×

Red Hat Site Reliability Engineering (SRE) typically does not require elevated access to systems as part of normal operations to manage and support Red Hat OpenShift Service on AWS clusters. Elevated access gives SRE the access levels of a cluster-admin role. See cluster roles for more information.

In the unlikely event that SRE needs elevated access to systems, you can use the Approved Access interface to review and approve or deny access to these systems.

Elevated access requests to clusters on Red Hat OpenShift Service on AWS clusters and the corresponding cloud accounts can be created by SRE either in response to a customer-initiated support ticket or in response to alerts received by SRE as part of the standard incident response process.

When Approved Access is enabled and an SRE creates an access request, cluster owners receive an email notification informing them of a new access request. The email notification contains a link allowing the cluster owner to quickly approve or deny the access request. You must respond in a timely manner otherwise there is a risk to your SLA for Red Hat OpenShift Service on AWS.

  • If customers require additional users that are not the cluster owner to receive the email, they can add notification cluster contacts.

  • Pending access requests are available in the Hybrid Cloud Console on the clusters list or Access Requests tab on the cluster overview for the specific cluster.

Denying an access request requires you to complete the Justification field. In this case, SRE can not directly act on the resources related to the incident. Customers can still use the Customer Support to help investigate and resolve any issues.

Enabling Approved Access for ROSA clusters by submitting a support case

Red Hat OpenShift Service on AWS Approved Access is not enabled by default. To enable Approved Access for your Red Hat OpenShift Service on AWS clusters, you should create a support ticket.

Procedure
  1. Log in to the Customer Support page of the Red Hat Customer Portal.

  2. Click Get support.

  3. On the Cases tab of the Customer support page:

    1. Optional: Change the pre-filled account and owner details if needed.

    2. Select the Configuration category and click Continue.

  4. Enter the following information:

    1. In the Product field, select Red Hat OpenShift Service on AWS or Red Hat OpenShift Service on AWS Hosted control planes.

    2. In the Problem statement field, enter Enable ROSA Access Protection.

    3. Click See more options.

  5. Select OpenShift Cluster ID from the drop-down list.

  6. Fill the remaining mandatory fields in the form:

    1. What are you experiencing? What are you expecting to happen?

      1. Fill with Approved Access.

    2. Define the value or impact to you or the business.

      1. Fill with Approved Access.

    3. Click Continue.

  7. Select Severity as 4(Low) and click Continue.

  8. Preview the case details and click Submit.

Reviewing an access request from an email notification

Cluster owners will receive an email notification when Red Hat Site Reliability Engineering (SRE) request access to their cluster with a link to review the request in the Hybrid Cloud Console.

Procedure
  1. Click the link within the email to bring you to the Hybrid Cloud Console.

  2. In the Access Request Details dialog, click Approve or Deny under Decision.

    Denying an access request requires you to complete the Justification field. In this case, SRE can not directly act on the resources related to the incident. Customers can still use the Customer Support to help investigate and resolve any issues.

  3. Click Save.

Reviewing an access request from the Hybrid Cloud Console

Review access requests for your Red Hat OpenShift Service on AWS clusters from the Hybrid Cloud Console.

Procedure
  1. Navigate to OpenShift Cluster Manager and select Cluster List.

  2. Click the cluster name to review the Access Request.

  3. Select the Access Requests tab to list all states.

  4. Select Open under Actions for the Pending state.

  5. In the Access Request Details dialog, click Approve or Deny under Decision.

    Denying an access request requires you to complete the Justification field. In this case, SRE can not directly act on the resources related to the incident. Customers can still use the Customer Support to help investigate and resolve any issues.

  6. Click Save.