Overview of responsibilities for ROSA - Red Hat OpenShift Service on AWS

Overview of responsibilities for ROSA

This documentation outlines the responsibilities of Amazon Web Services (AWS), Red Hat, and customers for the Red Hat OpenShift Service on AWS (ROSA) managed service. For more information about ROSA and its components, see Policies and service definition in the Red Hat documentation.

The AWS shared responsibility model defines AWS responsibility for protecting the infrastructure that runs all of the services offered in the AWS Cloud, including ROSA. AWS infrastructure includes the hardware, software, networking, and facilities that run AWS Cloud services. This AWS responsibility is commonly referred to as the “security of the cloud”. To operate ROSA as a fully managed service, Red Hat and the customer are responsible for the elements of the service that the AWS responsibility model defines as “security in the cloud”.

Red Hat is responsible for the ongoing management and security of the ROSA cluster infrastructure, the underlying application platform, and the operating system. While ROSA clusters are hosted on AWS resources in the customer AWS accounts, they are accessed remotely by ROSA service components and Red Hat site reliability engineers (SREs) through IAM roles that the customer creates. Red Hat uses this access to manage the deployment and capacity of all control plane and infrastructure nodes on the cluster, and maintain versions for the control plane nodes, infrastructure nodes, and worker nodes.

Red Hat and the customer share responsibility for ROSA network management, cluster logging, cluster versioning, and capacity management. While Red Hat manages the ROSA service, the customer is fully responsible for managing and securing any applications, workloads, and data deployed to ROSA.

Overview

The following table provides an overview of AWS, Red Hat, and customer responsibilities for Red Hat OpenShift Service on AWS.

Note

If the cluster-admin role is added to a user, see the responsibilities and exclusion notes in the Red Hat Enterprise Agreement Appendix 4 (Online Subscription Services).

| Resource | Incident and operations management | Change management | Access and identity authorization | Security and regulation compliance | Disaster recovery |
|---|---|---|---|---|---|
| Customer data | Customer | Customer | Customer | Customer | Customer |
| Customer applications | Customer | Customer | Customer | Customer | Customer |
| Developer services | Customer | Customer | Customer | Customer | Customer |
| Platform monitoring | Red Hat | Red Hat | Red Hat | Red Hat | Red Hat |
| Logging | Red Hat | Red Hat and customer | Red Hat and customer | Red Hat and customer | Red Hat |
| Application networking | Red Hat and customer | Red Hat and customer | Red Hat and customer | Red Hat | Red Hat |
| Cluster networking | Red Hat | Red Hat and customer | Red Hat and customer | Red Hat | Red Hat |
| Virtual networking management | Red Hat and customer | Red Hat and customer | Red Hat and customer | Red Hat and customer | Red Hat and customer |
| Virtual compute management (control plane, infrastructure, and worker nodes) | Red Hat | Red Hat | Red Hat | Red Hat | Red Hat |
| Cluster version | Red Hat | Red Hat and customer | Red Hat | Red Hat | Red Hat |
| Capacity management | Red Hat | Red Hat and customer | Red Hat | Red Hat | Red Hat |
| Virtual storage management | Red Hat | Red Hat | Red Hat | Red Hat | Red Hat |
| AWS software (public AWS services) | AWS | AWS | AWS | AWS | AWS |
| Hardware/AWS global infrastructure | AWS | AWS | AWS | AWS | AWS |

Tasks for shared responsibilities by area

AWS, Red Hat, and customers share responsibility for the monitoring and maintenance of ROSA components. This documentation defines ROSA service responsibilities by area and task.

Incident and operations management

AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the AWS Cloud. Red Hat is responsible for managing the service components necessary for default platform networking. The customer is responsible for incident and operations management of customer application data and any custom networking the customer may have configured.

Resource Service responsibilities Customer responsibilities

Application networking

Red Hat

  • Monitor native OpenShift router service, and respond to alerts.

Customer

  • Monitor health of application routes, and the endpoints behind them.

  • Report outages to AWS and Red Hat.

Virtual networking management

Red Hat

  • Monitor AWS load balancers, Amazon VPC subnets, and AWS service components necessary for default platform networking. Respond to alerts.

Customer

  • Monitor health of AWS load balancer endpoints.

  • Monitor network traffic that is optionally configured through Amazon VPC-to-VPC connection, AWS VPN connection, or AWS Direct Connect for potential issues or security threats.

Virtual storage management

Red Hat

  • Monitor Amazon EBS volumes used for cluster nodes, and Amazon S3 buckets used for the ROSA service’s built-in container image registry. Respond to alerts.

Customer

  • Monitor health of application data.

  • If customer managed AWS KMS keys are used, create and control the key lifecycle and key policies for Amazon EBS encryption.

AWS software (public AWS services)

AWS

Customer

  • Monitor health of AWS resources in the customer account.

  • Use IAM tools to apply the appropriate permissions to AWS resources in the customer account.

Hardware/AWS global infrastructure

AWS

Customer

  • Configure, manage, and monitor customer applications and data to ensure application and data security controls are properly enforced.

Change management

AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the AWS Cloud. Red Hat is responsible for enabling changes to the cluster infrastructure and services that the customer will control, as well as maintaining versions for the control plane nodes, infrastructure nodes, and worker nodes. The customer is responsible for initiating infrastructure changes. The customer is also responsible for installing and maintaining optional services, networking configurations on the cluster, and changes to customer data and applications.

Resource Service responsibilities Customer responsibilities

Logging

Red Hat

  • Centrally aggregate and monitor platform audit logs.

  • Provide and maintain a logging Operator to enable the customer to deploy a logging stack for default application logging.

  • Provide audit logs upon customer request.

Customer

  • Install the optional default application logging Operator on the cluster.

  • Install, configure, and maintain any optional app logging solutions, such as logging sidecar containers or third-party logging applications.

  • Tune size and frequency of application logs being produced by customer applications if they are affecting the stability of the logging stack or the cluster.

  • Request platform audit logs through a support case for researching specific incidents.

Application networking

Red Hat

  • Set up public load balancers. Provide the ability to set up private load balancers and up to one additional load balancer when required.

  • Set up the native OpenShift router service. Provide the ability to set the router as private and add up to one additional router shard.

  • Install, configure, and maintain OpenShift SDN components for default internal pod traffic.

  • Provide the ability for the customer to manage NetworkPolicy and EgressNetworkPolicy (firewall) objects.

Customer

  • Configure non-default pod network permissions for project and pod networks, pod ingress, and pod egress using NetworkPolicy objects.

  • Use OpenShift Cluster Manager to request a private load balancer for default application routes.

  • Use OpenShift Cluster Manager to configure up to one additional public or private router shard and corresponding load balancer.

  • Request and configure any additional service load balancers for specific services.

  • Configure any necessary DNS forwarding rules.

Cluster networking

Red Hat

  • Set up cluster management components, such as public or private service endpoints and necessary integration with Amazon VPC components.

  • Set up internal networking components required for internal cluster communication between worker, infrastructure, and control plane nodes.

Customer

  • Provide optional non-default IP address ranges for machine CIDR, service CIDR, and pod CIDR if needed through OpenShift Cluster Manager when the cluster is provisioned.

  • Request that the API service endpoint be made public or private on cluster creation or after cluster creation through OpenShift Cluster Manager.

Virtual networking management

Red Hat

  • Set up and configure Amazon VPC components required to provision the cluster, such as subnets, load balancers, internet gateways, and NAT gateways.

  • Provide the ability for the customer to manage AWS VPN connectivity with on-premises resources, Amazon VPC-to-VPC connectivity, and AWS Direct Connect as required through OpenShift Cluster Manager.

  • Enable customers to create and deploy AWS load balancers for use with service load balancers.

Customer

  • Set up and maintain optional Amazon VPC components, such as Amazon VPC-to-VPC connection, AWS VPN connection, or AWS Direct Connect.

  • Request and configure any additional load balancers for specific services.

Virtual compute management

Red Hat

  • Set up and configure the ROSA control plane and data plane to use Amazon EC2 instances for cluster compute.

  • Monitor and manage the deployment of Amazon EC2 control plane and infrastructure nodes on the cluster.

Customer

  • Monitor and manage Amazon EC2 worker nodes by creating a machine pool using the OpenShift Cluster Manager or ROSA CLI.

  • Manage changes to customer-deployed applications and application data.

Cluster version

Red Hat

  • Enable upgrade scheduling process.

  • Monitor upgrade progress and remedy any issues encountered.

  • Publish change logs and release notes for minor and maintenance upgrades.

Customer

  • Schedule maintenance version upgrades either immediately, for the future, or have automatic upgrades.

  • Acknowledge and schedule minor version upgrades.

  • Ensure the cluster version stays on a supported minor version.

  • Test customer applications on minor and maintenance versions to ensure compatibility.

Capacity management

Red Hat

  • Monitor the use of the control plane. Control planes include control plane nodes and infrastructure nodes.

  • Scale and resize control plane nodes to maintain quality of service.

Customer

  • Monitor worker node utilization and, if appropriate, enable the auto scaling feature.

  • Determine the scaling strategy of the cluster.

  • Use the provided OpenShift Cluster Manager controls to add or remove additional worker nodes as required.

  • Respond to Red Hat notifications regarding cluster resource requirements.

Virtual storage management

Red Hat

  • Set up and configure Amazon EBS to provision local node storage and persistent volume storage for the cluster.

  • Set up and configure the built-in image registry to use Amazon S3 bucket storage.

  • Regularly prune image registry resources in Amazon S3 to optimize Amazon S3 usage and cluster performance.

Customer

  • Optionally configure the Amazon EBS CSI driver or the Amazon EFS CSI driver to provision persistent volumes on the cluster.

AWS software (public AWS services)

AWS

Compute

  • Provide the Amazon EC2 service, used for ROSA control plane, infrastructure, and worker nodes.

Storage

  • Provide Amazon EBS to allow the ROSA service to provision local node storage and persistent volume storage for the cluster.

Networking

  • Provide the following AWS Cloud services to satisfy ROSA virtual networking infrastructure needs:

    • Amazon VPC

    • Elastic Load Balancing

    • IAM

  • Provide the following optional AWS service integrations for ROSA:

    • AWS VPN

    • AWS Direct Connect

    • AWS PrivateLink

    • AWS Transit Gateway

Customer

  • Sign requests using an access key ID and secret access key associated with an IAM principal or AWS STS temporary security credentials.

  • Specify VPC subnets for the cluster to use during cluster creation.

  • Optionally configure a customer-managed VPC for use with ROSA clusters.

Hardware/AWS global infrastructure

AWS

Customer

  • Implement change management best practices for customer applications and data hosted on the AWS Cloud.

Access and identity authorization

Access and identity authorization includes responsibilities for managing authorized access to clusters, applications, and infrastructure resources. This includes tasks such as providing access control mechanisms, authentication, authorization, and managing access to resources.

Resource Service responsibilities Customer responsibilities

Logging

Red Hat

  • Adhere to an industry standards-based tiered internal access process for platform audit logs.

  • Provide native OpenShift RBAC capabilities.

Customer

  • Configure OpenShift RBAC to control access to projects and by extension a project’s application logs.

  • For third-party or custom application logging solutions, the customer is responsible for access management.

Application networking

Red Hat

  • Provide native OpenShift RBAC and dedicated-admin capabilities.

Customer

  • Configure OpenShift dedicated-admin and RBAC to control access to route configuration as required.

  • Manage Red Hat organization administrators for Red Hat to grant access to OpenShift Cluster Manager. The cluster manager is used to configure router options and provide service load balancer quota.

Cluster networking

Red Hat

  • Provide customer access controls through OpenShift Cluster Manager. Provide native OpenShift RBAC and dedicated-admin capabilities.

Customer

  • Configure OpenShift dedicated-admin and RBAC to control access to route configuration as required.

  • Manage Red Hat organization membership of Red Hat accounts.

  • Manage organization administrators for Red Hat to grant access to OpenShift Cluster Manager.

Virtual networking management

Red Hat

  • Provide customer access controls through OpenShift Cluster Manager.

Customer

  • Manage optional user access to AWS components through OpenShift Cluster Manager.

Virtual compute management

Red Hat

  • Provide customer access controls through OpenShift Cluster Manager.

Customer

  • Manage optional user access to AWS components through OpenShift Cluster Manager.

  • Create IAM roles and attached policies necessary to enable ROSA service access.

Virtual storage management

Red Hat

  • Provide customer access controls through OpenShift Cluster Manager.

Customer

  • Manage optional user access to AWS components through OpenShift Cluster Manager.

  • Create IAM roles and attached policies necessary to enable ROSA service access.

AWS software (public AWS services)

AWS

Compute

  • Provide the Amazon EC2 service, used for ROSA control plane, infrastructure, and worker nodes.

Storage

  • Provide Amazon EBS, used to allow ROSA to provision local node storage and persistent volume storage for the cluster.

  • Provide Amazon S3, used for the service’s built-in image registry.

Networking

  • Provide AWS Identity and Access Management (IAM), used by customers to control access to ROSA resources running on customer accounts.

Customer

  • Create IAM roles and attached policies necessary to enable ROSA service access.

  • Use IAM tools to apply the appropriate permissions to AWS resources in the customer account.

  • To enable ROSA across your AWS organization, the customer is responsible for managing AWS Organizations administrators.

  • To enable ROSA across your AWS organization, the customer is responsible for distributing the ROSA entitlement grant using AWS License Manager.

Hardware/AWS global infrastructure

AWS

  • For information on physical access controls for AWS data centers, see Our Controls on the AWS Cloud Security page.

Customer

  • Customer is not responsible for AWS global infrastructure.

Security and regulation compliance

The following are the responsibilities and controls related to compliance:

Resource Service responsibilities Customer responsibilities

Logging

Red Hat

  • Send cluster audit logs to a Red Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.

Customer

  • Analyze application logs for security events.

  • Send application logs to an external endpoint through logging sidecar containers or third-party logging applications if longer retention is required than is offered by the default logging stack.

Virtual networking management

Red Hat

  • Monitor virtual networking components for potential issues and security threats.

  • Use public AWS tools for additional monitoring and protection.

Customer

  • Monitor optional configured virtual networking components for potential issues and security threats.

  • Configure any necessary firewall rules or customer data center protections as required.

Virtual compute management

Red Hat

  • Monitor virtual compute components for potential issues and security threats.

  • Use public AWS tools for additional monitoring and protection.

Customer

  • Monitor optional configured virtual networking components for potential issues and security threats.

  • Configure any necessary firewall rules or customer data center protections as required.

Virtual storage management

Red Hat

  • Monitor virtual storage components for potential issues and security threats.

  • Use public AWS tools for additional monitoring and protection.

  • Configure the ROSA service to encrypt control plane, infrastructure, and worker node volume data by default using the AWS managed KMS key that Amazon EBS provides.

  • Configure the ROSA service to encrypt customer persistent volumes that use the default storage class with the AWS managed KMS key that Amazon EBS provides.

  • Provide the ability for the customer to use a customer managed KMS key to encrypt persistent volumes.

  • Configure the container image registry to encrypt image registry data at rest using server-side encryption with Amazon S3 managed keys (SSE-S3).

  • Provide the ability for the customer to create a public or private Amazon S3 image registry to protect their container images from unauthorized user access.

Customer

  • Provision Amazon EBS volumes.

  • Manage Amazon EBS volume storage to ensure enough storage is available to mount as a volume in ROSA.

  • Create the persistent volume claim and generate a persistent volume through OpenShift Cluster Manager.

AWS software (public AWS services)

AWS

Compute

Storage

  • Provide Amazon EBS, used for ROSA control plane, infrastructure, and worker node volumes, as well as Kubernetes persistent volumes. For more information, see Data protection in Amazon EC2 in the Amazon EC2 User Guide.

  • Provide AWS KMS, which ROSA uses to encrypt control plane, infrastructure, and worker node volumes and persistent volumes. For more information, see Amazon EBS encryption in the Amazon EC2 User Guide.

  • Provide Amazon S3, used for the ROSA service’s built-in container image registry. For more information, see Amazon S3 security in the Amazon S3 User Guide.

Networking

  • Provide security capabilities and services to increase privacy and control network access on AWS global infrastructure, including network firewalls built into Amazon VPC, private or dedicated network connections, and automatic encryption of all traffic on the AWS global and regional networks between AWS secured facilities. For more information, see the AWS Shared Responsibility Model and Infrastructure security in the Introduction to AWS Security whitepaper.

Customer

  • Ensure security best practices and the principle of least privilege are followed to protect data on the Amazon EC2 instance. For more information, see Infrastructure security in Amazon EC2 and Data protection in Amazon EC2.

  • Monitor optional configured virtual networking components for potential issues and security threats.

  • Configure any necessary firewall rules or customer data center protections as required.

  • Create an optional customer managed KMS key and encrypt the Amazon EBS persistent volume using the KMS key.

  • Monitor the customer data in virtual storage for potential issues and security threats. For more information, see the AWS Shared Responsibility Model.

Hardware/AWS global infrastructure

AWS

  • Provide the AWS global infrastructure that ROSA uses to deliver service functionality. For more information about AWS security controls, see Security of the AWS Infrastructure in the AWS whitepaper.

  • Provide documentation for the customer to manage compliance needs and check their security state in AWS using tools such as AWS Artifact and AWS Security Hub.

Customer

  • Configure, manage, and monitor customer applications and data to ensure application and data security controls are properly enforced.

  • Use IAM tools to apply the appropriate permissions to AWS resources in the customer account.

Disaster recovery

Disaster recovery includes data and configuration backup, data replication and configuration of the disaster recovery environment, and failover on disaster events.

Resource Service responsibilities Customer responsibilities

Virtual networking management

Red Hat

  • Restore or recreate affected virtual network components that are necessary for the platform to function.

Customer

  • Configure virtual networking connections with more than one tunnel where possible for protection against outages.

  • Maintain failover DNS and load balancing if using a global load balancer with multiple clusters.

Virtual compute management

Red Hat

  • Monitor the cluster and replace failed Amazon EC2 control plane or infrastructure nodes.

  • Provide the ability for the customer to manually or automatically replace failed worker nodes.

Customer

  • Replace failed Amazon EC2 worker nodes by editing the machine pool configuration through OpenShift Cluster Manager or the ROSA CLI.

Virtual storage management

Red Hat

  • For ROSA clusters created with AWS IAM user credentials, back up all Kubernetes objects on the cluster through hourly, daily, and weekly volume snapshots.

Customer

  • Back up customer applications and application data.

AWS software (public AWS services)

AWS

Compute

  • Provide Amazon EC2 features that support data resiliency such as Amazon EBS snapshots and Amazon EC2 Auto Scaling. For more information, see Resilience in Amazon EC2 in the Amazon EC2 User Guide.

Storage

  • Provide the ability for the ROSA service and customers to back up the Amazon EBS volume on the cluster through Amazon EBS volume snapshots.

  • For information about Amazon S3 features that support data resiliency, see Resilience in Amazon S3.

Networking

Customer

  • Configure ROSA multi-AZ clusters to improve fault tolerance and cluster availability.

  • Provision persistent volumes using the Amazon EBS CSI driver to enable volume snapshots.

  • Create CSI volume snapshots of Amazon EBS persistent volumes.
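An added example (not from the AWS or Red Hat documentation) that covers two customer responsibilities on this page together: encrypting Amazon EBS persistent volumes with a customer managed KMS key (Security and regulation compliance, Virtual storage management) and taking CSI volume snapshots of those volumes with the Amazon EBS CSI driver (this Disaster recovery section). The KMS key ARN, namespace and object names are assumed placeholders; the `ebs.csi.aws.com` provisioner and the `encrypted`/`kmsKeyId` StorageClass parameters are those of the Amazon EBS CSI driver.

```yaml
# Added example, not from the AWS or Red Hat documentation.
# The KMS key ARN, namespace "my-app" and all object names are assumed placeholders.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: gp3-cmk-encrypted
provisioner: ebs.csi.aws.com          # Amazon EBS CSI driver
parameters:
  type: gp3
  encrypted: "true"                   # EBS encryption at rest for every volume of this class
  kmsKeyId: arn:aws:kms:REGION:111122223333:key/KEY-ID-PLACEHOLDER   # customer managed key
volumeBindingMode: WaitForFirstConsumer   # create the volume in the AZ of the scheduled pod
reclaimPolicy: Delete
allowVolumeExpansion: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
  namespace: my-app
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: gp3-cmk-encrypted # opt out of the default (AWS managed key) class
  resources:
    requests:
      storage: 20Gi
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: ebs-csi-snapclass
driver: ebs.csi.aws.com
deletionPolicy: Retain                # keep the EBS snapshot even if this object is deleted
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: app-data-snap-1
  namespace: my-app
spec:
  volumeSnapshotClassName: ebs-csi-snapclass
  source:
    persistentVolumeClaimName: app-data   # snapshot of the encrypted volume above
```

The key policy on the customer managed key (the customer's responsibility per the Incident and operations management table) must let the cluster's EBS CSI driver use the key, or volume provisioning for this class fails; the resulting EBS snapshot is encrypted with the same key as its source volume.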

Hardware/AWS global infrastructure

AWS

  • Provide AWS global infrastructure that allows ROSA to scale control plane, infrastructure, and worker nodes across Availability Zones. This functionality enables ROSA to orchestrate automatic failover between zones without interruption.

  • For more information about disaster recovery best practices, see Disaster recovery options in the cloud in the AWS Well-Architected Framework.

Customer

  • Configure ROSA multi-AZ clusters to improve fault tolerance and cluster availability.

Customer responsibilities for data and applications

The customer is responsible for the applications, workloads, and data that they deploy to Red Hat OpenShift Service on AWS. However, AWS and Red Hat provide various tools to help the customer manage data and applications on the platform.

Resource How AWS and Red Hat help Customer responsibilities

Customer data

Red Hat

  • Maintain platform-level standards for data encryption as defined by industry security and compliance standards.

  • Provide OpenShift components to help manage application data, such as secrets.

  • Enable integration with data services such as Amazon RDS to store and manage data outside of the cluster and/or AWS.

AWS

  • Provide Amazon RDS to allow customers to store and manage data outside of the cluster.

Customer

  • Maintain responsibility for all customer data stored on the platform and how customer applications consume and expose this data.

Customer applications

Red Hat

  • Provision clusters with OpenShift components installed so that customers can access the OpenShift and Kubernetes APIs to deploy and manage containerized applications.

  • Create clusters with image pull secrets so that customer deployments can pull images from the Red Hat Container Catalog registry.

  • Provide access to OpenShift APIs that a customer can use to set up Operators to add community, third-party, AWS, and Red Hat services to the cluster.

  • Provide storage classes and plugins to support persistent volumes for use with customer applications.

  • Provide a container image registry so customers can securely store application container images on the cluster to deploy and manage applications.

AWS

  • Provide Amazon EBS to support persistent volumes for use with customer applications.

  • Provide Amazon S3 to support Red Hat provisioning of the container image registry.

Customer