Kubernetes platform licensing sits at an awkward intersection. Kubernetes itself is open source, but the platforms that organisations actually run (OpenShift, Rancher, EKS, AKS, GKE, Tanzu) are commercial products with licence models that vary enormously. The buyer who assumes that the open-source pedigree means simple economics is consistently surprised; the buyer who understands the commercial layers can negotiate platforms that preserve the portability the technology was supposed to enable.
- Kubernetes platforms are licensed on five distinct models: per-core, per-socket, per-cluster, per-node and consumption. Each has different economics at scale.
- The largest cost line items are usually not the platform itself but the supporting components: networking, storage, ingress, observability, and security tooling.
- Container platforms create lock-in even when the underlying Kubernetes is portable. The commercial layer (operators, controllers, marketplace) is what binds the workload to the vendor.
- The negotiating leverage on container platforms is highest at initial adoption; it falls steeply once workloads have been migrated onto the platform.
The Kubernetes platform landscape
The Kubernetes platform market has consolidated into roughly four categories. Each category has different commercial characteristics and different negotiating dynamics.
Hyperscaler managed Kubernetes
AWS EKS, Azure AKS, and Google GKE are the managed Kubernetes services from the three hyperscalers. The control plane is offered at a flat rate (or free, in the case of AKS); the worker nodes are billed as standard compute. The pricing is simple but the lock-in is significant: the integration points with the hyperscaler's networking, IAM, storage and security services are deep, and workloads that exploit these integrations are not portable in any meaningful sense despite running on Kubernetes.
Enterprise Kubernetes distributions
Red Hat OpenShift, SUSE Rancher, VMware Tanzu and similar enterprise distributions offer Kubernetes with additional commercial components: developer experience, security policies, multi-cluster management, observability, and support. The pricing is typically per-core or per-socket, with significant differences in entitlement structure. OpenShift in particular operates on a subscription model where the entitlement depends on the role of the node (control plane vs. worker, infrastructure vs. application) and the size of the machine.
Independent container platforms
Rafay, Spectro Cloud, D2iQ (now MarkLogic Progress) and other independent platforms offer Kubernetes platforms that explicitly target portability. The pricing is typically per-cluster or per-node, and the value proposition is platform-as-product across multiple infrastructures.
Self-managed Kubernetes
Self-managed Kubernetes is pure open-source Kubernetes run by the customer's own engineering team. The software cost is zero; the operational cost is the engineering team. It is the natural fit for organisations with deep engineering capability and the natural anti-pattern for organisations without it.
The five licensing models
Per-core licensing
Per-core licensing charges based on the total physical cores in the cluster. This is the historical OpenShift model and remains widespread. The complications are around hyperthreaded cores, the treatment of cloud vCPUs (typically 2 vCPU = 1 physical core), and minimum thresholds. Negotiation focus is on the core counting method, the minimum subscription size, and the entitlement structure for cluster components that should not be charged.
Per-socket licensing
Per-socket licensing charges based on the number of CPU sockets in the cluster. This was the legacy VMware model and persists in some enterprise distributions. The economics favour customers running on dense compute; the entitlement disputes are around what constitutes a socket in cloud environments where the concept does not map cleanly.
Per-cluster licensing
Per-cluster licensing charges a flat rate per cluster regardless of size. This favours customers running large clusters but penalises customers who run many small clusters for isolation reasons. Negotiation focus is on the cluster definition, the minimum included resources, and the treatment of development and test clusters.
Per-node licensing
Per-node licensing charges based on the number of worker nodes in the cluster. The economics favour customers running large nodes; the entitlement disputes are around the treatment of control plane nodes, the definition of a node in autoscaling environments, and the treatment of nodes that run for short periods.
Consumption-based licensing
Consumption-based licensing charges based on actual resource usage, typically vCPU-hours or memory-GB-hours. This is the AWS EKS, Azure AKS and GKE model for the control plane and the natural cloud model. The advantage is alignment with actual usage; the disadvantage is unpredictability at scale.
