Red Hat SummitChapter 1. Getting started with Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud
This service is for use by federal and government agencies, or by commercial organizations and Federal Information Security Modernization Act (FISMA) R&D Universities supporting a government contract or in the process of bidding on a government contract such as a request for proposal (RFP) or request for information (RFI) pre-bid stage.
Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud, carries the following requirements:
- Red Hat OpenShift Service on AWS classic architecture FedRAMP can only be deployed into an existing VPC. See Create Amazon VPC architecture for the AWS PrivateLink use case for instructions on setting up a VPC.
- Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud only supports the use of the AWS STS credentials method.
- Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud only uses Federal Information Processing Standards (FIPS) validated modules in process cryptographic libraries.
Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud requires a separate Red Hat account for use with FedRAMP, even if you already have an existing Red Hat account for Red Hat OpenShift Service on AWS classic architecture clusters in commercial regions.
- Each person who needs to be able to create, modify, or delete clusters must have their own Red Hat FedRAMP account.
- Access to an existing cluster, to use that cluster, does not require a Red Hat FedRAMP account.
- You can use your Red Hat FedRAMP account to deploy to multiple AWS GovCloud accounts.
1.1. Signing up for a Red Hat FedRAMP account
To access Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud, you must sign up for a Red Hat FedRAMP account.
Procedure
- Navigate to https://console.redhat.com/openshift/create/rosa/govcloud.
- Complete the access request form.
Click Submit to sign up.
You will receive a Submission confirmation.
Red Hat’s confirmed stateside support team will contact you through email for the following information:
- Admin details to include your organization name, administrator first and last name and administrator email.
User authentication option to the FedRAMP Hybrid Cloud Console from one of the following two options:
Local group in a Red Hat managed Keycloak instance, where users will be required to setup multi-factor authentication (MFA) with an approved device.
NoteOnly device YubiKEY 5C NFC FIPS currently accepted.
Customer managed Identity Provider (IdP), integrated via OpenID Connect (OIDC), where you will need to provide the following:
- Discovery Endpoint: The IdP’s OIDC discovery URL (typically ending in /.well-known/openid-configuration). This allows Keycloak to automatically fetch most of the IdP’s settings.
- Client ID and secret: Credentials that allow Keycloak to authenticate with the customer’s IdP.
- Email domain(s): A list of approved email domains. Only users with an email address from one of these domains will be allowed to log in.
Essential claim: A specific key-value pair (e.g., "rh-approved": "true") that must be present in a user’s token from the IdP to grant them access.
In this configuration, the customer takes on the responsibility for implementing FIPS 140-2 validated MFA.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}