Overview of responsibilities for Azure Red Hat OpenShift
This document outlines the responsibilities of Microsoft, Red Hat, and customers for Azure Red Hat OpenShift clusters. For more information about Azure Red Hat OpenShift and its components, see the Azure Red Hat OpenShift Service Definition.
Microsoft and Red Hat manage the Azure Red Hat OpenShift service, but the customer shares responsibility for the functionality of their cluster. Azure Red Hat OpenShift clusters are hosted on Azure resources in the customer's Azure subscription, yet they are accessed remotely. Security of the underlying platform and its data is owned by Microsoft and Red Hat.
The customer, Microsoft, and Red Hat share responsibility for the monitoring and maintenance of an Azure Red Hat OpenShift cluster. The customer is responsible for incident and operations management of customer application data and any custom networking the customer may have configured.
Application networking
  Microsoft and Red Hat responsibilities:
  - Monitor cloud load balancer(s) and native OpenShift router service, and respond to alerts.
  Customer responsibilities:
  - Monitor health of service load balancer endpoints.
  - Monitor health of application routes, and the endpoints behind them.
  - Report outages to Microsoft and Red Hat.

Virtual networking
  Microsoft and Red Hat responsibilities:
  - Monitor cloud load balancers, subnets, and Azure cloud components necessary for default platform networking, and respond to alerts.
  Customer responsibilities:
  - Monitor network traffic that is optionally configured via VNet to VNet connection, VPN connection, or Private Link connection for potential issues or security threats.
Table 2. Shared responsibilities for incident and operations management
Change management
Microsoft and Red Hat are responsible for enabling changes to the cluster infrastructure and services that the customer controls, as well as maintaining versions available for the master nodes, infrastructure services, and worker nodes. The customer is responsible for initiating infrastructure changes and installing and maintaining optional services and networking configurations on the cluster, as well as all changes to customer data and customer applications.
Logging
  Microsoft and Red Hat responsibilities:
  - Centrally aggregate and monitor platform audit logs.
  - Provide documentation for the customer to enable application logging using Log Analytics through Azure Monitor for containers.
  - Provide audit logs upon customer request.
  Customer responsibilities:
  - Install the optional default application logging operator on the cluster.
  - Install, configure, and maintain any optional app logging solutions, such as logging sidecar containers or third-party logging applications.
  - Tune the size and frequency of application logs produced by customer applications if they are affecting the stability of the cluster.
  - Request platform audit logs through a support case for researching specific incidents.

Application networking
  Microsoft and Red Hat responsibilities:
  - Set up public cloud load balancers.
  - Set up the OpenShift Ingress cluster operator and the default IngressController. Provide the ability to add additional customer-managed IngressControllers and set the default IngressController as private.
  - Install, configure, and maintain the OVN-Kubernetes network plugin and related components for default internal pod traffic.
  Customer responsibilities:
  - Configure non-default pod network permissions for project and pod networks, pod ingress, and pod egress using NetworkPolicy objects.
  - Request and configure any additional service load balancers for specific services.

Cluster networking
  Microsoft and Red Hat responsibilities:
  - Set up cluster management components, such as public or private service endpoints and necessary integration with virtual networking components.
  - Set up internal networking components required for internal cluster communication between worker and master nodes.
  Customer responsibilities:
  - Provide optional non-default IP address ranges for machine CIDR, service CIDR, and pod CIDR if needed through OpenShift Cluster Manager when the cluster is provisioned.
  - Request that the API service endpoint be made public or private on cluster creation or after cluster creation through Azure CLI.

Virtual networking
  Microsoft and Red Hat responsibilities:
  - Set up and configure virtual networking components required to provision the cluster, including virtual private cloud, subnets, load balancers, internet gateways, NAT gateways, etc.
  - Provide the ability for the customer to manage VPN connectivity with on-premises resources, VNet to VNet connectivity, and Private Link connectivity as required through OpenShift Cluster Manager.
  - Enable customers to create and deploy public cloud load balancers for use with service load balancers.
  Customer responsibilities:
  - Set up and maintain optional public cloud networking components, such as VNet to VNet connection, VPN connection, or Private Link connection.
  - Request and configure any additional service load balancers for specific services.

Cluster version
  Microsoft and Red Hat responsibilities:
  - Communicate the schedule and status of upgrades for minor and maintenance versions.
  - Publish changelogs and release notes for minor and maintenance upgrades.
  Customer responsibilities:
  - Initiate the upgrade of the cluster.
  - Test customer applications on minor and maintenance versions to ensure compatibility.

Capacity management
  Microsoft and Red Hat responsibilities:
  - Monitor utilization of control plane (master node) resources, including network, storage, and compute capacity.
  - Proactively scale and/or resize control plane nodes to maintain quality of service.
  Customer responsibilities:
  - Add or remove additional worker nodes as required.
  - Respond to Microsoft and Red Hat notifications regarding cluster resource requirements.
  - Ensure ample quota is available for larger control plane VMs in case of a scaling operation.
Table 3. Shared responsibilities for change management
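The customer-side NetworkPolicy work listed under application networking above, as an added example that is not from the Azure Red Hat OpenShift documentation: a deny-by-default policy for one project, followed by a single allow policy that re-admits only router traffic, same-project traffic, and DNS egress. The project name payments is hypothetical; the network.openshift.io/policy-group=ingress label on the router namespace and CoreDNS listening on port 5353 in openshift-dns are assumed to match a standard OpenShift 4 cluster.

```yaml
# Added example, not from the ARO docs. Assumes the hypothetical project
# "payments" and the standard OpenShift ingress namespace label.
---
# 1. Deny all ingress and egress for every pod in the project by default.
#    Kept as its own object so deleting the allow policy falls back to deny.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2. Re-open only what the application needs: ingress from the OpenShift
#    router (so routes keep working) and from pods in the same project,
#    plus egress to cluster DNS (CoreDNS pods listen on 5353).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-router-same-namespace-and-dns
  namespace: payments
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
    - podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
    ports:
    - protocol: UDP
      port: 5353
    - protocol: TCP
      port: 5353
  policyTypes:
  - Ingress
  - Egress
```

Apply both objects with oc apply -f in the project; any other destination the application calls (a database, an external API) needs its own egress rule or it will be blocked.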
Identity and Access Management
Identity and access management includes all responsibilities for ensuring that only the proper individuals have access to cluster, application, and infrastructure resources. This includes tasks such as providing access control mechanisms, authentication, authorization, and managing access to resources.
Logging
  Microsoft and Red Hat responsibilities:
  - Adhere to an industry standards-based tiered internal access process for platform audit logs.
  - Provide native OpenShift RBAC capabilities.
  Customer responsibilities:
  - Configure OpenShift RBAC to control access to projects and, by extension, a project's application logs.
  - For third-party or custom application logging solutions, the customer is responsible for access management.

Application networking
  Microsoft and Red Hat responsibilities:
  - Provide native OpenShift RBAC capabilities.
  Customer responsibilities:
  - Configure OpenShift RBAC to control access to route configuration as required.

Cluster networking
  Microsoft and Red Hat responsibilities:
  - Provide native OpenShift RBAC capabilities.
  Customer responsibilities:
  - Manage Red Hat organization membership of Red Hat accounts.
  - Manage Org Admins for the Red Hat organization to grant access to OpenShift Cluster Manager.
  - Configure OpenShift RBAC to control access to route configuration as required.

Virtual networking
  Microsoft and Red Hat responsibilities:
  - Provide customer access controls through OpenShift Cluster Manager.
  Customer responsibilities:
  - Manage optional user access to public cloud components through OpenShift Cluster Manager.
Table 4. Shared responsibilities for identity and access management
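Two project-scoped, least-privilege roles for the RBAC rows above (an added example, not from the documentation): one lets an auditor group read a project's application logs, the other lets a developer group manage only that project's routes. The project payments and the groups payments-auditors and payments-developers are hypothetical.

```yaml
# Added example, not from the ARO docs. Project "payments" and both
# groups are hypothetical; bind to the groups your identity provider supplies.
---
# Read-only access to pod logs: an auditor can review application logs
# but cannot change anything in the project.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: log-reader
  namespace: payments
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: auditors-read-logs
  namespace: payments
subjects:
- kind: Group
  name: payments-auditors
roleRef:
  kind: Role
  name: log-reader
  apiGroup: rbac.authorization.k8s.io
---
# Route management only: developers can create and change routes for this
# project, with no other project-level permissions granted here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: route-manager
  namespace: payments
rules:
- apiGroups: ["route.openshift.io"]
  resources: ["routes"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-manage-routes
  namespace: payments
subjects:
- kind: Group
  name: payments-developers
roleRef:
  kind: Role
  name: route-manager
  apiGroup: rbac.authorization.k8s.io
```

After applying, oc auth can-i get pods/log -n payments --as-group=payments-developers --as=someone should answer no, which confirms the two groups stay separated.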
Security and compliance
Security and compliance includes any responsibilities and controls that ensure compliance with relevant laws, policies, and regulations.
Logging
  Microsoft and Red Hat responsibilities:
  - Send cluster audit logs to a Microsoft and Red Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.
  Customer responsibilities:
  - Analyze application logs for security events. Send application logs to an external endpoint through logging sidecar containers or third-party logging applications if longer retention is required than is offered by the default logging stack.

Virtual networking
  Microsoft and Red Hat responsibilities:
  - Monitor virtual networking components for potential issues and security threats.
  Customer responsibilities:
  - Use additional public Microsoft and Red Hat Azure tools for additional monitoring and protection.
  - Monitor optionally configured virtual networking components for potential issues and security threats.
  - Configure any necessary firewall rules or data center protections as required.
Table 5. Shared responsibilities for security and regulation compliance
Customer responsibilities when using Azure Red Hat OpenShift
Customer data and applications
The customer is responsible for the applications, workloads, and data they deploy to Azure Red Hat OpenShift. However, Microsoft and Red Hat provide various tools to help the customer manage data and applications on the platform.
Customer data
  How Microsoft and Red Hat help:
  - Maintain platform-level standards for data encryption as defined by industry security and compliance standards.
  - Provide OpenShift components to help manage application data, such as secrets.
  - Enable integration with third-party data services (such as Azure SQL) to store and manage data outside of the cluster and/or Microsoft and Red Hat Azure.
  Customer responsibilities:
  - Maintain responsibility for all customer data stored on the platform and how customer applications consume and expose this data.
  - Etcd encryption.

Customer applications
  How Microsoft and Red Hat help:
  - Provision clusters with OpenShift components installed so that customers can access the OpenShift and Kubernetes APIs to deploy and manage containerized applications.
  - Provide access to OpenShift APIs that a customer can use to set up Operators to add community, third-party, Microsoft and Red Hat, and Red Hat services to the cluster.
  - Provide storage classes and plug-ins to support persistent volumes for use with customer applications.
  Customer responsibilities:
  - Maintain responsibility for customer and third-party applications, data, and their complete lifecycle.
  - If a customer adds Red Hat, community, third-party, their own, or other services to the cluster by using Operators or external images, the customer is responsible for these services and for working with the appropriate provider (including Red Hat) to troubleshoot any issues.
  - Maintain responsibility for monitoring the applications run on Azure Red Hat OpenShift, including installing and operating software to gather metrics and create alerts.
Table 6. Customer responsibilities for customer data, customer applications, and services