openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00
Code Issues Releases Activity

rebase OSDOCS-5470: Rework Responsibility Assignment and Process/Security Sections

Browse Source
This commit is contained in:
Janelle Neczypor
2023-07-19 15:49:17 -07:00
committed by openshift-cherrypick-robot
parent a0c4f0b8d4
commit fc08160f5c
12 changed files with 552 additions and 544 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
_topic_maps/_topic_map_rosa.yml
View File

@@ -65,7 +65,7 @@ Topics:
File: rosa-service-definition
- Name: ROSA update life cycle
File: rosa-life-cycle
- Name: Understanding process and security for ROSA
- Name: Understanding security for ROSA
File: rosa-policy-process-security
# - Name: SRE and service account access
# File: rosa-sre-access

163
modules/rosa-policy-change-management.adoc
View File

@@ -1,14 +1,16 @@
// Module included in the following assemblies:
//
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-shared-responsibility.adoc
[id="rosa-policy-change-management_{context}"]
= Change management
This section describes the policies about how cluster and configuration changes, patches, and releases are managed.
Red Hat is responsible for enabling changes to the cluster infrastructure and services that the customer will control, as well as maintaining versions for the control plane nodes, infrastructure nodes and services, and worker nodes. AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the
AWS Cloud. The customer is responsible for initiating infrastructure change requests and installing and maintaining optional services and networking configurations on the cluster, as well as all changes to customer data and customer applications.
[id="rosa-policy-customer-initiated-changes_{context}"]
== Customer-initiated changes
@@ -66,3 +68,160 @@ Because the required permissions can change between y-stream releases, the polic
====
You can review the history of all cluster upgrade events in the {cluster-manager} web console. For more information about releases, see the link:https://access.redhat.com/support/policy/updates/openshift/dedicated[Life Cycle policy].
[cols="2a,3a,3a",options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Logging
|**Red Hat**
- Centrally aggregate and monitor platform audit logs.
- Provide and maintain a logging Operator to enable the customer to deploy a logging stack for default application logging.
- Provide audit logs upon customer request.
|- Install the optional default application logging Operator on the cluster.
- Install, configure, and maintain any optional application logging solutions, such as logging sidecar containers or third-party logging applications.
- Tune size and frequency of application logs being produced by customer applications if they are affecting the stability of the logging stack or the cluster.
- Request platform audit logs through a support case for researching specific incidents.
|Application networking
|**Red Hat**
- Set up public load balancers. Provide the ability to set up private load balancers and up to one additional load balancer when required.
- Set up native OpenShift router service. Provide the ability to set the router as private and add up to one additional router shard.
- Install, configure, and maintain OpenShift SDN components for default internal pod traffic (for clusters created prior to version 4.11).
- Provide the ability for the customer to manage `NetworkPolicy` and `EgressNetworkPolicy` (firewall) objects.
|- Configure non-default pod network permissions for project and pod networks, pod ingress, and pod egress using `NetworkPolicy` objects.
- Use {cluster-manager} to request a private load balancer for default application routes.
- Use {cluster-manager} to configure up to one additional public or private router shard and corresponding load balancer.
- Request and configure any additional service load balancers for specific services.
- Configure any necessary DNS forwarding rules.
|Cluster networking
|**Red Hat**
- Set up cluster management components, such as public or private service endpoints and necessary integration with Amazon VPC components.
- Set up internal networking components required for internal cluster communication between worker, infrastructure, and control plane nodes.
|- Provide optional non-default IP address ranges for machine CIDR, service CIDR, and pod CIDR if needed through {cluster-manager} when the cluster is provisioned.
- Request that the API service endpoint be made public or private on cluster creation or after cluster creation through {cluster-manager}.
|Virtual networking management
|**Red Hat**
- Set up and configure Amazon VPC components required to provision the cluster, such as subnets, load balancers, internet gateways, and NAT gateways.
- Provide the ability for the customer to
manage AWS VPN connectivity with on-premises resources, Amazon VPC-to-VPC connectivity, and AWS Direct Connect as required through {cluster-manager}.
- Enable customers to create and deploy AWS load balancers for use with service load balancers.
|- Set up and maintain optional Amazon VPC components, such as Amazon VPC-to-VPC connection, AWS VPN connection, or AWS Direct Connect.
- Request and configure any additional service load balancers for specific services.
|Virtual compute management
|**Red Hat**
- Set up and configure the ROSA control plane and data plane to use Amazon EC2 instances for cluster compute.
- Monitor and manage the deployment of Amazon EC2 control plane and infrastructure nodes on the cluster.
|- Monitor and manage Amazon EC2 worker nodes by creating a
machine pool using the OpenShift Cluster Manager or the ROSA CLI (`rosa`).
- Manage changes to customer-deployed applications and application data.
|Cluster version
|**Red Hat**
- Enable upgrade scheduling process.
- Monitor upgrade progress and remedy any issues encountered.
- Publish change logs and release notes for patch release upgrades.
|- Either set up automatic upgrades or schedule patch release upgrades immediately or for the future.
- Acknowledge and schedule minor version upgrades.
- Test customer applications on patch releases to ensure compatibility.
|Capacity management
|**Red Hat**
- Monitor the use of the control plane. Control planes include control plane nodes and infrastructure nodes.
- Scale and resize control plane nodes to maintain quality of service.
| - Monitor worker node utilization and, if appropriate, enables the auto-scaling feature.
- Determine the scaling strategy of the cluster. See the additional resources for more information on machine pools.
- Use the provided {cluster-manager} controls to add or remove additional worker nodes as required.
- Respond to Red Hat notifications regarding cluster resource requirements.
|Virtual storage management
|**Red Hat**
- Set up and configure Amazon EBS to provision local node storage and persistent volume storage for the cluster.
- Set up and configure the built-in image registry to use Amazon S3 bucket storage.
- Regularly prune image registry resources in
Amazon S3 to optimize Amazon S3 usage and cluster performance.
| - Optionally configure the Amazon EBS CSI driver or the Amazon
EFS CSI driver to provision persistent volumes on the cluster.
|AWS software (public AWS services)
|**AWS**
**Compute:** Provide the Amazon EC2 service, used for
ROSA control plane, infrastructure, and worker nodes.
**Storage:** Provide Amazon EBS, used by ROSA to provision local node storage and persistent volume storage for the cluster.
**Storage:** Provide Amazon S3, used for the ROSA service's
built-in image registry.
**Networking:**
Provide the following AWS Cloud services, used by ROSA
to satisfy virtual networking
infrastructure needs:
** Amazon VPC
** Elastic Load Balancing
** AWS IAM
**Networking:**
Provide the following AWS services, which customers can optionally integrate with ROSA:
- AWS VPN
- AWS Direct Connect
- AWS PrivateLink
- AWS Transit Gateway
| - Sign requests using an access key ID and secret access key
associated with an IAM principal or STS temporary security
credentials.
- Specify VPC subnets for the cluster to use during cluster
creation.
- Optionally configure a customer-managed VPC for use with ROSA clusters (required for PrivateLink and HCP clusters).
|Hardware/AWS global infrastructure
|**AWS**
- For information regarding management controls for AWS data centers, see link:https://aws.amazon.com/compliance/data-center/controls[Our Controls] on the AWS Cloud Security page.
- For information regarding change management best practices, see link:https://aws.amazon.com/solutions/guidance/change-management-on-aws/[Guidance for Change Management on AWS] in the AWS Solutions Library.
|- Implement change management best practices for customer
applications and data hosted on the AWS Cloud.
|===

