Red Hat OpenShift on AWS (ROSA) is a fully managed turn-key application platform that's jointly engineered and supported by Red Hat and Amazon Web Services (AWS). A fully integrated and managed application platform like ROSA helps you get faster time to value, allowing you to focus on the things that matter most to your business and your customers without worrying about running a complex platform.
A frequent question we get from customers beginning their ROSA journey is “What does 'managed' mean to me? What will I be responsible for? What are Red Hat and AWS responsible for?"
It's important to understand the responsibility model and how it is shared between the service provider and the customer. While Red Hat and AWS manage the ROSA services, the customer shares responsibility for the functionality of their cluster.
Simplified responsibility model
As seen in the simplified responsibility model below, some responsibilities are fully owned by Red Hat and AWS, some by the customer, and others are shared between the service providers and the customer. This article provides an overview of the ROSA responsibility assignment matrix, outlining the jointly-held responsibilities of Red Hat and AWS, as well as those of the customer.
Red Hat responsibilities
At a high level, Red Hat is primarily responsible for managing and maintaining the ROSA platform. As a complete turn-key application platform, ROSA is integrated with services such as monitoring, logging and networking, as well as developer productivity tools, such as Service Mesh, OpenShift Pipelines, CodeReady workspaces and more.
The Red Hat global Site Reliability Engineering (SRE) team manages the entire platform, and is responsible for cluster availability, performance, security and scalability. Our SREs are not just product engineers developing software or systems engineers running something someone else made—they are a hybrid of the two.
Red Hat SREs are developers with a systems mindset and systems engineers with a development mindset. They answer the questions you have in regard to people and skills such as: “Who will manage the clusters? Is building and managing an application platform our core competence?” “How much experience do we have building an enterprise grade application platform?” “Can we retain experienced staff?” “What happens when there is an ops issue?”
SREs are responsible for automating installation and initial cluster configurations, as well as automating remaining cluster life cycle operations.
Red Hat is also responsible for ensuring that the ROSA platform meets all relevant compliance and regulatory requirements, including those related to data protection, privacy and security.
AWS is responsible for providing the underlying cloud infrastructure. They are responsible for the availability, performance and scalability, as well as managing the physical security of the infrastructure. AWS is also responsible for ensuring that the cloud infrastructure meets all the relevant compliance and regulatory requirements.
The customer’s primary responsibilities are the applications, workloads and data that they deploy to ROSA. This includes configuring and deploying their applications, monitoring their performance and availability, securing their data and managing user access to the platform.
Customers can use the in-built security features in ROSA such as role-based access control (RBAC), network policies and data encryption to help improve the security profile of their applications and data. Customers are also responsible for ensuring that their applications and data meet all relevant compliance and regulatory requirements.
Red Hat classifies customer-owned data at the highest level of sensitivity and handling requirements, which explains why Red Hat doesn’t have access to the customer’s projects, applications or data. However, Red Hat does provide various tools that can help customers manage data and applications on the platform.
The customer, Red Hat and AWS share responsibility for the monitoring and maintenance of the ROSA cluster. This section delineates the areas of shared responsibility.
These are shared responsibility areas because, even though ROSA is a managed service, it offers a flexible model in which the customer can define their cluster specifications and bring their own network design as well as their own logging and monitoring tools.
When it comes to platform creation, customers get a self-service option to define different parameters to create a customized cluster for their specific needs. For example, customers have the option to define the ROSA version they want, and can install either public or PrivateLink clusters. They can also define the AWS region and whether they want a single-AZ or Multi-AZ cluster deployment.
To get a list of all possible flags to use at cluster creation with the ROSA command line interface, run the command rosa create cluster --help. Once you enter the command to create the cluster, the cluster creation is automated in the backend by the Red Hat SRE team.
Cluster management is a shared responsibility between Red Hat and the customer. Red Hat is responsible for enabling changes to the cluster infrastructure and services, as well as maintaining versions for the control plane nodes, infrastructure nodes and services, and worker nodes. The customer is responsible for requesting infrastructure change requests and installing and maintaining optional services and networking configurations on the cluster, as well as all changes to customer data and customer applications.
For example, when it comes to cluster capacity, Red Hat SREs monitor the use of control plane and infrastructure nodes, and will scale and resize these nodes to maintain quality of service. On the other hand, the customer is responsible for monitoring worker node utilization and enabling auto-scaling so resources will automatically scale to meet capacity requirements.
Red Hat also provides customers with a self-serve option to schedule maintenance upgrades and to decide how these upgrades should happen (either automatically or manually).
Monitoring and logging
Red Hat is fully responsible for platform monitoring while the customer’s primary focus will be on application monitoring. Red Hat SREs maintain a centralized monitoring and alerting system for all ROSA cluster components and SRE services.
Red Hat centrally aggregates and monitors platform audit logs for security events. Red Hat also provides and maintains a logging operator which customers can install for default application logging. An optional log forwarding add-on is available to customers who want to ship logs to Amazon CloudWatch. Customers can also forward logs to their own third-party logging and monitoring tools.
Networking includes application, cluster and virtual networking. Red Hat is primarily responsible for the internal platform networking components and provides configurable options for the other networking areas. We will examine the different networking components separately.
Red Hat provides all the resources the customer needs to manage how to expose their applications running on ROSA such as cloud load balancers, OpenShift router service and OpenShift overlay network for internal pod traffic.
The customer is responsible for defining network policies that restrict traffic to the pods running in their cluster, requesting and configuring additional load balancers, and configuring any necessary DNS forwarding rules.
When it comes to cluster networking, the customer is responsible for providing the IP address ranges for the machine, service and pod CIDRs, and for deciding whether the API and application endpoints are made public or private.
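The CIDR choices above are the customer's to get right, and an overlapping or malformed range is cheaper to catch locally than at install time. The following preflight check is an added example, not code from the article, Red Hat or the rosa CLI; it assumes OpenShift's documented default ranges as the "good" input, and the flag names in `rosa_flags` are assumed from the rosa CLI and should be confirmed against the `rosa create cluster --help` output mentioned above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterNetwork:
    """Customer-supplied ranges; defaults are OpenShift's documented ones."""
    machine_cidr: str = "10.0.0.0/16"    # node addresses (must fit the VPC you bring)
    service_cidr: str = "172.30.0.0/16"  # ClusterIP services
    pod_cidr: str = "10.128.0.0/14"      # pod overlay network
    host_prefix: int = 23                # per-node slice carved out of pod_cidr


def validate_network(net: ClusterNetwork) -> list[str]:
    """Return the problems found; an empty list means the inputs are consistent."""
    problems, ranges = [], {}
    for name in ("machine_cidr", "service_cidr", "pod_cidr"):
        try:  # strict=True rejects host bits set, e.g. 10.128.0.1/14
            ranges[name] = ipaddress.ip_network(getattr(net, name), strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    if problems:
        return problems
    for name, rng in ranges.items():  # cluster ranges should never be public space
        if not rng.is_private:
            problems.append(f"{name} {rng} is not a private range")
    names = list(ranges)
    for i, a in enumerate(names):  # the three ranges must be mutually disjoint
        for b in names[i + 1:]:
            if ranges[a].overlaps(ranges[b]):
                problems.append(f"{a} {ranges[a]} overlaps {b} {ranges[b]}")
    pod_len = ranges["pod_cidr"].prefixlen
    if not pod_len < net.host_prefix < 32:
        problems.append(f"host_prefix /{net.host_prefix} must be longer than pod_cidr /{pod_len}")
    return problems


def capacity(net: ClusterNetwork) -> tuple[int, int]:
    """(max nodes, usable pod IPs per node) implied by splitting pod_cidr at host_prefix."""
    pod_len = ipaddress.ip_network(net.pod_cidr).prefixlen
    return 2 ** (net.host_prefix - pod_len), 2 ** (32 - net.host_prefix) - 2


def rosa_flags(net: ClusterNetwork) -> list[str]:
    """Networking arguments for `rosa create cluster` (flag names assumed, see lead-in)."""
    if validate_network(net):
        raise ValueError("fix the validate_network() findings first")
    return ["--machine-cidr", net.machine_cidr, "--service-cidr", net.service_cidr,
            "--pod-cidr", net.pod_cidr, "--host-prefix", str(net.host_prefix)]


if __name__ == "__main__":
    for net in (ClusterNetwork(),                              # defaults
                ClusterNetwork(machine_cidr="10.128.0.0/16"),  # constructed: overlaps pod_cidr
                ClusterNetwork(pod_cidr="10.128.0.1/14")):     # constructed: host bits set
        print(validate_network(net) or f"OK, capacity {capacity(net)}")
```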
The virtual network is configurable. It is the customer's responsibility to set up and maintain optional public cloud components such as VPC-to-VPC connections, VPN connections, Transit Gateway connections or Direct Connect.
Getting support for ROSA
ROSA includes Red Hat Premium Support from our highly experienced Customer Experience and Engagement (CEE) and SRE teams. Customers can also get support from AWS as long as they have a valid AWS support contract.
Here we've provided an overview of the ROSA responsibility matrix. As outlined in the article, most of the heavy lifting is done by our industry-leading SRE team so you are able to better focus on your core business needs.
The responsibility matrix is an important aspect of a managed service. It is our recommendation that you familiarize yourself with it before getting started with ROSA to prevent carrying out any unsupported actions on the cluster. For detailed information, read the Overview of responsibilities for Red Hat OpenShift Service on AWS.
About the author
Charlotte is a Managed OpenShift Black Belt focusing on Red Hat Managed OpenShift offerings on AWS, Microsoft Azure and other public clouds. Charlotte has several years of IT experience helping customers build resilient, highly available and cost-optimized solutions in the cloud. In her current role, Charlotte is focused on removing organizational, technical and competitive blockers to customers' adoption of Managed OpenShift as a preferred platform for application workload deployments. Charlotte enjoys providing business value as well as having technical deep-dive conversations with customers.