Azure Red Hat OpenShift Responsibility Assignment Matrix - Azure Red Hat OpenShift (2023)

  • Article
  • 8 minutes to read

This document outlines the responsibilities of Microsoft, Red Hat, and customers for Azure Red Hat OpenShift clusters. For more information about Azure Red Hat OpenShift and its components, see the Azure Red Hat OpenShift Service Definition.

While Microsoft and Red Hat manage the Azure Red Hat OpenShift service, the customer shares responsibility for the functionality of their cluster. While Azure Red Hat OpenShift clusters are hosted on Azure resources in customer Azure subscriptions, they are accessed remotely. Underlying platform and data security is owned by Microsoft and Red Hat.

Overview

Resource Incident and Operations Management Change Management Identity and Access Management Security and Regulation Compliance
Customer data Customer Customer Customer Customer
Customer applications Customer Customer Customer Customer
Developer services Customer Customer Customer Customer
Platform monitoring Microsoft and Red Hat Microsoft and Red Hat Microsoft and Red Hat Microsoft and Red Hat
Logging Microsoft and Red Hat Shared Shared Shared
Application networking Shared Shared Shared Microsoft and Red Hat
Cluster networking Microsoft and Red Hat Shared Shared Microsoft and Red Hat
Virtual networking Shared Shared Shared Shared
Control plane nodes Microsoft and Red Hat Microsoft and Red Hat Microsoft and Red Hat Microsoft and Red Hat
Worker nodes Microsoft and Red Hat Microsoft and Red Hat Microsoft and Red Hat Microsoft and Red Hat
Cluster Version Microsoft and Red Hat Shared Microsoft and Red Hat Microsoft and Red Hat
Capacity Management Microsoft and Red Hat Shared Microsoft and Red Hat Microsoft and Red Hat
Virtual Storage Microsoft and Red Hat Microsoft and Red Hat Microsoft and Red Hat Microsoft and Red Hat
Physical Infrastructure and Security Microsoft and Red Hat Microsoft and Red Hat Microsoft and Red Hat Microsoft and Red Hat

Table 1. Responsibilities by resource

Incident and operations management

The customer and Microsoft and Red Hat share responsibility for the monitoring and maintenance of an Azure Red Hat OpenShift cluster. The customer is responsible for incident and operations management of customer application data and any custom networking the customer may have configured.

Resource Microsoft and Red Hat responsibilities Customer responsibilities
Application networking
  • Monitor cloud load balancer(s) and native OpenShift router service, and respond to alerts.
  • Monitor health of service load balancer endpoints.
  • Monitor health of application routes, and the endpoints behind them.
  • Report outages to Microsoft and Red Hat.
Virtual networking
  • Monitor cloud load balancers, subnets, and Azure cloud components necessary for default platform networking, and respond to alerts.
  • Monitor network traffic that is optionally configured via VNet to VNet connection, VPN connection, or Private Link connection for potential issues or security threats.

Table 2. Shared responsibilities for incident and operations management

Change management

Microsoft and Red Hat are responsible for enabling changes to the cluster infrastructure and services that the customer will control, as well as maintaining versions available for the master nodes, infrastructure services, and worker nodes. The customer is responsible for initiating infrastructure changes and installing and maintaining optional services and networking configurations on the cluster, as well as all changes to customer data and customer applications.

Resource Microsoft and Red Hat responsibilities Customer responsibilities
Logging
  • Centrally aggregate and monitor platform audit logs.
  • Provide documentation for the customer to enable application logging using Log Analytics through Azure Monitor for containers.
  • Provide audit logs upon customer request.
  • Install the optional default application logging operator on the cluster.
  • Install, configure, and maintain any optional app logging solutions, such as logging sidecar containers or third-party logging applications.
  • Tune size and frequency of application logs being produced by customer applications if they are affecting the stability of the cluster.
  • Request platform audit logs through a support case for researching specific incidents.
Application networking
  • Set up public cloud load balancers
  • Set up native OpenShift router service. Provide the ability to set the router as private and add up to one additional router shard.
  • Install, configure, and maintain OpenShift SDN components for default internal pod traffic.
  • Configure non-default pod network permissions for project and pod networks, pod ingress, and pod egress using NetworkPolicy objects.
  • Request and configure any additional service load balancers for specific services.
Cluster networking
  • Set up cluster management components, such as public or private service endpoints and necessary integration with virtual networking components.
  • Set up internal networking components required for internal cluster communication between worker and master nodes.
  • Provide optional non-default IP address ranges for machine CIDR, service CIDR, and pod CIDR if needed through OpenShift Cluster Manager when the cluster is provisioned.
  • Request that the API service endpoint be made public or private on cluster creation or after cluster creation through Azure CLI.
Virtual networking
  • Set up and configure virtual networking components required to provision the cluster, including virtual private cloud, subnets, load balancers, internet gateways, NAT gateways, etc.
  • Provide the ability for the customer to manage VPN connectivity with on-premises resources, VNet to VNet connectivity, and Private Link connectivity as required through OpenShift Cluster Manager.
  • Enable customers to create and deploy public cloud load balancers for use with service load balancers.
  • Set up and maintain optional public cloud networking components, such as VNet to VNet connection, VPN connection, or Private Link connection.
  • Request and configure any additional service load balancers for specific services.
Cluster Version
  • Communicate schedule and status of upgrades for minor and maintenance versions
  • Publish changelogs and release notes for minor and maintenance upgrades
  • Initiate Upgrade of cluster
  • Test customer applications on minor and maintenance versions to ensure compatibility
Capacity Management
  • Monitor utilization of control plane (master nodes)
  • Scale and/or resize control plane nodes to maintain quality of service
  • Monitor utilization of customer resources including Network, Storage and Compute capacity. Where autoscaling features are not enabled alert customer for any changes required to cluster resources (eg. new compute nodes to scale, additional storage, etc.)
  • Use the provided OpenShift Cluster Manager controls to add or remove additional worker nodes as required.
  • Respond to Microsoft and Red Hat notifications regarding cluster resource requirements.