3
modules/rosa-policy-customer-responsibility.adoc
View File

@@ -4,8 +4,7 @@
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc
[id="rosa-policy-customer-responsibility_{context}"]
= Customer responsibilities for data and applications
= Additional customer responsibilities for data and applications
The customer is responsible for the applications, workloads, and data that they deploy to Red Hat
OpenShift Service on AWS. However, Red Hat and AWS provide various tools to help the customer

77
modules/rosa-policy-disaster-recovery.adoc
View File

@@ -1,11 +1,10 @@
// Module included in the following assemblies:
//
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-shared-responsibility.adoc
[id="rosa-policy-disaster-recovery_{context}"]
= Disaster recovery
Disaster recovery includes data and configuration backup, replicating data and configuration to the disaster recovery environment, and failover on disaster events.
{product-title} (ROSA) provides disaster recovery for failures that occur at the pod, worker node, infrastructure node, control plane node, and availability zone levels.
@@ -14,3 +13,75 @@ All disaster recovery requires that the customer use best practices for deployin
One single-zone cluster will not provide disaster avoidance or recovery in the event of an availability zone or region outage. Multiple single-zone clusters with customer-maintained failover can account for outages at the zone or at the regional level.
One multi-zone cluster will not provide disaster avoidance or recovery in the event of a full region outage. Multiple multi-zone clusters with customer-maintained failover can account for outages at the regional level.
[cols="2a,3a,3a" ,options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Virtual networking management
|**Red Hat**
- Restore or recreate affected virtual network components that are necessary for the platform to function.
|- Configure virtual networking connections with more than one tunnel where possible for protection against outages as recommended by the public cloud provider.
- Maintain failover DNS and load balancing if using a global load balancer with multiple clusters.
|Virtual Storage management
|**Red Hat**
- For ROSA clusters created with IAM user credentials, back up all Kubernetes objects on the cluster through hourly, daily, and weekly volume snapshots.
- For ROSA clusters created with IAM user credentials, back up persistent volumes on the cluster through daily and weekly volume snapshots.
|- Back up customer applications and application data.
|Virtual compute management
|**Red Hat**
- Monitor the cluster and replace failed Amazon EC2 control plane or infrastructure nodes.
- Provide the ability for the customer to manually or automatically replace failed worker nodes.
|- Replace failed Amazon EC2 worker nodes by editing the
machine pool configuration through OpenShift Cluster Manager or the ROSA CLI.
|AWS software (public AWS services)
|**AWS**
**Compute:** Provide Amazon EC2 features that support data resiliency such as Amazon EBS snapshots and Amazon EC2 Auto Scaling. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/disaster-recovery-resiliency.html[Resilience in Amazon EC2] in the EC2 User Guide.
**Storage:** Provide the ability for the ROSA service
and customers to back up the Amazon EBS volume on the cluster through Amazon EBS volume snapshots.
**Storage:** For information about Amazon S3 features that support data resiliency, see link:https://docs.aws.amazon.com/AmazonS3/latest/userguide/disaster-recovery-resiliency.html[Resilience in Amazon S3].
**Networking:** For information about Amazon VPC features that support data resiliency, see link:https://docs.aws.amazon.com/vpc/latest/userguide/disaster-recovery-resiliency.html[Resilience in Amazon Virtual Private
Cloud] in the Amazon VPC User Guide.
|- Configure ROSA
multi-AZ clusters to
improve fault
tolerance and cluster
availability.
- Provision persistent
volumes using the
Amazon EBS CSI
driver to enable
volume snapshots.
- Create CSI volume snapshots of Amazon
EBS persistent volumes.
|Hardware/AWS global infrastructure
|**AWS**
- Provide AWS global infrastructure that allows ROSA to scale control plane, infrastructure, and worker nodes across
Availability Zones. This functionality enables ROSA to orchestrate automatic failover between zones without interruption.
- For more information about disaster recovery best practices, see link:https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html[Disaster recovery options in the cloud] in the AWS
Well-Architected Framework.
|- Configure ROSA multi-AZ clusters to improve fault tolerance and cluster availability.
|===

