From d87e9de65fb30ad35cc8d025f9b2b2f9c1c39da9 Mon Sep 17 00:00:00 2001 From: Frances_McDonald Date: Thu, 12 Dec 2024 18:20:31 +0000 Subject: [PATCH] adding updates as suggestedby CS for SRE access information in Approved Access fixing link in table for Approved Access updated CS replies updated numbers removed number from CEE row in table --- modules/rosa-red-hat-support-access.adoc | 35 ++++++++++++++++-------- support/approved-access.adoc | 4 ++- 2 files changed, 27 insertions(+), 12 deletions(-) diff --git a/modules/rosa-red-hat-support-access.adoc b/modules/rosa-red-hat-support-access.adoc index 46cc59f737..2128c528a4 100644 --- a/modules/rosa-red-hat-support-access.adoc +++ b/modules/rosa-red-hat-support-access.adoc @@ -14,20 +14,34 @@ Members of the Red{nbsp}Hat Customer Experience and Engagement (CEE) team typica | Role | Core namespace | Layered product namespace | Customer namespace | AWS account^*^ -|OpenShift SRE| Read: All +|OpenShift SRE - Normal operations ^[1]^| Read: All Write: Very -limited ^[1]^ +limited | Read: All Write: None -| Read: None^[2]^ +| Read: None Write: None -|Read: All ^[3]^ +|Read: None -Write: All ^[3]^ +Write: None + +|OpenShift SRE - Elevated Access ^[2]^ (Gated by link:https://docs.openshift.com/rosa/support/approved-access.html[Approved Access])| Read: All + +Write: All + +| Read: All + +Write: All +| Read: All + +Write: All +|Read: All + +Write: All |CEE |Read: All @@ -38,7 +52,7 @@ Write: None Write: None -|Read: None^[2]^ +|Read: None Write: None @@ -72,9 +86,9 @@ Write: None Write: None -|Read: Limited^[4]^ +|Read: Limited ^[3]^ -Write: Limited^[4]^ +Write: Limited ^[3]^ |Read: None 
@@ -97,7 +111,6 @@ Write: None |=== -- 1. Limited to addressing common use cases such as failing deployments, upgrading a cluster, and replacing bad worker nodes. -2. Red{nbsp}Hat associates have no access to customer data by default. -3. SRE access to the AWS account is an emergency procedure for exceptional troubleshooting during a documented incident. -4. Limited to what is granted through RBAC by the Customer Administrator and namespaces created by the user. +2. Elevated access gives SRE the access levels of a cluster-admin role. See link:https://docs.openshift.com/container-platform/4.17/authentication/using-rbac.html#default-roles_using-rbac[cluster roles] for more information. +3. Limited to what is granted through RBAC by the Customer Administrator and namespaces created by the user. -- \ No newline at end of file diff --git a/support/approved-access.adoc b/support/approved-access.adoc index 24f0610244..064819defd 100644 --- a/support/approved-access.adoc +++ b/support/approved-access.adoc 
@@ -9,7 +9,9 @@ endif::[] toc::[] -Red{nbsp}Hat Site Reliability Engineering (SRE) typically does not require an elevated access to systems as part of normal operations to manage and support {product-title} clusters. In the unlikely event that SRE needs elevated access to systems, you can use the _Approved Access_ interface to review and _approve_ or _deny_ access to these systems. +Red{nbsp}Hat Site Reliability Engineering (SRE) typically does not require elevated access to systems as part of normal operations to manage and support {product-title} clusters. Elevated access gives SRE the access levels of a cluster-admin role. See link:https://docs.openshift.com/container-platform/4.17/authentication/using-rbac.html#default-roles_using-rbac[cluster roles] for more information. + +In the unlikely event that SRE needs elevated access to systems, you can use the _Approved Access_ interface to review and _approve_ or _deny_ access to these systems. Elevated access requests to clusters on {product-rosa} clusters and the corresponding cloud accounts can be created by SRE either in response to a customer-initiated support ticket or in response to alerts received by SRE as part of the standard incident response process.
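Review bot: In the `@@ -14,20 +14,34 @@` hunk of modules/rosa-red-hat-support-access.adoc, the `^[1]^` marker moves from the `Write: Very limited` cell to the role name "OpenShift SRE - Normal operations", but footnote 1 still reads "Limited to addressing common use cases such as failing deployments, upgrading a cluster, and replacing bad worker nodes." That text qualifies the write permission, not the role, so a reader can no longer tell which cell it limits. Keep the marker on `limited`, or reword footnote 1 so that it describes normal operations as a whole.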
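Review bot: In the `@@ -97,7 +111,6 @@` footnote hunk, dropping old footnotes 2 and 3 removes two access-control statements that nothing else in the patch restates: "Red{nbsp}Hat associates have no access to customer data by default" and "SRE access to the AWS account is an emergency procedure for exceptional troubleshooting during a documented incident." The new footnote 2 describes elevated access only as cluster-admin, which is a cluster RBAC role and does not explain the `Read: All` / `Write: All` entry in the AWS account column of the new Elevated Access row. Consider keeping a footnote on that AWS account cell that states the conditions for cloud account access, and keeping the default no-customer-data statement on the `Read: None` customer namespace cells for SRE normal operations and CEE.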
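Review bot: In support/approved-access.adoc, the added sentence links to `container-platform/4.17/authentication/using-rbac.html`, a version-pinned URL from a different docs set that will go stale as releases move on; the same sentence and link are duplicated in footnote 2 of the module. Consider an unversioned or attribute-driven link, and keep the wording in one place so the two copies cannot drift. The paragraph also equates elevated access with cluster-admin only, while the following context line says requests cover "the corresponding cloud accounts", so it is worth stating here whether approval also grants cloud account access.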