Skip to main content

Container Platform

The Office of Information Technology now offers a Container Platform, based on Red Hat OpenShift, an enterprise distribution of Kubernetes with many useful extensions. It provides a full-featured web interface, similar to cloud-hosted Kubernetes, but with the ability to run applications on-premises.

See the dedicated Container Platform Documentation for in-depth information. Note that this requires logging in to CU Boulder’s GitHub Enterprise instance.

How to get it

This platform is provided with a strong focus on self-service, meaning that OIT provides customers with an empty Kubernetes namespace. Within this namespace application owners are responsible for management of their workloads. Compared to other methods of hosting, this empowers application owners to iterate quickly, but comes with greater responsibilities.

In order to get started with OIT’s Container Platform, 

  1. Join the UCBoulder GitHub Organization
  2. Review the Container Platform Documentation
  3. Request one or more Namespaces
  4. Participate in the ITCP/Container Platform Users channel in Teams (we’ll make sure you have access when you request a namespace)

Who can get it

CU Boulder faculty, staff, or affiliates that develop or administer applications in service to the business, education, or research interests of the University.


There is currently no charge to use this service, however, in the future there is likely to be a monthly fee based on CPU, memory, and storage consumption.

Service Maturity

This is the current status of the platform, including features we have enabled and those that are in progress. If you wish to provide feedback on our roadmap, desired features, barriers to using the platform, or anything else, please fill out this questionnaire. If you have any questions, please open a support case with Platform Engineering by emailing

Feature Implemented Evolving Short-Term Plan Long-Term Plan Notes

Production cluster with 24x7 support from Platform Engineering


Backed by OIT's private cloud infrastructure (VMware). Currently supporting production applications for Platform Engineering, several OIT teams, and campus departments.

In-depth Container Platform Documentation (


Sections for getting started, how-to guides, understanding the service, and referencing API specs. Includes guides for leveraging GitHub Enterprise for managing deployments, customizing HTTP(s) routing, and managing resources.

Container Platform Users channel in Teams


Place for questions, knowledge sharing, and notifications about the service (like weekly upgrades). Sits within the ITCP team. Link to channel.

Customer Alerting Rules and Notifications


Create alerting rules based on down Pods or other criteria. Self-manage alert destination. Docs:

User workload monitoring for applications running on OpenShift that expose Prometheus metrics


Instrumented applications that expose Prometheus compatible metrics can leverage next generation observability tools provided with OpenShift. Docs:

Continuous improvement of the platform with Infrastructure as Code


Built-in Image Registry


Allows customer image builds to be performed locally in the cluster.

Default StorageClass for Persistent Volume Claims


Ability for customers to easily add disk volumes to workloads. Docs:

Backups of etcd (the cluster's key-value store)


Encrypted and stored outside the cluster

Weekly Cluster Upgrades


Provides stability, bug fixes, and security.

Backend Observability with Grafana


Dashboards and alerting to support day to day cluster administration and detect problems proactively.

Customer-facing Backups


Ability to enable backups of customer pod volumes (filesystems). Ability to restore entire volumes or individual files/directories. Backups are stored externally from the cluster.

HTTP(s) Ingress Controller


Customers can expose applications to the campus network or public internet, easily create custom service names (URLs), and support HTTPS traffic. Docs:

Egress IP Addresses


Ability to assign dedicated egress (outbound) IP addresses to namespaces. This helps customers manage firewall rules for external connections initiated by workloads. Docs:

Delegated access management


Customers can manage their own access with Grouper groups. Changes are synced automatically.

Local GitHub Actions runners


Support for self-hosting GitHub Actions runners within the platform. Docs:

Advanced Cluster Security


Full featured Kubernetes security monitoring including ability to automatically notify customers of vulnerabilities in container images. Docs:

Custom Prometheus for metrics collection


This is an evolving feature and available to current OIT Nagios users who would like to begin evaluation of next generation observability. Contact Platform Engineering to learn more or ask questions.

NIST 800-171 Security Compliance


Necessary to host workloads with a Highly Confidential data classification. We expect approval sometime in spring 2023.

Custom GitHub VPN


Ability to connect directly to the cluster with GitHub-hosted Actions runners using a custom VPN.

Custom Grafana deployments with IdentiKey authentication


This is an evolving feature and will be available to projects using OpenShift User Workload Monitoring to create custom dashboards.

Second Site


Support redundancy across multiple datacenters.

OpenShift on Bare Metal


Support larger individual Pods, low-cost scaling of the overall cluster, and potentially more flexibility with storage.

Ingress IP Addresses


Support for applications that need to support non-HTTP(s) traffic from outside the cluster (e.g. databases, chat servers, etc.)

Automated TLS certificates


Leverage Kubernetes certificate management capabilities and the Sectigo API for automatic certificate provisioning and renewal.

Public Cloud


Expand service with a footprint in the public cloud.