93
modules/rosa-policy-identity-access-management.adoc
View File

@@ -1,7 +1,7 @@
// Module included in the following assemblies:
//
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-shared-responsibility.adoc
[id="rosa-policy-identity-access-management_{context}"]
= Identity and access management
@@ -155,3 +155,94 @@ Customer access is limited to namespaces created by the customer and permissions
[id="rosa-policy-access-approval_{context}"]
== Access approval and review
New SRE user access requires management approval. Separated or transferred SRE accounts are removed as authorized users through an automated process. Additionally, the SRE performs periodic access review, including management sign-off of authorized user lists.
The access and identity authorization table includes responsibilities for managing authorized access to clusters, applications, and infrastructure resources. This includes tasks such as providing access control mechanisms, authentication, authorization, and managing access to resources.
[cols="2a,3a,3a",options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Logging
|**Red Hat**
- Adhere to an industry standards-based tiered internal access process for platform audit logs.
- Provide native OpenShift RBAC capabilities.
|- Configure OpenShift RBAC to control access to projects and by extension a projects application logs.
- For third-party or custom application logging solutions, the customer is responsible for access management.
|Application networking
|**Red Hat**
- Provide native OpenShift RBAC and `dedicated-admin` capabilities.
|- Configure OpenShift `dedicated-admin` and RBAC to control access to route configuration as required.
- Manage organization administrators for Red Hat to grant access to {cluster-manager}. The cluster manager is used to configure router options and provide service load balancer quota.
|Cluster networking
|**Red Hat**
- Provide customer access controls through {cluster-manager}.
- Provide native OpenShift RBAC and `dedicated-admin` capabilities.
|- Manage Red Hat organization membership of Red Hat accounts.
- Manage organization administrators for Red Hat to grant access to {cluster-manager}.
- Configure OpenShift `dedicated-admin` and RBAC to control access to route configuration as required.
|Virtual networking management
|**Red Hat**
- Provide customer access controls through {cluster-manager}.
|- Manage optional user access to AWS components through {cluster-manager}.
|Virtual storage management
|**Red Hat**
- Provide customer access controls through
OpenShift Cluster Manager.
|- Manage optional user access to AWS components through {cluster-manager}.
- Create AWS IAM roles and attached policies necessary to enable ROSA service access.
|Virtual compute management
|**Red Hat**
- Provide customer access controls through
OpenShift Cluster Manager.
|- Manage optional user access to AWS components through {cluster-manager}.
- Create AWS IAM roles and attached policies necessary to enable ROSA service access.
|AWS software (public AWS services)
|**AWS**
**Compute:** Provide the Amazon EC2 service, used for ROSA control plane, infrastructure, and worker nodes.
**Storage:** Provide Amazon EBS, used to allow ROSA to provision local node storage and persistent volume storage for the cluster.
**Storage:** Provide Amazon S3, used for the services built-in image registry.
**Networking:** Provide AWS Identity and Access Management (IAM), used by customers to control access to ROSA resources running on customer accounts.
|- Create AWS IAM roles and attached policies necessary to enable ROSA service access.
- Use IAM tools to apply the appropriate permissions to AWS
resources in the customer account.
- To enable ROSA across your AWS organization, the customer is
responsible for managing AWS Organizations administrators.
- To enable ROSA across your AWS organization, the customer is
responsible for distributing the ROSA entitlement grant using AWS License Manager.
|Hardware/AWS global infrastructure
|**AWS**
- For information regarding physical access controls for AWS data centers, see link:https://aws.amazon.com/compliance/data-center/controls/[Our Controls] on the AWS Cloud Security page.
|- Customer is not responsible for AWS global infrastructure.
|===

100
modules/rosa-policy-incident.adoc
View File

@@ -1,17 +1,98 @@
// Module included in the following assemblies:
//
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-shared-responsibility.adoc
[id="rosa-policy-incident_{context}"]
= Incident and operations management
Red Hat is responsible for overseeing the service components required for default platform networking.
AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the AWS Cloud. The customer is responsible for incident and operations management of customer application data and any custom networking the customer may have configured for the cluster network or virtual network.
This documentation details the Red Hat responsibilities for the {product-title} (ROSA) managed service.
[cols= "2a,3a,3a",options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Application networking
|**Red Hat**
- Monitor native OpenShift router
service, and respond to alerts.
|- Monitor health of application routes, and the endpoints behind them.
- Report outages to Red Hat and AWS.
|Virtual networking management
|**Red Hat**
- Monitor AWS load balancers, Amazon VPC subnets, and AWS service components necessary for default
platform networking. Respond to alerts.
|- Monitor health of AWS load balancer endpoints.
- Monitor network traffic that is optionally configured through Amazon VPC-to-VPC connection, AWS VPN connection, or AWS
Direct Connect for potential issues or
security threats.
|Virtual storage management
|**Red Hat**
- Monitor Amazon EBS volumes attached to cluster nodes and Amazon S3 buckets used for the ROSA services built-in container image
registry. Respond to alerts.
|- Monitor health of application data.
- If customer managed AWS KMS keys are
used, create and control the key lifecycle and
key policies for Amazon EBS encryption.
|Platform monitoring
|**Red Hat**
- Maintain a centralized monitoring and alerting system for all ROSA cluster components, site reliability engineer (SRE) services, and underlying AWS accounts.
|
|Incident management
|**Red Hat**
- Raise and manage known incidents.
- Share root cause analysis (RCA) drafts with the customer.
|- Raise known incidents through a support case.
|Infrastructure and data resiliency
|**Red Hat**
- There is no Red Hat-provided backup method available for ROSA clusters with STS.
- Red Hat does not commit to any Recovery Point Objective (RPO) or Recovery Time Objective (RTO).
|- Take regular backups of data and deploy multi-AZ clusters with workloads that follow Kubernetes best practices to ensure high availability within a region.
- If an entire cloud region is unavailable, install a new cluster in a different region and restore apps using backup data.
|Cluster capacity
|**Red Hat**
- Manage the capacity of all control plane and infrastructure nodes on the cluster.
- Evaluate cluster capacity during upgrades and in response to cluster alerts.
|
|AWS software (public AWS services)
|**AWS**
- For information regarding AWS incident and operations management, see link:https://docs.aws.amazon.com/whitepapers/latest/aws-operational-resilience/how-aws-maintains-operational-resilience-and-continuity-of-service.html#incident-management[How AWS maintains operational resilience and continuity of service] in the AWS whitepaper.
|- Monitor health of AWS resources in the
customer account.
- Use IAM tools to apply the appropriate
permissions to AWS resources in the customer account.
|Hardware/AWS global infrastructure
|**AWS**
- For information regarding AWS incident and operations management, see link:https://docs.aws.amazon.com/whitepapers/latest/aws-operational-resilience/how-aws-maintains-operational-resilience-and-continuity-of-service.html#incident-management[How AWS maintains operational
resilience and continuity of service] in the AWS whitepaper.
|- Configure, manage, and monitor customer applications and data to ensure application and data security controls are properly enforced.
|===
[id="rosa-policy-platform-monitoring_{context}"]
== Platform monitoring
Red Hat site reliability engineers (SREs) maintain a centralized monitoring and alerting system for all ROSA cluster components, the SRE services, and underlying AWS accounts. Platform audit logs are securely forwarded to a centralized security information and event monitoring (SIEM) system, where they may trigger configured alerts to the SRE team and are also subject to manual review. Audit logs are retained in the SIEM system for one year. Audit logs for a given cluster are not deleted at the time the cluster is deleted.
Platform audit logs are securely forwarded to a centralized security information and event monitoring (SIEM) system, where they may trigger configured alerts to the SRE team and are also subject to manual review. Audit logs are retained in the SIEM system for one year. Audit logs for a given cluster are not deleted at the time the cluster is deleted.
[id="rosa-policy-incident-management_{context}"]
== Incident management
@@ -40,12 +121,6 @@ The following activities can trigger notifications:
- Critical vulnerabilities and resolution
- Upgrade scheduling
[id="rosa-policy-backup-recovery-sts_{context}"]
== Infrastructure and data resiliency
Customers are responsible for taking regular backups of their data and should deploy multi-AZ clusters with workloads that follow Kubernetes best practices to ensure high availability within a region. If an entire cloud region is unavailable, customers must install a new cluster in a different region and restore their apps using their backup data.
There is no Red Hat-provided backup method available for ROSA clusters with STS. Red Hat does not commit to any Recovery Point Objective (RPO) or Recovery Time Objective (RTO).
//Note: The following content will be used again in the future (per OSDOCS:4654)
//[id="backup-recovery_{context}"]
//== Backup and recovery
@@ -84,8 +159,7 @@ There is no Red Hat-provided backup method available for ROSA clusters with STS.
[id="rosa-policy-cluster-capacity_{context}"]
== Cluster capacity
Evaluating and managing cluster capacity is a responsibility that is shared between Red Hat and the customer. Red Hat SRE is responsible for the capacity of all control plane and infrastructure nodes on the cluster.
Red Hat SRE also evaluates cluster capacity during upgrades and in response to cluster alerts. The impact of a cluster upgrade on capacity is evaluated as part of the upgrade testing process to ensure that capacity is not negatively impacted by new additions to the cluster. During a cluster upgrade, additional worker nodes are added to make sure that total cluster capacity is maintained during the upgrade process.
The impact of a cluster upgrade on capacity is evaluated as part of the upgrade testing process to ensure that capacity is not negatively impacted by new additions to the cluster. During a cluster upgrade, additional worker nodes are added to make sure that total cluster capacity is maintained during the upgrade process.
Capacity evaluations by the Red Hat SRE staff also happen in response to alerts from the cluster, after usage thresholds are exceeded for a certain period of time. Such alerts can also result in a notification to the customer.
Capacity evaluations by the Red Hat SRE staff also happen in response to alerts from the cluster, after usage thresholds are exceeded for a certain period of time. Such alerts can also result in a notification to the customer.

