Your responsibilities with using Red Hat OpenShift on Satellite

Learn about cluster management responsibilities that you have when you use Red Hat OpenShift on Satellite clusters. For overall terms of use, see Cloud Services terms.

Overview of shared responsibilities

Red Hat OpenShift on IBM Cloud is a managed service in the IBM Cloud shared responsibility model. Review the following table of who is responsible for particular cloud resources when using Red Hat OpenShift on IBM Cloud. Then, you can view more granular tasks for shared responsibilities in Tasks for shared responsibilities by area.

If you use other IBM Cloud products such as Object Storage, responsibilities that are marked as yours in the following table, such as disaster recovery for Data, might be IBM's or shared. Consult those products' documentation for your responsibilities.

Responsibilities by resource.
Resource	Incident and operations management	Change management	Identity and access management	Security and regulation compliance	Disaster Recovery
Data	You	You	You	You	You
Applications	You	You	You	You	You
Observability	Shared	IBM	Shared	IBM	IBM
App networking	Shared	IBM	IBM	IBM	IBM
Cluster networking	Shared	IBM	IBM	IBM	IBM
Cluster version	IBM	Shared	IBM	IBM	IBM
Worker nodes	Shared	Shared	IBM	IBM	IBM
Master	IBM	IBM	IBM	IBM	IBM
Service	IBM	IBM	IBM	IBM	IBM
Virtual storage	You	You	You	You	You
Virtual network	You	You	You	You	You
Hypervisor	You	You	You	You	You
Physical servers and memory	You	You	You	You	You
Physical storage	You	You	You	You	You
Physical network and devices	You	You	You	You	You
Facilities and Data Centers	You	You	You	You	You

Tasks for shared responsibilities by area

After reviewing the overview, see what tasks you and IBM share responsibility for each area and resource when you use Red Hat OpenShift on IBM Cloud.

Incident and operations management

You and IBM share responsibilities for the set up and maintenance of your Red Hat OpenShift on IBM Cloud cluster environment for your application workloads. You are responsible for incident and operations management of your application data.

Responsibilities for incident and operations management
Resource	IBM responsibilities	Your responsibilities
Worker nodes	Deploy a fully managed, highly available dedicated management plane in a secured, IBM-owned infrastructure account. Ensure that worker nodes successfully provision when the user account and permissions are correctly set up, and sufficient quota exists. Fulfill requests for more infrastructure, such as adding, reloading, updating, and removing worker nodes. Provide tools, such as the cluster autoscaler, to extend your cluster infrastructure. Fulfill automation requests to help recover worker nodes.	Use the provided API, CLI, or console tools to adjust compute and storage capacity to meet the needs of your workload. Use the provided API, CLI, or console tools to request that worker nodes are rebooted, reloaded, or replaced, and troubleshoot issues such as when the worker nodes are in an unhealthy state.
Cluster networking	Set up cluster management components, such as public or private cloud service endpoints, VLANs, and load balancers. Fulfill requests for more infrastructure, such as attaching worker nodes to existing subnets upon resizing a worker pool. Create clusters with subnet IP addresses reserved to use to expose apps externally. Set up a Konnectivity connection between the master and worker nodes when the cluster is created. Provide the ability to set up a VPN connection with on-premises resources such as through the strongSwan IPSec VPN service or the IBM Cloud VPC VPN. Provide the ability to isolate network traffic with edge nodes.	Use the provided API, CLI, or console tools to adjust cluster networking configuration to meet the needs of your workload, such as configuring service endpoints, adding VLANs to provide IP addresses for more worker nodes, setting up a VPN connection, or edge node worker pools.
App networking	Set up a public application load balancer (ALB) that is multizone, if applicable. Provide the ability to set up private ALBs and public or private network load balancers (NLBs). Support native Kubernetes public and private load balancers and Ingress routes for exposing services externally. Install Calico as the container networking interface, and set up default Calico network policies to control basic cluster traffic.	Set up any additional app networking capabilities that are needed, such as private ALBs, public or private NLBs, or additional Calico network policies.
Observability	Provide Log Analysis and Monitoring as managed add-ons to enable observability of your cluster and container environments. Maintenance is simplified for you because IBM provides the installation and updates for the managed add-ons. Provide cluster integration with Activity Tracker and send Red Hat OpenShift on IBM Cloud API events for auditability.	Set up and monitor the health of your container logs and cluster metrics. Set up and, if applicable, configure `kube-audit` logs to be sent to Activity Tracker.

Change management

You and IBM share responsibilities for keeping your clusters at the latest container platform and operating system versions, along with recovering infrastructure resources that might require changes. You are responsible for change management of your application data.

Responsibilities for change management
Resource	IBM responsibilities	Your responsibilities
Worker nodes	Provide worker node patch operating system (OS), version, and security updates. Fulfill automation requests to update and recover worker nodes.	Use the API, CLI, or console tools to apply the provided worker node updates that include operating system patches; or to request that worker nodes are rebooted, reloaded, or replaced.
Cluster version	Provide a suite of tools to automate cluster management, such as the Red Hat OpenShift on IBM Cloud API, CLI plug-in, and console. Automatically apply Red Hat OpenShift master patch OS, version, and security updates. Make major and minor updates for master nodes available for you to apply. Provide worker node major, minor, and patch OS, version, and security updates. Fulfill automation requests to update cluster master and worker nodes.	Use the API, CLI, or console tools to apply the provided major and minor Red Hat OpenShift master updates and major, minor, and patch worker node updates.

Identity and access management

You and IBM share responsibilities for controlling access to your Red Hat OpenShift on IBM Cloud instances. For IBM Cloud® Identity and Access Management responsibilities, consult that product's documentation. You are responsible for identity and access management to your application data.

