
Requirements for Customer Cloud Subscriptions

LAST UPDATED: January 24, 2019

Red Hat OpenShift Dedicated Customer Cloud Subscription Requirements

Overview 

This document specifies the AWS Organization Service Control Policies (SCP), IAM Policies, Identity Providers, and Roles for the AWS account hosting the OpenShift Dedicated (OSD) cluster using Bring-Your-Own-Cloud (BYOC). This service is supported by Red Hat OpenShift Service Reliability Engineers (SRE).

NOTE: Any IAM Policy, Identity Provider, or Role not specified in this document may be deleted by Red Hat OpenShift SRE.

[Figure: customer-cloud-subscription-fig-1]

The AWS Organization managed by the customer hosts multiple AWS accounts. There is a root account in the organization that all accounts ultimately refer to in the account hierarchy.

In order for OSD to be hosted in an AWS account in this AWS Organization, an SCP is created that manages what services the account is permitted to access. The SCP applies only to the OSD account. All other accounts in the customer’s AWS Organization are managed in whatever manner the customer requires. Red Hat SRE will not have any control over SCPs within the AWS Organization.

Within the OSD account, IAM roles are created that permit AWS Console access by the Customer and SRE to administer the account. In addition to AWS Console access, SRE requires SSH access to all OpenShift nodes. Requirements for ingress are documented later in this document.

[Figure: byoc-fig-2-1]

Account Requirements

  • All BYOC accounts are in AWS.
  • Customer has an Enterprise support plan with AWS.
  • Customer AWS account is in an AWS Organization that supports Service Control Policies.
  • Customer AWS account cannot be transferred to SRE.
  • Customer creates and attaches the SCP to the account from within their AWS Organization. See SCP Service Control Policy section for details.
  • Customer sets account email address to the one provided by SRE. This is used by SRE to reset the password and obtain root access.
  • Customer will not impose restrictions on AWS usage on the SRE team. Imposing limits would severely hinder SRE’s ability to respond to incidents.
  • Customer pays all AWS costs incurred by SRE to provision, upgrade, support, and operate their OSD cluster to AWS directly.
  • SRE will terminate any services and resources running in the OSD account that are not required for hosting OSD.

Access Requirements

  • SRE must have root user access to the AWS account.
    • This does not provide SRE access to anything outside of this individual AWS account.
  • SRE must have SSH access to all OpenShift nodes from SRE bastion hosts.
    • SRE bastion hosts are deployed in an SRE managed AWS account.
    • Access via SRE bastion hosts is over the public internet.
    • OpenShift node access over SSH is limited to SRE bastion hosts via an AWS Security Group.
  • SRE must have AWS Console access to the AWS account hosting the OSD cluster.
    • Access is federated via Red Hat SSO to the admin role outlined in this document.
    • Red Hat user authorization is managed by SRE per customer account.
  • SRE must have standard access granted with any OSD customer cluster, such as API access with the cluster-admin role.
  • SRE must not have access to any non-OSD resources that may be made available to the cluster by way of VPN, VPC Peering, or AWS Direct Connect.
  • Customer must not have root user access to the AWS account.
  • Customer must not request access to the root user from AWS Support.
  • Customer must not have SSH access to any EC2 Instances in the AWS account.
  • Customer may have AWS Console access to administer a subset of the AWS account hosting the OSD cluster.
    • Access is federated via AWS account federation to the customer-admin role outlined in this document.
    • Customer is responsible for managing authentication and authorization to this role via account federation.
  • Customer should have AWS Console access with read-only access to the AWS account hosting the OSD cluster.
    • Access is federated via AWS account federation to the read-only role outlined in this document.
    • Customer is responsible for managing authentication and authorization to this role via account federation.
  • Customer must have standard access granted to any OSD customer, such as API access and assignment of dedicated-admin to a customer provided set of users.

Support Requirements

  • SRE is not responsible for OSD outages caused by Customer’s failure to pay AWS.
  • SRE has authority from Customer to request AWS resource limit increases on the Customer’s account.
  • SRE has authority from Customer to request AWS support on behalf of the Customer.
  • Customer’s OSD cluster is administered the same as other OSD clusters managed by SRE and has the same restrictions, limitations, expectations, and defaults unless otherwise specified in this requirements section. Of specific note:
    • System logs are forwarded to a Red Hat managed central logging stack.
    • SRE deploys Red Hat Insights on all OSD clusters.

Security Requirements

  • Credentials used to access resources in the AWS account:
    • are unique to the account
    • are securely accessed by SRE
    • are not stored anywhere in the Customer’s account
  • Customer cannot read data in persistent storage (EBS, S3, EFS, etc.) directly via any mechanism.
  • Snapshots are maintained within the account and region of the OSD cluster.
  • Ingress
    • SSH access from privileged hosts (Bastion & Ansible Tower) must be allowed.
    • API access from an SRE management VPC must be allowed.
  • Egress
    • System logs are forwarded to a Red Hat managed central logging stack.
    • No customer data leaves the OSD VPC in the customer’s AWS account.
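The ingress requirement above (SSH to OpenShift nodes only from SRE bastion hosts, enforced with an AWS Security Group) is a control worth auditing on a schedule rather than trusting once. The following Python is an added example, not part of the Red Hat document: it takes security groups in the shape returned by ec2:DescribeSecurityGroups (here a constructed sample, not a live API call) and reports any ingress rule that exposes port 22 to a source outside an assumed allow-list of bastion CIDRs. The bastion addresses and group IDs are placeholders.

```python
import ipaddress

# Assumed allow-list of SRE bastion sources (hypothetical TEST-NET addresses,
# not the real bastion hosts; substitute the CIDRs supplied by SRE).
BASTION_CIDRS = ["198.51.100.0/24", "203.0.113.10/32"]

# Constructed sample in the shape of ec2:DescribeSecurityGroups output
# (trimmed to the fields the check needs). The group IDs are placeholders.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0000000000000001",
        "GroupName": "osd-node-ssh",
        "IpPermissions": [
            {
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "198.51.100.0/24"}, {"CidrIp": "203.0.113.10/32"}],
                "Ipv6Ranges": [], "UserIdGroupPairs": [],
            }
        ],
    },
    {
        "GroupId": "sg-0000000000000002",
        "GroupName": "osd-node-ssh-misconfigured",
        "IpPermissions": [
            {   # SSH open to the world: violates the bastion-only requirement
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
            },
            {   # "all traffic" rule: AWS lists no ports for it, but it still covers SSH
                "IpProtocol": "-1",
                "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
            },
        ],
    },
]


def covers_ssh(permission):
    """True if this ingress rule admits TCP/22 (protocol -1 means all traffic)."""
    proto = permission["IpProtocol"]
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return permission.get("FromPort", 0) <= 22 <= permission.get("ToPort", 65535)


def find_ssh_violations(groups, bastion_cidrs):
    """Return (group_id, source) pairs for SSH ingress from outside the bastion allow-list."""
    allowed = [ipaddress.ip_network(c) for c in bastion_cidrs]
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if not covers_ssh(perm):
                continue
            # IPv4 and IPv6 CIDR sources: each must sit inside some bastion network
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                src = ipaddress.ip_network(rng.get("CidrIp") or rng.get("CidrIpv6"))
                if not any(src.version == net.version and src.subnet_of(net) for net in allowed):
                    findings.append((sg["GroupId"], str(src)))
            # A security-group source cannot be shown to be bastion-only from this
            # data alone, so it is flagged for manual review rather than trusted
            for pair in perm.get("UserIdGroupPairs", []):
                findings.append((sg["GroupId"], "sg:" + pair["GroupId"]))
    return findings


if __name__ == "__main__":
    for group_id, source in find_ssh_violations(SAMPLE_SECURITY_GROUPS, BASTION_CIDRS):
        print(f"{group_id}: SSH reachable from {source} (not an SRE bastion source)")
```

In practice the input would be the JSON from `aws ec2 describe-security-groups` for the OSD account; the check flags the world-open rule and the all-traffic rule in the second group and reports nothing for the correctly scoped first group.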

AWS Organization

Within the AWS Organization the Customer is responsible for managing a Service Control Policy (SCP) that grants sufficient permissions for SRE to manage the OSD cluster. This policy is only attached to the AWS account in the AWS Organization that is hosting OSD. The policy does not impact any other accounts in the organization.


NOTE: All policies documented here are developed for OSD 3.11. The policies are subject to modification as the capabilities of OpenShift change.

OSD Service Control Policy

Service Control Policy (SCP) management is the responsibility of the customer. These policies are maintained in the AWS Organization and control what services are available within the attached AWS Accounts.

Priority   Service                            Actions        Effect
Required   Amazon EC2                         All            Allow
Required   Amazon EC2 Auto Scaling            All            Allow
Required   Amazon S3                          All            Allow
Required   Identity and Access Management     All            Allow
Required   Elastic Load Balancing             All            Allow
Required   Elastic Load Balancing V2          All            Allow
Required   AWS Direct Connect                 All            Allow
Required   Amazon CloudWatch                  All            Allow
Required   Amazon CloudWatch Events           All            Allow
Required   Amazon CloudWatch Logs             All            Allow
Required   AWS Support                        All            Allow
Required   AWS Key Management Service         All            Allow
Required   AWS Security Token Service         All            Allow
Required   AWS Cost and Usage Report          All            Allow
Required   AWS Cost Explorer Service          All            Allow
Required   AWS Billing                        ViewAccount,   Allow
                                              ViewBilling,
                                              ViewUsage


Detail

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1543327396000",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327408000",
            "Effect": "Allow",
            "Action": [
                "autoscaling:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327417000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327428000",
            "Effect": "Allow",
            "Action": [
                "iam:*"
            ],
            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1543327652000",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327656000",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1546616571000",
            "Effect": "Allow",
            "Action": [
                "directconnect:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327666000",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327671000",
            "Effect": "Allow",
            "Action": [
                "events:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327675000",
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327772000",
            "Effect": "Allow",
            "Action": [
                "support:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327781000",
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1548175905000",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327792000",
            "Effect": "Allow",
            "Action": [
                "cur:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327798000",
            "Effect": "Allow",
            "Action": [
                "ce:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1543327831000",
            "Effect": "Allow",
            "Action": [
                "aws-portal:ViewAccount",
                "aws-portal:ViewBilling",
                "aws-portal:ViewUsage"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

IAM Policies

All policies documented here are developed for OSD 3.11. The policies are subject to modification as the capabilities of OpenShift change.

AdministratorAccess

The AdministratorAccess policy is used by the “admin” role. It provides SRE the access necessary to administer the OSD cluster in the AWS Account.

Detail
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

CustomerAdministratorAccess

The CustomerAdministratorAccess policy, used by the “customer-admin” role, provides the customer access to administer a subset of services within the AWS Account. At this time, the following are allowed:

  • VPC Peering

  • VPN Setup

  • Direct Connect

  • AWS Support

Detail
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "customer-admin-policy",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVpnGateway",
                "ec2:DescribeVpnConnections",
                "ec2:AcceptVpcPeeringConnection",
                "ec2:DeleteVpcPeeringConnection",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:CreateVpnConnectionRoute",
                "ec2:RejectVpcPeeringConnection",
                "ec2:DetachVpnGateway",
                "ec2:DeleteVpnConnectionRoute",
                "ec2:DeleteVpnGateway",
                "ec2:DescribeVpcs",
                "ec2:CreateVpnGateway",
                "ec2:ModifyVpcPeeringConnectionOptions",
                "ec2:DeleteVpnConnection",
                "ec2:CreateVpcPeeringConnection",
                "ec2:DescribeVpnGateways",
                "ec2:CreateVpnConnection",
                "ec2:DescribeRouteTables",
                "ec2:CreateTags",
                "ec2:CreateRoute",
                "support:*",
                "directconnect:*"
            ],
            "Resource": "*"
        }
    ]
}

BillingReadOnlyAccess

The BillingReadOnlyAccess policy, used by the “read-only” role, provides read-only access to view billing and usage information for the account if billing access is enabled.


Billing and usage access is only granted if the root account in the AWS Organization has it enabled. This is an optional step the customer must perform to enable read-only billing and usage access; it does not impact creation of this policy or the role that uses it. If it is not enabled, users will simply not see billing and usage information. See this tutorial on how to enable access to billing data.

Detail
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-portal:ViewAccount",
                "aws-portal:ViewBilling"
            ],
            "Resource": "*"
        }
    ]
}
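The SCP and the IAM policies in this document interact: the SCP bounds what any principal in the OSD account can do at all, and the policy attached to a role bounds it further, so a role's effective permission is the intersection of the two. The Python below is an added example, not Red Hat's code or an AWS library: it implements that intersection for the Action element only (Resource, Condition, NotAction, permission boundaries and resource-based policies are deliberately left out, so it is a teaching model, not a replacement for the IAM policy simulator) and probes a few actions against abbreviated copies of the SCP, AdministratorAccess and CustomerAdministratorAccess documents shown above.

```python
import fnmatch

# Abbreviated copy of the OSD Service Control Policy from this document
# (same statement shape, fewer services listed, to keep the example short).
OSD_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["support:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["directconnect:*"], "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["aws-portal:ViewAccount", "aws-portal:ViewBilling", "aws-portal:ViewUsage"],
         "Resource": ["*"]},
    ],
}

# AdministratorAccess policy as shown above (attached to the "admin" role).
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "*", "Resource": "*", "Effect": "Allow"}],
}

# Abbreviated CustomerAdministratorAccess policy (attached to "customer-admin").
CUSTOMER_ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "customer-admin-policy", "Effect": "Allow",
         "Action": ["ec2:CreateVpcPeeringConnection", "ec2:DescribeVpcs",
                    "ec2:CreateVpnGateway", "support:*", "directconnect:*"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policy, action):
    """Evaluate one policy document's Action elements for a single action.

    Returns 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (no statement matched).
    An explicit Deny wins over any Allow, as in IAM.
    """
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(statement.get("Action", []))):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(scp, identity_policy, action):
    """Simplified effective-permission check for a role in the OSD account.

    Both the SCP and the role's identity policy must allow the action, and
    neither may explicitly deny it. Real evaluation also considers Resource,
    Condition, NotAction, permission boundaries, session and resource-based
    policies, and the SCPs at every OU level between the root and the account.
    """
    return (policy_decision(scp, action) == "Allow"
            and policy_decision(identity_policy, action) == "Allow")


def effective_permissions(scp, identity_policy, actions):
    """Map each probed action to its simplified decision for one role policy."""
    return {a: is_allowed(scp, identity_policy, a) for a in actions}


if __name__ == "__main__":
    probes = ["ec2:RunInstances", "rds:CreateDBInstance",
              "ec2:CreateVpcPeeringConnection", "directconnect:CreateConnection"]
    for role, policy in (("admin", ADMINISTRATOR_ACCESS),
                         ("customer-admin", CUSTOMER_ADMINISTRATOR_ACCESS)):
        for action, ok in effective_permissions(OSD_SCP, policy, probes).items():
            print(f"{role:15} {action:35} {'allowed' if ok else 'denied'}")
```

Two results are the ones worth internalising: the "admin" role's `"Action": "*"` still cannot create an RDS instance, because the SCP never allows the rds service, and "customer-admin" can set up peering and Direct Connect but cannot run EC2 instances even though the SCP allows all of ec2. One operational caveat: AWS Organizations attaches the default FullAWSAccess SCP to every account and OU, and allows from SCPs at the same level are unioned, so an allow-list SCP like this one only restricts the OSD account if FullAWSAccess has been detached from that account and every SCP on the path from the organization root also allows the action.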

IAM Identity Providers

Any Identity Providers not specified here will be deleted from the AWS account.

ops_sso_saml

This is the SAML provider used to federate access for SRE administration of the account.

Detail

SAML identity provider metadata provided at time of integration.

IAM Roles

admin

Role providing Red Hat OpenShift SRE administrative access to the AWS account via SAML federation.

Type:  SAML 2.0 federation

Trust Relationship:  arn:aws:iam::<Account ID>:saml-provider/ops_sso_saml

Policies:

  • AdministratorAccess


customer-admin

Role providing customer federated administrative access to the AWS account via a separate AWS account.

Type:  AWS Account

Policies:

  • CustomerAdministratorAccess


read-only

Role providing customer federated read-only access to the AWS account via a separate AWS account.

Type:  AWS Account

Policies:

  • AWSAccountUsageReportAccess

  • BillingReadOnlyAccess

  • AmazonEC2ReadOnlyAccess

  • AmazonS3ReadOnlyAccess

  • IAMReadOnlyAccess