1
modules/rosa-policy-responsibilities.adoc
View File

@@ -1,4 +1,3 @@
// Module included in the following assemblies:
//
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc

125
modules/rosa-policy-security-and-compliance.adoc Normal file
View File

@@ -0,0 +1,125 @@
//Modules included in the following assemblies:
//
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-shared-responsibility.adoc
[id="rosa-policy-security-compliance_{context}"]
= Security and regulation compliance
The following table outlines the the responsibilities in regards to security and regulation compliance:
[cols="2a,3a,3a",options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Logging
|**Red Hat**
- Send cluster audit logs to a Red Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.
|- Analyze application logs for security events.
- Send application logs to an external endpoint through logging sidecar containers or third-party logging applications if longer retention is required than is offered by the default logging stack.
|Virtual networking management
|**Red Hat**
- Monitor virtual networking components for potential issues and security threats.
- Use public AWS tools for additional monitoring and protection.
|- Monitor optional configured virtual networking components for potential issues and security threats.
- Configure any necessary firewall rules or customer data center protections as required.
|Virtual storage management
|**Red Hat**
- Monitor virtual storage components for potential issues and security threats.
- Use public AWS tools for additional monitoring and protection.
- Configure the ROSA service to encrypt control plane, infrastructure, and worker node volume data by default using the
AWS managed Key Management Service (KMS) key that Amazon EBS provides.
- Configure the ROSA service to encrypt customer persistent volumes that use the default storage class with the AWS
managed KMS key that Amazon EBS provides.
- Provide the ability for the customer to use a customer managed AWS KMS key to encrypt persistent volumes.
- Configure the container image registry to encrypt image registry data at rest using server-side encryption with Amazon S3 managed keys (SSE-3).
- Provide the ability for the customer to create a public or private Amazon S3 image registry to protect their container
images from unauthorized user access.
|- Provision Amazon EBS volumes.
- Manage Amazon EBS volume storage to ensure enough storage is available to mount as a volume in ROSA.
- Create the persistent volume claim and generate a
persistent volume though OpenShift Cluster Manager.
|Virtual compute management
|**Red Hat**
- Monitor virtual compute components for potential issues and security threats.
- Use public AWS tools for additional monitoring and protection.
|- Monitor optional configured virtual networking components for
potential issues and security threats.
- Configure any necessary firewall rules or customer data center protections as required.
|AWS software (public AWS services)
|**AWS**
**Compute:** Secure Amazon EC2, used for ROSA control plane, infrastructure, and worker nodes. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/infrastructure-security.html[
Infrastructure security in Amazon EC2] in the Amazon EC2 User Guide.
**Storage:** Secure Amazon Elastic Block Store (EBS),
used for ROSA control plane, infrastructure, and worker node volumes, as well as Kubernetes persistent volumes. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html[Data protection in Amazon EC2] in the Amazon EC2 User Guide.
**Storage:** Provide AWS KMS, which ROSA uses to
encrypt control plane, infrastructure, and worker node volumes and persistent volumes. For more information, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html[Amazon EBS encryption] in the Amazon EC2 User Guide.
**Storage:** Secure Amazon S3, used for the ROSA services built-in container image registry. For more information, see link:https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html[Amazon S3 security] in the S3 User Guide.
**Networking:** Provide security capabilities and services
to increase privacy and control network access on AWS global infrastructure, including network firewalls built into
Amazon VPC, private or dedicated network connections, and automatic encryption of all traffic on the AWS global
and regional networks between AWS secured facilities. For more information, see the link:https://aws.amazon.com/compliance/shared-responsibility-model/[AWS Shared Responsibility Model]
and link:https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/infrastructure-security.html[Infrastructure security] in the Introduction to AWS Security whitepaper.
|- Ensure security best practices and the principle of least
privilege are followed to protect data on the Amazon EC2
instance. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/infrastructure-security.html[Infrastructure security in Amazon EC2]
and link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html[Data protection in Amazon EC2].
- Monitor optional configured virtual networking components for
potential issues and security threats.
- Configure any necessary firewall rules or customer data center protections as required.
- Create an optional customer managed KMS key and encrypt
the Amazon EBS persistent volume using the KMS key.
- Monitor the customer data in virtual storage
for potential issues and security threats. For more information,
see the link:https://aws.amazon.com/compliance/shared-responsibility-model/[shared responsibility model].
|Hardware/AWS global infrastructure
|**AWS**
- Provide the AWS global infrastructure that ROSA uses to deliver service functionality. For more information regarding AWS security
controls, see link:https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/security-of-the-aws-infrastructure.html[Security of the AWS Infrastructure] in the AWS whitepaper.
- Provide documentation for the customer to
manage compliance needs and check their
security state in AWS using tools such as
AWS Artifact and AWS Security Hub. For
more information, see link:https://docs.aws.amazon.com/ROSA/latest/userguide/compliance-validation.html[Compliance
validation for ROSA] in the ROSA User
Guide.
|- Configure, manage, and monitor customer applications and data
to ensure application and data security controls are properly
enforced.
- Use IAM tools to apply the appropriate permissions to AWS
resources in the customer account.
|===
.Additional resources
* For more information about customer or shared responsibilities, see the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-process-security[ROSA Security] document.

