Responsibility assignment matrix - Policies and service definition | Introduction to ROSA

Overview of responsibilities for Red Hat OpenShift Service on AWS
Shared responsibility matrix
Customer responsibilities for data and applications

This documentation outlines Red Hat, cloud provider, and customer responsibilities for the Red Hat OpenShift Service on AWS (ROSA) managed service.

Overview of responsibilities for Red Hat OpenShift Service on AWS

While Red Hat and Amazon Web Services (AWS) manage the Red Hat OpenShift Service on AWS services, the customer shares certain responsibilities. The Red Hat OpenShift Service on AWS services are accessed remotely, hosted on public cloud resources, created in customer-owned AWS accounts, and have underlying platform and data security that is owned by Red Hat.

If the cluster-admin role is added to a user, see the responsibilities and exclusion notes in the Red Hat Enterprise Agreement Appendix 4 (Online Subscription Services).

Resource	Incident and operations management	Change management	Access and identity authorization	Security and regulation compliance	Disaster recovery
Customer data	Customer	Customer	Customer	Customer	Customer
Customer applications	Customer	Customer	Customer	Customer	Customer
Developer services	Customer	Customer	Customer	Customer	Customer
Platform monitoring	Red Hat	Red Hat	Red Hat	Red Hat	Red Hat
Logging	Red Hat	Red Hat and Customer	Red Hat and Customer	Red Hat and Customer	Red Hat
Application networking	Red Hat and Customer	Red Hat and Customer	Red Hat and Customer	Red Hat	Red Hat
Cluster networking	Red Hat	Red Hat and Customer	Red Hat and Customer	Red Hat	Red Hat
Virtual networking	Red Hat and Customer	Red Hat and Customer	Red Hat and Customer	Red Hat and Customer	Red Hat and Customer
Control plane and infrastructure nodes	Red Hat	Red Hat	Red Hat	Red Hat	Red Hat
Worker nodes	Red Hat	Red Hat	Red Hat	Red Hat	Red Hat
Cluster version	Red Hat	Red Hat and Customer	Red Hat	Red Hat	Red Hat
Capacity management	Red Hat	Red Hat and Customer	Red Hat	Red Hat	Red Hat
Virtual storage	Red Hat and AWS	Red Hat and AWS	Red Hat and AWS	Red Hat and AWS	Red Hat and AWS
Physical infrastructure and security	AWS	AWS	AWS	AWS	AWS

Resource

Incident and operations management

Change management

Access and identity authorization

Security and regulation compliance

Disaster recovery

Customer data

Customer

Customer applications

Customer

Developer services

Customer

Platform monitoring

Red Hat

Logging

Red Hat

Red Hat and Customer

Red Hat

Application networking

Red Hat and Customer

Red Hat

Cluster networking

Red Hat

Red Hat and Customer

Red Hat

Virtual networking

Red Hat and Customer

Control plane and infrastructure nodes

Red Hat

Worker nodes

Red Hat

Cluster version

Red Hat

Red Hat and Customer

Red Hat

Capacity management

Red Hat

Red Hat and Customer

Red Hat

Virtual storage

Red Hat and AWS

Physical infrastructure and security

AWS

Shared responsibility matrix

The customer, Red Hat, and Amazon Web Services (AWS) share responsibility for the monitoring and maintenance of an Red Hat OpenShift Service on AWS cluster. This documentation illustrates the delineation of responsibilities by area and task.

Incident and operations management

The customer is responsible for incident and operations management of customer application data and any custom networking the customer may have configured for the cluster network or virtual network.

Resource	Red Hat and AWS responsibilities	Customer responsibilities
Application networking	Monitor cloud load balancers and native OpenShift router service, and respond to alerts.	Monitor health of service load balancer endpoints. Monitor health of application routes, and the endpoints behind them. Report outages to Red Hat.
Virtual networking	Monitor cloud load balancers, subnets, and public cloud components necessary for default platform networking, and respond to alerts.	Monitor network traffic that is optionally configured through VPC to VPC connection, VPN connection, or Direct connection for potential issues or security threats.

Resource

Red Hat and AWS responsibilities

Customer responsibilities

Application networking

Monitor cloud load balancers and native OpenShift router service, and respond to alerts.

Monitor health of service load balancer endpoints.
Monitor health of application routes, and the endpoints behind them.
Report outages to Red Hat.

Virtual networking

Monitor cloud load balancers, subnets, and public cloud components necessary for default platform networking, and respond to alerts.

Monitor network traffic that is optionally configured through VPC to VPC connection, VPN connection, or Direct connection for potential issues or security threats.

Change management

Red Hat is responsible for enabling changes to the cluster infrastructure and services that the customer will control, as well as maintaining versions for the control plane nodes, infrastructure nodes and services, and worker nodes. The customer is responsible for initiating infrastructure change requests and installing and maintaining optional services and networking configurations on the cluster, as well as all changes to customer data and customer applications.