Responsibilities for identity and access management
Resource	IBM responsibilities	Your responsibilities
Observability	Provide the ability to integrate IBM Cloud Activity Tracker with your cluster to audit the actions that users take in the cluster.	Set up IBM Cloud Activity Tracker or other capabilities to track user activity in the cluster.

Security and regulation compliance

IBM is responsible for the security and compliance of Red Hat OpenShift on IBM Cloud. Compliance to industry standards varies depending on the infrastructure provider that you use for the cluster, such as classic or VPC. You are responsible for the security and compliance of any workloads that run in the cluster and your application data. For more information, see What standards does the service comply to?.

Responsibilities for security and regulation compliance
Resource	IBM responsibilities	Your responsibilities
General	Maintain controls commensurate to various industry compliance standards, such as PCI DSS. Compliance to industry standards varies depending on the infrastructure provider of the cluster, such as classic or VPC. Monitor, isolate, and recover the cluster master. Provide highly available replicas of the Kubernetes master API server, etcd, scheduler, and controller manager components to protect against a master outage. Monitor and report the health of the master and worker nodes in the various interfaces. Automatically apply master security patch updates, and provide worker node security patch updates. Enable certain security settings, such as encrypted disks on worker nodes. Disable certain insecure actions for worker nodes, such as not permitting users to SSH into the host. Encrypt communication between the master and worker nodes with TLS. Provide CIS-compliant Linux images for worker node operating systems. Continuously monitor master and worker node images to detect vulnerability and security compliance issues. Provision worker nodes with two local SSD, AES 256-bit encrypted data partitions. Provide options for cluster network connectivity, such as public and private cloud service endpoints. Provide options for compute isolation, such as dedicated virtual machines or bare metal. Integrate Kubernetes role-based access control (RBAC) with IBM Cloud Identity and Access Management (IAM).	Set up and maintain security and regulation compliance for your apps and data. For example, choose how to set up your cluster network, protect sensitive information such as with IBM Key Protect encryption, and configure further security settings to meet your workload's security and compliance needs. If applicable, configure your firewall. As part of your incident and operations management responsibilities for the worker nodes, apply the provided security patch updates.

Disaster recovery

IBM is responsible for the recovery of Red Hat OpenShift on IBM Cloud components in case of disaster. You are responsible for the recovery of the workloads that run the cluster and your application data. If you integrate with other IBM Cloud services such as file, block, object, cloud database, logging, or audit event services, consult those services' disaster recovery information.

Responsibilities for disaster recovery
Resource	IBM responsibilities	Your responsibilities
General	Maintain service availability across worldwide locations so that customers can deploy clusters across zones and regions for higher DR tolerance. Provision clusters with three replicas of master components for high availability. In multizone regions, automatically spread the master replicas across zones. Continuously monitor to work to ensure the reliability and availability of the service environment by site reliability engineers. Update and recover operational Red Hat OpenShift on IBM Cloud and Kubernetes components within the cluster, such as the Ingress application load balancer and file storage plug-in. Back up and recover data in etcd, such as your Kubernetes workload configuration files Provide the ability to integrate with other IBM Cloud services such as storage providers so that data can be backed up and restored.	Set up and maintain disaster recovery capabilities for your apps and data. For example, to prepare your cluster for HA/DR scenarios, follow the guidance in Creating a highly available cluster strategy for Red Hat OpenShift on IBM Cloud. Note that persistent storage of data such as application logs and cluster metrics are not set up by default.

Applications and data

You are completely responsible for the applications, workloads, and data that you deploy to IBM Cloud. However, IBM provides various tools to help you set up, manage, secure, integrate and optimize your apps as described in the following table.

Applications and data
Resource	How IBM helps	What you can do
Applications	Provision clusters with Red Hat OpenShift components installed so that you can access the Red Hat OpenShift API to deploy and manage your containerized apps. Provide a number of managed add-ons to extend your app's capabilities, such as the Diagnostics and Debug Tool. Maintenance is simplified for you because IBM provides the installation and updates for the managed add-ons. Provide cluster integration with select third-party partnership technologies, such as Log Analysis, Monitoring, and Portworx. Provide automation to enable service binding to other IBM Cloud services. Create clusters with image pull secrets so that your deployments in the `default` Kubernetes namespace can pull images from IBM Cloud Container Registry. Provide access to Red Hat OpenShift APIs that you can use to set up Operators to add community, third-party, and your own services to your cluster. Note that Operators might not work without manual adjustments such as changes in cluster security policies. Provide storage classes and plug-ins to support persistent volumes for use with your apps. Automatically configure security settings to prevent insecure access, such as disabling SSH into the worker node compute hosts. Automatically integrate IBM Cloud IAM service access roles with Kubernetes RBAC roles in the cluster. Generate an API key that is used to access infrastructure permissions for each resource group and region.	Maintain responsibility for your apps, data, and their complete lifecycle. If you add community, third-party, your own, or other services to your cluster such as by using Operators, you are responsible for these services and for working with the appropriate provider to troubleshoot any issues. Use the provided tools and features to configure and deploy; keep up-to-date; set up resource requests and limits; size your worker pool to have enough resources to run your apps; set up permissions; integrate with other services; manage any operators or templates that you deploy; externally serve; save, back up, and restore data; and otherwise manage your highly available and resilient workloads.
Data	Maintain platform-level standards so that your data can be stored with controls commensurate to leading international security compliance standards. Provision clusters with Red Hat OpenShift components installed so that you can access the Red Hat OpenShift API to help manage your app data, such as with secrets and configmaps. Integrate with IBM Cloud services that you can use to store and manage your data, such as IBM Cloud Databases or Object Storage. Integrate with IBM Watson services that you can use to maximize the insights and use of your data with the latest artificial intelligence technology.	Maintain responsibility for your data and how your apps consume the data.