Requirements for Customer Cloud Subscriptions

LAST UPDATED: January 24, 2019

Red Hat OpenShift Dedicated Customer Cloud Subscription Requirements

Overview

This document specifies the AWS Organization SCP and IAM Policies, Identity Providers, and Roles for the AWS account hosting the OpenShift Dedicated (OSD) cluster on Customer Cloud Subscription, supported by Red Hat OpenShift Service Reliability Engineers (SRE).

Any IAM Policy, Identity Provider, or Role not specified in this document may be deleted by Red Hat OpenShift SRE.

[Figure 1: customer-cloud-subscription-fig-1]

The AWS Organization managed by the Customer hosts multiple AWS Accounts. There is a root account in the organization that all accounts ultimately refer to in the account hierarchy.

In order for OSD to be hosted in an AWS Account in this AWS Organization, a Service Control Policy (SCP) is created that manages what services the account is permitted to access. The SCP applies only to the OSD Account. All other accounts in the customer’s AWS Organization are managed in whatever manner the customer requires. Red Hat SRE will not have any control of SCP within the AWS Organization.

Within the OSD Account, IAM roles are created that permit AWS Console access by the Customer and SRE to administer the account. In addition to AWS Console access, SRE requires SSH access to all OpenShift nodes. Requirements for ingress are documented later in this document.

[Figure 2: customer-cloud-subscription-fig-2]

Access Requirements

  • Customer must provide SRE root user access to the OSD Account.
    • Customer sets the email address to one that SRE provides.
    • SRE resets root user password.
    • NOTES
      • This does not provide SRE access to anything outside of this individual AWS Account.
      • Any workload other than OSD run in this account, including resources that applications on the OSD cluster might need, may be terminated by SRE automation.
  • SRE must have SSH access to all OpenShift nodes from SRE bastion hosts.
    • SRE bastion hosts are deployed in an SRE managed AWS account.
    • Access via SRE bastion hosts is over the public internet.
    • OpenShift node access via SSH is limited to SRE bastion hosts via AWS Security Group.
  • SRE must have AWS Console access to the AWS Account hosting the OSD cluster.
    • Access is federated via Red Hat SSO to the admin role outlined in this document.
    • Red Hat user authorization is managed by SRE per customer account.
  • Customer may have AWS Console access to administer a subset of the AWS Account hosting the OSD cluster.
    • Access is federated via AWS Account federation to the customer-admin role outlined in this document.
    • Customer is responsible for managing authentication and authorization to this role via account federation.
  • Customer should have AWS Console access with read-only access to the AWS Account hosting the OSD cluster.
    • Access is federated via AWS Account federation to the read-only role outlined in this document.
    • Customer is responsible for managing authentication and authorization to this role via account federation.

OSD Service Control Policy

Service Control Policy (SCP) management is the responsibility of the customer. These policies are maintained in the AWS Organization and control what services are available within the attached AWS Accounts.

Priority   Service                         Actions                              Effect
Required   Amazon EC2                      All                                  Allow
Required   Amazon EC2 Auto Scaling         All                                  Allow
Required   Amazon S3                       All                                  Allow
Required   Identity and Access Management  All                                  Allow
Required   Elastic Load Balancing          All                                  Allow
Required   Elastic Load Balancing V2       All                                  Allow
Required   AWS Direct Connect              All                                  Allow
Required   Amazon CloudWatch               All                                  Allow
Required   Amazon CloudWatch Events        All                                  Allow
Required   Amazon CloudWatch Logs          All                                  Allow
Required   AWS Support                     All                                  Allow
Required   AWS Key Management Service      All                                  Allow
Required   AWS Security Token Service      All                                  Allow
Required   AWS Cost and Usage Report       All                                  Allow
Required   AWS Cost Explorer Service       All                                  Allow
Required   AWS Billing                     ViewAccount, ViewBilling, ViewUsage  Allow

Detail

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1543327396000",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327408000",
            "Effect": "Allow",
            "Action": [
                "autoscaling:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327417000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327428000",
            "Effect": "Allow",
            "Action": [
                "iam:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327652000",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327656000",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1546616571000",
            "Effect": "Allow",
            "Action": [
                "directconnect:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327666000",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327671000",
            "Effect": "Allow",
            "Action": [
                "events:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327675000",
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327772000",
            "Effect": "Allow",
            "Action": [
                "support:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327781000",
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1548175905000",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327792000",
            "Effect": "Allow",
            "Action": [
                "cur:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327798000",
            "Effect": "Allow",
            "Action": [
                "ce:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327831000",
            "Effect": "Allow",
            "Action": [
                "aws-portal:ViewAccount",
                "aws-portal:ViewBilling",
                "aws-portal:ViewUsage"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
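As an added example (not part of this Red Hat document), a minimal evaluator for the allow-list semantics of the SCP above: an action is usable in the OSD account only if some Allow statement matches it and no Deny statement does, so anything outside the listed service namespaces is blocked at the Organization level regardless of IAM grants. The policy embedded below is the SCP shown above condensed into two statements; the workload action lists are constructed for illustration.

```python
import fnmatch

# The OSD SCP shown above, condensed into two statements (same actions, same
# "*" resources; the per-service Sids are dropped). Merging statements does
# not change SCP semantics.
OSD_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [p + ":*" for p in (
        "ec2", "autoscaling", "s3", "iam", "elasticloadbalancing",
        "directconnect", "cloudwatch", "events", "logs", "support", "kms",
        "sts", "cur", "ce")]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "aws-portal:ViewAccount", "aws-portal:ViewBilling",
        "aws-portal:ViewUsage"]},
]}


def _as_list(value):
    """IAM accepts a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def scp_permits(scp, action):
    """Return True if `action` is usable at all in an account under `scp`.

    SCP evaluation has no implicit allow: an action is usable only if some
    Allow statement matches it and no Deny statement matches it. IAM action
    matching is case-insensitive with `*` and `?` wildcards, which fnmatch
    reproduces. NotAction and Condition elements are not handled here (the
    OSD SCP uses neither), and Resource is ignored because it is "*" throughout.
    """
    allowed = False
    for stmt in scp["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed


def audit_actions(scp, actions):
    """Map each action a workload needs to whether the SCP permits it, so a
    deployment can be checked against the OSD allow-list before it is attempted."""
    return {a: scp_permits(scp, a) for a in actions}
```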

IAM Policies

All policies documented here are developed for OSD 3.11. The policies are subject to modification as the capabilities of OpenShift change.

AdministratorAccess

The AdministratorAccess policy is used by the “admin” role. It provides SRE the access necessary to administer the OSD cluster in the AWS Account.

Detail
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

CustomerAdministratorAccess

The CustomerAdministratorAccess policy, used by the “customer-admin” role, provides the customer access to administer a subset of services within the AWS Account. At this time, the following are allowed:

  • VPC Peering
  • VPN Setup
  • Direct Connect
  • AWS Support

Detail
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "customer-admin-policy",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVpnGateway",
                "ec2:DescribeVpnConnections",
                "ec2:AcceptVpcPeeringConnection",
                "ec2:DeleteVpcPeeringConnection",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:CreateVpnConnectionRoute",
                "ec2:RejectVpcPeeringConnection",
                "ec2:DetachVpnGateway",
                "ec2:DeleteVpnConnectionRoute",
                "ec2:DeleteVpnGateway",
                "ec2:DescribeVpcs",
                "ec2:CreateVpnGateway",
                "ec2:ModifyVpcPeeringConnectionOptions",
                "ec2:DeleteVpnConnection",
                "ec2:CreateVpcPeeringConnection",
                "ec2:DescribeVpnGateways",
                "ec2:CreateVpnConnection",
                "support:*",
                "directconnect:*"
            ],
            "Resource": "*"
        }
    ]
}

BillingReadOnlyAccess

The BillingReadOnlyAccess policy, used by the “read-only” role, provides read-only access to billing and usage information for the account, if that access is enabled.

Billing and usage access is granted only if the root account of the AWS Organization has it enabled. This is an optional step the customer must perform to enable read-only billing and usage access; it does not affect creation of this policy or the role that uses it. If it is not enabled, users of the role simply will not see billing and usage information. See this tutorial on how to enable access to billing data.

Detail
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-portal:ViewAccount",
                "aws-portal:ViewBilling"
            ],
            "Resource": "*"
        }
    ]
}

IAM Roles

admin

Role providing Red Hat OpenShift SRE administrative access to the AWS account via SAML federation.

Type: SAML 2.0 federation

Trust Relationship: arn:aws:iam::<Account ID>:saml-provider/ops_sso_saml

Policies:

  • AdministratorAccess

customer-admin

Role providing customer federated administrative access to the AWS account via a separate AWS account.

Type: AWS Account

Policies:

  • CustomerAdministratorAccess

read-only

Role providing customer federated read-only access to the AWS account via a separate AWS account.

Type: AWS Account

Policies:

  • AWSAccountUsageReportAccess
  • BillingReadOnlyAccess
  • AmazonEC2ReadOnlyAccess
  • AmazonS3ReadOnlyAccess
  • IAMReadOnlyAccess
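As an added example (not part of this document), a small audit that compares the IAM roles found in the OSD account with the three roles, trust types and attached policies listed above, in the spirit of the earlier note that anything not specified here may be removed by SRE. The trust policy documents and account IDs in it are constructed placeholders; the role and policy names are the ones this document lists, and the input shape assumes the caller has already collected each role's trust policy and attached policy names (for example from iam:ListRoles and iam:ListAttachedRolePolicies).

```python
# Expected role layout from this document: (Type, attached policy names).
EXPECTED_ROLES = {
    "admin": ("SAML 2.0 federation", {"AdministratorAccess"}),
    "customer-admin": ("AWS Account", {"CustomerAdministratorAccess"}),
    "read-only": ("AWS Account", {
        "AWSAccountUsageReportAccess", "BillingReadOnlyAccess",
        "AmazonEC2ReadOnlyAccess", "AmazonS3ReadOnlyAccess",
        "IAMReadOnlyAccess"}),
}

# Constructed trust policies for the two trust types above; account IDs are placeholders.
SAML_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
    "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/ops_sso_saml"},
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}
ACCOUNT_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]}


def classify_trust(trust_doc):
    """Map a role's trust policy to this document's Type values: a saml-provider
    principal with sts:AssumeRoleWithSAML, or an AWS principal with sts:AssumeRole."""
    labels = set()
    for stmt in trust_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal, actions = stmt.get("Principal", {}), stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "Federated" in principal and "sts:AssumeRoleWithSAML" in actions:
            labels.add("SAML 2.0 federation")
        elif "AWS" in principal and "sts:AssumeRole" in actions:
            labels.add("AWS Account")
    return labels


def audit_roles(account_roles):
    """account_roles: role name -> (trust policy dict, set of attached policy names).
    Returns findings; an empty list means the roles match this document."""
    findings = []
    for name, (trust, policies) in account_roles.items():
        if name not in EXPECTED_ROLES:
            findings.append(f"unexpected role {name}")
            continue
        want_type, want_policies = EXPECTED_ROLES[name]
        if classify_trust(trust) != {want_type}:
            findings.append(f"{name}: trust type is not {want_type}")
        if policies != want_policies:
            findings.append(f"{name}: extra={sorted(policies - want_policies)} "
                            f"missing={sorted(want_policies - policies)}")
    for name in sorted(EXPECTED_ROLES.keys() - account_roles.keys()):
        findings.append(f"missing role {name}")
    return findings
```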