Security and compliance


Red Hat OpenShift Service on AWS 4

Configuring security context constraints on AWS clusters

Red Hat OpenShift Documentation Team

Abstract

This document provides instructions for configuring security context constraints.

Chapter 1. Specifying the TLS for your cluster

Red Hat OpenShift Service on AWS supports the Modern Transport Layer Security (TLS) 1.3 security profile, allowing you to use TLS 1.3 for enhanced security of your client-facing ingress endpoint.

1.1. TLS support for your clusters

With Red Hat OpenShift Service on AWS, you can use the Modern Transport Layer Security (TLS) 1.3 security profile for managed endpoints, giving you authority over the API server and OAuth endpoints. Even when Red Hat manages the underlying control plane infrastructure, you still have control. By using this TLS 1.3 profile, you ensure that administrative and automation tools, such as the oc command line tool and the CI/CD integration, use TLS 1.3 for all communications.

Create an identity-based policy that denies requests from non-allowlisted IP addresses. Restricting role access can improve your AWS account security.

2.1. Creating an identity-based IAM policy

Create an Identity and Access Management (IAM) policy that denies access to all AWS actions if the request is made from an IP address not provided by Red Hat.

Prerequisites

  • You have access to the AWS Management Console with the permissions required to create and modify IAM policies.

Procedure

  1. Sign in to the AWS Management Console using your AWS account credentials.
  2. Navigate to the IAM service.
  3. In the IAM console, select Policies from the left navigation menu.
  4. Click Create policy.
  5. Select the JSON tab to define the policy using JSON format.
  6. To get the IP addresses required for the JSON policy document, run the following command:

    $ ocm get /api/clusters_mgmt/v1/trusted_ip_addresses

    Note

    These IP addresses are not permanent and can change. Regularly review the API output and update the JSON policy document.

  7. Copy and paste the following policy_document.json file into the editor:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {
                        "aws:SourceIp": []
                    },
                    "Bool": {
                        "aws:ViaAWSService": "false"
                    }
                }
            }
        ]
    }

  8. Copy and paste all of the IP addresses, which you got in Step 6, into the "aws:SourceIp": [] array in your policy_document.json file.
  9. Click Review and create.
  10. Provide a name and description for the policy, and review the details for accuracy.
  11. Click Create policy to save the policy.

    Note

    Set the aws:ViaAWSService condition key to false so that the Deny statement applies only to requests you send directly, and the calls that AWS services make on your behalf after your initial call still succeed. For example, if you do not set aws:ViaAWSService to false and run aws ec2 describe-instances, some follow-up calls can fail. This affects the subsequent calls made within the AWS API server to retrieve information about the Elastic Block Store (EBS) volumes attached to the EC2 instance. Those calls fail because they originate from AWS IP addresses that are not included in the allowlist.
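The following script is an added example, not Red Hat tooling or part of the original procedure. It automates Steps 6 to 8 above: it reads the output of the ocm command, normalises each trusted address to CIDR notation, fills the "aws:SourceIp" array of the policy_document.json shown above, and then models how the NotIpAddress and aws:ViaAWSService conditions combine, so you can check which requests the Deny statement would actually match before attaching it. The response shape of the trusted_ip_addresses endpoint (a list of items carrying the address in "id" with an "enabled" flag) is an assumption, and the sample addresses are constructed RFC 5737 documentation ranges, not real Red Hat addresses.

```python
"""Build and sanity-check the IP-allowlist Deny policy from Section 2.1.

Added example; not Red Hat's tooling. The OCM response shape is assumed:
``ocm get /api/clusters_mgmt/v1/trusted_ip_addresses`` is taken to return a
JSON object whose ``items`` carry the address in ``id`` and an ``enabled`` flag.
"""
import ipaddress
import json

# Constructed stand-in for the OCM API output (shape is an assumption; the
# addresses are RFC 5737 documentation ranges, not real Red Hat IPs).
SAMPLE_OCM_OUTPUT = json.dumps({
    "kind": "TrustedIpList",
    "items": [
        {"kind": "TrustedIp", "id": "192.0.2.10", "enabled": True},
        {"kind": "TrustedIp", "id": "198.51.100.0/24", "enabled": True},
        {"kind": "TrustedIp", "id": "203.0.113.7", "enabled": False},
    ],
})


def trusted_ips_from_ocm(raw_json):
    """Extract enabled addresses and normalise each to CIDR notation.

    Single hosts become /32 so the list is uniform. An address that does not
    parse raises instead of silently producing a policy with a hole in it.
    """
    doc = json.loads(raw_json)
    cidrs = set()
    for item in doc.get("items", []):
        if not item.get("enabled", True):
            continue
        cidrs.add(str(ipaddress.ip_network(item["id"], strict=False)))
    return sorted(cidrs)


def build_policy(cidrs):
    """Return the policy_document.json from Section 2.1 with the allowlist filled in."""
    if not cidrs:
        # An empty NotIpAddress list would deny every direct request, locking
        # the principal out entirely; refuse to emit such a document.
        raise ValueError("empty allowlist would deny every direct request")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {"aws:SourceIp": list(cidrs)},
                    "Bool": {"aws:ViaAWSService": "false"},
                },
            }
        ],
    }


def is_denied(policy, source_ip, via_aws_service=False):
    """Model how the two condition keys of the Deny statement combine.

    Condition blocks within one statement are ANDed: the request is denied only
    if the caller IP lies outside every allowlisted range AND the request was
    sent directly (not by an AWS service acting on the caller's behalf).
    """
    cond = policy["Statement"][0]["Condition"]
    allowlist = [ipaddress.ip_network(c) for c in cond["NotIpAddress"]["aws:SourceIp"]]
    ip = ipaddress.ip_address(source_ip)
    outside_allowlist = not any(ip in net for net in allowlist)
    # "aws:ViaAWSService": "false" matches only requests the caller sent directly.
    service_cond_matches = str(via_aws_service).lower() == cond["Bool"]["aws:ViaAWSService"]
    return outside_allowlist and service_cond_matches


if __name__ == "__main__":
    policy = build_policy(trusted_ips_from_ocm(SAMPLE_OCM_OUTPUT))
    print(json.dumps(policy, indent=4))
```

Run the script with the real ocm output piped in place of the constructed sample whenever the trusted address list changes, and regenerate the policy document from it rather than editing the array by hand; the is_denied check is what shows why the aws:ViaAWSService condition matters, because a request from a non-allowlisted AWS address is denied when sent directly but not when an AWS service makes it on your behalf.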

2.2. Attaching the identity-based IAM policy

After you create an Identity and Access Management (IAM) policy, attach it to the relevant IAM users, groups, or roles in your AWS account. The policy prevents IP-based role assumption for these entities.

Procedure

  1. Navigate to the IAM console in the AWS Management Console.
  2. Select the default IAM ManagedOpenShift-Support-Role role to attach the policy.

    Note

    You can change the default IAM ManagedOpenShift-Support-Role role. For more information about roles, see Red Hat support access.

  3. In the Permissions tab, select Add Permissions or Create inline policy from the Add Permissions drop-down list.
  4. Search for the policy you created earlier by:

    1. Entering the policy name.
    2. Filtering by the appropriate category.
  5. Select the policy and click Attach policy.

    Important

    To prevent IP-based role assumption, keep the allowlisted IPs up to date. Outdated IPs can block Red Hat site reliability engineering (SRE) from accessing your account and affect your Service Level Agreement (SLA).

Legal Notice

Copyright © Red Hat

OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).

Modified versions must remove all Red Hat trademarks.

Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.

Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of the OpenJS Foundation.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.
