openshift · xJustin · Jan 30, 2025
diff --git a/_topic_maps/_topic_map_rosa_hcp.yml b/_topic_maps/_topic_map_rosa_hcp.yml
@@ -267,90 +267,85 @@ Distros: openshift-rosa-hcp
 Topics:
 - Name: Adding additional constraints for IP-based AWS role assumption
   File: rosa-adding-additional-constraints-for-ip-based-aws-role-assumption
-# ---
-# - Name: Security
-#   File: rosa-security
-# - Name: Application and cluster compliance
-#   File: rosa-app-security-compliance
-# ---
-# Name: Authentication and authorization
-# Dir: authentication
-# Distros: openshift-rosa-hcp
-# Topics:
-# - Name: Authentication and authorization overview
-#   File: index
-# - Name: Understanding authentication
-#   File: understanding-authentication
-#  - Name: Configuring the internal OAuth server
-#    File: configuring-internal-oauth
-#  - Name: Configuring OAuth clients
-#    File: configuring-oauth-clients
-# - Name: Managing user-owned OAuth access tokens
-#   File: managing-oauth-access-tokens
-#  - Name: Understanding identity provider configuration
-#    File: understanding-identity-provider
+---
+Name: Authentication and authorization
+Dir: authentication
+Distros: openshift-rosa-hcp
+Topics:
+- Name: Authentication and authorization overview
+  File: index
+- Name: Understanding authentication
+  File: understanding-authentication
+# - Name: Configuring the internal OAuth server
+#   File: configuring-internal-oauth
+# - Name: Configuring OAuth clients
+#   File: configuring-oauth-clients
+- Name: Managing user-owned OAuth access tokens
+  File: managing-oauth-access-tokens
+# - Name: Understanding identity provider configuration
+#   File: understanding-identity-provider
+- Name: Configuring identity providers
+  File: sd-configuring-identity-providers
 # - Name: Configuring identity providers
-#   File: sd-configuring-identity-providers
-#  - Name: Configuring identity providers
-#    Dir: identity_providers
-#    Topics:
-#    - Name: Configuring an htpasswd identity provider
-#      File: configuring-htpasswd-identity-provider
-#    - Name: Configuring a Keystone identity provider
-#      File: configuring-keystone-identity-provider
-#    - Name: Configuring an LDAP identity provider
-#      File: configuring-ldap-identity-provider
-#    - Name: Configuring a basic authentication identity provider
-#      File: configuring-basic-authentication-identity-provider
-#    - Name: Configuring a request header identity provider
-#      File: configuring-request-header-identity-provider
-#    - Name: Configuring a GitHub or GitHub Enterprise identity provider
-#      File: configuring-github-identity-provider
-#    - Name: Configuring a GitLab identity provider
-#      File: configuring-gitlab-identity-provider
-#    - Name: Configuring a Google identity provider
-#      File: configuring-google-identity-provider
-#    - Name: Configuring an OpenID Connect identity provider
-#      File: configuring-oidc-identity-provider
-# - Name: Using RBAC to define and apply permissions
-#   File: using-rbac
-#  - Name: Removing the kubeadmin user
-#    File: remove-kubeadmin
-# - Name: Configuring LDAP failover
-#   File: configuring-ldap-failover
-# - Name: Understanding and creating service accounts
-#   File: understanding-and-creating-service-accounts
-# - Name: Using service accounts in applications
-#   File: using-service-accounts-in-applications
-# - Name: Using a service account as an OAuth client
-#   File: using-service-accounts-as-oauth-client
-# - Name: Assuming an AWS IAM role for a service account
-#   File: assuming-an-aws-iam-role-for-a-service-account
-# - Name: Scoping tokens
-#   File: tokens-scoping
-# - Name: Using bound service account tokens
-#   File: bound-service-account-tokens
-# - Name: Managing security context constraints
-#   File: managing-security-context-constraints
-# - Name: Understanding and managing pod security admission
-#   File: understanding-and-managing-pod-security-admission
-#  - Name: Impersonating the system:admin user
-#    File: impersonating-system-admin
-# - Name: Syncing LDAP groups
-#   File: ldap-syncing
-#  - Name: Managing cloud provider credentials
-#    Dir: managing_cloud_provider_credentials
-#    Topics:
-#    - Name: About the Cloud Credential Operator
-#      File: about-cloud-credential-operator
-#    - Name: Mint mode
-#      File: cco-mode-mint
-#    - Name: Passthrough mode
-#      File: cco-mode-passthrough
-#    - Name: Manual mode with long-term credentials for components
-#      File: cco-mode-manual
-#    - Name: Manual mode with short-term credentials for components
-#      File: cco-short-term-creds
+#   Dir: identity_providers
+#   Topics:
+#   - Name: Configuring an htpasswd identity provider
+#     File: configuring-htpasswd-identity-provider
+#   - Name: Configuring a Keystone identity provider
+#     File: configuring-keystone-identity-provider
+#   - Name: Configuring an LDAP identity provider
+#     File: configuring-ldap-identity-provider
+#   - Name: Configuring a basic authentication identity provider
+#     File: configuring-basic-authentication-identity-provider
+#   - Name: Configuring a request header identity provider
+#     File: configuring-request-header-identity-provider
+#   - Name: Configuring a GitHub or GitHub Enterprise identity provider
+#     File: configuring-github-identity-provider
+#   - Name: Configuring a GitLab identity provider
+#     File: configuring-gitlab-identity-provider
+#   - Name: Configuring a Google identity provider
+#     File: configuring-google-identity-provider
+#   - Name: Configuring an OpenID Connect identity provider
+#     File: configuring-oidc-identity-provider
+- Name: Using RBAC to define and apply permissions
+  File: using-rbac
+# - Name: Removing the kubeadmin user
+#   File: remove-kubeadmin
+#- Name: Configuring LDAP failover
+#  File: configuring-ldap-failover
+- Name: Understanding and creating service accounts
+  File: understanding-and-creating-service-accounts
+- Name: Using service accounts in applications
+  File: using-service-accounts-in-applications
+- Name: Using a service account as an OAuth client
+  File: using-service-accounts-as-oauth-client
+- Name: Assuming an AWS IAM role for a service account
+  File: assuming-an-aws-iam-role-for-a-service-account
+- Name: Scoping tokens
+  File: tokens-scoping
+- Name: Using bound service account tokens
+  File: bound-service-account-tokens
+- Name: Managing security context constraints
+  File: managing-security-context-constraints
+- Name: Understanding and managing pod security admission
+  File: understanding-and-managing-pod-security-admission
+# - Name: Impersonating the system:admin user
+#   File: impersonating-system-admin
+- Name: Syncing LDAP groups
+  File: ldap-syncing
+# - Name: Managing cloud provider credentials
+#   Dir: managing_cloud_provider_credentials
+#   Topics:
+#   - Name: About the Cloud Credential Operator
+#     File: about-cloud-credential-operator
+#   - Name: Mint mode
+#     File: cco-mode-mint
+#   - Name: Passthrough mode
+#     File: cco-mode-passthrough
+#   - Name: Manual mode with long-term credentials for components
+#     File: cco-mode-manual
+#   - Name: Manual mode with short-term credentials for components
+#     File: cco-short-term-creds
 ---
 Name: Upgrading
 Dir: upgrading

