IP Whitelist for OSD

_topic_maps/_topic_map_osd.yml

@@ -375,6 +375,8 @@ Distros: openshift-dedicated
 Topics:
 - Name: Viewing audit logs
   File: audit-log-view
+- Name: Required allowlist IP addresses for SRE cluster access
+  File: rh-required-whitelisted-IP-addresses-for-sre-access
 ---
 Name: Authentication and authorization
 Dir: authentication

modules/ccs-gcp-customer-requirements.adoc

@@ -62,6 +62,11 @@ This policy only provides Red Hat with permissions and capabilities to change re
 
 * Volume snapshots will remain within the customer-provided GCP account and customer-specified region.
 
-* Red Hat must have ingress access to the API server through white-listed Red Hat machines.
-
+* Red Hat must have ingress access to the API server through allowlist IP addresses.
++
+[NOTE]
+====
+For information about allowlist IP addresses, see Additional resources.
+====
++
 * Red Hat must have egress allowed to forward system and audit logs to a Red Hat managed central logging stack.

osd_planning/gcp-ccs.adoc

@@ -15,3 +15,8 @@ include::modules/ccs-gcp-customer-procedure.adoc[leveloffset=+1]
 include::modules/ccs-gcp-iam.adoc[leveloffset=+1]
 include::modules/ccs-gcp-provisioned.adoc[leveloffset=+1]
 include::modules/gcp-limits.adoc[leveloffset=+1]
+
+[id="additional-resources_{context}"]
+== Additional resources
+
+* xref:../security/rh-required-whitelisted-IP-addresses-for-sre-access.adoc#rh-required-whitelisted-IP-addresses-for-sre-access[Required allowlist IP addresses for SRE access]

security/rh-required-whitelisted-IP-addresses-for-sre-access.adoc

@@ -0,0 +1,39 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rh-required-whitelisted-IP-addresses-for-sre-access_{context}"]
+include::_attributes/attributes-openshift-dedicated.adoc[]
+include::_attributes/common-attributes.adoc[]
+= Required allowlist IP addresses for SRE cluster access
+
+:context: rh-required-whitelisted-IP-addresses-for-sre-access
+
+toc::[]
+
+[id="required-whitelisted-overview_{context}"]
+== Overview
+
+For Red Hat SREs to troubleshoot any issues within {product-title} clusters, they must have ingress access to the API server through allowlist IP addresses.
+
+[id="required-whitelisted-access_{context}"]
+== Obtaining  allowlisted IP addresses
+{product-title} users can use an {cluster-manager} CLI command to obtain the most up-to-date allowlist IP addresses for the Red Hat machines that are necessary for SRE access to {product-title} clusters.
+
+[NOTE]
+====
+These allowlist IP addresses are not permanent and are subject to change. You must continuously review the API output for the most current allowlist IP addresses.
+====
+.Prerequisites
+*  You installed the link:https://console.redhat.com/openshift/downloads[OpenShift Cluster Manager API command-line interface (`ocm`)].
+* You are able to configure your firewall to include the allowlist IP addresses.
+
+.Procedure
+. To get the current allowlist IP addresses needed for SRE access to your {product-title} cluster, run the following command:
++
+[source,terminal]
+----
+$ ocm get /api/clusters_mgmt/v1/trusted_ip_addresses|jq -r '.items[].id'
+----
+. Configure your firewall to grant access to the allowlist IP addresses.
+
+
+
+