Red Hat OpenShift Service on AWS frequently asked questions

Get answers to common questions about Red Hat® OpenShift® Service on AWS (ROSA). Learn how to quickly build, deploy, and manage Kubernetes applications on the industry’s most comprehensive application platform in AWS cloud.


What does Red Hat OpenShift Service on AWS include?

Each Red Hat OpenShift Service on AWS cluster comes with a fully-managed control plane (master nodes) and application nodes. Installation, management, maintenance and upgrades are monitored by Red Hat site reliability engineers (SRE) with joint Red Hat and Amazon support. Cluster services (such as logging, metrics, monitoring) are available as well.

How is Red Hat OpenShift Service on AWS different from Red Hat OpenShift Container Platform?

Red Hat OpenShift Service on AWS delivers a turnkey application platform, optimized for performance, scalability, and security. Red Hat OpenShift Service on AWS is hosted on Amazon Web Services public cloud and jointly managed by Red Hat and AWS. Some options and administrative functions may be restricted or unavailable. A Red Hat OpenShift Container Platform subscription entitles you to host and manage the software on your infrastructure of choice.

How is Red Hat OpenShift Service on AWS different from Red Hat OpenShift Dedicated?

Red Hat OpenShift Service on AWS is a fully managed implementation of OpenShift Container Platform deployed and operated on AWS, jointly managed and supported by both Red Hat and AWS. This option is purchased directly through the AWS console and offers pay-as-you-go, single-vendor invoicing. It's best for organizations that want close integration to AWS services, joint support, and a single bill.

Red Hat OpenShift Dedicated is a service hosted and fully-managed by Red Hat that offers clusters in a virtual private cloud on AWS or Google Cloud Platform. It is completely managed and supported by Red Hat, and includes a guaranteed SLA. It may be best for organizations that already have a Red Hat footprint and are interested in a fully managed service from Red Hat deployed on AWS.

What are the differences between Red Hat OpenShift Service on AWS and Kubernetes?

Everything you need to deploy and manage containers is bundled with ROSA, including container management, automation (Operators), networking, load balancing, service mesh, CI/CD, firewall, monitoring, registry, authentication, and authorization capabilities. These components are tested together for unified operations as a complete platform. Automated cluster operations, including over-the-air platform upgrades, further enhance your Kubernetes experience.

Will Red Hat OpenShift Service on AWS integrate with other AWS services?

Yes. Red Hat OpenShift Service on AWS will integrate with a range of AWS compute, database, analytics, machine learning, networking, mobile, and various application services which will enable customers to benefit from the robust portfolio of AWS services which scale on-demand across the globe. These AWS native services will be directly accessible to quickly deploy and scale services through the same management interface.

How does ROSA work?

Red Hat OpenShift Service on AWS (ROSA) has infrastructure components (virtual machines, storage disks, etc.) and a software component (OpenShift). When you provision ROSA clusters you will incur the infrastructure and OpenShift charges at the pay-as-you-go hourly rate. Refer to the Red Hat OpenShift Service on AWS pricing page for more information. You can also do 1 or 3 year commits for even deeper discounts.

How do I receive support for ROSA?

ROSA is supported by AWS and Red Hat, and you have the option to contact support from either company to begin troubleshooting. Any necessary escalations will be facilitated by AWS and Red Hat to engage the best team to address the issues.

Where can I learn more about using ROSA?

Our Red Hat OpenShift Service on AWS (ROSA) learning hub has materials and tools designed to help you use Red Hat® OpenShift® Service on AWS, organized by the tasks you need to accomplish.

For more, visit Red Hat OpenShift Service on AWS (ROSA) documentation.

What is ROSA with hosted control planes? And when will it be available?

ROSA with hosted control planes is a new deployment model for ROSA in which a highly available control plane is hosted in a Red Hat-owned AWS account instead of the customer’s AWS account, increasing efficiency and reliability while reducing costs and provisioning time. ROSA with hosted control planes is available in preview as of May 2023 with general availability expected later in the year.

Where can I see a roadmap or make feature requests for the service?

You can visit our ROSA roadmap to stay up to date with the status of features currently in development. Please feel free to open a new issue if you have any suggestions for the product team.

How is the total cost of Red Hat OpenShift Service on AWS calculated?

The total cost of Red Hat OpenShift Service on AWS consists of two components: ROSA service fees and AWS infrastructure fees. View detailed ROSA pricing information, pricing examples, and an AWS pricing calculator.

Is Red Hat OpenShift Service on AWS available for purchase in all countries?

Red Hat OpenShift Service on AWS is available for purchase in all countries where AWS is commercially available.

How can I purchase Red Hat OpenShift Service on AWS?

Customers can acquire the service directly from the AWS console on their own. As with other AWS services, such as EC2, customers will spin up OpenShift clusters and will be charged based on their consumption. Customers can contact their Red Hat or AWS representative for more pricing information, or view ROSA pricing details here.

Will I receive an invoice from Red Hat or AWS?

You will receive a single invoice from AWS.

Does Red Hat OpenShift Service on AWS qualify for AWS EDP Program?

Yes, Red Hat OpenShift Service on AWS fully qualifies for 100% of the spend on the AWS Enterprise Discount Program.

When pricing out my EC2 instances, do I need to use RHEL for the operating system?

No. Because ROSA includes Red Hat Enterprise Linux CoreOS (RHCOS) as the operating system, you only need to choose Linux. For clarity, ROSA cluster creation handles the setup of all the RHCOS nodes entirely.

Can I use spot/preemptible VMs?

Yes, additional MachinePools can be configured with Spot instances. Using Amazon EC2 Spot instances allows you to take advantage of unused capacity at a significant cost savings. Please see the Creating a machine pool section in the documentation for more information.

Is there an upfront commitment?

There is no required upfront commitment. ROSA clusters can be provisioned on-demand, with pay-as-you-go billing, for both AWS and OpenShift expenses. One-year and three-year RI pricing is also available to take advantage of pricing discounts.

How can I start using Red Hat OpenShift Service on AWS?

You can acquire the service directly from the AWS console. As with other AWS services, such as EC2, just spin up your OpenShift clusters and you will be charged based on your consumption. You can also contact your Red Hat or AWS representative. Here is a short video that demonstrates the process to deploy a ROSA cluster.

Do I need to sign/have a contract with Red Hat?

No. You do not need to have a contract with Red Hat to use ROSA. You will need a Red Hat account for use on which includes accepting our Enterprise Agreement and Online services terms.

Can I bring my own license to the service (e.g. Red Hat Cloud Access)?

No. Billing occurs directly through AWS, preventing OpenShift Container Platform or OpenShift Dedicated subscriptions from being used with Red Hat OpenShift Service on AWS.

Can I migrate my existing OpenShift Subscriptions to AWS?

  • OpenShift (OCP, OSD, OKE) subscriptions cannot be used with ROSA.
  • It is not possible to transfer the unused part of your Red Hat OpenShift subscription to ROSA.
  • Subscriptions included with a purchase of an IBM CloudPak cannot be used with ROSA.
  • ROSA subscriptions can only be purchased directly from AWS & AWS resellers.

What are the regions where SREs have residency to operate?

Please see the Red Hat Subprocessor List.

Which Amazon regions are supported?

See supported resources for a list of global regions where Red Hat OpenShift Service on AWS is supported.

What virtual machine sizes can I use?

See Red Hat OpenShift Service on AWS virtual machine sizes for a list of virtual machine sizes you can use with a Red Hat OpenShift Service on AWS cluster.

Which Red Hat OpenShift Container Platform rights do we have? Cluster-admin? Project-admin?

You are granted Cluster Admin rights on the clusters you create.

Can I add RHEL workers to my cluster?

No. In order to maintain our ability to provide seamless updates to your clusters, only Red Hat Enterprise Linux CoreOS (RHCOS) workers are supported by Red Hat OpenShift Service on AWS.

Which services are performed by Red Hat and AWS Operations?

Red Hat SRE is responsible for provisioning, managing, and upgrading the Red Hat OpenShift platform as well as monitoring the core cluster infrastructure for availability. They are not responsible for managing the application lifecycle of applications that run on the platform.

How do I access a ROSA cluster?

There are multiple ways to interact with your cluster. You can connect to it via the command-line-interface (CLI) or via the Web Console. Follow the learning path Getting started with Red Hat OpenShift Service on AWS (ROSA) to learn how.

Visit documentation for the Red Hat OpenShift Service on AWS (ROSA) CLI for more detailed information on how to get started, manage objects, and check logs with the ROSA CLI.

How do I make configuration changes to my cluster?

An administrative user has the ability to add/remove users and projects, manage project quotas, view cluster usage statistics, and change the default project template. Admins can also scale a cluster up or down, and even delete an existing cluster.

Are ROSA clusters deployed in the customer account?

Yes. ROSA clusters are deployed in your account with support for existing VPCs. We suggest you follow security best practices for application isolation and least privileges when considering placement.

Is my ROSA cluster infrastructure shared with any other customer?

Each Red Hat OpenShift Service on AWS cluster is dedicated to a given customer and lives within the customer's subscription.

How are upgrades managed?

Customers can define the upgrade policy and schedule for their clusters in OpenShift Cluster Manager. Clusters can be configured to be automatically upgraded to the latest release during a customer-defined maintenance window, for example "Saturday at 02:00 UTC", or clusters can be upgraded to a specific release at a date and time specified by the customer. Following best practices helps ensure minimal to no downtime. For more details, visit documentation for OpenShift Cluster Manager.

All upgrades are monitored and managed by Red Hat’s SRE service.

What about emergency vs. planned maintenance windows?

We do not distinguish between the two types of maintenance. Our teams are available 24/7/365 and do not use traditional scheduled "out-of-hours" maintenance windows.

How will the host operating systems and OpenShift software be updated?

The host operating systems and OpenShift software are updated through the general upgrade process.

Can logs of underlying VMs be streamed out to a customer log analysis system?

Customers are able to select Application, Infrastructure, and Audit log streams to be forwarded.

Which UNIX rights (in IaaS) are available for Masters/Worker Nodes?

Not applicable to this offering. Node access is not enabled. Worker nodes are fully managed by the SRE team.

Which compliance certifications does ROSA have so far?

Red Hat OpenShift Service on AWS is currently compliant with FedRAMP High Agency ATO, SOC-2 type 2, SOC 3, ISO-27001, ISO 27017, ISO 27018, HIPAA & PCI-DSS. We are also currently working towards FedRAMP High.

Can a cluster have worker nodes across multiple AWS regions?

No, all nodes in a Red Hat OpenShift Service on AWS cluster must be located in the same AWS region; this follows the same model as that of OCP. For clusters configured for multiple availability zones, control plane nodes and worker nodes will be distributed across the availability zones.

What is the minimum number of worker nodes that a ROSA cluster can have?

For a ROSA cluster the minimum is 2 worker nodes for single AZ and 3 for multiple AZ.

Learn more about managing worker nodes.

Where can I find the product documentation for ROSA?

ROSA documentation can be found here.

Can an admin manage users and quotas?

Yes, a Red Hat OpenShift Service on AWS customer administrator can manage users and quotas in addition to accessing all user created projects. Please see for example resource quotas per project.

When will features of the latest version of Kubernetes be supported in ROSA via OpenShift 4?

Customers are able to upgrade to the newest version of OpenShift in order to inherit the features from that version of OpenShift (see life cycle dates). Note that since ROSA is an opinionated installation of OpenShift Container Platform, not all features may be available on ROSA. Please review the Service Definition.

How can customers get support for the service?

ROSA is supported by AWS and Red Hat, and you have the option to contact support from either company to begin troubleshooting. Any necessary escalations will be facilitated by AWS and Red Hat to engage the best team to address the issues.

You can also visit the Red Hat Customer Portal to search or browse through the Red Hat Knowledgebase of articles and solutions relating to Red Hat products or to submit a support case to Red Hat Support. Or you can open up a ticket directly from OpenShift Cluster Manager (OCM). See the ROSA documentation for more details about obtaining support.

What happens if I do not upgrade my cluster before the "end of life" date?

Nothing will happen to an existing ROSA cluster. Your ROSA cluster will continue to operate though it will be in a "limited support" status. In short, this means that the SLA for that cluster will no longer be applicable, but you can still get support for that cluster. Please see Limited support status for more details.

What is the SLA?

Please refer to the Red Hat OpenShift Service on AWS SLA page for details.

How will customers be notified when new features/updates are available?

Updates will go through the regular communication channels, including AWS updates and email.

What version of OpenShift is running?

Red Hat OpenShift Service on AWS is a managed service which is based on OpenShift Container Platform. You can view the current version and life cycle dates in the ROSA documentation.

Is Open Service Broker for AWS (OSBA) supported?

Yes, you can use OSBA with Red Hat OpenShift Service on AWS. See Open Service Broker for AWS for more information. A more recent development is the AWS Controller for Kubernetes, which is the preferred method.

What is the underlying node OS used?

As with all OpenShift v4.x offerings, the control plane, infra and worker nodes run Red Hat Enterprise Linux CoreOS (RHCOS).

What is the process for customers wishing to ‘offboard’ their deployment in ROSA - is there a process?

Customers can stop using the service anytime and move their applications to on-prem, private cloud or other cloud providers. Standard reserved instances (RI) policy applies for unused RI.

What authentication mechanisms are supported with ROSA?

OpenID Connect (a profile of OAuth2), Google OAuth, GitHub OAuth, GitLab, and LDAP.

How will events such as product updates and scheduled maintenance be communicated?

Red Hat will provide updates via email and Red Hat console service log.

Does ROSA have a hibernation or shut-down feature for any nodes in the cluster to save costs on infrastructure or to retain a configured cluster for long-term?

No, not at this time. The shutdown/hibernation feature is an OpenShift platform feature not yet mature enough for widespread cloud services use.

Is SRE access to clusters secured by MFA?

Yes, all SRE access is secured by MFA. See SRE access in the documentation for more details.

What encryption keys, if any, are used in a new ROSA cluster?

We encrypt EBS volumes that we use for ROSA, using a key stored in KMS. Customers have the option to provide their own KMS keys at cluster creation time as well.

If I specify a KMS key to use, what exactly gets encrypted with that key?

Control plane, infrastructure and worker node root volumes, along with your persistent volumes.

Is data on my cluster encrypted?

By default, there is encryption at rest. The AWS Storage platform automatically encrypts your data before persisting it, and decrypts the data before retrieval. See AWS EBS Encryption details. It is also possible to encrypt etcd in the cluster. That would combine with AWS storage encryption, resulting in double (redundant) encryption, which adds up to a 20% performance hit. For further details see etcd encryption.

When can etcd encryption be done with a ROSA cluster?

etcd encryption can only be enabled at cluster creation time. Note that this incurs additional overhead with negligible security risk mitigation. See the prior question about EBS encryption.

How is etcd encryption configured in a ROSA cluster?

The same as in OCP. The aescbc cipher is used and the setting is patched during cluster deployment. See the relevant Kubernetes documentation. For further details see etcd encryption.

What infrastructure is provisioned as part of a new ROSA cluster?

ROSA makes use of a number of different cloud services such as virtual machines, storage, load balancers, etc. You can see a defined list in the AWS prerequisites.

I see there are two "kinds" of ROSA clusters. One uses an IAM user with admin permissions and the other AWS STS. Which should I choose?

AWS STS. These aren't "kinds" but rather credential methods. Basically, "how do you grant Red Hat the permissions needed in order to perform the required actions in your AWS account?". The roadmap forward is focused on STS, and the IAM user method will eventually be deprecated. STS better aligns with principles of least privilege and is much better aligned to secure practices in cloud service resource management. Please see the section "ROSA with STS Explained" for a detailed explanation.

Visit documentation for more details, including requirements for deploying ROSA using STS and IAM resources for ROSA clusters that use STS.

I’m seeing a number of permission or failure errors related to prerequisite tasks or cluster creation, what might be the problem?

Please check for a newer version of the ROSA CLI. Every release of the ROSA CLI lands in two places: GitHub and the Red Hat signed binary releases.

ROSA clusters must also meet several prerequisites before they can be deployed. Visit the documentation for requirements.

What are the available storage options?

Please refer to the storage section of the service definition.

What options are available to use shared storage in containers?

AWS EFS, using the AWS EFS CSI Driver. OpenShift includes the CSI driver out of the box in 4.10. See Setting up AWS EFS for Red Hat OpenShift Service on AWS.

Can I deploy into an already existing VPC and choose the specific subnets?

Yes. At install time you are able to select whether you’d like to deploy to an existing VPC and then choose that VPC. You will then be able to select the desired subnets and also provide a valid CIDR range (encompassing the subnets); the installer will handle using those subnets. Please see the VPC section in the documentation for further details.

Which network plugin is used in Red Hat OpenShift Service on AWS?

Red Hat OpenShift Service on AWS uses the default OpenShift SDN network provider configured to NetworkPolicy mode. OVN-Kubernetes is on our roadmap.

Is cross-namespace networking supported?

Cluster admins in ROSA can customize cross-namespace networking (including denying it) on a per project basis using NetworkPolicy objects. Refer to Configuring multitenant isolation with network policy on how to configure.
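A per-project isolation set of the kind this answer refers to, as an added example that is not taken from the original FAQ. The project name `payments` is hypothetical, and the `network.openshift.io/policy-group` namespace labels are assumed to be present on the router and monitoring namespaces of your cluster.

```yaml
# Added example: multitenant isolation for one project.
# The namespace "payments" is hypothetical.
# NetworkPolicy objects are additive allow-lists: once any policy selects a
# pod, ingress that no policy explicitly allows is dropped.
---
# 1. Default deny: selects every pod in the project and allows nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-by-default
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2. Allow traffic only between pods inside the same project.
#    A bare podSelector under "from" matches pods in this namespace only,
#    so other projects stay blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
---
# 3. Allow the cluster router, otherwise Routes to this project stop working.
#    Assumption: the router namespace carries this policy-group label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
---
# 4. Allow the monitoring stack to scrape metrics from this project.
#    Assumption: the monitoring namespace carries this policy-group label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-monitoring
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: monitoring
```

After applying the set, list the policies in the project and confirm that a pod in a different project can no longer reach a service in `payments` while the application's Route still responds.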

Can more than one ROSA cluster be set up in one VPC?

Yes, ROSA allows multiple clusters to share the same VPC. Essentially, the number of clusters would be limited by what AWS resource quota remains, as well as any chosen CIDR ranges that must not overlap. See CIDR Range Definitions for more information.

Can I use Prometheus/Grafana to monitor containers and manage capacity?

Yes, using OpenShift User Workload Monitoring. This is a check-box option in OpenShift Cluster Manager.

For more details, visit documentation for OpenShift Cluster Manager.

Can I see audit logs output from the cluster control-plane?

If the Cluster Logging Operator Add-on has been added to the cluster then audit logs are available through CloudWatch. If it has not, then a support request would allow you to request some audit logs. Small, targeted and time-boxed logs can be requested for export and sent to a customer. The selection of audit logs available is at the discretion of SRE in the category of platform security and compliance. Requests for exports of a cluster’s entirety of logs will be rejected.

Can I use an AWS Permissions Boundary around the policies for my cluster?

Yes, using AWS Permissions Boundary is supported.

Do ROSA worker nodes share the same AMI as other OpenShift products?

ROSA worker nodes use a different AMI from OSD and OCP. Control Plane and Infra node AMIs are common across products in the same version.

Are backups taken for clusters?

Only non-STS clusters have SRE managed backups at this time, which means that ROSA STS clusters don’t have backups. You can also see our backup policy. It is imperative for users to have their own backup policies for applications and data.

Is ROSA GDPR Compliant?

Yes. Learn more.

Does the ROSA CLI accept Multi-region KMS keys for EBS encryption?

Not at this time. This feature is in our backlog. We do accept single-region KMS keys for EBS encryption, as long as the key is defined at cluster creation time.

Can I define a custom domain and certificate for my applications?

Yes. See Configuring custom domains for applications for more information.

How are the ROSA domain certificates managed?

Red Hat infrastructure (Hive) manages certificate rotation for default application ingress (apps.*

What features are upcoming for ROSA?

The current ROSA roadmap can be seen at:

What kind of instances are supported for worker nodes?

See AWS compute types in the service definition for the up to date list of supported instance types. Additionally, spot instances are supported.

Does ROSA support an air-gapped, disconnected environment where the ROSA cluster does not have internet access?

No, the ROSA cluster must have egress to the internet to access our registry, S3, send metrics etc. The service requires a number of egress endpoints. Ingress can be limited to PrivateLink (for Red Hat SRE) and VPN or similar for customer access.

Is node autoscaling available?

Yes. Autoscaling allows you to automatically adjust the size of the cluster based on the current workload. See About autoscaling nodes on a cluster in the documentation for more details.

What is the maximum number of worker nodes that a cluster can support?

The maximum number of worker nodes is 180 per ROSA cluster. See here for limits and scalability considerations and more details on node counts.

Learn more about managing worker nodes.