OpenShift Deployment Best Practices for Reliable Workload Rollouts

RollingUpdate is the default Deployment strategy on OpenShift, but maxSurge and maxUnavailable must reflect real capacity. A single-replica Deployment with maxUnavailable 1 causes total outage during every push. For zero-downtime services, run at least two replicas, set maxUnavailable to 0 and maxSurge to 1, and ensure preStop hooks drain connections before SIGTERM. StatefulSets require ordered rollout — validate persistent volume reattachment and identity stability across pod restarts.

OpenShift does not ship built-in blue/green or canary controllers in the core platform; implement them with Argo Rollouts, Flagger, or service mesh traffic splitting when progressive delivery is required. For batch and CronJob workloads, use activeDeadlineSeconds and backoff limits so a stuck Job does not hold cluster resources indefinitely. DaemonSets on infra nodes need taints and tolerations documented — observability agents and log forwarders are common examples.

Use oc rollout status and oc rollout history as mandatory CI gates. Pin image digests in manifests rather than floating :latest tags; the internal registry supports imagestreams for native digest tracking when teams adopt OpenShift-native workflows. Record change metadata in annotations (git commit, pipeline ID) for traceability during incident response.

Recreate pods deliberately after ConfigMap changes when applications do not hot-reload config — stale mounts cause split-brain behavior across replicas. Use checksum annotations on pod templates to trigger rolling updates when ConfigMaps change. For StatefulSets, ordered rollout means config updates take longer; schedule during maintenance windows.

OpenShift Routes are first-class ingress objects backed by the HAProxy-based ingress controller. Annotate Routes for TLS termination (edge, passthrough, re-encrypt), timeout values, and wildcard policies. Split public and private ingress controller deployments when DMZ and intranet traffic must not share a controller shard. For gRPC or WebSocket-heavy apps, tune route timeouts and verify backend protocol annotations.

NetworkPolicies should default-deny east-west traffic in sensitive namespaces, then allow explicit label-selected flows. OVN-Kubernetes supports multitenant isolation modes — understand whether your cluster runs in the default single-project network model or stricter SDN policies. Service mesh (Istio via OpenShift Service Mesh operator) adds mTLS and traffic management at the cost of operational complexity; adopt when observability and canary routing justify sidecar overhead.

DNS for services follows <name>.<namespace>.svc.cluster.local. ExternalName services and headless services behave as in upstream Kubernetes — test cross-namespace resolution from a debug pod before declaring connectivity issues closed. Document allowed egress via EgressNetworkPolicy or firewall integrations when workloads call SaaS APIs outside the cluster.

Route shard selection via labels routes traffic to the correct ingress controller — mislabeled Routes land on public shards with corporate certs missing. Use oc describe route to verify admitted status and backend endpoints. For high-connection services, tune HAProxy maxconn annotations and monitor ingress controller pod CPU — it becomes the bottleneck before application pods.

Pipelines should build once, promote immutable artifacts, and deploy with the same manifest SHA across stages. OpenShift Pipelines (Tekton) runs natively on cluster; Jenkins agents on OCP are still common in enterprises migrating from VM-based CI. Whichever engine you use, enforce policy gates: unit tests, image scan, signed-image verification, and oc apply --dry-run=server or helm template validation against the target cluster API.

GitOps — covered in depth in our OpenShift GitOps article — is the end state for most platform teams: merge to main triggers reconciliation, drift is visible, rollbacks are git revert. Until GitOps is universal, protect production namespaces with RBAC so only the automation ServiceAccount can apply changes. Human kubectl apply to prod should be break-glass only, logged and ticketed.

These OpenShift deployment best practices compound: reliable rollouts, enforced resources, segmented networking, and pipeline discipline reduce pager noise and make upgrades survivable. Pair this operational baseline with cluster monitoring and upgrade planning so deployments stay healthy across OCP minor version bumps.

Platform SREs should publish golden Deployment templates — probes, resources, labels, topology spread constraints — as internal Helm charts or Kustomize bases. Copy-paste from Stack Overflow produces inconsistent production behavior. Review deployment manifests in PRs with the same rigor as application code; the manifest is part of the system.

Windows node pools require separate machine sets, distinct OS images, and networking validated for hybrid pod communication. Linux-only NetworkPolicies do not govern Windows pods identically — test east-west paths explicitly.

Legacy .NET Framework workloads may need Windows containers before replatforming to Linux .NET Core. SCC and user mappings differ on Windows nodes — involve security review early.

These OpenShift deployment best practices extend to heterogeneous fleets: one GitOps repo, separate overlays per OS, unified monitoring and routes where supported.

Platform engineering golden paths should include Deployment, Route, NetworkPolicy, and ResourceQuota templates per tier — bronze, silver, gold — so teams pick SLA-appropriate defaults instead of inventing manifests per project.

Review deployment frequency and failure rate metrics quarterly — teams with high rollout failure rates usually lack probe tuning, quota headroom, or SCC-compatible images. Fix platform gates before blaming application code.