modules/sre-cluster-access.adoc
4 additions & 4 deletions
@@ -14,15 +14,15 @@ clusters is controlled through several layers of required authentication, all of
14
14
15
15
The information presented below is an overview of the process an SRE must perform to access a customer's cluster.
16
16
17
-
** SRE makes a request to refresh ID token from the Red Hat SSO (Cloud Services).
17
+
** SRE requests a refreshed ID token from the Red Hat SSO (Cloud Services). This request is authenticated. The token is valid for fifteen minutes. After the token expires, you can refresh the token again and receive a new token. The ability to refresh to a new token is indefinite; however, the ability to refresh to a new token is revoked after 30 days of inactivity.
18
18
19
-
** SRE sends a request tunneled through the Red Hat VPN. This request is made via Corporate Identity and Access Management system (RH IAM); authentication is multi-factor (made up of a password and an ephemeral one-time token). Once the SRE authenticates and is allowed access to the orchestration and management systems, the authorization is managed by Red Hat corporate directory services. The use of RH IAM enables SREs to be managed internally per organization via groups and existing on-boarding/off-boarding processes. Changes to the orchestration and management systems require many layers of approval and are maintained by strict company policy.
19
+
** SRE connects to the Red Hat VPN. The authentication to the VPN is completed by the Red Hat Corporate Identity and Access Management system (RH IAM). With RH IAM, SREs can be managed internally per organization via groups and existing on-boarding/off-boarding processes, and is multi-factor. After an SRE is authenticated and connected, the SRE can access the cloud services fleet management plane. Changes to the cloud services fleet management plane require many layers of approval and are maintained by strict company policy.
20
20
21
-
**Once authorized, SRE logs into the fleet management plane and receives a service account token that the fleet management plane created. The token is valid for twelve minutes. Once the token is no longer valid, it is deleted.
21
+
**After authorization is complete, the SRE logs into the fleet management plane and receives a service account token that the fleet management plane created. The token is valid for 15 minutes. After the token is no longer valid, it is deleted.
22
22
23
23
** With access granted to the fleet management plane, SRE uses various methods to access clusters, depending on network configuration.
24
24
25
-
*** Accessing a private or public cluster: Request is sent through a specific Network Load Balancer (NLB) using an encrypted HTTP connection on port 6443. The NLB contains an IP allow-list so the APIs accept connections from a specific set of IPs of which the fleet management plane contains.
25
+
*** Accessing a private or public cluster: Request is sent through a specific Network Load Balancer (NLB) by using an encrypted HTTP connection on port 6443.
26
26
27
27
*** Accessing a PrivateLink cluster: Request is sent to the Red Hat Transit Gateway, which then connects to a Red Hat VPC per region. The VPC that receives the request will be dependent on the target private cluster’s region. Within the VPC, there is a private subnet which contains the PrivateLink endpoint to the customer’s PrivateLink cluster.
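Review bot: In the new line 19, "SREs can be managed internally per organization via groups and existing on-boarding/off-boarding processes, and is multi-factor" is ungrammatical (nothing is the subject of "is multi-factor"), and the rewrite drops two security-relevant details the removed line carried: what the factors are ("a password and an ephemeral one-time token") and that authorization after login is managed by Red Hat corporate directory services. Suggest "Authentication to the VPN is multi-factor (a password and an ephemeral one-time token) and is completed by the Red Hat Corporate Identity and Access Management system (RH IAM)." and keep the authorization sentence. Two more points in the same hunk: the new line 25 deletes the sentence stating that the NLB has an IP allow-list so the APIs only accept connections from the fleet management plane's IPs, which is the control that makes the public-cluster path acceptable, so if the allow-list still exists that sentence should stay (and "encrypted HTTP connection on port 6443" reads more precisely as "TLS connection on port 6443"); and the new lines 17 and 21 spell the same period as "fifteen minutes" and "15 minutes", while line 21 also changes the service account token lifetime from twelve to 15 minutes, which should be confirmed as intentional rather than copied from the ID token value. Minor: line 17 switches to second person ("you can refresh the token again") in a paragraph otherwise about "the SRE", repeats "the ability to refresh to a new token" twice in one sentence, and "**After" in line 21 has no space after the list marker, so AsciiDoc will not render it as a nested list item.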