diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml
index cbc00aa45c..4bf9b98fb3 100644
--- a/_topic_maps/_topic_map_osd.yml
+++ b/_topic_maps/_topic_map_osd.yml
@@ -375,6 +375,8 @@ Distros: openshift-dedicated
 Topics:
 - Name: Viewing audit logs
   File: audit-log-view
+- Name: Required allowlist IP addresses for SRE cluster access
+  File: rh-required-whitelisted-IP-addresses-for-sre-access
 ---
 Name: Authentication and authorization
 Dir: authentication
diff --git a/modules/ccs-gcp-customer-requirements.adoc b/modules/ccs-gcp-customer-requirements.adoc
index de3f6ce96b..86af20e2d1 100644
--- a/modules/ccs-gcp-customer-requirements.adoc
+++ b/modules/ccs-gcp-customer-requirements.adoc
@@ -62,6 +62,11 @@ This policy only provides Red Hat with permissions and capabilities to change re
 * Volume snapshots will remain within the customer-provided GCP account and customer-specified region.
-* Red Hat must have ingress access to the API server through white-listed Red Hat machines.
-
+* Red Hat must have ingress access to the API server through allowlist IP addresses.
++
+[NOTE]
+====
+For information about allowlist IP addresses, see Additional resources.
+====
++
 * Red Hat must have egress allowed to forward system and audit logs to a Red Hat managed central logging stack.
diff --git a/osd_planning/gcp-ccs.adoc b/osd_planning/gcp-ccs.adoc
index 83dd24cf4b..e8105feab4 100644
--- a/osd_planning/gcp-ccs.adoc
+++ b/osd_planning/gcp-ccs.adoc
@@ -15,3 +15,8 @@ include::modules/ccs-gcp-customer-procedure.adoc[leveloffset=+1]
 include::modules/ccs-gcp-iam.adoc[leveloffset=+1]
 include::modules/ccs-gcp-provisioned.adoc[leveloffset=+1]
 include::modules/gcp-limits.adoc[leveloffset=+1]
+
+[id="additional-resources_{context}"]
+== Additional resources
+
+* xref:../security/rh-required-whitelisted-IP-addresses-for-sre-access.adoc#rh-required-whitelisted-IP-addresses-for-sre-access[Required allowlist IP addresses for SRE access]
\ No newline at end of file
diff --git a/security/rh-required-whitelisted-IP-addresses-for-sre-access.adoc b/security/rh-required-whitelisted-IP-addresses-for-sre-access.adoc
new file mode 100644
index 0000000000..4c0ef5ccf3
--- /dev/null
+++ b/security/rh-required-whitelisted-IP-addresses-for-sre-access.adoc
@@ -0,0 +1,39 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rh-required-whitelisted-IP-addresses-for-sre-access_{context}"]
+include::_attributes/attributes-openshift-dedicated.adoc[]
+include::_attributes/common-attributes.adoc[]
+= Required allowlist IP addresses for SRE cluster access
+
+:context: rh-required-whitelisted-IP-addresses-for-sre-access
+
+toc::[]
+
+[id="required-whitelisted-overview_{context}"]
+== Overview
+
+For Red Hat SREs to troubleshoot any issues within {product-title} clusters, they must have ingress access to the API server through allowlist IP addresses.
+
+[id="required-whitelisted-access_{context}"]
+== Obtaining allowlisted IP addresses
+{product-title} users can use an {cluster-manager} CLI command to obtain the most up-to-date allowlist IP addresses for the Red Hat machines that are necessary for SRE access to {product-title} clusters.
+
+[NOTE]
+====
+These allowlist IP addresses are not permanent and are subject to change. You must continuously review the API output for the most current allowlist IP addresses.
+====
+.Prerequisites
+* You installed the link:https://console.redhat.com/openshift/downloads[OpenShift Cluster Manager API command-line interface (`ocm`)].
+* You are able to configure your firewall to include the allowlist IP addresses.
+
+.Procedure
+. To get the current allowlist IP addresses needed for SRE access to your {product-title} cluster, run the following command:
++
+[source,terminal]
+----
+$ ocm get /api/clusters_mgmt/v1/trusted_ip_addresses|jq -r '.items[].id'
+----
+. Configure your firewall to grant access to the allowlist IP addresses.
+
+
+