6
modules/rosa-policy-security-regulation-compliance.adoc
View File

@@ -6,7 +6,6 @@
[id="rosa-policy-security-regulation-compliance_{context}"]
= Security and regulation compliance
Security and regulation compliance includes tasks such as the implementation of security controls and compliance certification.
[id="rosa-policy-data-classification_{context}"]
@@ -71,8 +70,3 @@ Any issues that may be discovered are prioritized based on severity. Any issues
| SOC 3 | Yes | No
|===
[role="_additional-resources"]
.Additional resources
* See link:https://access.redhat.com/articles/5528091[Red Hat Subprocessor List] for information on SRE residency.

510
modules/rosa-policy-shared-responsibility.adoc
View File

@@ -1,4 +1,3 @@
// Module included in the following assemblies:
//
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc
@@ -6,511 +5,4 @@
[id="rosa-policy-shared-responsibility_{context}"]
= Tasks for shared responsibilities by area
Red Hat, AWS, and the customer all share responsibility for the monitoring, maintenance, and overall health of a {product-title} (ROSA) cluster. This documentation illustrates the delineation of responsibilities for each of the listed resources as shown in the tables below.
[id="rosa-policy-incident-operations-management_{context}"]
== Incident and operations management
Red Hat is responsible for overseeing the service components required for default platform networking.
AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the AWS Cloud. The customer is responsible for incident and operations management of customer application data and any custom networking the customer may have configured for the cluster network or virtual network.
[cols= "2a,3a,3a",options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Application networking
|**Red Hat**
- Monitor native OpenShift router
service, and respond to alerts.
|- Monitor health of application routes, and the endpoints behind them.
- Report outages to Red Hat and AWS.
|Virtual networking management
|**Red Hat**
- Monitor AWS load balancers, Amazon VPC subnets, and AWS service components necessary for default
platform networking. Respond to alerts.
|- Monitor health of AWS load balancer endpoints.
- Monitor network traffic that is optionally configured through Amazon VPC-to-VPC connection, AWS VPN connection, or AWS
Direct Connect for potential issues or
security threats.
|Virtual storage management
|**Red Hat**
- Monitor Amazon Elastic Block Store (Amazon EBS) volumes used for cluster nodes, and Amazon S3 buckets used for the ROSA services built-in container image
registry. Respond to alerts.
|- Monitor health of application data.
- If customer managed AWS KMS keys are
used, create and control the key lifecycle and
key policies for Amazon EBS encryption.
|AWS software (public AWS services)
|**AWS**
- For information regarding AWS incident and operations management, see link:https://docs.aws.amazon.com/whitepapers/latest/aws-operational-resilience/how-aws-maintains-operational-resilience-and-continuity-of-service.html#incident-management[How AWS maintains operational resilience and continuity of service] in the AWS whitepaper.
|- Monitor health of AWS resources in the
customer account.
- Use IAM tools to apply the appropriate
permissions to AWS resources in the customer account.
|Hardware/AWS global infrastructure
|**AWS**
- For information regarding AWS incident and operations management, see link:https://docs.aws.amazon.com/whitepapers/latest/aws-operational-resilience/how-aws-maintains-operational-resilience-and-continuity-of-service.html#incident-management[How AWS maintains operational
resilience and continuity of service] in the AWS whitepaper.
|- Configure, manage, and monitor customer applications and data to ensure application and data security controls are properly enforced.
|===
[id="rosa-policy-change-management_{context}"]
== Change management
Red Hat is responsible for enabling changes to the cluster infrastructure and services that the customer will control, as well as maintaining versions for the control plane nodes, infrastructure nodes and services, and worker nodes. AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the
AWS Cloud. The customer is responsible for initiating infrastructure change requests and installing and maintaining optional services and networking configurations on the cluster, as well as all changes to customer data and customer applications.
[cols="2a,3a,3a",options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Logging
|**Red Hat**
- Centrally aggregate and monitor platform audit logs.
- Provide and maintain a logging Operator to enable the customer to deploy a logging stack for default application logging.
- Provide audit logs upon customer request.
|- Install the optional default application logging Operator on the cluster.
- Install, configure, and maintain any optional app logging solutions, such as logging sidecar containers or third-party logging applications.
- Tune size and frequency of application logs being produced by customer applications if they are affecting the stability of the logging stack or the cluster.
- Request platform audit logs through a support case for researching specific incidents.
|Application networking
|**Red Hat**
- Set up public load balancers. Provide the ability to set up private load balancers and up to one additional load balancer when required.
- Set up native OpenShift router service. Provide the ability to set the router as private and add up to one additional router shard.
- Install, configure, and maintain OpenShift SDN components for default internal pod traffic.
- Provide the ability for the customer to manage `NetworkPolicy` and `EgressNetworkPolicy` (firewall) objects.
|- Configure non-default pod network permissions for project and pod networks, pod ingress, and pod egress using `NetworkPolicy` objects.
- Use {cluster-manager} to request a private load balancer for default application routes.
- Use {cluster-manager} to configure up to one additional public or private router shard and corresponding load balancer.
- Request and configure any additional service load balancers for specific services.
- Configure any necessary DNS forwarding rules.
|Cluster networking
|**Red Hat**
- Set up cluster management components, such as public or private service endpoints and necessary integration with Amazon VPC components.
- Set up internal networking components required for internal cluster communication between worker, infrastructure, and control plane nodes.
|- Provide optional non-default IP address ranges for machine CIDR, service CIDR, and pod CIDR if needed through {cluster-manager} when the cluster is provisioned.
- Request that the API service endpoint be made public or private on cluster creation or after cluster creation through {cluster-manager}.
|Virtual networking management
|**Red Hat**
- Set up and configure Amazon VPC components required to provision the cluster, such as subnets, load balancers, internet gateways, and NAT gateways.
- Provide the ability for the customer to
manage AWS VPN connectivity with on-premises resources, Amazon VPC-to-VPC connectivity, and AWS Direct Connect as required through {cluster-manager}.
- Enable customers to create and deploy AWS load balancers for use with service load balancers.
|- Set up and maintain optional Amazon VPC components, such as Amazon VPC-to-VPC connection, AWS VPN connection, or AWS Direct Connect.
- Request and configure any additional service load balancers for specific services.
|Virtual compute management
|**Red Hat**
- Set up and configure the ROSA control plane and data plane to use Amazon EC2 instances for cluster compute.
- Monitor and manage the deployment of Amazon EC2 control plane and infrastructure nodes on the cluster.
|- Monitor and manage Amazon EC2 worker nodes by creating a
machine pool using the OpenShift Cluster Manager or the ROSA CLI (`rosa`).
- Manage changes to customer-deployed applications and application data.
|Cluster version
|**Red Hat**
- Enable upgrade scheduling process.
- Monitor upgrade progress and remedy any issues encountered.