diff --git a/authentication/assuming-an-aws-iam-role-for-a-service-account.adoc b/authentication/assuming-an-aws-iam-role-for-a-service-account.adoc
@@ -2,17 +2,17 @@
 [id="assuming-an-aws-iam-role-for-a-service-account"]
 = Assuming an AWS IAM role for a service account
 include::_attributes/common-attributes.adoc[]
-ifdef::openshift-rosa,openshift-dedicated[]
+ifdef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
 include::_attributes/attributes-openshift-dedicated.adoc[]
-endif::openshift-rosa,openshift-dedicated[]
+endif::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
 :context: assuming-an-aws-iam-role-for-a-service-account
 
 toc::[]
 
 [role="_abstract"]
-ifdef::openshift-rosa[]
+ifdef::openshift-rosa,openshift-rosa-hcp[]
 In {product-title} clusters that use the AWS Security Token Service (STS), the OpenShift API server can be enabled to project signed service account tokens that can be used to assume an AWS Identity and Access Management (IAM) role in a pod. If the assumed IAM role has the required AWS permissions, the pods can authenticate against the AWS API using temporary STS credentials to perform AWS operations.
-endif::openshift-rosa[]
+endif::openshift-rosa,openshift-rosa-hcp[]
 
 You can use the pod identity webhook to project service account tokens to assume an AWS Identity and Access Management (IAM) role for your own workloads. If the assumed IAM role has the required AWS permissions, the pods can run AWS SDK operations by using temporary STS credentials.
 