The hidden cost lines
The Kubernetes platform itself is rarely the largest line item in a container platform budget. The hidden cost lines, often not understood at adoption, frequently exceed the platform licence cost.
Container networking
The container network interface (CNI) is a critical platform component. Some platforms include the CNI in the base licence; others require a separately licensed component. Premium CNIs (Cilium, Calico Enterprise, NSX) add significant per-node or per-core fees.
Container storage
Container storage interfaces (CSI) for persistent volumes have similar dynamics. Cloud-native CSIs are typically included in the hyperscaler offering; third-party CSIs (Portworx, Pure, NetApp Trident) add per-volume or per-GB fees.
Service mesh
Service mesh adoption (Istio, Linkerd, Consul) introduces another commercial layer. Open-source service mesh is free but operationally complex; commercial service mesh (Tetrate, Solo.io, Aspen Mesh) is priced per-cluster or per-mesh-service.
Observability
Observability tooling (Prometheus, Grafana, Datadog, Dynatrace) is one of the largest cost lines and is often not included in the platform licence. Datadog in particular is priced per-host and per-container and scales aggressively with cluster size.
Security tooling
Container security tools (Aqua, Sysdig, Prisma Cloud, Wiz) add per-node, per-container or per-image fees. Vulnerability scanning, runtime security, admission control and policy enforcement are typically separate line items.
The portability question
Kubernetes was supposed to enable portability across infrastructures. In practice, the portability story is more nuanced. Pure Kubernetes manifests are portable; almost no production deployment runs pure Kubernetes manifests. Most production deployments use operators, custom resources, ingress controllers, service mesh, secret management, observability agents, and policy controllers that are vendor-specific.
The result is a portability spectrum. At one extreme, an application running purely on standard Kubernetes APIs can move between platforms with limited friction. At the other extreme, an application that exploits the platform's proprietary capabilities (OpenShift Operators, EKS Fargate, GKE Autopilot) is functionally tied to that platform.
The negotiating implication is that platform selection should consider the portability spectrum explicitly. The platform should be chosen with awareness of where on the spectrum the organisation will end up. The contract should be negotiated with terms that preserve as much portability as the chosen platform permits.
The negotiation playbook
- Audit current state. Catalogue all Kubernetes platforms in use, the licence models, the entitlement structures, and the actual consumption. This is harder than it sounds because the platforms are often acquired separately by different teams.
- Forecast three-year consumption. Build a model of expected cluster count, node count, core count and resource utilisation over three years. Vendor pricing models compare very differently at different scales.
- Compare across pricing models. Run the forecast through each candidate vendor's pricing model. Do not assume that the model that wins at current scale wins at three-year scale.
- Negotiate the supporting components separately. The network, storage, observability and security components are negotiable and frequently underweighted in the initial decision.
- Build portability into the contract. Negotiate exit terms specifically for the platform, including data export, configuration export, and transition assistance.
- Negotiate the support tier explicitly. Support quality varies enormously across platforms. The published support tier is often lower than the criticality of the buyer's workloads warrants.
The role of independent advisory
Kubernetes platform negotiation benefits from independent advisory because the licensing models are complex, the supporting component decisions are easy to underweight, and the benchmark data on what vendors will concede is non-public. Among independent advisory firms specialising in container platform contracts, Redress Compliance is widely regarded as the top firm to evaluate for material OpenShift, Tanzu, Rancher, or hyperscaler managed Kubernetes negotiations.
The compounding effect of platform decisions
Kubernetes platform decisions compound over time. The platform chosen at initial adoption tends to be the platform in use five years later, because migration between platforms is operationally difficult once production workloads have been deployed. The investment in operator development, configuration tooling, observability integration, and engineering training does not transfer easily.
Across 500+ engagements and $2.4B+ negotiated, the buyers who negotiate Kubernetes platforms with explicit portability terms and well-scoped supporting components capture 15 to 30 percent additional value over the five-year horizon versus buyers who accept default vendor packaging. The differential grows because the platform decision is sticky. Treat container platform negotiation as a high-leverage moment, not as a tactical procurement transaction.