|
1 | 1 |
|
2 | 2 | // Module included in the following assemblies:
|
3 | 3 | //
|
4 |
| -// * rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc |
| 4 | +// * rosa_architecture/rosa_policy_service_definition/rosa-policy-shared-responsibility.adoc |
5 | 5 |
|
6 | 6 | [id="rosa-policy-change-management_{context}"]
|
7 | 7 | = Change management
|
8 | 8 |
|
9 |
| - |
10 | 9 | This section describes the policies about how cluster and configuration changes, patches, and releases are managed.
|
11 | 10 |
|
| 11 | +Red Hat is responsible for enabling changes to the cluster infrastructure and services that the customer will control, as well as maintaining versions for the control plane nodes, infrastructure nodes and services, and worker nodes. AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the |
| 12 | +AWS Cloud. The customer is responsible for initiating infrastructure change requests and installing and maintaining optional services and networking configurations on the cluster, as well as all changes to customer data and customer applications. |
| 13 | + |
12 | 14 | [id="rosa-policy-customer-initiated-changes_{context}"]
|
13 | 15 | == Customer-initiated changes
|
14 | 16 |
|
@@ -66,3 +68,160 @@ Because the required permissions can change between y-stream releases, the polic
|
66 | 68 | ====
|
67 | 69 |
|
68 | 70 | You can review the history of all cluster upgrade events in the {cluster-manager} web console. For more information about releases, see the link:https://access.redhat.com/support/policy/updates/openshift/dedicated[Life Cycle policy].
|
| 71 | + |
| 72 | +[cols="2a,3a,3a",options="header"] |
| 73 | +|=== |
| 74 | + |
| 75 | +|Resource |
| 76 | +|Service responsibilities |
| 77 | +|Customer responsibilities |
| 78 | + |
| 79 | +|Logging |
| 80 | +|**Red Hat** |
| 81 | + |
| 82 | +- Centrally aggregate and monitor platform audit logs. |
| 83 | + |
| 84 | +- Provide and maintain a logging Operator to enable the customer to deploy a logging stack for default application logging. |
| 85 | + |
| 86 | +- Provide audit logs upon customer request. |
| 87 | + |
| 88 | +|- Install the optional default application logging Operator on the cluster. |
| 89 | +- Install, configure, and maintain any optional application logging solutions, such as logging sidecar containers or third-party logging applications. |
| 90 | +- Tune size and frequency of application logs being produced by customer applications if they are affecting the stability of the logging stack or the cluster. |
| 91 | +- Request platform audit logs through a support case for researching specific incidents. |
| 92 | + |
| 93 | +|Application networking |
| 94 | +|**Red Hat** |
| 95 | + |
| 96 | +- Set up public load balancers. Provide the ability to set up private load balancers and up to one additional load balancer when required. |
| 97 | + |
| 98 | +- Set up native OpenShift router service. Provide the ability to set the router as private and add up to one additional router shard. |
| 99 | + |
| 100 | +- Install, configure, and maintain OpenShift SDN components for default internal pod traffic (for clusters created prior to version 4.11). |
| 101 | + |
| 102 | +- Provide the ability for the customer to manage `NetworkPolicy` and `EgressNetworkPolicy` (firewall) objects. |
| 103 | + |
| 104 | +|- Configure non-default pod network permissions for project and pod networks, pod ingress, and pod egress using `NetworkPolicy` objects. |
| 105 | +- Use {cluster-manager} to request a private load balancer for default application routes. |
| 106 | +- Use {cluster-manager} to configure up to one additional public or private router shard and corresponding load balancer. |
| 107 | +- Request and configure any additional service load balancers for specific services. |
| 108 | +- Configure any necessary DNS forwarding rules. |
| 109 | + |
| 110 | +|Cluster networking |
| 111 | +|**Red Hat** |
| 112 | + |
| 113 | +- Set up cluster management components, such as public or private service endpoints and necessary integration with Amazon VPC components. |
| 114 | + |
| 115 | +- Set up internal networking components required for internal cluster communication between worker, infrastructure, and control plane nodes. |
| 116 | + |
| 117 | +|- Provide optional non-default IP address ranges for machine CIDR, service CIDR, and pod CIDR if needed through {cluster-manager} when the cluster is provisioned. |
| 118 | +- Request that the API service endpoint be made public or private on cluster creation or after cluster creation through {cluster-manager}. |
| 119 | + |
| 120 | +|Virtual networking management |
| 121 | +|**Red Hat** |
| 122 | + |
| 123 | +- Set up and configure Amazon VPC components required to provision the cluster, such as subnets, load balancers, internet gateways, and NAT gateways. |
| 124 | + |
| 125 | +- Provide the ability for the customer to |
| 126 | +manage AWS VPN connectivity with on-premises resources, Amazon VPC-to-VPC connectivity, and AWS Direct Connect as required through {cluster-manager}. |
| 127 | + |
| 128 | +- Enable customers to create and deploy AWS load balancers for use with service load balancers. |
| 129 | + |
| 130 | +|- Set up and maintain optional Amazon VPC components, such as Amazon VPC-to-VPC connection, AWS VPN connection, or AWS Direct Connect. |
| 131 | +- Request and configure any additional service load balancers for specific services. |
| 132 | + |
| 133 | +|Virtual compute management |
| 134 | +|**Red Hat** |
| 135 | + |
| 136 | +- Set up and configure the ROSA control plane and data plane to use Amazon EC2 instances for cluster compute. |
| 137 | + |
| 138 | +- Monitor and manage the deployment of Amazon EC2 control plane and infrastructure nodes on the cluster. |
| 139 | + |
| 140 | +|- Monitor and manage Amazon EC2 worker nodes by creating a |
| 141 | +machine pool using the OpenShift Cluster Manager or the ROSA CLI (`rosa`). |
| 142 | +- Manage changes to customer-deployed applications and application data. |
| 143 | + |
| 144 | +|Cluster version |
| 145 | +|**Red Hat** |
| 146 | + |
| 147 | +- Enable upgrade scheduling process. |
| 148 | + |
| 149 | +- Monitor upgrade progress and remedy any issues encountered. |
| 150 | + |
| 151 | +- Publish change logs and release notes for patch release upgrades. |
| 152 | + |
| 153 | +|- Either set up automatic upgrades or schedule patch release upgrades immediately or for the future. |
| 154 | +- Acknowledge and schedule minor version upgrades. |
| 155 | +- Test customer applications on patch releases to ensure compatibility. |
| 156 | + |
| 157 | +|Capacity management |
| 158 | +|**Red Hat** |
| 159 | + |
| 160 | +- Monitor the use of the control plane. Control planes include control plane nodes and infrastructure nodes. |
| 161 | + |
| 162 | +- Scale and resize control plane nodes to maintain quality of service. |
| 163 | + |
| 164 | +| - Monitor worker node utilization and, if appropriate, enables the auto-scaling feature. |
| 165 | +- Determine the scaling strategy of the cluster. See the additional resources for more information on machine pools. |
| 166 | +- Use the provided {cluster-manager} controls to add or remove additional worker nodes as required. |
| 167 | +- Respond to Red Hat notifications regarding cluster resource requirements. |
| 168 | + |
| 169 | +|Virtual storage management |
| 170 | +|**Red Hat** |
| 171 | + |
| 172 | +- Set up and configure Amazon EBS to provision local node storage and persistent volume storage for the cluster. |
| 173 | + |
| 174 | +- Set up and configure the built-in image registry to use Amazon S3 bucket storage. |
| 175 | + |
| 176 | +- Regularly prune image registry resources in |
| 177 | +Amazon S3 to optimize Amazon S3 usage and cluster performance. |
| 178 | + |
| 179 | +| - Optionally configure the Amazon EBS CSI driver or the Amazon |
| 180 | +EFS CSI driver to provision persistent volumes on the cluster. |
| 181 | + |
| 182 | +|AWS software (public AWS services) |
| 183 | +|**AWS** |
| 184 | + |
| 185 | +**Compute:** Provide the Amazon EC2 service, used for |
| 186 | +ROSA control plane, infrastructure, and worker nodes. |
| 187 | + |
| 188 | +**Storage:** Provide Amazon EBS, used by ROSA to provision local node storage and persistent volume storage for the cluster. |
| 189 | + |
| 190 | +**Storage:** Provide Amazon S3, used for the ROSA service's |
| 191 | +built-in image registry. |
| 192 | + |
| 193 | +**Networking:** |
| 194 | +Provide the following AWS Cloud services, used by ROSA |
| 195 | +to satisfy virtual networking |
| 196 | +infrastructure needs: |
| 197 | + |
| 198 | +** Amazon VPC |
| 199 | +** Elastic Load Balancing |
| 200 | +** AWS IAM |
| 201 | + |
| 202 | +**Networking:** |
| 203 | +Provide the following AWS services, which customers can optionally integrate with ROSA: |
| 204 | + |
| 205 | +- AWS VPN |
| 206 | +- AWS Direct Connect |
| 207 | +- AWS PrivateLink |
| 208 | +- AWS Transit Gateway |
| 209 | + |
| 210 | +| - Sign requests using an access key ID and secret access key |
| 211 | +associated with an IAM principal or STS temporary security |
| 212 | +credentials. |
| 213 | +- Specify VPC subnets for the cluster to use during cluster |
| 214 | +creation. |
| 215 | +- Optionally configure a customer-managed VPC for use with ROSA clusters (required for PrivateLink and HCP clusters). |
| 216 | + |
| 217 | +|Hardware/AWS global infrastructure |
| 218 | +|**AWS** |
| 219 | + |
| 220 | +- For information regarding management controls for AWS data centers, see link:https://aws.amazon.com/compliance/data-center/controls[Our Controls] on the AWS Cloud Security page. |
| 221 | + |
| 222 | +- For information regarding change management best practices, see link:https://aws.amazon.com/solutions/guidance/change-management-on-aws/[Guidance for Change Management on AWS] in the AWS Solutions Library. |
| 223 | + |
| 224 | +|- Implement change management best practices for customer |
| 225 | +applications and data hosted on the AWS Cloud. |
| 226 | + |
| 227 | +|=== |
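Review bot: In the Capacity management row the first customer item, "Monitor worker node utilization and, if appropriate, enables the auto-scaling feature.", mixes imperative and third-person; change "enables" to "enable" to match every other item in the table. Three consistency nits in the same table: the Virtual compute management customer cell spells out "OpenShift Cluster Manager" where all other cells use the `{cluster-manager}` attribute; the AWS software cell lists the required networking services with `**` markers but the optional ones with `-` markers, so use one marker for both lists; and the customer cells for Capacity management, Virtual storage management and AWS software open with `| -` while the other rows open with `|-`, so make the cell prefixes uniform. Finally, the AWS software customer cell lists "Sign requests using an access key ID and secret access key associated with an IAM principal or STS temporary security credentials" as one item; splitting it into the long-lived IAM key case and the STS temporary credential case would make clearer that these are two different credential types the customer is responsible for.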