@@ -37,6 +37,6 @@ include::modules/verifying-the-assumed-iam-role-in-your-pod.adoc[leveloffset=+2]
 
 * For more information about installing and using the AWS Boto3 SDK for Python, see the link:https://boto3.amazonaws.com/v1/documentation/api/latest/index.html[AWS Boto3 documentation].
 
-ifdef::openshift-rosa,openshift-dedicated[]
+ifdef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
 * For general information about webhook admission plugins for OpenShift, see link:https://docs.openshift.com/container-platform/4.17/architecture/admission-plug-ins.html#admission-webhooks-about_admission-plug-ins[Webhook admission plugins] in the OpenShift Container Platform documentation.
-endif::openshift-rosa,openshift-dedicated[]
+endif::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
diff --git a/authentication/bound-service-account-tokens.adoc b/authentication/bound-service-account-tokens.adoc
@@ -21,9 +21,9 @@ include::modules/bound-sa-tokens-configuring-externally.adoc[leveloffset=+1]
 .Additional resources
 
 // This xref target does not exist in the OSD/ROSA docs.
-ifndef::openshift-dedicated,openshift-rosa[]
+ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 * xref:../nodes/nodes/nodes-nodes-rebooting.adoc#nodes-nodes-rebooting-gracefully_nodes-nodes-rebooting[Rebooting a node gracefully]
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 
 * xref:../authentication/understanding-and-creating-service-accounts.adoc#service-accounts-managing_understanding-service-accounts[Creating service accounts]
 

diff --git a/authentication/index.adoc b/authentication/index.adoc
@@ -10,12 +10,12 @@ include::modules/authentication-authorization-common-terms.adoc[leveloffset=+1]
 [id="authentication-overview"]
 == About authentication in {product-title}
 To control access to an {product-title} cluster,
-ifndef::openshift-dedicated,openshift-rosa[]
+ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 a cluster administrator
-endif::openshift-dedicated,openshift-rosa[]
-ifdef::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
+ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 an administrator with the `dedicated-admin` role
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 can configure xref:../authentication/understanding-authentication.adoc#understanding-authentication[user authentication] and ensure only approved users access the cluster.
 
 To interact with an {product-title} cluster, users must first authenticate to the {product-title} API in some way. You can authenticate by providing an xref:../authentication/understanding-authentication.adoc#rbac-api-authentication_understanding-authentication[OAuth access token or an X.509 client certificate] in your requests to the {product-title} API.
@@ -25,11 +25,11 @@ To interact with an {product-title} cluster, users must first authenticate to th
 If you do not present a valid access token or certificate, your request is unauthenticated and you receive an HTTP 401 error.
 ====
 
-ifdef::openshift-dedicated,openshift-rosa[]
+ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 An administrator can configure authentication by configuring an identity provider. You can define any xref:../authentication/sd-configuring-identity-providers.adoc#understanding-idp-supported_sd-configuring-identity-providers[supported identity provider in {product-title}] and add it to your cluster.
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 
-ifndef::openshift-dedicated,openshift-rosa[]
+ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 An administrator can configure authentication through the following tasks:
 
 * Configuring an identity provider: You can define any xref:../authentication/understanding-identity-provider.adoc#supported-identity-providers[supported identity provider in {product-title}] and add it to your cluster.
@@ -50,7 +50,7 @@ When users send a request for an OAuth token, they must specify either a default
 
 * Managing cloud provider credentials using the xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator[Cloud Credentials Operator]: Cluster components use cloud provider credentials to get permissions required to perform cluster-related tasks.
 * Impersonating a system admin user: You can grant cluster administrator permissions to a user by xref:../authentication/impersonating-system-admin.adoc#impersonating-system-admin[impersonating a system admin user].
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 
 [id="authorization-overview"]
 == About authorization in {product-title}
@@ -68,25 +68,25 @@ You can manage authorization for {product-title} through the following tasks:
 
 * Creating a xref:../authentication/using-rbac.adoc#creating-local-role_using-rbac[local role] and assigning it to a user or group.
 
