Overview of responsibilities for ROSA
This documentation outlines the responsibilities of Amazon Web Services (AWS), Red Hat, and customers for the Red Hat OpenShift Service on AWS (ROSA) managed service.
For more information about ROSA and its components, see Policies and service definition.
The AWS shared responsibility model
Red Hat is responsible for the ongoing management and security of the ROSA cluster infrastructure, the underlying application platform, and the operating system. While ROSA clusters are hosted on AWS resources in the customer AWS accounts, they are accessed remotely by ROSA service components and Red Hat site reliability engineers (SREs) through IAM roles that the customer creates. Red Hat uses this access to manage the deployment and capacity of all control plane and infrastructure nodes on the cluster, and maintain versions for the control plane nodes, infrastructure nodes, and worker nodes.
Red Hat and the customer share responsibility for ROSA network management, cluster logging, cluster versioning, and capacity management. While Red Hat manages the ROSA service, the customer is fully responsible for managing and securing any applications, workloads, and data deployed to ROSA.
Overview
The following table provides an overview of AWS, Red Hat, and customer responsibilities for Red Hat OpenShift Service on AWS.
Note
If the cluster-admin role is added to a user, see the responsibilities and exclusion notes in the Red Hat Enterprise Agreement Appendix 4 (Online Subscription Services).
Resource | Incident and operations management | Change management | Access and identity authorization | Security and regulation compliance | Disaster recovery |
---|---|---|---|---|---|
Customer data | Customer | Customer | Customer | Customer | Customer |
Customer applications | Customer | Customer | Customer | Customer | Customer |
Developer services | Customer | Customer | Customer | Customer | Customer |
Platform monitoring | Red Hat | Red Hat | Red Hat | Red Hat | Red Hat |
Logging | Red Hat | Red Hat and customer | Red Hat and customer | Red Hat and customer | Red Hat |
Application networking | Red Hat and customer | Red Hat and customer | Red Hat and customer | Red Hat | Red Hat |
Cluster networking | Red Hat | Red Hat and customer | Red Hat and customer | Red Hat | Red Hat |
Virtual networking management | Red Hat and customer | Red Hat and customer | Red Hat and customer | Red Hat and customer | Red Hat and customer |
Virtual compute management (control plane, infrastructure, and worker nodes) | Red Hat | Red Hat | Red Hat | Red Hat | Red Hat |
Cluster version | Red Hat | Red Hat and customer | Red Hat | Red Hat | Red Hat |
Capacity management | Red Hat | Red Hat and customer | Red Hat | Red Hat | Red Hat |
Virtual storage management | Red Hat | Red Hat | Red Hat | Red Hat | Red Hat |
AWS software (public AWS services) | AWS | AWS | AWS | AWS | AWS |
Hardware/AWS global infrastructure | AWS | AWS | AWS | AWS | AWS |
Tasks for shared responsibilities by area
AWS, Red Hat, and customers share responsibility for the monitoring and maintenance of ROSA components. This documentation defines ROSA service responsibilities by area and task.
Incident and operations management
AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the AWS Cloud. Red Hat is responsible for managing the service components necessary for default platform networking. The customer is responsible for incident and operations management of customer application data and any custom networking the customer may have configured.
Resource | Service responsibilities | Customer responsibilities |
---|---|---|
Application networking | Red Hat | Customer |
Virtual networking management | Red Hat | Customer |
Virtual storage management | Red Hat | Customer |
AWS software (public AWS services) | AWS | Customer |
Hardware/AWS global infrastructure | AWS | Customer |
Change management
AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the AWS Cloud. Red Hat is responsible for enabling changes to the cluster infrastructure and services that the customer will control, as well as maintaining versions for the control plane nodes, infrastructure nodes, and worker nodes. The customer is responsible for initiating infrastructure changes. The customer is also responsible for installing and maintaining optional services, networking configurations on the cluster, and changes to customer data and applications.
Resource | Service responsibilities | Customer responsibilities |
---|---|---|
Logging | Red Hat | Customer |
Application networking | Red Hat | Customer |
Cluster networking | Red Hat | Customer |
Virtual networking management | Red Hat | Customer |
Virtual compute management | Red Hat | Customer |
Cluster version | Red Hat | Customer |
Capacity management | Red Hat | Customer |
Virtual storage management | Red Hat | Customer |
AWS software (public AWS services) | AWS: Compute, Storage, Networking | Customer |
Hardware/AWS global infrastructure | AWS | Customer |
Access and identity authorization
Access and identity authorization includes responsibilities for managing authorized access to clusters, applications, and infrastructure resources. This includes tasks such as providing access control mechanisms, authentication, authorization, and managing access to resources.
Resource | Service responsibilities | Customer responsibilities |
---|---|---|
Logging | Red Hat | Customer |
Application networking | Red Hat | Customer |
Cluster networking | Red Hat | Customer |
Virtual networking management | Red Hat | Customer |
Virtual compute management | Red Hat | Customer |
Virtual storage management | Red Hat | Customer |
AWS software (public AWS services) | AWS: Compute, Storage, Networking | Customer |
Hardware/AWS global infrastructure | AWS | Customer |
Security and regulation compliance
The following are the responsibilities and controls related to compliance:
Resource | Service responsibilities | Customer responsibilities |
---|---|---|
Logging | Red Hat | Customer |
Virtual networking management | Red Hat | Customer |
Virtual compute management | Red Hat | Customer |
Virtual storage management | Red Hat | Customer |
AWS software (public AWS services) | AWS: Compute, Storage, Networking | Customer |
Hardware/AWS global infrastructure | AWS | Customer |
Disaster recovery
Disaster recovery includes data and configuration backup, data replication and configuration of the disaster recovery environment, and failover on disaster events.
Resource | Service responsibilities | Customer responsibilities |
---|---|---|
Virtual networking management | Red Hat | Customer |
Virtual compute management | Red Hat | Customer |
Virtual storage management | Red Hat | Customer |
AWS software (public AWS services) | AWS: Compute, Storage, Networking | Customer |
Hardware/AWS global infrastructure | AWS | Customer |
Customer responsibilities for data and applications
The customer is responsible for the applications, workloads, and data that they deploy to Red Hat OpenShift Service on AWS. However, AWS and Red Hat provide various tools to help the customer manage data and applications on the platform.
Resource | How AWS and Red Hat help | Customer responsibilities |
---|---|---|
Customer data | Red Hat, AWS | Customer |
Customer applications | Red Hat, AWS | Customer |