Resource Red Hat responsibilities Customer responsibilities

Resource	Red Hat responsibilities	Customer responsibilities
Logging	Centrally aggregate and monitor platform audit logs. Provide and maintain a logging Operator to enable the customer to deploy a logging stack for default application logging. Provide audit logs upon customer request.	Install the optional default application logging Operator on the cluster. Install, configure, and maintain any optional app logging solutions, such as logging sidecar containers or third-party logging applications. Tune size and frequency of application logs being produced by customer applications if they are affecting the stability of the logging stack or the cluster. Request platform audit logs through a support case for researching specific incidents.
Application networking	Set up public cloud load balancers. Provide the ability to set up private load balancers and up to one additional load balancer when required. Set up native OpenShift router service. Provide the ability to set the router as private and add up to one additional router shard. Install, configure, and maintain OpenShift SDN components for default internal pod traffic. Provide the ability for the customer to manage `NetworkPolicy` and `EgressNetworkPolicy` (firewall) objects.	Configure non-default pod network permissions for project and pod networks, pod ingress, and pod egress using `NetworkPolicy` objects. Use OpenShift Cluster Manager to request a private load balancer for default application routes. Use OpenShift Cluster Manager to configure up to one additional public or private router shard and corresponding load balancer. Request and configure any additional service load balancers for specific services. Configure any necessary DNS forwarding rules.
Cluster networking	Set up cluster management components, such as public or private service endpoints and necessary integration with virtual networking components. Set up internal networking components required for internal cluster communication between worker, infrastructure, and control plane nodes.	Provide optional non-default IP address ranges for machine CIDR, service CIDR, and pod CIDR if needed through OpenShift Cluster Manager when the cluster is provisioned. Request that the API service endpoint be made public or private on cluster creation or after cluster creation through OpenShift Cluster Manager.
Virtual networking	Set up and configure virtual networking components required to provision the cluster, including virtual private cloud, subnets, load balancers, Internet gateways, NAT gateways, etc. Provide the ability for the customer to manage VPN connectivity with on-premises resources, VPC to VPC connectivity, and Direct connectivity as required through OpenShift Cluster Manager. Enable customers to create and deploy public cloud load balancers for use with service load balancers.	Set up and maintain optional public cloud networking components, such as VPC to VPC connection, VPN connection, or Direct connection. Request and configure any additional service load balancers for specific services.
Cluster version	Enable upgrade scheduling process. Monitor upgrade progress and remedy any issues encountered. Publish change logs and release notes for minor and maintenance upgrades.	Schedule maintenance version upgrades either immediately, for the future, or have automatic upgrades. Acknowledge and schedule minor version upgrades. Ensure the cluster version stays on a supported minor version. Test customer applications on minor and maintenance versions to ensure compatibility.
Capacity management	Monitor the use of the control plane. Control planes include control plane nodes and infrastructure nodes. Scale and resize control plane nodes to maintain quality of service.	Monitors worker node utilization and, if appropriate, enables the auto-scaling feature. Determines the scaling strategy of the cluster. See the additional resources for more information on machine pools. Use the provided OpenShift Cluster Manager controls to add or remove additional worker nodes as required. Respond to Red Hat notifications regarding cluster resource requirements.

Logging

Centrally aggregate and monitor platform audit logs.
Provide and maintain a logging Operator to enable the customer to deploy a logging stack for default application logging.
Provide audit logs upon customer request.

Install the optional default application logging Operator on the cluster.
Install, configure, and maintain any optional app logging solutions, such as logging sidecar containers or third-party logging applications.
Tune size and frequency of application logs being produced by customer applications if they are affecting the stability of the logging stack or the cluster.
Request platform audit logs through a support case for researching specific incidents.

Application networking

Set up public cloud load balancers. Provide the ability to set up private load balancers and up to one additional load balancer when required.
Set up native OpenShift router service. Provide the ability to set the router as private and add up to one additional router shard.
Install, configure, and maintain OpenShift SDN components for default internal pod traffic.
Provide the ability for the customer to manage NetworkPolicy and EgressNetworkPolicy (firewall) objects.

Configure non-default pod network permissions for project and pod networks, pod ingress, and pod egress using NetworkPolicy objects.
Use OpenShift Cluster Manager to request a private load balancer for default application routes.
Use OpenShift Cluster Manager to configure up to one additional public or private router shard and corresponding load balancer.
Request and configure any additional service load balancers for specific services.
Configure any necessary DNS forwarding rules.

Cluster networking

Set up cluster management components, such as public or private service endpoints and necessary integration with virtual networking components.
Set up internal networking components required for internal cluster communication between worker, infrastructure, and control plane nodes.

