version 9 now includes an integrity management architecture function that signs OS images using cryptographic hashes.
VMware's Tanzu Application Platform (TAP) customers that use the VMware Tanzu Build Service for container images could automatically generate a software bill of materials (SBOM) for Java and Node.js-based applications as of version 1.0 in January, while Red Hat does not yet offer a built-in SBOM mechanism for OpenShift. With version 1.1 last month, TAP made software supply chain security features available for container images outside the Tanzu Build Service, and launched its own integration with Sigstore's cosign signature format for software supply chain attestation.
It's still early for all of these projects -- Sigstore included -- said Daniel Kirsch, an analyst and co-founder at Techstrong Research in Cambridge, Mass. Red Hat will have to evangelize them to its customer base, in addition to making the projects production-ready, he added.
"I don't know how much traction Sigstore has gotten so far, and whether it has the same buy-in as other projects Red Hat is working on," Kirsch said.
So far, Sigstore has been the focus of market buzz since it became part of the Open Source Security Foundation last year and was adopted by the Kubernetes upstream community for software supply chain security as of this month's Kubernetes version 1.24.
"It's not just about whether the tech is viable," Kirsch added. "It's also about who's using it and whether it's helping other Red Hat customers have success with security audits and other compelling use cases -- to get buy-in, they're going to have to show the business results."
Common customers set up clash of DevOps titans
Ultimately, how large enterprise customers choose a DevOps platform strategy among increasingly overlapping incumbent vendors will likely depend more on business factors than on technical comparisons.
Health insurer Blue Shield of California (BSC), for example, presented at the Red Hat Summit this week about its work since early 2020 with Red Hat's Open Transformation Consulting Practice to migrate from a vSphere VM-based IT infrastructure and DevOps pipeline to a container-based one.
While Red Hat offers tools for every stage of this process, Blue Shield has kept its Jenkins-based continuous integration and third-party container security tools such as Anchore and SonarQube. Jenkins commercial backer CloudBees could also potentially add its DevOps platform products to the mix, but in the end, BSC's longstanding relationship with IBM pushed it toward OpenShift.
"We were initially looking at IBM Cloud Private, but IBM was buying Red Hat at the time and told us to hold off on it," said Ty Lim, team lead for infrastructure architecture at BSC.
The now-discontinued IBM product "was more of a wrapper around Kubernetes, but without the 'batteries included but optional' [flexibility] we got with OpenShift," Lim said.
He credited Red Hat professional services for helping his team integrate tools from outside the OpenShift platform in his environment. In the future, Lim said he remains open to considering Red Hat OpenShift Advanced Cluster Management to orchestrate multiple Kubernetes clusters and Advanced Cluster Security to secure running containers in production.
In the meantime, two years on, the transformation of hundreds of application services within BSC remains a work in progress at least as complex as the DevOps platform vendor landscape that surrounds it, Lim said. BSC is preparing to go live with Kubernetes in production this month, but the company's containerized pipelines and infrastructure will run parallel to VM-based versions during this transition, which is expected to last well into 2023.
"We had to build the infrastructure, but also create a trusted software supply chain, move to a platform model and get developers situated in the OpenShift ecosystem and building apps for containers," Lim said. "Moving to containers isn't just lift-and-shift."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached on Twitter @PariseauTT.