-ifndef::openshift-dedicated,openshift-rosa[]
+ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 * Creating a cluster role and assigning it to a user or group: {product-title} includes a set of xref:../authentication/using-rbac.adoc#default-roles_using-rbac[default cluster roles]. You can create additional xref:../authentication/using-rbac.adoc#creating-cluster-role_using-rbac[cluster roles] and xref:../authentication/using-rbac.adoc#adding-roles_using-rbac[add them to a user or group].
-endif::openshift-dedicated,openshift-rosa[]
-ifdef::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
+ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 * Assigning a cluster role to a user or group: {product-title} includes a set of xref:../authentication/using-rbac.adoc#default-roles_using-rbac[default cluster roles]. You can xref:../authentication/using-rbac.adoc#adding-roles_using-rbac[add them to a user or group].
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 
-ifndef::openshift-dedicated,openshift-rosa[]
+ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 * Creating a cluster-admin user: By default, your cluster has only one cluster administrator called `kubeadmin`. You can xref:../authentication/using-rbac.adoc#creating-cluster-admin_using-rbac[create another cluster administrator]. Before creating a cluster administrator, ensure that you have configured an identity provider.
 +
 [NOTE]
 ====
 After creating the cluster admin user, xref:../authentication/remove-kubeadmin.adoc#removing-kubeadmin_removing-kubeadmin[delete the existing kubeadmin user] to improve cluster security.
 ====
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 
-ifdef::openshift-rosa[]
+ifdef::openshift-rosa,openshift-rosa-hcp[]
 * Creating cluster-admin and dedicated-admin users: The user who created the {product-title} cluster can grant access to other xref:../authentication/using-rbac.adoc#rosa-create-cluster-admins_using-rbac[`cluster-admin`] and xref:../authentication/using-rbac.adoc#rosa-create-dedicated-cluster-admins_using-rbac[`dedicated-admin`] users.
-endif::openshift-rosa[]
+endif::openshift-rosa,openshift-rosa-hcp[]
 
 ifdef::openshift-dedicated[]
 * Granting administrator privileges to users: You can xref:../authentication/using-rbac.adoc#osd-grant-admin-privileges_using-rbac[grant `dedicated-admin` privileges to users].

diff --git a/authentication/ldap-syncing.adoc b/authentication/ldap-syncing.adoc
@@ -9,9 +9,9 @@ toc::[]
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
 As an administrator,
 endif::[]
-ifdef::openshift-dedicated,openshift-rosa[]
+ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 As an administrator with the `dedicated-admin` role,
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 you can use groups to manage users, change
 their permissions, and enhance collaboration. Your organization may have already
 created user groups and stored them in an LDAP server. {product-title} can sync
@@ -20,28 +20,28 @@ your groups in one place. {product-title} currently supports group sync with
 LDAP servers using three common schemas for defining group membership: RFC 2307,
 Active Directory, and augmented Active Directory.
 
-ifndef::openshift-dedicated,openshift-rosa[]
+ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 For more information on configuring LDAP, see
 xref:../authentication/identity_providers/configuring-ldap-identity-provider.adoc#configuring-ldap-identity-provider[Configuring an LDAP identity provider].
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 
-ifdef::openshift-dedicated,openshift-rosa[]
+ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 For more information on configuring LDAP, see
 xref:../authentication/sd-configuring-identity-providers.adoc#config-ldap-idp_sd-configuring-identity-providers[Configuring an LDAP identity provider].
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
 [NOTE]
 ====
 You must have `cluster-admin` privileges to sync groups.
 ====
 endif::[]
-ifdef::openshift-dedicated,openshift-rosa[]
+ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 [NOTE]
 ====
 You must have `dedicated-admin` privileges to sync groups.
 ====
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 
 include::modules/ldap-syncing-about.adoc[leveloffset=+1]
 include::modules/ldap-syncing-config-rfc2307.adoc[leveloffset=+2]
@@ -54,7 +54,7 @@ include::modules/ldap-syncing-running-subset.adoc[leveloffset=+2]
 include::modules/ldap-syncing-pruning.adoc[leveloffset=+1]
 
 // OSD and ROSA dedicated-admins cannot create the cluster roles and cluster role bindings required for this procedure.
-ifndef::openshift-dedicated,openshift-rosa[]
+ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 // Automatically syncing LDAP groups
 include::modules/ldap-auto-syncing.adoc[leveloffset=+1]
 
@@ -63,7 +63,7 @@ include::modules/ldap-auto-syncing.adoc[leveloffset=+1]
 
 * xref:../authentication/identity_providers/configuring-ldap-identity-provider.adoc#configuring-ldap-identity-provider[Configuring an LDAP identity provider]
 * xref:../nodes/jobs/nodes-nodes-jobs.adoc#nodes-nodes-jobs-creating-cron_nodes-nodes-jobs[Creating cron jobs]
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 
 include::modules/ldap-syncing-examples.adoc[leveloffset=+1]
 include::modules/ldap-syncing-rfc2307.adoc[leveloffset=+2]