LAST UPDATED: September 29, 2020
Red Hat OpenShift Dedicated (OSD) provides a Customer Cloud Subscription (CCS) model that allows Red Hat to deploy and manage OpenShift Dedicated into a customer's AWS account. Red Hat requires several prerequisites be met in order to provide this service. This document is intended to outline our prerequisites, procedural requirements, and also provide a guide to the AWS resources and Identity and Access Management (IAM) users, roles, policies, and identity providers that will be provisioned as part of this service. This service is supported by Red Hat Site Reliability Engineers (SRE).
Figure 1. Red Hat recommended AWS Organization and Account structure
Red Hat recommends the usage of an AWS Organization to manage multiple AWS accounts.
The AWS Organization managed by the customer hosts multiple AWS accounts. There is a root account in the organization that all accounts ultimately refer to in the account hierarchy.
The best practice for OSD CCS is for the cluster to be hosted in an AWS account within an AWS Organizational Unit. An SCP is created and applied to the Organizational Unit that manages what services the AWS sub-accounts are permitted to access. The SCP applies only to available permissions within a single AWS account for all AWS sub-accounts within the Organizational Unit. It is also possible to apply an SCP to a single AWS account. All other accounts in the customer's AWS Organization are managed in whatever manner the customer requires. Red Hat SRE will not have any control over SCPs within the AWS Organization.
Figure 2. AWS configuration procedure
Service Control Policy (SCP) management is the responsibility of the customer. These policies are maintained in the AWS Organization and control what services are available within the attached AWS accounts.
Requirement | Service | Actions | Effect |
---|---|---|---|
Required | Amazon EC2 | All | Allow |
Required | Amazon EC2 Auto Scaling | All | Allow |
Required | Amazon S3 | All | Allow |
Required | Identity And Access Management | All | Allow |
Required | Elastic Load Balancing | All | Allow |
Required | Elastic Load Balancing V2 | All | Allow |
Required | Amazon CloudWatch | All | Allow |
Required | Amazon CloudWatch Events | All | Allow |
Required | Amazon CloudWatch Logs | All | Allow |
Required | AWS Support | All | Allow |
Required | AWS Key Management Service | All | Allow |
Required | AWS Security Token Service | All | Allow |
Required | AWS Resource Tagging | All | Allow |
Required | AWS Route53 DNS | All | Allow |
Required | AWS Service Quotas | ListServices, GetRequestedServiceQuotaChange, GetServiceQuota, RequestServiceQuotaIncrease, ListServiceQuotas | Allow |
Optional | AWS Billing | ViewAccount, ViewBilling, ViewUsage | Allow |
Optional | AWS Cost and Usage Report | All | Allow |
Optional | AWS Cost Explorer Service | All | Allow |
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["autoscaling:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticloadbalancing:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["cloudwatch:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["events:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["logs:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["support:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["kms:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["sts:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["tag:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["route53:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicequotas:ListServices",
        "servicequotas:GetRequestedServiceQuotaChange",
        "servicequotas:GetServiceQuota",
        "servicequotas:RequestServiceQuotaIncrease",
        "servicequotas:ListServiceQuotas"
      ],
      "Resource": ["*"]
    }
  ]
}
```
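Because an SCP with only Allow statements acts as an allow-list for the attached accounts, it is worth checking a candidate SCP against the required-services table before attaching it to the Organizational Unit. The script below is an added example for this page, not Red Hat tooling: it evaluates each required and optional action against the policy's Allow and Deny statements with IAM wildcard semantics, flags Allow statements that AWS would reject (Resource other than "*", or a Condition), and runs on a constructed sample that collapses the SCP above into one statement and adds a Deny on KMS to show how a deny shows up. The IAM prefixes aws-portal, cur and ce for the optional billing services are this example's mapping of the table's console names.

```python
"""Check an AWS Service Control Policy (SCP) document against the services that
OSD CCS requires. Added example for this page, not Red Hat tooling."""
import fnmatch
import json

# Services from the requirements table, keyed by IAM service prefix. "*" stands
# for the table's "All"; AWS Service Quotas lists individual actions instead.
REQUIRED = {
    "ec2": ["*"], "autoscaling": ["*"], "s3": ["*"], "iam": ["*"],
    "elasticloadbalancing": ["*"], "cloudwatch": ["*"], "events": ["*"],
    "logs": ["*"], "support": ["*"], "kms": ["*"], "sts": ["*"],
    "tag": ["*"], "route53": ["*"],
    "servicequotas": ["ListServices", "GetRequestedServiceQuotaChange",
                      "GetServiceQuota", "RequestServiceQuotaIncrease",
                      "ListServiceQuotas"],
}
# Optional billing services. The prefixes aws-portal, cur and ce are this
# example's mapping of the table's console names to IAM prefixes.
OPTIONAL = {
    "aws-portal": ["ViewAccount", "ViewBilling", "ViewUsage"],
    "cur": ["*"], "ce": ["*"],
}


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statements(policy, effect):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == effect]


def action_allowed(policy, action):
    """SCP evaluation for one action: some Allow statement must match it and no
    Deny statement may match it. A Deny with NotAction denies everything else."""
    for stmt in _statements(policy, "Deny"):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            return False
        not_action = _as_list(stmt.get("NotAction"))
        if not_action and not any(_matches(p, action) for p in not_action):
            return False
    return any(_matches(p, action)
               for stmt in _statements(policy, "Allow")
               for p in _as_list(stmt.get("Action")))


def syntax_warnings(policy):
    """Allow statements in an SCP must use Resource "*" and carry no Condition;
    AWS rejects the policy otherwise, so flag that before trying to attach it."""
    warnings = []
    for i, stmt in enumerate(_statements(policy, "Allow")):
        if _as_list(stmt.get("Resource")) != ["*"]:
            warnings.append(f'Allow statement {i}: Resource must be "*"')
        if "Condition" in stmt:
            warnings.append(f"Allow statement {i}: Condition is not permitted")
    return warnings


def check_scp(policy):
    """Return the required and optional actions the SCP does not allow."""
    def missing(table):
        return [f"{svc}:{act}" for svc, acts in table.items() for act in acts
                if not action_allowed(policy, f"{svc}:{act}")]
    return {
        "missing_required": missing(REQUIRED),
        "missing_optional": missing(OPTIONAL),
        "warnings": syntax_warnings(policy),
    }


# Constructed sample: the page's SCP collapsed into one Allow statement, plus a
# Deny on KMS to show how a deny elsewhere in the policy is reported.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:*", "autoscaling:*", "s3:*", "iam:*",
                    "elasticloadbalancing:*", "cloudwatch:*", "events:*",
                    "logs:*", "support:*", "kms:*", "sts:*", "tag:*",
                    "route53:*", "servicequotas:ListServices",
                    "servicequotas:GetRequestedServiceQuotaChange",
                    "servicequotas:GetServiceQuota",
                    "servicequotas:RequestServiceQuotaIncrease",
                    "servicequotas:ListServiceQuotas"]},
        {"Effect": "Deny", "Resource": "*", "Action": "kms:*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(check_scp(SAMPLE_SCP), indent=2))
```

To check a real policy, load the SCP document you intend to attach with `json.load` and pass it to `check_scp`; a non-empty `missing_required` list means the cluster install will hit access denials under that SCP, and `missing_optional` entries only affect the billing views. The "All" probes test whether a service prefix is allowed as a whole, so a Deny on a single action (for example one EC2 action) is reported only if you probe that action with `action_allowed` directly.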
The below sections define AWS resources that Red Hat is responsible for creating.
These policies are subject to modification as the capabilities of OpenShift Dedicated change.
The AdministratorAccess policy is used by the "admin" role. It provides Red Hat the access necessary to administer the OSD cluster in the customer-provided AWS account.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
The CustomerAdministratorAccess role provides the customer access to administer a subset of services within the AWS account. At this time, the following are allowed:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVpnGateway",
        "ec2:DescribeVpnConnections",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:DeleteVpcPeeringConnection",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:CreateVpnConnectionRoute",
        "ec2:RejectVpcPeeringConnection",
        "ec2:DetachVpnGateway",
        "ec2:DeleteVpnConnectionRoute",
        "ec2:DeleteVpnGateway",
        "ec2:DescribeVpcs",
        "ec2:CreateVpnGateway",
        "ec2:ModifyVpcPeeringConnectionOptions",
        "ec2:DeleteVpnConnection",
        "ec2:CreateVpcPeeringConnection",
        "ec2:DescribeVpnGateways",
        "ec2:CreateVpnConnection",
        "ec2:DescribeRouteTables",
        "ec2:CreateTags",
        "ec2:CreateRoute",
        "directconnect:*"
      ],
      "Resource": "*"
    }
  ]
}
```
The BillingReadOnlyAccess role provides read-only access to view billing and usage information for the account if it is enabled.
Billing and usage access is only granted if the root account in the AWS Organization has it enabled. This is an optional step the customer must perform to enable read-only billing and usage access and does not impact the creation of this profile and the role that uses it. If not enabled, the impact is that users will not see billing and usage information. See this tutorial on how to enable access to billing data.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewAccount",
        "aws-portal:ViewBilling"
      ],
      "Resource": "*"
    }
  ]
}
```
This user is created immediately after taking control of the customer-provided AWS account. This is the user that will be performing the OSD cluster install.
This role provides customer-federated administrative access to the AWS account via a separate AWS account. It also has the same access as the read-only role.
Type: AWS account
Policies:
This role provides customer-federated read-only access to the AWS account via a separate AWS account.
Type: AWS account
Policies:
This is an overview of the OpenShift Dedicated-specific deployments. For a more detailed listing of all AWS components provisioned, refer to the OpenShift Container Platform documentation.
AWS EC2 instances are required for deploying control plane and data plane functions of OpenShift Dedicated in the AWS public cloud.
Amazon EBS block storage is used for both local node storage and persistent volume storage.
Volume requirements for each EC2 instance:
Up to two Network Elastic Load Balancers (ELBs) for the API and up to two Classic ELBs for the application router. See here for more details on ELBs.
The image registry and EBS volume snapshots are backed by AWS S3 storage. Pruning of resources is performed regularly to optimize S3 usage and cluster performance.
Buckets required: 2
Typical size: 2TB each
Customers should expect to see one VPC per cluster. Additionally, the VPC will need the following configurations:
AWS security groups are associated with EC2 instances and Elastic Load Balancers and provide security at the protocol and port access level. Each security group, working much the same way as a firewall, contains a set of rules that filter traffic coming into and out of an EC2 instance. You must ensure the ports required for OpenShift installation listed here are open on your network and configured to allow access between hosts.
LAST UPDATED: December 2, 2020
Red Hat OpenShift Dedicated (OSD) provides a Customer Cloud Subscription (CCS) model that allows Red Hat to deploy and manage OpenShift Dedicated into a customer's Google Cloud account. Red Hat requires several prerequisites be met in order to provide this service. This document is intended to outline our prerequisites, procedural requirements, and also provide a guide to the Google Cloud resources and Identity and Access Management (IAM) users, roles, policies, and identity providers that will be provisioned as part of this service. This service is supported by Red Hat Site Reliability Engineers (SRE).
Red Hat recommends the usage of a Google Cloud (GCP) project, managed by the customer, to organize all of your GCP resources. A project consists of a set of users and APIs, as well as billing, authentication, and monitoring settings for those APIs.
It is a best practice for the OpenShift Dedicated CCS cluster to be hosted in a GCP project within a GCP organization. The Organization resource is the root node of the GCP resource hierarchy, and all resources that belong to an organization are grouped under the organization node. An IAM service account with certain roles granted is created and applied to the GCP project. When you make calls to the API, you typically provide service account keys for authentication. Each service account is owned by a specific project, but service accounts can be granted roles to access resources in other projects.
The CCS model allows Red Hat to deploy and manage OpenShift managed services into a customer’s Google Cloud (GCP) project. Red Hat requires several prerequisites in order to provide these services.
The organization policy constraint constraints/iam.allowedPolicyMemberDomains cannot be in place.
The following API services are required:

API service | Console service name |
---|---|
Cloud Deployment Manager V2 API | deploymentmanager.googleapis.com |
Compute Engine API | compute.googleapis.com |
Google Cloud APIs | cloudapis.googleapis.com |
Cloud Resource Manager API | cloudresourcemanager.googleapis.com |
Google DNS API | dns.googleapis.com |
IAM Service Account Credentials API | iamcredentials.googleapis.com |
Identity and Access Management (IAM) API | iam.googleapis.com |
Service Management API | servicemanagement.googleapis.com |
Service Usage API | serviceusage.googleapis.com |
Google Cloud Storage JSON API | storage-api.googleapis.com |
Cloud Storage | storage-component.googleapis.com |
Create an osd-ccs-admin IAM service account user within the Google Cloud project and grant it the following roles:

Role | Console role name |
---|---|
DNS Admin | roles/dns.admin |
Organizational Policy Viewer | roles/orgpolicy.policyViewer |
Owner | roles/owner |
Project IAM Admin | roles/resourcemanager.projectIamAdmin |
Service Management Administrator | roles/servicemanagement.admin |
Service Usage Admin | roles/serviceusage.serviceUsageAdmin |
Storage Admin | roles/storage.admin |
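Before uploading the service account key to OCM, it is useful to verify the three prerequisites above in one pass: the required APIs are enabled, the osd-ccs-admin service account holds every required role, and the domain-restriction constraint is not in effect on the project. The script below is an added example for this page, not Red Hat tooling. It takes the JSON that `gcloud services list --enabled --format=json`, `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud resource-manager org-policies describe constraints/iam.allowedPolicyMemberDomains --project PROJECT --effective --format=json` produce; the exact shape of those documents, the project name example-project, and the sample inputs are assumptions constructed for the example.

```python
"""Check a Google Cloud project against the OSD CCS prerequisites listed on this
page. Added example, not Red Hat tooling. The input documents mimic gcloud
--format=json output; their exact shape is an assumption of this example."""
import json

# Required APIs and roles, copied from the two tables above.
REQUIRED_APIS = {
    "deploymentmanager.googleapis.com", "compute.googleapis.com",
    "cloudapis.googleapis.com", "cloudresourcemanager.googleapis.com",
    "dns.googleapis.com", "iamcredentials.googleapis.com", "iam.googleapis.com",
    "servicemanagement.googleapis.com", "serviceusage.googleapis.com",
    "storage-api.googleapis.com", "storage-component.googleapis.com",
}
REQUIRED_ROLES = {
    "roles/dns.admin", "roles/orgpolicy.policyViewer", "roles/owner",
    "roles/resourcemanager.projectIamAdmin", "roles/servicemanagement.admin",
    "roles/serviceusage.serviceUsageAdmin", "roles/storage.admin",
}
DOMAIN_CONSTRAINT = "constraints/iam.allowedPolicyMemberDomains"


def enabled_api_names(services):
    """Entries from `gcloud services list --enabled --format=json` carry config.name."""
    return {svc["config"]["name"] for svc in services}


def roles_for_member(iam_policy, member):
    """Bindings from `gcloud projects get-iam-policy PROJECT --format=json`."""
    return {b["role"] for b in iam_policy.get("bindings", [])
            if member in b.get("members", [])}


def domain_constraint_in_place(org_policy):
    """Effective policy for the constraint. Any list restriction (allowed or
    denied values, or allValues DENY) means the domain restriction is in force."""
    lp = org_policy.get("listPolicy") or {}
    return bool(lp.get("allowedValues") or lp.get("deniedValues")
                or lp.get("allValues") == "DENY")


def check_prerequisites(services, iam_policy, sa_email, org_policy):
    """Report missing APIs, missing roles on the service account, and whether
    the domain constraint is in place; ok is True only when all three pass."""
    member = f"serviceAccount:{sa_email}"
    result = {
        "missing_apis": sorted(REQUIRED_APIS - enabled_api_names(services)),
        "missing_roles": sorted(REQUIRED_ROLES - roles_for_member(iam_policy, member)),
        "domain_constraint_in_place": domain_constraint_in_place(org_policy),
    }
    result["ok"] = not (result["missing_apis"] or result["missing_roles"]
                        or result["domain_constraint_in_place"])
    return result


# Constructed sample inputs for a hypothetical project "example-project":
# one API not enabled, one role not granted, and the constraint in place.
SA_EMAIL = "osd-ccs-admin@example-project.iam.gserviceaccount.com"
SAMPLE_SERVICES = [{"config": {"name": n}, "state": "ENABLED"}
                   for n in sorted(REQUIRED_APIS - {"dns.googleapis.com"})]
SAMPLE_IAM_POLICY = {
    "bindings": [{"role": r, "members": [f"serviceAccount:{SA_EMAIL}"]}
                 for r in sorted(REQUIRED_ROLES - {"roles/orgpolicy.policyViewer"})]
    + [{"role": "roles/viewer", "members": ["user:auditor@example.com"]}],
    "etag": "BwXconstructed=", "version": 1,
}
SAMPLE_ORG_POLICY = {"constraint": DOMAIN_CONSTRAINT,
                     "listPolicy": {"allowedValues": ["C0example123"]}}

if __name__ == "__main__":
    print(json.dumps(check_prerequisites(SAMPLE_SERVICES, SAMPLE_IAM_POLICY,
                                         SA_EMAIL, SAMPLE_ORG_POLICY), indent=2))
```

Against the constructed sample the check reports dns.googleapis.com as not enabled, roles/orgpolicy.policyViewer as not granted, and the domain constraint as in place, so ok is False. Role membership is matched on the literal `serviceAccount:` member string, so a role granted through a group the service account belongs to is not counted; that is deliberate, since the roles on this page are expected to be bound to the service account directly.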
Create a key for the osd-ccs-admin IAM service account and export it to a file named osServiceAccount.json; this JSON file is uploaded in OpenShift Cluster Manager (OCM) when you create your cluster.
Red Hat is responsible for creating the following Google Cloud resources.
The osd-managed-admin IAM service account is created immediately after taking control of the customer-provided GCP account. This is the user that will be performing the OpenShift Dedicated cluster install.
The following roles are attached to the service account:
The sd-sre-platform-gcp-access Google group is created to allow Red Hat Site Reliability Engineering (SRE) access to the console for emergency troubleshooting purposes.
The following roles are attached to the group: