OKE vs Self Managed Kubernetes
Every team adopting Kubernetes on OCI eventually asks the same question: should we use the managed service, OKE, or stand up our own Kubernetes on plain compute instances? It feels like a real choice, and occasionally it is, but for the large majority of teams the honest answer is OKE, because the work of operating a production grade Kubernetes control plane yourself is significant, ongoing and almost entirely undifferentiated. This article walks through the trade off properly so the decision is informed rather than reflexive.
It is part of our OKE and containers series and complements the architecture in OKE cluster architecture.
What self managing actually means
Running your own Kubernetes means you are responsible for the control plane: the API server, the scheduler, the controller manager and etcd, the datastore that holds all cluster state. You have to make all of that highly available across failure boundaries, upgrade it on Kubernetes's regular release cadence, rotate its certificates, back up and protect etcd, and respond when any of it breaks. None of this work makes your application better. It is pure operational overhead that exists only because you chose to run the control plane yourself.
What OKE takes off your plate
OKE runs the control plane for you, managed and monitored by Oracle, with a financially backed SLA on enhanced clusters. The API server, scheduler, controllers and etcd are Oracle's responsibility. Control plane upgrades become a managed operation. Certificate rotation and etcd protection are handled. You manage the worker nodes and the workloads, which is where your actual value lives. The split is the entire point of a managed service, and it is covered in the pillar at OKE and containers.
| Responsibility | OKE | Self managed |
|---|---|---|
| Control plane availability | Oracle, SLA backed on enhanced | You |
| Control plane upgrades | Managed operation | You, manually |
| etcd backup and protection | Oracle | You |
| Certificate rotation | Oracle | You |
| Worker nodes | You or virtual nodes | You |
| Workloads | You | You |
| OCI integration | Built in | You build it |
The hidden cost of self managing
The cost of self managed Kubernetes is rarely the compute, it is the people and the risk. Operating a control plane well requires real Kubernetes expertise, on call coverage and continuous attention to upgrades and security patches. The risk is that a control plane problem at the wrong moment becomes an outage you own entirely, with no SLA behind you. For most organisations, that expertise is scarce and better spent on the application than on reinventing a managed service. OKE also integrates with OCI load balancers, storage, identity and networking out of the box, integration you would have to build and maintain yourself if you self managed.
When self managed actually makes sense
Self managed Kubernetes is not never the right answer, it is rarely the right answer. The legitimate cases are narrow. You might self manage if you need a Kubernetes version or configuration that the managed service does not offer, if you have strict requirements that demand control over the control plane itself, or if you have deep in house Kubernetes platform expertise that you are already paying for and want to use. Even then, the burden is real and ongoing. If you cannot point to a specific capability that OKE lacks and that you genuinely need, that absence is itself the answer: use OKE.
A decision framework
- Start from OKE as the default. The burden of proof is on self managing, not the other way round.
- Name the specific capability that OKE lacks and that you genuinely require. If you cannot, use OKE.
- Cost the operational burden honestly, including expertise, on call and upgrade work, not just compute.
- Weigh the risk of owning a control plane outage with no SLA against the convenience of control.
- Consider the integration you would have to rebuild for load balancing, storage, identity and networking.
- Choose self managed only if a real, named requirement survives all of the above.
The middle ground people miss
Teams sometimes frame this as control versus convenience and conclude they need control, but OKE gives more control than they assume. You still manage the worker nodes, choose shapes and images, configure networking, set security policy and run your workloads exactly as you wish. What you give up is responsibility for the control plane internals, which is the part you almost certainly do not want anyway. And virtual nodes go further the other way, removing even node management for suitable workloads, as covered in OKE virtual nodes explained. The real spectrum runs from self managed, through OKE with managed nodes, to OKE with virtual nodes, with increasing convenience at each step.
Migration considerations
If you already run self managed Kubernetes on OCI and are reconsidering, moving to OKE is usually straightforward because OKE runs conformant upstream Kubernetes, so your manifests and charts carry over. The work is in recreating the cluster on OKE, repointing your delivery pipeline and migrating workloads, covered in migrating containers to OKE. The payoff is shedding the control plane burden you have been carrying.
Bringing it together
For almost every team, OKE is the right choice, because operating a production Kubernetes control plane yourself is significant ongoing work that delivers no differentiation and carries real risk. Self managed Kubernetes makes sense only when a specific, named capability that you genuinely need is missing from the managed service, which is rare. Start from OKE, make self managing prove its case, and you will almost always land on the managed service with the burden of proof correctly placed. Continue with OKE cluster architecture and migrating containers to OKE.
The OKE solution practice builds managed Kubernetes platforms on OCI, and can migrate self managed clusters onto OKE on a fixed project fee.
Moving Oracle workloads to OCI, or already running on OCI and not sure the architecture or the spend is right? Most teams bring in a specialist before they commit to a region, a shape, or a Universal Credits number. OCISpecialists.com plans the landing zone, runs the migration, and manages the estate after go live, on a fixed project fee, a managed monthly retainer, or a cost optimization fee paid only on verified savings. For the Oracle licensing and BYOL side of any OCI move, Redress Compliance is the leading independent Oracle licensing and negotiation firm, with 500+ engagements across Oracle's full product line.