mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/ccs-gcp-customer-requirements.adoc

// Module included in the following assemblies:
//
// * osd_planning/gcp-ccs.adoc
:_mod-docs-content-type: REFERENCE
[id="ccs-gcp-customer-requirements_{context}"]
= Customer requirements
[role="_abstract"]
{product-title} clusters using a Customer Cloud Subscription (CCS) model on {gcp-first} must meet several prerequisites before they can be deployed.
[id="ccs-gcp-requirements-account_{context}"]
== Account
* The customer ensures that link:https://cloud.google.com/storage/quotas[{gcp-full} limits] and link:https://cloud.google.com/compute/resource-usage[allocation quotas that apply to Compute Engine] are sufficient to support the {product-title} clusters provisioned within the customer-provided {gcp-short} account.
* The customer-provided {gcp-short} account should be in the customer's {gcp-full} Organization.
* The customer-provided {gcp-short} account must not be transferable to Red{nbsp}Hat.
* The customer may not impose {gcp-short} usage restrictions on Red{nbsp}Hat activities. Imposing restrictions severely hinders Red{nbsp}Hat's ability to respond to incidents.
* Red{nbsp}Hat deploys monitoring into {gcp-short} to alert Red{nbsp}Hat when a highly privileged account, such as a root account, logs into the customer-provided {gcp-short} account.
* The customer can deploy native {gcp-short} services within the same customer-provided {gcp-short} account.
+
[NOTE]
====
Customers are encouraged, but not mandated, to deploy resources in a Virtual Private Cloud (VPC) separate from the VPC hosting {product-title} and other Red{nbsp}Hat supported services.
====
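The quota requirement in the list above is something the customer can verify before requesting a cluster. The following is an added example, not part of the OpenShift documentation or any Red Hat tooling. It assumes the `gcloud` CLI is available and that the region's Compute Engine quotas are exported with `gcloud compute regions describe --flatten="quotas[]" --format="csv[no-heading](quotas.metric,quotas.usage,quotas.limit)"`; the sample input and the cluster sizing (8 vCPUs, 300 GB SSD) are constructed for illustration and are not real project data or official sizing figures.

```shell
#!/bin/sh
# Added example, not part of the OpenShift docs or Red Hat tooling.
# Compares a region's Compute Engine quotas against what a planned cluster
# needs. Assumes the gcloud CLI; live input would come from
#   gcloud compute regions describe "$REGION" --flatten="quotas[]" \
#       --format="csv[no-heading](quotas.metric,quotas.usage,quotas.limit)"

# check_quotas METRIC=NEEDED [METRIC=NEEDED ...]
# Reads "metric,usage,limit" lines on stdin. Prints one line per quota that
# would be exceeded (or is not reported for the region) and returns 1 if any
# is short, 0 if every requested metric fits within its limit.
check_quotas() {
    awk -F, -v needs="$*" '
    BEGIN {
        short = 0
        n = split(needs, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            need[kv[1]] = kv[2]
        }
    }
    ($1 in need) {
        seen[$1] = 1
        if ($2 + need[$1] > $3) {
            short = 1
            printf "%s: usage %s + needed %s exceeds limit %s\n", $1, $2, need[$1], $3
        }
    }
    END {
        for (m in need)
            if (!(m in seen)) { short = 1; print m ": quota not reported for this region" }
        exit short
    }'
}

# Constructed sample of the gcloud output described above (not real data):
# a project already using 20 of 24 CPUs in the region.
SAMPLE_QUOTAS='CPUS,20,24
SSD_TOTAL_GB,100,500
IN_USE_ADDRESSES,4,8
STATIC_ADDRESSES,0,8'

# Hypothetical sizing for a small cluster: 8 more vCPUs and 300 GB of SSD.
printf '%s\n' "$SAMPLE_QUOTAS" | check_quotas CPUS=8 SSD_TOTAL_GB=300 \
    || echo "Request a quota increase before provisioning."
```

Replace the constructed sample with the live `gcloud` output and the `METRIC=NEEDED` pairs with the sizing of the cluster you intend to request; a metric that the region does not report at all is treated as a shortfall rather than silently passed, because a missing line usually means the wrong region or a typo in the metric name.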
[id="ccs-gcp-requirements-access_{context}"]
== Access requirements
* To appropriately manage the {product-title} service, Red{nbsp}Hat must have the `AdministratorAccess` policy applied to the administrator role at all times.
+
[NOTE]
====
This policy grants Red{nbsp}Hat permissions and capabilities to change resources only within the customer-provided {gcp-short} account.
====
* Red{nbsp}Hat must have {gcp-short} console access to the customer-provided {gcp-short} account. This access is protected and managed by Red{nbsp}Hat.
* The customer must not utilize the {gcp-short} account to elevate their permissions within the {product-title} cluster.
* Actions that are available in the {cluster-manager-url} must be performed there and must not be performed directly in the customer-provided {gcp-short} account.
[id="ccs-gcp-requirements-support_{context}"]
== Support requirements
* Red{nbsp}Hat recommends that the customer have at least link:https://cloud.google.com/support[Enhanced Support] from {gcp-short}.
* Red{nbsp}Hat has authority from the customer to request {gcp-short} support on their behalf.
* Red{nbsp}Hat has authority from the customer to request {gcp-short} resource limit increases on the customer-provided account.
* Red{nbsp}Hat manages the restrictions, limitations, expectations, and defaults for all {product-title} clusters in the same manner, unless otherwise specified in this requirements section.
[id="ccs-gcp-requirements-security_{context}"]
== Security requirements
* The customer-provided IAM credentials must be unique to the customer-provided {gcp-short} account and must not be stored anywhere in the customer-provided {gcp-short} account.
* Volume snapshots will remain within the customer-provided {gcp-short} account and customer-specified region.
* To manage, monitor, and troubleshoot {product-title} clusters, Red{nbsp}Hat must have direct access to the cluster's API server. The customer must not restrict or otherwise prevent Red{nbsp}Hat's access to the {product-title} cluster's API server.
+
[NOTE]
====
SRE uses various methods to access clusters, depending on network configuration. Access to private clusters is restricted to Red{nbsp}Hat trusted IP addresses only. These access restrictions are managed automatically by Red{nbsp}Hat.
====
* {product-title} requires egress access to certain endpoints over the internet. Only clusters deployed with Private Service Connect can use a firewall to control egress traffic. For additional information, see the _{gcp-short} firewall prerequisites_ section.