Table of Contents
- Overview of responsibilities for OpenShift Dedicated
- Shared responsibility matrix by area and task
- Customer responsibilities when using OpenShift Dedicated
OpenShift Dedicated Responsibilities
This document outlines Red Hat, cloud provider, and customer responsibilities for the OpenShift Dedicated managed service. For more information about OpenShift Dedicated and its components, please refer to the OpenShift Dedicated Service Definition.
Overview of responsibilities for OpenShift Dedicated
While Red Hat manages the OpenShift Dedicated service, the customer shares responsibility for certain aspects of it. OpenShift Dedicated clusters are accessed remotely, hosted on public cloud resources, created in either Red Hat-owned or customer-owned cloud service provider accounts, and have underlying platform and data security that is owned by Red Hat.
NOTE: If cluster-admin is enabled on a cluster, please see the responsibilities and exclusion notes in Red Hat Enterprise Agreement Appendix 4 (Online Subscription Services).
| Resource | Incident and Operations Management | Change Management | Identity and Access Management | Security and Regulation Compliance | Disaster Recovery |
|---|---|---|---|---|---|
| Customer data | Customer | Customer | Customer | Customer | Customer |
| Customer applications | Customer | Customer | Customer | Customer | Customer |
| Developer services | Customer | Customer | Customer | Customer | Customer |
| Platform monitoring | Red Hat | Red Hat | Red Hat | Red Hat | Red Hat |
| Logging | Red Hat | Shared | Shared | Shared | Red Hat |
| Application networking | Shared | Shared | Shared | Red Hat | Red Hat |
| Cluster networking | Red Hat | Shared | Shared | Red Hat | Red Hat |
| Virtual networking | Shared | Shared | Shared | Shared | Shared |
| Master and infrastructure nodes | Red Hat | Red Hat | Red Hat | Red Hat | Red Hat |
| Worker nodes | Red Hat | Red Hat | Red Hat | Red Hat | Red Hat |
| Cluster Version | Red Hat | Shared | Red Hat | Red Hat | Red Hat |
| Capacity Management | Red Hat | Shared | Red Hat | Red Hat | Red Hat |
| Virtual Storage | Red Hat and cloud provider | Red Hat and cloud provider | Red Hat and cloud provider | Red Hat and cloud provider | Red Hat and cloud provider |
| Physical Infrastructure and Security | Cloud provider | Cloud provider | Cloud provider | Cloud provider | Cloud provider |

Table 1. Responsibilities by resource
Shared responsibility matrix by area and task
Incident and operations management
The customer and Red Hat share responsibility for the monitoring and maintenance of an OpenShift Dedicated cluster. The customer is responsible for incident and operations management of customer application data and any custom networking the customer may have configured for the cluster network or virtual network.
Application networking
Red Hat responsibilities:
- Monitor cloud load balancer(s) and the native OpenShift router service, and respond to alerts.
Customer responsibilities:
- Monitor the health of service load balancer endpoints.
- Monitor the health of application routes and the endpoints behind them.
- Report outages to Red Hat.

Virtual networking
Red Hat responsibilities:
- Monitor cloud load balancers, subnets, and public cloud components necessary for default platform networking, and respond to alerts.
Customer responsibilities:
- Monitor network traffic that is optionally configured via VPC to VPC connection, VPN connection, or Direct connection for potential issues or security threats.

Table 2. Shared responsibilities for incident and operations management
Change management
Red Hat is responsible for enabling changes to the cluster infrastructure and services that the customer will control, as well as maintaining versions for the master nodes, infrastructure nodes and services, and worker nodes. The customer is responsible for initiating infrastructure change requests and for installing and maintaining optional services and networking configurations on the cluster, as well as all changes to customer data and customer applications.
Logging
Red Hat responsibilities:
- Centrally aggregate and monitor platform audit logs.
- Provide and maintain a logging operator to enable the customer to deploy a logging stack for default application logging.
- Provide audit logs upon customer request.
Customer responsibilities:
- Install the optional default application logging operator on the cluster.
- Install, configure, and maintain any optional application logging solutions, such as logging sidecar containers or third-party logging applications.
- Tune the size and frequency of application logs produced by customer applications if they are affecting the stability of the logging stack or the cluster.
- Request platform audit logs through a support case for researching specific incidents.

Application networking
Red Hat responsibilities:
- Set up public cloud load balancers. Provide the ability to set up private load balancers and up to one additional load balancer when required.
- Set up the native OpenShift router service. Provide the ability to set the router as private and add up to one additional router shard.
- Install, configure, and maintain OpenShift SDN components for default internal pod traffic.
- Provide the ability for the customer to manage NetworkPolicy and EgressNetworkPolicy (firewall) objects.
Customer responsibilities:
- Configure non-default pod network permissions for project and pod networks, pod ingress, and pod egress using NetworkPolicy objects.
- Use OpenShift Cluster Manager to request a private load balancer for default application routes.
- Use OpenShift Cluster Manager to configure up to one additional public or private router shard and corresponding load balancer.
- Request and configure any additional service load balancers for specific services.
- Configure any necessary DNS forwarding rules.

Cluster networking
Red Hat responsibilities:
- Set up cluster management components, such as public or private service endpoints and necessary integration with virtual networking components.
- Set up internal networking components required for internal cluster communication between worker, infrastructure, and master nodes.
Customer responsibilities:
- Provide optional non-default IP address ranges for the machine CIDR, service CIDR, and pod CIDR, if needed, through OpenShift Cluster Manager when the cluster is provisioned.
- Request that the API service endpoint be made public or private on cluster creation or after cluster creation through OpenShift Cluster Manager.

Virtual networking
Red Hat responsibilities:
- Set up and configure virtual networking components required to provision the cluster, including the virtual private cloud, subnets, load balancers, internet gateways, NAT gateways, and so on.
- Provide the ability for the customer to manage VPN connectivity with on-premises resources, VPC to VPC connectivity, and Direct connectivity as required through OpenShift Cluster Manager.
- Enable customers to create and deploy public cloud load balancers for use with service load balancers.
Customer responsibilities:
- Set up and maintain optional public cloud networking components, such as VPC to VPC connection, VPN connection, or Direct connection.
- Request and configure any additional service load balancers for specific services.

Cluster Version
Red Hat responsibilities:
- Communicate the schedule and status of upgrades for minor and maintenance versions.
- Publish changelogs and release notes for minor and maintenance upgrades.
Customer responsibilities:
- Work with Red Hat to establish maintenance start times for upgrades.
- Test customer applications on minor and maintenance versions to ensure compatibility.

Capacity Management
Red Hat responsibilities:
- Monitor utilization of the control plane (master nodes and infrastructure nodes).
- Scale and/or resize control plane nodes to maintain quality of service.
- Monitor utilization of customer resources, including network, storage, and compute capacity. Where autoscaling features are not enabled, alert the customer to any changes required to cluster resources (for example, new compute nodes to scale, additional storage, and so on).
Customer responsibilities:
- Use the provided OpenShift Cluster Manager controls to add or remove additional worker nodes as required.
- Respond to Red Hat notifications regarding cluster resource requirements.

Table 3. Shared responsibilities for change management
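The application networking row above makes the customer responsible for non-default pod network permissions via NetworkPolicy objects. The following is an added example of what that looks like for one project; it is not configuration from the OpenShift Dedicated documentation or from Red Hat. The project name `shop`, the pod label `app=web`, the container port `8080`, and the assumption that the cluster's router namespace (`openshift-ingress`) carries the label `network.openshift.io/policy-group: ingress` are all assumptions for the example. The three policies together deny all ingress to the project's pods, then re-allow only intra-project traffic and traffic from the OpenShift router, so routes keep working while other projects can no longer reach the pods directly.

```yaml
# Added example, not from the OpenShift Dedicated documentation.
# Assumed names: project "shop", app pods labelled app=web listening on
# TCP 8080, router namespace labelled network.openshift.io/policy-group=ingress.
---
# 1. Default deny: an empty podSelector matches every pod in the project,
#    and listing only Ingress in policyTypes means all inbound traffic is
#    dropped unless another policy in this namespace allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2. Allow pods within the same project to talk to each other. A bare
#    podSelector inside "from" is scoped to this namespace only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: shop
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
---
# 3. Allow only the OpenShift router (the namespace carrying the
#    policy-group=ingress label) to reach the web pods, and only on the
#    port the application serves. Exposed routes keep working; nothing
#    else in the cluster can bypass the router and hit the pods directly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
    ports:
    - protocol: TCP
      port: 8080
```

Apply the file with `oc apply -f` while logged in to the project, then confirm with `oc get networkpolicy -n shop` that all three objects exist; policies are additive, so a typo in the allow rules shows up as a working default-deny and a broken route rather than as a rejected object. One caveat to check before rolling this out: a default-deny ingress policy also blocks cluster monitoring from scraping the project's pods, so a project that exposes metrics needs a matching allow rule for the monitoring namespace as well.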
Identity and Access management
The Identity and Access Management matrix includes responsibilities for managing authorized access to cluster, application, and infrastructure resources. This includes tasks such as providing access control mechanisms, authentication, authorization, and managing access to resources.
Logging
Red Hat responsibilities:
- Adhere to an industry standards-based tiered internal access process for platform audit logs.
- Provide native OpenShift RBAC capabilities.
Customer responsibilities:
- Configure OpenShift RBAC to control access to projects and, by extension, a project's application logs.
- For third-party or custom application logging solutions, the customer is responsible for access management.

Application networking
Red Hat responsibilities:
- Provide native OpenShift RBAC and dedicated-admin capabilities.
Customer responsibilities:
- Configure OpenShift dedicated-admins and RBAC to control access to route configuration as required.
- Manage Org Admins for the Red Hat organization to grant access to OpenShift Cluster Manager. OCM is used to configure router options and provide service load balancer quota.

Cluster networking
Red Hat responsibilities:
- Provide customer access controls through OpenShift Cluster Manager.
- Provide native OpenShift RBAC and dedicated-admin capabilities.
Customer responsibilities:
- Manage Red Hat organization membership of Red Hat accounts.
- Manage Org Admins for the Red Hat organization to grant access to OpenShift Cluster Manager.
- Configure OpenShift dedicated-admins and RBAC to control access to route configuration as required.

Virtual networking
Red Hat responsibilities:
- Provide customer access controls through OpenShift Cluster Manager.
Customer responsibilities:
- Manage optional user access to public cloud components through OpenShift Cluster Manager.

Table 4. Shared responsibilities for identity and access management
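The logging row above leaves it to the customer to use OpenShift RBAC to control who can read a project's application logs. The following is an added example, not configuration from the page or from Red Hat, of project-scoped RBAC that does this with least privilege. The project name `shop`, the identity-provider group `shop-developers`, and the service account `log-forwarder` (standing in for a customer-managed log sidecar or forwarder) are assumptions. Developers get the built-in `view` ClusterRole bound at project scope, which covers `oc logs` but grants no write access and no access to Secrets; the forwarder gets a custom Role limited to reading pods and pod logs and nothing else.

```yaml
# Added example, not from the OpenShift Dedicated documentation.
# Assumed names: project "shop", group "shop-developers",
# service account "log-forwarder".
---
# Bind the built-in "view" ClusterRole to the developer group, scoped to
# this project only by using a RoleBinding rather than a ClusterRoleBinding.
# "view" includes get/list on pods and pods/log (what "oc logs" needs) but
# excludes Secrets and all write verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-view
  namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: shop-developers
---
# A narrower Role for an automated log reader: it can enumerate pods and
# fetch their logs, and nothing else in the project (no ConfigMaps, no
# Secrets, no exec, no writes).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-log-reader
  namespace: shop
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-forwarder-pod-log-reader
  namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-log-reader
subjects:
- kind: ServiceAccount
  name: log-forwarder
  namespace: shop
```

After applying, verify the boundary rather than assuming it: `oc auth can-i get pods/log -n shop --as=system:serviceaccount:shop:log-forwarder` should answer `yes`, while `oc auth can-i get secrets -n shop --as=system:serviceaccount:shop:log-forwarder` should answer `no` (impersonation with `--as` requires a caller that is allowed to impersonate, such as a dedicated-admin). One caveat when handing out `view`: it also allows reading ConfigMaps in the project, so credentials placed in ConfigMaps instead of Secrets become readable by everyone who can read the logs.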
Security and regulation compliance
The following includes responsibilities and controls related to security and regulation compliance.
Logging
Red Hat responsibilities:
- Send cluster audit logs to a Red Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.
Customer responsibilities:
- Analyze application logs for security events. Send application logs to an external endpoint through logging sidecar containers or third-party logging applications if longer retention is required than is offered by the default logging stack.

Virtual networking
Red Hat responsibilities:
- Monitor virtual networking components for potential issues and security threats.
- Leverage additional public cloud provider tools for additional monitoring and protection.
Customer responsibilities:
- Monitor optionally configured virtual networking components for potential issues and security threats.
- Configure any necessary firewall rules or data center protections as required.

Table 5. Shared responsibilities related to security and regulation compliance
Disaster recovery
Disaster recovery includes data and configuration backup, replicating data and configuration to the disaster recovery environment, and failover on disaster events.
Virtual networking
Red Hat responsibilities:
- Restore or recreate affected virtual network components that are necessary for the platform to function.
Customer responsibilities:
- Configure virtual networking connections with more than one tunnel where possible for protection against outages, as recommended by the public cloud provider.
- Maintain failover DNS and load balancing if using a global load balancer with multiple clusters.

Table 6. Shared responsibilities for disaster recovery
Customer responsibilities when using OpenShift Dedicated
Customer Data and Customer Applications
The customer is responsible for the applications, workloads, and data that they deploy to OpenShift Dedicated. However, Red Hat provides various tools to help the customer manage data and applications on the platform.
Customer Data
How Red Hat helps:
- Maintain platform-level standards for data encryption.
- Provide OpenShift components to help manage application data, such as secrets.
- Enable integration with third-party data services (such as AWS RDS or Google Cloud SQL) to store and manage data outside of the cluster and/or cloud provider.
Customer responsibilities:
- Maintain responsibility for all customer data stored on the platform and for how customer applications consume and expose this data.

Customer Applications
How Red Hat helps:
- Provision clusters with OpenShift components installed so that customers can access the OpenShift and Kubernetes APIs to deploy and manage containerized applications.
- Create clusters with image pull secrets so that customer deployments can pull images from the Red Hat Container Catalog registry.
- Provide access to OpenShift APIs that a customer can use to set up Operators to add community, third-party, and Red Hat services to the cluster.
- Provide storage classes and plug-ins to support persistent volumes for use with customer applications.
Customer responsibilities:
- (none listed)

Developer Services (CodeReady)
How Red Hat helps:
- Make CodeReady Workspaces available as an add-on through OpenShift Cluster Manager.
Customer responsibilities:
- Install, secure, and operate CodeReady Workspaces and the Developer CLI.

Table 7. Customer responsibilities for customer data, customer applications, and services