diff --git a/modules/rosa-sre-access-privatelink-vpc.adoc b/modules/rosa-sre-access-privatelink-vpc.adoc new file mode 100644 index 000000000000..ce39c56fde18 --- /dev/null +++ b/modules/rosa-sre-access-privatelink-vpc.adoc @@ -0,0 +1,14 @@ +:_content-type: CONCEPT +[id="rosa-sre-access-privatelink-vpc.adoc_{context}"] += SRE access through PrivateLink VPC endpoint service + +PrivateLink VPC endpoint service is created as part of the ROSA cluster creation. + +When you have a PrivateLink ROSA cluster, its Kubernetes API Server is exposed through a load balancer that can only be accessed from within the VPC by default. Red Hat site reliability engineering (SRE) can connect to this load balancer through a VPC Endpoint Service that has an associated VPC Endpoint in a Red Hat-owned AWS account. This endpoint service contains the name of the cluster, which is also in the ARN. + +Under the *Allow principals* tab, a Red Hat-owned AWS account is listed. This specific user ensures that other entities cannot create VPC Endpoint connections to the PrivateLink cluster’s Kubernetes API Server. + +When Red Hat SREs access the API, this fleet management plane can connect to the internal API through the VPC endpoint service. + + + diff --git a/rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc b/rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc index 575d673b4fa7..3ea1c6840e65 100644 --- a/rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc +++ b/rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc 
@@ -1,9 +1,10 @@ -//// :_content-type: ASSEMBLY include::_attributes/attributes-openshift-dedicated.adoc[] :context: rosa-sre-access [id="rosa-sre-access"] = SRE and service account access +Red Hat site reliability engineering (SRE) access to ROSA clusters is outlined through identity and access management. + include::modules/rosa-policy-identity-access-management.adoc[leveloffset=+1] -//// +include::modules/rosa-sre-access-privatelink-vpc.adoc[leveloffset=+1]
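Review bot: In the new module, the sentence "This specific user ensures that other entities cannot create VPC Endpoint connections to the PrivateLink cluster's Kubernetes API Server" attributes the restriction to the wrong thing; it is the *Allow principals* list on the endpoint service that limits which AWS accounts may create an endpoint connection, and listing only the Red Hat-owned account is what excludes other principals. Suggest: "Because only this Red Hat-owned account is listed under *Allow principals*, no other AWS principal can create a VPC endpoint connection to the PrivateLink cluster's Kubernetes API server." Two smaller points in the same hunk: the anchor `[id="rosa-sre-access-privatelink-vpc.adoc_{context}"]` carries a stray `.adoc` that the assembly's own id (`rosa-sre-access`) does not, so it should read `[id="rosa-sre-access-privatelink-vpc_{context}"]`; and "this fleet management plane" in the last paragraph refers to something the module never introduces, so either name it in the earlier paragraph or drop "this". The three trailing blank `+` lines at the end of the file can also go.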
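Review bot: This hunk removes the `////` block-comment delimiters that were hiding the whole assembly, so every line of `rosa-sre-access.adoc` (title, the IAM include, and the new PrivateLink include) becomes published content; the commit should confirm that un-hiding the assembly is intended and that the assembly is linked from the topic map. The new lead sentence "Red Hat site reliability engineering (SRE) access to ROSA clusters is outlined through identity and access management." reads awkwardly; suggest "The following sections describe how Red Hat site reliability engineering (SRE) accesses ROSA clusters, including identity and access management and PrivateLink VPC endpoint access." so that it introduces both included modules.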