| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: REFERENCE |
| 6 | + |
| 7 | +[id="rosa-policy-access-approval_{context}"] |
| 8 | += Access approval and review |
| 9 | +New SRE user access requires management approval. Separated or transferred SRE accounts are removed as authorized users through an automated process. Additionally, the SRE performs periodic access review, including management sign-off of authorized user lists. |
| 10 | + |
| 11 | +The access and identity authorization table includes responsibilities for managing authorized access to clusters, applications, and infrastructure resources. This includes tasks such as providing access control mechanisms, authentication, authorization, and managing access to resources. |
| 12 | + |
| 13 | +[cols="2a,3a,3a",options="header"] |
| 14 | +|=== |
| 15 | +|Resource |
| 16 | +|Service responsibilities |
| 17 | +|Customer responsibilities |
| 18 | + |
| 19 | +|Logging |
| 20 | +|**Red Hat** |
| 21 | + |
| 22 | +- Adhere to an industry standards-based tiered internal access process for platform audit logs. |
| 23 | + |
| 24 | +- Provide native OpenShift RBAC capabilities. |
| 25 | + |
| 26 | +|- Configure OpenShift RBAC to control access to projects and by extension a project's application logs. |
| 27 | +- For third-party or custom application logging solutions, the customer is responsible for access management. |
| 28 | + |
| 29 | +|Application networking |
| 30 | +|**Red Hat** |
| 31 | + |
| 32 | +- Provide native OpenShift RBAC and `dedicated-admin` capabilities. |
| 33 | + |
| 34 | +|- Configure OpenShift `dedicated-admin` and RBAC to control access to route configuration as required. |
| 35 | +- Manage organization administrators for Red Hat to grant access to {cluster-manager}. The cluster manager is used to configure router options and provide service load balancer quota. |
| 36 | + |
| 37 | +|Cluster networking |
| 38 | +|**Red Hat** |
| 39 | + |
| 40 | +- Provide customer access controls through {cluster-manager}. |
| 41 | + |
| 42 | +- Provide native OpenShift RBAC and `dedicated-admin` capabilities. |
| 43 | + |
| 44 | +|- Manage Red Hat organization membership of Red Hat accounts. |
| 45 | +- Manage organization administrators for Red Hat to grant access to {cluster-manager}. |
| 46 | +- Configure OpenShift `dedicated-admin` and RBAC to control access to route configuration as required. |
| 47 | + |
| 48 | +|Virtual networking management |
| 49 | +|**Red Hat** |
| 50 | + |
| 51 | +- Provide customer access controls through {cluster-manager}. |
| 52 | + |
| 53 | +|- Manage optional user access to AWS components through {cluster-manager}. |
| 54 | + |
| 55 | +|Virtual storage management |
| 56 | +|**Red Hat** |
| 57 | + |
| 58 | +- Provide customer access controls through |
| 59 | +Red Hat OpenShift Cluster Manager. |
| 60 | + |
| 61 | +|- Manage optional user access to AWS components through {cluster-manager}. |
| 62 | +- Create AWS IAM roles and attached policies necessary to enable ROSA service access. |
| 63 | + |
| 64 | +|Virtual compute management |
| 65 | +|**Red Hat** |
| 66 | + |
| 67 | +- Provide customer access controls through |
| 68 | +Red Hat OpenShift Cluster Manager. |
| 69 | + |
| 70 | +|- Manage optional user access to AWS components through {cluster-manager}. |
| 71 | +- Create AWS IAM roles and attached policies necessary to enable ROSA service access. |
| 72 | + |
| 73 | +|AWS software (public AWS services) |
| 74 | +|**AWS** |
| 75 | + |
| 76 | +**Compute:** Provide the Amazon EC2 service, used for ROSA control plane, infrastructure, and worker nodes. |
| 77 | + |
| 78 | +**Storage:** Provide Amazon EBS, used to allow ROSA to provision local node storage and persistent volume storage for the cluster. |
| 79 | + |
| 80 | +**Storage:** Provide Amazon S3, used for the service's built-in image registry. |
| 81 | + |
| 82 | +**Networking:** Provide AWS Identity and Access Management (IAM), used by customers to control access to ROSA resources running on customer accounts. |
| 83 | + |
| 84 | +|- Create AWS IAM roles and attached policies necessary to enable ROSA service access. |
| 85 | + |
| 86 | +- Use IAM tools to apply the appropriate permissions to AWS |
| 87 | +resources in the customer account. |
| 88 | + |
| 89 | +- To enable ROSA across your AWS organization, the customer is |
| 90 | +responsible for managing AWS Organizations administrators. |
| 91 | + |
| 92 | +- To enable ROSA across your AWS organization, the customer is |
| 93 | +responsible for distributing the ROSA entitlement grant using AWS License Manager. |
| 94 | + |
| 95 | +|Hardware and AWS global infrastructure |
| 96 | +|**AWS** |
| 97 | + |
| 98 | +- For information about physical access controls for AWS data centers, see link:https://aws.amazon.com/compliance/data-center/controls/[Our Controls] on the AWS Cloud Security page. |
| 99 | +|- Customer is not responsible for AWS global infrastructure. |
| 100 | +|=== |
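Review bot: the "AWS software (public AWS services)" row labels AWS Identity and Access Management as `**Networking:**` (line 82), but IAM is an identity and access-control service, not a networking one; renaming the label to `**Identity and access:**` (or similar) would keep the row's category labels accurate and make it easier for a reader to find where IAM responsibilities sit. Two smaller consistency points in the same table: the Virtual storage and Virtual compute rows spell out "Red Hat OpenShift Cluster Manager" across two lines (lines 58-59 and 67-68) while every other row uses the `{cluster-manager}` attribute, so these should use the attribute too; and the two AWS Organizations bullets (lines 89-93) both open with "To enable ROSA across your AWS organization, the customer is responsible for ...", mixing second and third person, and could be merged into a single bullet with a two-item sub-list ("managing AWS Organizations administrators" and "distributing the ROSA entitlement grant using AWS License Manager").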