Commit 432ea72

Merge pull request #64354 from mletalie/OSDOCS-7641
[OSDOCS-7641]: SRE cluster access
2 parents f9d6b67 + 621e0e4 commit 432ea72

3 files changed: 33 additions and 2 deletions

modules/sre-cluster-access.adoc

Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
// Module included in the following assemblies:
2+
// * rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc
3+
// * osd_architecture/osd_policy/osd-sre-access.adoc
4+
5+
:_content-type: CONCEPT
6+
[id="sre-cluster-access_{context}"]
7+
= SRE cluster access
8+
9+
SRE access to {product-title}
10+
ifdef::openshift-rosa[]
11+
(ROSA)
12+
endif::openshift-rosa[]
13+
clusters is controlled through several layers of required authentication, all of which are managed by strict company policy. All authentication attempts to access a cluster, as well as changes made within a cluster, are recorded within audit logs, along with the specific account identity of the SRE responsible for those actions. These audit logs help ensure that all changes made by SREs to a customer's cluster adhere to the strict policies and procedures that make up Red Hat's managed services guidelines.
14+
15+
The information presented below is an overview of the process an SRE must perform to access a customer's cluster.
16+
17+
** SRE makes a request to refresh ID token from the Red Hat SSO (Cloud Services).
18+
19+
** SRE sends a request tunneled through the Red Hat VPN. This request is made via Corporate Identity and Access Management system (RH IAM); authentication is multi-factor (made up of a password and an ephemeral one-time token). Once the SRE authenticates and is allowed access to the orchestration and management systems, the authorization is managed by Red Hat corporate directory services. The use of RH IAM enables SREs to be managed internally per organization via groups and existing on-boarding/off-boarding processes. Changes to the orchestration and management systems require many layers of approval and are maintained by strict company policy.
20+
21+
** Once authorized, SRE logs into the fleet management plane and receives a service account token that the fleet management plane created. The token is valid for twelve minutes. Once the token is no longer valid, it is deleted.
22+
23+
** With access granted to the fleet management plane, SRE uses various methods to access clusters, depending on network configuration.
24+
25+
*** Accessing a private or public cluster: Request is sent through a specific Network Load Balancer (NLB) using an encrypted HTTP connection on port 6443. The NLB contains an IP allow-list so the APIs accept connections from a specific set of IPs of which the fleet management plane contains.
26+
27+
*** Accessing a PrivateLink cluster: Request is sent to the Red Hat Transit Gateway, which then connects to a Red Hat VPC per region. The VPC that receives the request will be dependent on the target private cluster’s region. Within the VPC, there is a private subnet which contains the PrivateLink endpoint to the customer’s PrivateLink cluster.
28+
29+
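Review bot: The NLB sentence in new line 25 ("a specific set of IPs of which the fleet management plane contains") does not parse; suggest "accept connections only from a specific set of IP addresses, which includes those of the fleet management plane." In the same item, "encrypted HTTP connection on port 6443" reads more precisely as "TLS-encrypted (HTTPS) connection on port 6443", since the sentence is describing API server connections. New line 17 needs an article: "a request to refresh an ID token". Finally, the list opens at the `**` level with no enclosing `*` item; starting the four steps at `*` and nesting the two access methods at `**` keeps the AsciiDoc nesting conventional and renders as a plain top-level list.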

osd_architecture/osd_policy/osd-sre-access.adoc

Lines changed: 2 additions & 0 deletions
@@ -4,4 +4,6 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
44
[id="osd-sre-access"]
55
= SRE and service account access
66

7+
toc::[]
78
include::modules/how-service-accounts-assume-aws-iam-roles-in-sre-owned-projects.adoc[leveloffset=+1]
9+
include::modules/sre-cluster-access.adoc[leveloffset=+1]
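Review bot: The new include is unconditional in this OSD assembly, yet the module it pulls in describes AWS-specific paths (Network Load Balancer on port 6443, Red Hat Transit Gateway, per-region VPC, PrivateLink endpoint) with no `ifdef` guard apart from the "(ROSA)" product wording; confirm those paths apply to every platform this assembly covers, or wrap the PrivateLink item in the same `ifdef::openshift-rosa[]` conditional the module already uses. Placing the include after the existing service-account module is fine.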

rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc

Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
44
[id="rosa-sre-access"]
55
= SRE and service account access
66

7-
Red Hat site reliability engineering (SRE) access to ROSA clusters is outlined through identity and access management.
7+
Red Hat site reliability engineering (SRE) access to ROSA clusters is outlined through identity and access management.
88

99
include::modules/rosa-policy-identity-access-management.adoc[leveloffset=+1]
1010
include::modules/rosa-sre-access-privatelink-vpc.adoc[leveloffset=+1]
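Review bot: The new module's header comment lists `rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc` as an including assembly, but this file gains no `include::modules/sre-cluster-access.adoc[leveloffset=+1]` line in either hunk (its 2 additions are both unchanged-text `-`/`+` pairs), so the ROSA assembly will not render the new "SRE cluster access" section; either add the include here, for example after `include::modules/rosa-sre-access-privatelink-vpc.adoc[leveloffset=+1]`, or correct the module comment. The change to line 7 itself is invisible in the diff (identical text on both sides), so it is a whitespace or line-ending edit; drop it unless intended, to keep the PR to its stated scope.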
@@ -14,4 +14,4 @@ include::modules/how-service-accounts-assume-aws-iam-roles-in-sre-owned-projects
1414
.Additional resources
1515

1616
* For more information about the AWS IAM roles used by the cluster Operators, see xref:../../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-operator-roles_rosa-sts-about-iam-resources[Cluster-specific Operator IAM role reference].
17-
* For more information about the policies and permissions that the cluster Operators require, see xref:../../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies-creation-methods_rosa-sts-about-iam-resources[Methods of account-wide role creation].
17+
* For more information about the policies and permissions that the cluster Operators require, see xref:../../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies-creation-methods_rosa-sts-about-iam-resources[Methods of account-wide role creation].
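Review bot: Line 17 is another `-`/`+` pair with identical visible text (the xref and link text match character for character), so this is a trailing-whitespace or end-of-file newline change; if it adds a missing final newline it is worth keeping, otherwise revert it so the diff only carries the SRE cluster access content the PR title describes.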
