Managed Kubernetes platforms carry per-core or per-node subscriptions on top of the infrastructure. Upstream Kubernetes, Rancher/RKE2, and K3s remove or reduce that licensing, in exchange for owning more of the platform yourself. Because workloads are already containerized, the move is mostly about the platform layer, not the apps.
Choosing a target
- Upstream Kubernetes (kubeadm / Cluster API) — maximum control, no vendor layer.
- Rancher / RKE2 (SUSE) — managed multi-cluster with an easier operational on-ramp.
- K3s — lightweight, great for edge and smaller footprints.
Provision the target
Build clusters with matching storage classes, ingress controllers, and CNI/network policies, then set up registries, GitOps (Argo CD/Flux), and observability. Inventory namespaces, workloads, CRDs, RBAC, and operators on the source first.
Migrate with Velero
Velero backs up namespaces plus persistent volumes to object storage and restores them onto the target cluster. The OpenShift-specific work is converting Routes → Ingress, BuildConfigs/ImageStreams → external CI + a registry, and SCCs (Security Context Constraints) → Pod Security admission. Sync registries and re-point ingress DNS per namespace.
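For the SCC → Pod Security admission step, the following added example (not from the original page or from any of the projects it names) classifies exported pod specs against a subset of the Pod Security Standards controls and returns the `pod-security.kubernetes.io/enforce` label a namespace would need. The sample specs are constructed, the function names are hypothetical, and the real admission controller checks more fields than this sketch does (volume types, sysctls, ephemeral containers and others).

```python
# Added example: checks a SUBSET of Pod Security Standards controls only.
LEVELS = ["restricted", "baseline", "privileged"]  # strictest first
BASELINE_CAPS = set("AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD "
                    "NET_BIND_SERVICE SETFCAP SETGID SETPCAP SETUID SYS_CHROOT".split())

def containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])

def violates_baseline(spec):
    if (any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC"))
            or any("hostPath" in v for v in spec.get("volumes", []))):
        return True
    for c in containers(spec):
        sc = c.get("securityContext", {})
        added = set(sc.get("capabilities", {}).get("add", []))
        if (sc.get("privileged") or not added <= BASELINE_CAPS
                or any(p.get("hostPort") for p in c.get("ports", []))):
            return True
    return False

def violates_restricted(spec):
    pod_sc = spec.get("securityContext", {})
    for c in containers(spec):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if (sc.get("allowPrivilegeEscalation") is not False
                or not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
                or "ALL" not in caps.get("drop", [])
                or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
                or seccomp.get("type") not in ("RuntimeDefault", "Localhost")):
            return True
    return False

def pod_level(spec):
    return ("privileged" if violates_baseline(spec)
            else "baseline" if violates_restricted(spec) else "restricted")

def namespace_label(pod_specs):
    # A namespace needs the most permissive level that any of its pods requires.
    worst = max((pod_level(s) for s in pod_specs), key=LEVELS.index, default="restricted")
    return {"pod-security.kubernetes.io/enforce": worst}

# Constructed sample pod specs (not taken from any real cluster).
HARDENED = {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{"name": "api", "securityContext": {
                "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}
LEGACY = {"containers": [{"name": "web"}]}  # no securityContext at all
AGENT = {"hostNetwork": True, "containers": [{"name": "agent"}]}
```

A namespace that comes out as `privileged` here is one whose workloads relied on a permissive SCC on the source and deserves review before it is restored onto the target.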
Cutover & validation
Cut over namespace-by-namespace: restore, fix ingress/RBAC/storage, smoke-test workloads and autoscaling, then move ingress traffic. Validate RBAC, network policies, persistent storage, and a rolling-update + node-drain/HA test. Keep the source namespace running and re-point ingress back if a wave fails.
De-risking
Test a Velero backup/restore of a non-critical namespace first, and reconcile via GitOps so the target is declarative and repeatable.