
Commit 69b44bb

Merge pull request #69335 from fmcdonal/OSDOCS-9050-OSD
OSDOCS-9050 Security groups changes for OSD files
2 parents 77c1de8 + 87dd3bb commit 69b44bb


10 files changed (+26 / -8 lines changed)


cli_reference/rosa_cli/rosa-manage-objects-cli.adoc

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ include::modules/rosa-create-objects.adoc[leveloffset=+1]
1818
* See xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-instance-types_rosa-service-definition[AWS Instance types] for a list of supported instance types.
1919
* See xref:../../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference] for a list of IAM roles needed for cluster creation.
2020
* See xref:../../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-understanding-aws-account-association_rosa-sts-creating-a-cluster-with-customizations[Understanding AWS account association] for more information about the OCM role and user role.
21-
* See xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Security groups] for information about security group requirements.
21+
* See xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Additional custom security groups] for information about security group requirements.
2222

2323
include::modules/rosa-edit-objects.adoc[leveloffset=+1]
2424
include::modules/rosa-delete-objects.adoc[leveloffset=+1]
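Review bot: only the link text changes in this hunk; the anchor `#rosa-security-groups_prerequisites` in rosa-aws-prereqs.adoc is not touched by this PR, so confirm that the target section's heading actually reads "Additional custom security groups" in that file. If it still reads "Security groups", the renamed link text and the heading it lands on will disagree.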

modules/ccs-aws-provisioned.adoc

Lines changed: 8 additions & 0 deletions
@@ -84,3 +84,11 @@ image::VPC-Diagram.png[VPC Reference Architecture]
8484
== Security groups
8585

8686
AWS security groups provide security at the protocol and port-access level; they are associated with EC2 instances and Elastic Load Balancing. Each security group contains a set of rules that filter traffic coming in and out of an EC2 instance. You must ensure the ports required for the link:https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-user-infra.html#installation-aws-user-infra-other-infrastructure_installing-aws-user-infra[{OCP} installation] are open on your network and configured to allow access between hosts.
87+
88+
[id="osd-security-groups-custom_{context}"]
89+
=== Additional custom security groups
90+
When you create a cluster by using a non-managed VPC, you can add custom security groups during cluster creation. Custom security groups are subject to the following limitations:
91+
92+
* You must create the custom security groups in AWS before you create the cluster. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html[Amazon EC2 security groups for Linux instances].
93+
* You must associate the custom security groups with the VPC that the cluster will be installed into. Your custom security groups cannot be associated with another VPC.
94+
* You might need to request additional quota for your VPC if you are adding additional custom security groups. For information on requesting an AWS quota increase, see link:https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase].
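Review bot: the new "Additional custom security groups" list is missing two constraints that other hunks in this PR state and that every cross-reference sends readers here for: the cap of 5 additional custom security groups (release-notes hunk) and the rule that security groups cannot be added or edited after the cluster or machine pool is created (machine pool hunks). Both belong in this reference list so it is complete on its own. A sentence noting that custom groups are applied in addition to the groups already attached to the nodes, so their rules widen the effective inbound rule set rather than replace it, would also help readers write their rules conservatively. Separately, the unchanged context line above still links to the 4.7 {OCP} installation docs; worth refreshing while this module is open.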

modules/creating-a-machine-pool-cli.adoc

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ endif::openshift-rosa[]
4545
ifdef::openshift-rosa[]
4646
<8> Optional: Specifies the worker node disk size. The value can be in GB, GiB, TB, or TiB. Replace `<disk_size>` with a numeric value and unit, for example `--disk-size=200GiB`.
4747
<9> Optional: For Multi-AZ clusters, you can create a machine pool in a Single-AZ of your choice. Replace `<az>` with a Single-AZ.
48-
<10> Optional: For machine pools in clusters that do not have Red Hat managed VPCs, you can select additional custom security groups to use in your machine pools. You must have already created the security groups and associated them with the VPC you selected for this cluster. You cannot add or edit security groups after you create the machine pool. For more information, see the requirements for _Security groups_ under _Additional resources_.
48+
<10> Optional: For machine pools in clusters that do not have Red Hat managed VPCs, you can select additional custom security groups to use in your machine pools. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups after you create the machine pool. For more information, see the requirements for security groups in the "Additional resources" section.
4949
endif::openshift-rosa[]
5050
+
5151
[IMPORTANT]
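Review bot: callout <10> now sends readers to "the requirements for security groups in the "Additional resources" section", but the link in that section (rosa-managing-worker-nodes.adoc, renamed in this same PR) is titled "Additional custom security groups"; naming that link text here, for example `see "Additional custom security groups" in the "Additional resources" section`, makes the reference unambiguous when the list grows.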

modules/creating-a-machine-pool-ocm.adoc

Lines changed: 3 additions & 3 deletions
@@ -98,9 +98,9 @@ Creating a machine pool with taints is only possible if the cluster already has
9898
Alternatively, you can add the node labels and taints after you create the machine pool.
9999
====
100100

101-
ifdef::openshift-rosa[]
102-
. Optional: Select additional custom security groups to use for nodes in this machine pool. You must have already created the security groups and associated them with the VPC you selected for this cluster. You cannot add or edit security groups after you create the machine pool. For more information, see the requirements for _Security groups_ under _Additional resources_.
103-
endif::openshift-rosa[]
101+
ifdef::openshift-rosa,openshift-dedicated[]
102+
. Optional: Select additional custom security groups to use for nodes in this machine pool. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups after you create the machine pool. For more information, see the requirements for security groups in the "Additional resources" section.
103+
endif::openshift-rosa,openshift-dedicated[]
104104

105105
ifdef::openshift-dedicated[]
106106
. Optional: If you deployed {product-title} on AWS using the Customer Cloud Subscription (CCS) model, use Amazon EC2 Spot Instances if you want to configure your machine pool to deploy machines as non-guaranteed AWS Spot Instances:
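Review bot: widening the conditional to `openshift-rosa,openshift-dedicated` makes this step appear in every OSD build, including OSD on GCP, while the new reference section in ccs-aws-provisioned.adoc and the `ifdef::osd-on-aws[]` guard in osd-create-cluster-ccs.adoc scope custom security groups to AWS clusters with a non-managed (CCS) VPC. Either guard this step with the AWS-only attribute as well, or state in the step, as the CLI callout does, that it applies only to clusters that do not have Red Hat managed VPCs.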

modules/osd-create-cluster-ccs.adoc

Lines changed: 7 additions & 0 deletions
@@ -279,6 +279,13 @@ ifdef::osd-on-gcp[]
279279
If you are installing a cluster into a Shared VPC, the VPC name and subnets are shared from the host project.
280280
====
281281
endif::osd-on-gcp[]
282+
ifdef::osd-on-aws[]
283+
.. Optional: Expand *Additional security groups* and select additional custom security groups to apply to nodes in the machine pools that are created by default. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups to the default machine pools after you create the cluster.
284+
+
285+
By default, the security groups you specify are added for all node types. Clear the *Apply the same security groups to all node types* checkbox to apply different security groups for each node type.
286+
+
287+
For more information, see the requirements for _Security groups_ under _Additional resources_.
288+
endif::osd-on-aws[]
282289
. If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the *Cluster-wide proxy* page:
283290
+
284291
--
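Review bot: the last added line keeps the `_Security groups_ under _Additional resources_` phrasing that the other hunks in this PR replace with `see the requirements for security groups in the "Additional resources" section`, and the link actually added to creating-an-aws-cluster.adoc is titled "Additional custom security groups"; align the wording here so the text names a link that exists on the page.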

osd_cluster_admin/osd_nodes/osd-managing-worker-nodes.adoc

Lines changed: 1 addition & 0 deletions
@@ -22,6 +22,7 @@ include::modules/rosa-osd-node-label-about.adoc[leveloffset=+1]
2222
.Additional resources
2323

2424
* For more information about labels, see link:https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/[Kubernetes Labels and Selectors overview].
25+
* For more information about custom additional security group requirements, see xref:../../osd_planning/aws-ccs.adoc#osd-security-groups-custom_aws-ccs[Additional custom security groups].
2526
2627
include::modules/rosa-adding-node-labels.adoc[leveloffset=+2]
2728
include::modules/rosa-adding-taints.adoc[leveloffset=+1]
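Review bot: this xref resolves to `osd-security-groups-custom_aws-ccs` only if `{context}` is `aws-ccs` at the point where aws-ccs.adoc includes ccs-aws-provisioned.adoc; the aws-ccs.adoc hunk in this PR adds only a blank line, so check that the assembly sets `:context: aws-ccs` before that include. On placement, the link is added to the "Additional resources" that follows the node-label module, whereas the ROSA assembly hunk puts the equivalent link directly after creating-a-machine-pool-ocm.adoc, where the new security-group step lives; the same placement here would keep the two assemblies parallel.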

osd_install_access_delete_cluster/creating-an-aws-cluster.adoc

Lines changed: 1 addition & 0 deletions
@@ -27,3 +27,4 @@ include::modules/osd-create-cluster-red-hat-account.adoc[leveloffset=+1]
2727
* For information about load balancers for {product-title}, see the xref:../osd_architecture/osd_policy/osd-service-definition.adoc#load-balancers_osd-service-definition[Load balancers] section in the {product-title} service definition.
2828
* For more information about etcd encryption, see the xref:../osd_architecture/osd_policy/osd-service-definition.adoc#etcd-encryption_osd-service-definition[etcd encryption service definition].
2929
* For information about the end-of-life dates for {product-title} versions, see the xref:../osd_architecture/osd_policy/osd-life-cycle.adoc#osd-life-cycle[{product-title} update life cycle].
30+
* For information about the requirements for custom additional security groups, see xref:../osd_planning/aws-ccs.adoc#osd-security-groups-custom_aws-ccs[Additional custom security groups].
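Review bot: "custom additional security groups" here (and in the osd-managing-worker-nodes.adoc hunk) inverts the term used by the section it links to, "Additional custom security groups"; use one form throughout so readers searching the docs find the feature under a single name.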

osd_planning/aws-ccs.adoc

Lines changed: 1 addition & 0 deletions
@@ -22,4 +22,5 @@ include::modules/osd-aws-privatelink-firewall-prerequisites.adoc[leveloffset=+2]
2222

2323
* xref:../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring]
2424
25+
2526
include::modules/aws-limits.adoc[leveloffset=+1]
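Review bot: whitespace-only change: the single addition at line 25 is blank, so either an intended xref or include for the new custom security groups section is missing here, or the change should be dropped to keep the diff to the files it actually affects.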

rosa_cluster_admin/rosa_nodes/rosa-managing-worker-nodes.adoc

Lines changed: 2 additions & 2 deletions
@@ -16,13 +16,13 @@ include::modules/creating-a-machine-pool-ocm.adoc[leveloffset=+2]
1616

1717
[role="_additional-resources"]
1818
.Additional resources
19-
* xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Security groups]
19+
* xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Additional custom security groups]
2020
2121
include::modules/creating-a-machine-pool-cli.adoc[leveloffset=+2]
2222

2323
[role="_additional-resources"]
2424
.Additional resources
25-
* xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Security groups]
25+
* xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Additional custom security groups]
2626
2727
include::modules/configuring-machine-pool-disk-volume.adoc[leveloffset=+1]
2828
include::modules/configuring-machine-pool-disk-volume-ocm.adoc[leveloffset=+2]

rosa_release_notes/rosa-release-notes.adoc

Lines changed: 1 addition & 1 deletion
@@ -22,7 +22,7 @@ toc::[]
2222

2323
* **ROSA CLI update.** The ROSA CLI (`rosa`) was updated to a new version. For information about what has changed in this release, see the link:https://github.com/openshift/rosa/releases/tag/v1.2.31[ROSA CLI release notes]. For more information about the ROSA CLI (`rosa`), see xref:../cli_reference/rosa_cli/rosa-get-started-cli.adoc#rosa-about_rosa-getting-started-cli[About the ROSA CLI].
2424

25-
* **Configure custom security groups.** With the release of ROSA CLI (`rosa`) version 1.2.31, administrators can use the `rosa create cluster` and `rosa create machinepool` commands to configure a new cluster or a new machine pool with up to 5 additional custom security groups. Additionally, administrators can create a new machine pool with up to 5 additional custom security groups by using OpenShift Cluster Manager. Configuring custom security groups gives administrators greater control over resource access in new clusters and machine pools. For more information, see xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Security groups].
25+
* **Configure custom security groups.** With the release of ROSA CLI (`rosa`) version 1.2.31, administrators can use the `rosa create` command or the OpenShift Cluster Manager to create a new cluster or a new machine pool with up to 5 additional custom security groups. Configuring custom security groups gives administrators greater control over resource access in new clusters and machine pools. For more information, see xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Security groups].
2626

2727
* **Command update.** With the release of ROSA CLI (`rosa`) version 1.2.28, a new command, `rosa describe machinepool`, was added that allows you to check detailed information regarding a specific ROSA cluster machine pool. For more information, see xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-describe-machinepool_rosa-managing-objects-cli[describe machinepool].
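Review bot: `rosa create` on its own is not a complete command; the removed line named `rosa create cluster` and `rosa create machinepool`, which is what readers need to copy. The rewrite also now states that OpenShift Cluster Manager can create a new cluster with custom security groups, whereas the previous text limited OCM to machine pools; verify that before widening the claim. Finally, this xref keeps the link text "Security groups" while every other hunk in the PR renames the same anchor to "Additional custom security groups".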
2828