Provide optional non-default IP address ranges for machine CIDR, service CIDR, and pod CIDR if needed through OpenShift Cluster Manager when the cluster is provisioned.
Request that the API service endpoint be made public or private on cluster creation or after cluster creation through OpenShift Cluster Manager.

Virtual networking

Set up and configure virtual networking components required to provision the cluster, including virtual private cloud, subnets, load balancers, Internet gateways, NAT gateways, etc.
Provide the ability for the customer to manage VPN connectivity with on-premises resources, VPC to VPC connectivity, and Direct connectivity as required through OpenShift Cluster Manager.
Enable customers to create and deploy public cloud load balancers for use with service load balancers.

Set up and maintain optional public cloud networking components, such as VPC to VPC connection, VPN connection, or Direct connection.
Request and configure any additional service load balancers for specific services.

Cluster version

Enable upgrade scheduling process.
Monitor upgrade progress and remedy any issues encountered.
Publish change logs and release notes for minor and maintenance upgrades.

Schedule maintenance version upgrades either immediately, for the future, or have automatic upgrades.
Acknowledge and schedule minor version upgrades.
Ensure the cluster version stays on a supported minor version.
Test customer applications on minor and maintenance versions to ensure compatibility.

Capacity management

Monitor the use of the control plane. Control planes include control plane nodes and infrastructure nodes.
Scale and resize control plane nodes to maintain quality of service.

Monitors worker node utilization and, if appropriate, enables the auto-scaling feature.
Determines the scaling strategy of the cluster. See the additional resources for more information on machine pools.
Use the provided OpenShift Cluster Manager controls to add or remove additional worker nodes as required.
Respond to Red Hat notifications regarding cluster resource requirements.

Access and identity authorization

The access and identity authorization matrix includes responsibilities for managing authorized access to clusters, applications, and infrastructure resources. This includes tasks such as providing access control mechanisms, authentication, authorization, and managing access to resources.

Resource Red Hat responsibilities Customer responsibilities

Resource	Red Hat responsibilities	Customer responsibilities
Logging	Adhere to an industry standards-based tiered internal access process for platform audit logs. Provide native OpenShift RBAC capabilities.	Configure OpenShift RBAC to control access to projects and by extension a project’s application logs. For third-party or custom application logging solutions, the customer is responsible for access management.
Application networking	Provide native OpenShift RBAC and `dedicated-admin` capabilities.	Configure OpenShift `dedicated-admin` and RBAC to control access to route configuration as required. Manage organization administrators for Red Hat to grant access to OpenShift Cluster Manager. The cluster manager is used to configure router options and provide service load balancer quota.
Cluster networking	Provide customer access controls through OpenShift Cluster Manager. Provide native OpenShift RBAC and `dedicated-admin` capabilities.	Manage Red Hat organization membership of Red Hat accounts. Manage organization administrators for Red Hat to grant access to OpenShift Cluster Manager. Configure OpenShift `dedicated-admin` and RBAC to control access to route configuration as required.
Virtual networking	Provide customer access controls through OpenShift Cluster Manager.	Manage optional user access to public cloud components through OpenShift Cluster Manager.

Logging

Adhere to an industry standards-based tiered internal access process for platform audit logs.
Provide native OpenShift RBAC capabilities.

Configure OpenShift RBAC to control access to projects and by extension a project’s application logs.
For third-party or custom application logging solutions, the customer is responsible for access management.

Application networking

Provide native OpenShift RBAC and dedicated-admin capabilities.

Configure OpenShift dedicated-admin and RBAC to control access to route configuration as required.
Manage organization administrators for Red Hat to grant access to OpenShift Cluster Manager. The cluster manager is used to configure router options and provide service load balancer quota.

Cluster networking

Provide customer access controls through OpenShift Cluster Manager.
Provide native OpenShift RBAC and dedicated-admin capabilities.

Manage Red Hat organization membership of Red Hat accounts.
Manage organization administrators for Red Hat to grant access to OpenShift Cluster Manager.
Configure OpenShift dedicated-admin and RBAC to control access to route configuration as required.

Virtual networking

Provide customer access controls through OpenShift Cluster Manager.

Manage optional user access to public cloud components through OpenShift Cluster Manager.

Security and regulation compliance

The following are the responsibilities and controls related to compliance:

Resource	Red Hat responsibilities	Customer responsibilities
Logging	Send cluster audit logs to a Red Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.	Analyze application logs for security events. Send application logs to an external endpoint through logging sidecar containers or third-party logging applications if longer retention is required than is offered by the default logging stack.
Virtual networking	Monitor virtual networking components for potential issues and security threats. Leverage additional public cloud provider tools for additional monitoring and protection.	Monitor optional configured virtual networking components for potential issues and security threats. Configure any necessary firewall rules or data center protections as required.