- Publish change logs and release notes for minor and maintenance upgrades.
|- Schedule maintenance version upgrades either immediately, for the future, or have automatic upgrades.
- Acknowledge and schedule minor version upgrades.
- Ensure the cluster version stays on a supported minor version.
- Test customer applications on minor and maintenance versions to ensure compatibility.
|Capacity management
|**Red Hat**
- Monitor the use of the control plane. Control planes include control plane nodes and infrastructure nodes.
- Scale and resize control plane nodes to maintain quality of service.
| - Monitor worker node utilization and, if appropriate, enables the auto-scaling feature.
- Determine the scaling strategy of the cluster. See the additional resources for more information on machine pools.
- Use the provided {cluster-manager} controls to add or remove additional worker nodes as required.
- Respond to Red Hat notifications regarding cluster resource requirements.
|Virtual storage management
|**Red Hat**
- Set up and configure Amazon EBS to provision local node storage and persistent volume storage for the cluster.
- Set up and configure the built-in image registry to use Amazon S3 bucket storage.
- Regularly prune image registry resources in
Amazon S3 to optimize Amazon S3 usage and cluster performance.
| - Optionally configure the link:https://github.com/openshift/aws-ebs-csi-driver[AWS EBS CSI driver] or the https://github.com/openshift/aws-efs-csi-driver[AWS EFS CSI driver] to provision persistent volumes on the cluster.
|AWS software (public AWS services)
|**AWS**
**Compute:** Provide the Amazon EC2 service, used for
ROSA control plane, infrastructure, and worker nodes.
**Storage:** Provide Amazon EBS to allow the ROSA service to provision local node storage and persistent volume storage for the cluster.
**Storage:** Provide Amazon S3 for the ROSA services
built-in image registry.
**Networking:**
Provide the following AWS Cloud services
to satisfy ROSA virtual networking
infrastructure needs:
** Amazon VPC
** Elastic Load Balancing
** AWS IAM
**Networking:**
Provide the following optional AWS service integrations for ROSA:
- AWS VPN
- AWS Direct Connect
- AWS PrivateLink
- AWS Transit Gateway
| - Sign requests using an access key ID and secret access key
associated with an IAM principal or STS temporary security
credentials.
- Specify VPC subnets for the cluster to use during cluster
creation.
- Optionally configure a customer-managed VPC for use with ROSA clusters.
|Hardware/AWS global infrastructure
|**AWS**
- For information regarding management controls for AWS data centers, see link:https://aws.amazon.com/compliance/data-center/controls[Our Controls] on the AWS Cloud Security page.
- For information regarding change management best practices, see link:https://aws.amazon.com/solutions/guidance/change-management-on-aws/[Guidance for Change Management on AWS] in the AWS Solutions Library.
|- Implement change management best practices for customer
applications and data hosted on the AWS Cloud.
|===
[id="rosa-policy-identity-access-management_{context}"]
== Access and identity authorization
The access and identity authorization table includes responsibilities for managing authorized access to clusters, applications, and infrastructure resources. This includes tasks such as providing access control mechanisms, authentication, authorization, and managing access to resources.
[cols="2a,3a,3a",options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Logging
|**Red Hat**
- Adhere to an industry standards-based tiered internal access process for platform audit logs.
- Provide native OpenShift RBAC capabilities.
|- Configure OpenShift RBAC to control access to projects and by extension a projects application logs.
- For third-party or custom application logging solutions, the customer is responsible for access management.
|Application networking
|**Red Hat**
- Provide native OpenShift RBAC and `dedicated-admin` capabilities.
|- Configure OpenShift `dedicated-admin` and RBAC to control access to route configuration as required.
- Manage organization administrators for Red Hat to grant access to {cluster-manager}. The cluster manager is used to configure router options and provide service load balancer quota.
|Cluster networking
|**Red Hat**
- Provide customer access controls through {cluster-manager}.
- Provide native OpenShift RBAC and `dedicated-admin` capabilities.
|- Manage Red Hat organization membership of Red Hat accounts.
- Manage organization administrators for Red Hat to grant access to {cluster-manager}.
- Configure OpenShift `dedicated-admin` and RBAC to control access to route configuration as required.
|Virtual networking management
|**Red Hat**
- Provide customer access controls through {cluster-manager}.
|- Manage optional user access to AWS components through {cluster-manager}.
|Virtual storage management
|**Red Hat**
- Provide customer access controls through
OpenShift Cluster Manager.
|- Manage optional user access to AWS components through {cluster-manager}.
- Create AWS IAM roles and attached policies necessary to enable ROSA service access.
|Virtual compute management
|**Red Hat**
- Provide customer access controls through
OpenShift Cluster Manager.
|- Manage optional user access to AWS components through {cluster-manager}.
- Create AWS IAM roles and attached policies necessary to enable ROSA service access.
|AWS software (public AWS services)
|**AWS**
**Compute:** Provide the Amazon EC2 service, used for ROSA control plane, infrastructure, and worker nodes.
**Storage:** Provide Amazon EBS, used to allow ROSA to provision local node storage and persistent volume storage for the cluster.
**Storage:** Provide Amazon S3, used for the services built-in image registry.
**Networking:** Provide AWS Identity and Access Management (IAM), used by customers to control access to ROSA resources running on customer accounts.
|- Create AWS IAM roles and attached policies necessary to enable ROSA service access.
- Use IAM tools to apply the appropriate permissions to AWS
resources in the customer account.
- To enable ROSA across your AWS organization, the customer is
responsible for managing AWS Organizations administrators.
- To enable ROSA across your AWS organization, the customer is
responsible for distributing the ROSA entitlement grant using AWS License Manager.
|Hardware/AWS global infrastructure
|**AWS**
- For information regarding physical access controls for AWS data centers, see link:https://aws.amazon.com/compliance/data-center/controls/[Our Controls] on the AWS Cloud Security page.
|- Customer is not responsible for AWS global infrastructure.
|===
[id="rosa-policy-security-regulation-compliance_{context}"]
== Security and regulation compliance
The following table outlines the the responsibilities in regards to security and regulation compliance:
[cols="2a,3a,3a",options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Logging
|**Red Hat**
- Send cluster audit logs to a Red Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.
|- Analyze application logs for security events.
- Send application logs to an external endpoint through logging sidecar containers or third-party logging applications if longer retention is required than is offered by the default logging stack.
|Virtual networking management
|**Red Hat**
- Monitor virtual networking components for potential issues and security threats.
- Use public AWS tools for additional monitoring and protection.
|- Monitor optional configured virtual networking components for potential issues and security threats.
- Configure any necessary firewall rules or customer data center protections as required.
|Virtual storage management
|**Red Hat**
- Monitor virtual storage components for potential issues and security threats.
- Use public AWS tools for additional monitoring and protection.
- Configure the ROSA service to encrypt control plane, infrastructure, and worker node volume data by default using the
AWS managed Key Management Service (KMS) key that Amazon EBS provides.