Table 3. Shared responsibilities for change management

Identity and Access Management

Identity and Access management includes all responsibilities for ensuring that only proper individuals have access to cluster, application, and infrastructure resources. This includes tasks such as providing access control mechanisms, authentication, authorization, and managing access to resources.

Resource Microsoft and Red Hat responsibilities Customer responsibilities
Logging
  • Adhere to an industry standards-based tiered internal access process for platform audit logs.
  • Provide native OpenShift RBAC capabilities.
  • Configure OpenShift RBAC to control access to projects and by extension a project's application logs.
  • For third-party or custom application logging solutions, the customer is responsible for access management.
Application networking
  • Provide native OpenShift RBAC capabilities.
  • Configure OpenShift RBAC to control access to route configuration as required.
Cluster networking
  • Provide native OpenShift RBAC capabilities.
  • Manage Red Hat organization membership of Red Hat accounts.
  • Manage Org Admins for Red Hat organization to grant access to OpenShift Cluster Manager.
  • Configure OpenShift RBAC to control access to route configuration as required.
Virtual networking
  • Provide customer access controls through OpenShift Cluster Manager.
  • Manage optional user access to public cloud components through OpenShift Cluster Manager.

Table 4. Shared responsibilities for identity and access management

Security and regulation compliance

Security and compliance includes any responsibilities and controls that ensure compliance with relevant laws, policies, and regulations.

Resource Microsoft and Red Hat responsibilities Customer responsibilities
Logging
  • Send cluster audit logs to a Microsoft and Red Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.
  • Analyze application logs for security events. Send application logs to an external endpoint through logging sidecar containers or third-party logging applications if longer retention is required than is offered by the default logging stack.
Virtual networking
  • Monitor virtual networking components for potential issues and security threats.
  • Use additional public Microsoft and Red Hat Azure tools for additional monitoring and protection.
  • Monitor optionally configured virtual networking components for potential issues and security threats.
  • Configure any necessary firewall rules or data center protections as required.

Table 5. Shared responsibilities for security and regulation compliance

Customer responsibilities when using Azure Red Hat OpenShift

Customer data and applications

The customer is responsible for the applications, workloads, and data that they deploy to Azure Red Hat OpenShift. However, Microsoft and Red Hat provide various tools to help the customer manage data and applications on the platform.

Resource How Microsoft and Red Hat helps Customer responsibilities
Customer Data
  • Maintain platform-level standards for data encryption as defined by industry security and compliance standards.
  • Provide OpenShift components to help manage application data, such as secrets.
  • Enable integration with third-party data services (such as Azure SQL) to store and manage data outside of the cluster and/or Microsoft and Red Hat Azure.
  • Maintain responsibility for all customer data stored on the platform and how customer applications consume and expose this data.
  • Etcd encryption
Customer Applications
  • Provision clusters with OpenShift components installed so that customers can access the OpenShift and Kubernetes APIs to deploy and manage containerized applications.
  • Provide access to OpenShift APIs that a customer can use to set up Operators to add community, third-party, Microsoft and Red Hat, and Red Hat services to the cluster.
  • Provide storage classes and plug-ins to support persistent volumes for use with customer applications.

Table 7. Customer responsibilities for customer data, customer applications, and services

Top Articles
Latest Posts
Article information

Author: Clemencia Bogisich Ret

Last Updated: 11/27/2022

Views: 6391

Rating: 5 / 5 (60 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Clemencia Bogisich Ret

Birthday: 2001-07-17

Address: Suite 794 53887 Geri Spring, West Cristentown, KY 54855

Phone: +5934435460663

Job: Central Hospitality Director

Hobby: Yoga, Electronics, Rafting, Lockpicking, Inline skating, Puzzles, scrapbook

Introduction: My name is Clemencia Bogisich Ret, I am a super, outstanding, graceful, friendly, vast, comfortable, agreeable person who loves writing and wants to share my knowledge and understanding with you.