Resource

Red Hat responsibilities

Customer responsibilities

Logging

Send cluster audit logs to a Red Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.

Analyze application logs for security events. Send application logs to an external endpoint through logging sidecar containers or third-party logging applications if longer retention is required than is offered by the default logging stack.

Virtual networking

Monitor virtual networking components for potential issues and security threats.
Leverage additional public cloud provider tools for additional monitoring and protection.

Monitor optional configured virtual networking components for potential issues and security threats.
Configure any necessary firewall rules or data center protections as required.

Disaster recovery

Disaster recovery includes data and configuration backup, replicating data and configuration to the disaster recovery environment, and failover on disaster events.

Resource	Red Hat responsibilities	Customer responsibilities
Virtual networking	Restore or recreate affected virtual network components that are necessary for the platform to function.	Configure virtual networking connections with more than one tunnel where possible for protection against outages as recommended by the public cloud provider. Maintain failover DNS and load balancing if using a global load balancer with multiple clusters.

Resource

Red Hat responsibilities

Customer responsibilities

Virtual networking

Restore or recreate affected virtual network components that are necessary for the platform to function.

Configure virtual networking connections with more than one tunnel where possible for protection against outages as recommended by the public cloud provider.
Maintain failover DNS and load balancing if using a global load balancer with multiple clusters.

Additional resources

About machine pools

Customer responsibilities for data and applications

The customer is responsible for the applications, workloads, and data that they deploy to Red Hat OpenShift Service on AWS. However, Red Hat provides various tools to help the customer manage data and applications on the platform.

Resource	Red Hat responsibilities	Customer responsibilities
Customer data	Maintain platform-level standards for data encryption. Provide OpenShift components to help manage application data, such as secrets. Enable integration with third-party data services, AWS RDS, to store and manage data outside of the cluster and cloud provider.	Maintain responsibility for all customer data stored on the platform and how customer applications consume and expose this data.
Customer applications	Provision clusters with OpenShift components installed so that customers can access the OpenShift and Kubernetes APIs to deploy and manage containerized applications. Create clusters with image pull secrets so that customer deployments can pull images from the Red Hat Container Catalog registry. Provide access to OpenShift APIs that a customer can use to set up Operators to add community, third-party, and Red Hat services to the cluster. Provide storage classes and plugins to support persistent volumes for use with customer applications. Provide a container image registry so customers can securely store application container images on the cluster to deploy and manage applications.	Maintain responsibility for customer and third-party applications, data, and their complete lifecycle. If a customer adds Red Hat, community, third-party, their own, or other services to the cluster by using Operators or external images, the customer is responsible for these services and for working with the appropriate provider, including Red Hat, to troubleshoot any issues. Use the provided tools and features to configure and deploy; keep up to date; set up resource requests and limits; size the cluster to have enough resources to run apps; set up permissions; integrate with other services; manage any image streams or templates that the customer deploys; externally serve; save, back up, and restore data; and otherwise manage their highly available and resilient workloads. Maintain responsibility for monitoring the applications run on Red Hat OpenShift Service on AWS, including installing and operating software to gather metrics and create alerts.

Resource

Red Hat responsibilities

Customer responsibilities

Customer data

Maintain platform-level standards for data encryption.
Provide OpenShift components to help manage application data, such as secrets.
Enable integration with third-party data services, AWS RDS, to store and manage data outside of the cluster and cloud provider.

Maintain responsibility for all customer data stored on the platform and how customer applications consume and expose this data.

Customer applications

Provision clusters with OpenShift components installed so that customers can access the OpenShift and Kubernetes APIs to deploy and manage containerized applications.
Create clusters with image pull secrets so that customer deployments can pull images from the Red Hat Container Catalog registry.
Provide access to OpenShift APIs that a customer can use to set up Operators to add community, third-party, and Red Hat services to the cluster.
Provide storage classes and plugins to support persistent volumes for use with customer applications.
Provide a container image registry so customers can securely store application container images on the cluster to deploy and manage applications.

Maintain responsibility for customer and third-party applications, data, and their complete lifecycle.
If a customer adds Red Hat, community, third-party, their own, or other services to the cluster by using Operators or external images, the customer is responsible for these services and for working with the appropriate provider, including Red Hat, to troubleshoot any issues.
Use the provided tools and features to configure and deploy; keep up to date; set up resource requests and limits; size the cluster to have enough resources to run apps; set up permissions; integrate with other services; manage any image streams or templates that the customer deploys; externally serve; save, back up, and restore data; and otherwise manage their highly available and resilient workloads.
Maintain responsibility for monitoring the applications run on Red Hat OpenShift Service on AWS, including installing and operating software to gather metrics and create alerts.