- Configure the ROSA service to encrypt customer persistent volumes that use the default storage class with the AWS
managed KMS key that Amazon EBS provides.
- Provide the ability for the customer to use a customer managed AWS KMS key to encrypt persistent volumes.
- Configure the container image registry to encrypt image registry data at rest using server-side encryption with Amazon S3 managed keys (SSE-3).
- Provide the ability for the customer to create a public or private Amazon S3 image registry to protect their container
images from unauthorized user access.
|- Provision Amazon EBS volumes.
- Manage Amazon EBS volume storage to ensure enough storage is available to mount as a volume in ROSA.
- Create the persistent volume claim and generate a
persistent volume though OpenShift Cluster Manager.
|Virtual compute management
|**Red Hat**
- Monitor virtual compute components for potential issues and security threats.
- Use public AWS tools for additional monitoring and protection.
|- Monitor optional configured virtual networking components for
potential issues and security threats.
- Configure any necessary firewall rules or customer data center protections as required.
|AWS software (public AWS services)
|**AWS**
**Compute:** Secure Amazon EC2, used for ROSA control plane, infrastructure, and worker nodes. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/infrastructure-security.html[
Infrastructure security in Amazon EC2] in the Amazon EC2 User Guide.
**Storage:** Secure Amazon EBS, used for ROSA control plane, infrastructure, and worker node volumes, as well as Kubernetes persistent volumes. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html[Data protection in Amazon EC2] in the Amazon EC2 User Guide.
**Storage:** Provide AWS KMS, which ROSA uses to
encrypt control plane, infrastructure, and worker node volumes and persistent volumes. For more information, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html[Amazon EBS encryption] in the Amazon EC2 User Guide.
**Storage:** Secure Amazon S3, used for the ROSA services built-in container image registry. For more information, see link:https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html[Amazon S3 security] in the S3 User Guide.
**Networking:** Provide security capabilities and services
to increase privacy and control network access on AWS global infrastructure, including network firewalls built into
Amazon VPC, private or dedicated network connections, and automatic encryption of all traffic on the AWS global
and regional networks between AWS secured facilities. For more information, see the link:https://aws.amazon.com/compliance/shared-responsibility-model/[AWS Shared Responsibility Model]
and link:https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/infrastructure-security.html[Infrastructure security] in the Introduction to AWS Security whitepaper.
|- Ensure security best practices and the principle of least
privilege are followed to protect data on the Amazon EC2
instance. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/infrastructure-security.html[Infrastructure security in Amazon EC2]
and link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html[Data protection in Amazon EC2].
- Monitor optional configured virtual networking components for
potential issues and security threats.
- Configure any necessary firewall rules or customer data center protections as required.
- Create an optional customer managed KMS key and encrypt
the Amazon EBS persistent volume using the KMS key.
- Monitor the customer data in virtual storage
for potential issues and security threats. For more information,
see the link:https://aws.amazon.com/compliance/shared-responsibility-model/AWS[shared responsibility model].
|Hardware/AWS global infrastructure
|**AWS**
- Provide the AWS global infrastructure that ROSA uses to deliver service functionality. For more information regarding AWS security
controls, see link:https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/security-of-the-aws-infrastructure.html[Security of the AWS Infrastructure] in the AWS whitepaper.
- Provide documentation for the customer to
manage compliance needs and check their
security state in AWS using tools such as
AWS Artifact and AWS Security Hub. For
more information, see link:https://docs.aws.amazon.com/ROSA/latest/userguide/compliance-validation.html[Compliance
validation for ROSA] in the ROSA User
Guide.
|- Configure, manage, and monitor customer applications and data
to ensure application and data security controls are properly
enforced.
- Use IAM tools to apply the appropriate permissions to AWS
resources in the customer account.
|===
[id="rosa-policy-disaster-recovery_{context}"]
== Disaster recovery
Disaster recovery includes data and configuration backup, replicating data and configuration to the disaster recovery environment, and failover on disaster events.
[cols="2a,3a,3a" ,options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Virtual networking management
|**Red Hat**
- Restore or recreate affected virtual network components that are necessary for the platform to function.
|- Configure virtual networking connections with more than one tunnel where possible for protection against outages as recommended by the public cloud provider.
- Maintain failover DNS and load balancing if using a global load balancer with multiple clusters.
|Virtual Storage management
|**Red Hat**
- For ROSA clusters created with IAM user credentials, back up all Kubernetes objects on the cluster through hourly, daily, and weekly volume snapshots.
- For ROSA clusters created with IAM user credentials, back up persistent volumes on the cluster through daily and weekly volume snapshots.
|- Back up customer applications and application data.
|Virtual compute management
|**Red Hat**
- Monitor the cluster and replace failed Amazon EC2 control plane or infrastructure nodes.
- Provide the ability for the customer to manually or automatically replace failed worker nodes.
|- Replace failed Amazon EC2 worker nodes by editing the
machine pool configuration through OpenShift Cluster Manager or the ROSA CLI.
|AWS software (public AWS services)
|**AWS**
**Compute:** Provide Amazon EC2 features that support data resiliency such as Amazon EBS snapshots and Amazon EC2 Auto Scaling. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/disaster-recovery-resiliency.html[Resilience in Amazon EC2] in the EC2 User Guide.
**Storage:** Provide the ability for the ROSA service
and customers to back up the Amazon EBS volume on the cluster through Amazon EBS volume snapshots.
**Storage:** For information about Amazon S3 features that support data resiliency, see link:https://docs.aws.amazon.com/AmazonS3/latest/userguide/disaster-recovery-resiliency.html[Resilience in Amazon S3].
**Networking:** For information about Amazon VPC features that support data resiliency, see link:https://docs.aws.amazon.com/vpc/latest/userguide/disaster-recovery-resiliency.html[Resilience in Amazon Virtual Private
Cloud] in the Amazon VPC User Guide.
|- Configure ROSA
multi-AZ clusters to
improve fault
tolerance and cluster
availability.
- Provision persistent
volumes using the
AWS EBS CSI
driver to enable
volume snapshots.
- Create CSI volume snapshots of AWS
EBS persistent volumes.
|Hardware/AWS global infrastructure
|**AWS**
- Provide AWS global infrastructure that allows ROSA to scale control plane, infrastructure, and worker nodes across
Availability Zones. This functionality enables ROSA to orchestrate automatic failover between zones without interruption.
- For more information about disaster recovery best practices, see link:https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html[Disaster recovery options in the cloud] in the AWS
Well-Architected Framework.
|- Configure ROSA multi-AZ clusters to improve fault tolerance and cluster availability.
|===
Red Hat, AWS, and the customer all share responsibility for the monitoring, maintenance, and overall health of a {product-title} (ROSA) cluster. This documentation illustrates the delineation of responsibilities for each of the listed resources as shown in the tables below.

