Subscribe to the feed

With Red Hat OpenShift Service on AWS (ROSA) we developed a turnkey application platform to build and deploy applications more quickly and with the scale of AWS -- enabling users to focus on innovation rather than managing infrastructure. Today, we are pleased to announce the next evolution of ROSA with the general availability of hosted control planes as part of the service, expected to be available December 4.

Based on the HyperShift project, ROSA with hosted control planes provides a highly available control plane that is isolated within a ROSA service AWS account. By shifting the control plane ownership away from the customer, users are provided additional operational efficiencies on top of what they are already experiencing with ROSA as well as substantial cost savings.

Having the control plane hosted and managed in a ROSA service AWS account rather than the customer’s individual account provides more effective and efficient use of resources, offering:

Optimized total cost of ownership

According to a Red Hat conducted study, deploying ROSA with hosted control planes users can reduce costs by 5x on average vs. hosting the control plane in their own cloud account. Customers can also spin up and tear down clusters more quickly and easily when not in use, driving additional cost savings.

Hosted control planes also provides more flexibility and portability for centralized and annual billing, allowing customers to more easily change between node types. The overall footprint is smaller as well, with a two nodes minimum as opposed to seven.

Enhanced operational efficiency 

With hosted control planes, provisioning is streamlined and more efficient, reducing the time it takes to start deploying applications. Additionally, workload scheduling only has to wait for worker nodes, which simplifies and speeds up the building and deployment process. ROSA with hosted control planes also removes the need for autoscaling of the control plane, as this is managed automatically in the ROSA service AWS account, abstracting the costs and time impacts.

Increased reliability and resiliency

By offloading the control plane infrastructure management from the end-user, there is no longer a chance for accidental deletion of cloud resources as AWS administrators will only interact with the workloads, not the control plane artifacts. This simplifies the ownership model and dependency between management planes and workloads. Users can selectively upgrade control plane and worker nodes separately, giving increased control and flexibility.

Architecture improvements

Purpose-built for managed services, the latest iteration of ROSA introduces a paradigm shift in how organizations deploy and manage their ROSA clusters at scale. This improved architecture provides a number of business benefits already highlighted, but it also provides many technological benefits as well.

ROSA with hosted control planes enables organizations and developers to:

  • Roll out applications to only a single availability zone (AZ), two AZs, or all the AZs in a region without having to be concerned with the availability of the control plane, which is always distributed over multiple availability zones.
  • Rapidly provision a dedicated and isolated control plane for each cluster that can be optionally made available publicly or exposed privately through a dedicated AWS PrivateLink endpoint in your AWS VPC.

Cluster and cloud administrators also reap several benefits in the ROSA with hosted control planes architecture, including:

  • Various resources are moved outside the scope of the cluster boundary, and now rely on a single source of truth provisioned through the rosa CLI or OpenShift Cluster Manager (OCM).
    • All machine APIs are managed externally through the rosa CLI or OCM as MachinePool objects.
    • Node API resources are still available in-cluster, including the ability to label and taint existing nodes.
    • OAuth components are also no longer exposed internally within the cluster.
  • Strengthened security boundaries by decoupling control planes from workloads.
  • A reduced AWS policy permission set utilizing AWS approved and published managed policies reducing the complexity for prerequisites and increasing the security by default by enabling tag-based permission enforcement.
  • Separation between control plane and worker node upgrades, enabling a consistent and security-focused control plane upgrade cadence without impact to worker nodes, in order to provide application developers additional time and flexibility on when their nodes will be upgraded.

With the control plane and worker node separation, an AWS PrivateLink endpoint provides one-way communication originating from your AWS account to an internal network load balancer. The kubelet for each worker node establishes the communication directly to the Kube API Server fronted by the load balancer.

All management and maintenance on your ROSA cluster happens in the ROSA service account, without any access needed to your AWS infrastructure. Our AWS managed support policy grants a necessary level of tag-enforced access to your AWS infrastructure for break-glass troubleshooting scenarios.

Application network traffic remains in your AWS account, fronted by a separate load balancer. ROSA with hosted control planes defaults to fronting the application router with a network load balancer, but classic load balancers remain an option.


Red Hat OpenShift Service on AWS with hosted control planes is expected to be generally available on December 4. ROSA with hosted control planes builds on our goal to simplify Kubernetes and enable users to focus on what matters to them most -- delivering applications quickly and managing them efficiently. More information on ROSA with hosted control planes and how to get started today can be found here.

About the author

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.

Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.

Read full bio

Browse by channel

automation icon


The latest on IT automation for tech, teams, and environments

AI icon

Artificial intelligence

Updates on the platforms that free customers to run AI workloads anywhere

open hybrid cloud icon

Open hybrid cloud

Explore how we build a more flexible future with hybrid cloud

security icon


The latest on how we reduce risks across environments and technologies

edge icon

Edge computing

Updates on the platforms that simplify operations at the edge

Infrastructure icon


The latest on the world’s leading enterprise Linux platform

application development icon


Inside our solutions to the toughest application challenges

Original series icon

Original shows

Entertaining stories from the makers and leaders in enterprise tech