10
rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc
View File

@@ -2,11 +2,11 @@
include::_attributes/attributes-openshift-dedicated.adoc[]
:context: rosa-policy-process-security
[id="rosa-policy-process-security"]
= Understanding process and security for {product-title}
= Understanding security for {product-title}
toc::[]
This document details the Red Hat responsibilities for the managed {product-title} (ROSA).
This document details the Red Hat, Amazon Web Services (AWS), and customer security responsibilities for the managed {product-title} (ROSA).
.Acronyms and terms
@@ -19,15 +19,13 @@ This document details the Red Hat responsibilities for the managed {product-titl
* *SRE* - Red Hat Site Reliability Engineering
* *VPC* - Virtual Private Cloud
include::modules/rosa-policy-incident.adoc[leveloffset=+1]
include::modules/rosa-policy-change-management.adoc[leveloffset=+1]
include::modules/rosa-policy-identity-access-management.adoc[leveloffset=+1]
include::modules/rosa-policy-security-regulation-compliance.adoc[leveloffset=+1]
include::modules/rosa-policy-disaster-recovery.adoc[leveloffset=+1]
[role="_additional-resources"]
.Additional resources
* See link:https://access.redhat.com/articles/5528091[Red Hat Subprocessor List] for information on SRE residency.
* For more information about customer or shared responsibilities, see the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc#rosa-policy-responsibilities_rosa-policy-responsibility-matrix[ROSA Responsibilities] document.
* For more information about ROSA and its components, see the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-service-definition[ROSA Service Definition].

6
rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc
View File

@@ -11,6 +11,12 @@ This documentation outlines Red Hat, Amazon Web Services (AWS), and customer res
include::modules/rosa-policy-responsibilities.adoc[leveloffset=+1]
include::modules/rosa-policy-shared-responsibility.adoc[leveloffset=+1]
include::modules/rosa-policy-incident.adoc[leveloffset=+1]
include::modules/rosa-policy-change-management.adoc[leveloffset=+1]
include::modules/rosa-policy-identity-access-management.adoc[leveloffset=+1]
include::modules/rosa-policy-security-and-compliance.adoc[leveloffset=+1]
include::modules/rosa-policy-disaster-recovery.adoc[leveloffset=+1]
[role="_additional-resources"]
.Additional resources