- Overview
- Requirements
- Pre-installation
- Preparing the installation
- Installing and configuring the service mesh
- Downloading the installation packages
- Configuring the OCI-compliant registry
- Granting installation permissions
- Installing and configuring the GitOps tool
- Deploying Redis through OperatorHub
- Applying miscellaneous configurations
- Running uipathctl
- Installation
- Post-installation
- Migration and upgrade
- Upgrading Automation Suite
- Migrating standalone products to Automation Suite
- Step 1: Restoring the standalone product database
- Step 2: Updating the schema of the restored product database
- Step 3: Moving the Identity organization data from standalone to Automation Suite
- Step 4: Backing up the platform database in Automation Suite
- Step 5: Merging organizations in Automation Suite
- Step 6: Updating the migrated product connection strings
- Step 7: Migrating standalone Orchestrator
- Step 8: Migrating standalone Insights
- Step 9: Migrating standalone Test Manager
- Step 10: Deleting the default tenant
- Performing a single tenant migration
- Migrating between Automation Suite clusters
- Monitoring and alerting
- Cluster administration
- Product-specific configuration
- Remapping the organization IDs
- Migrating Looker data to Automation Suite
- Performing Insights database maintenance
- Configuring the Insights custom security context
- Configuring log rules
- Orchestrator advanced configuration
- Configuring Orchestrator parameters
- Configuring appSettings
- Configuring the maximum request size
- Overriding cluster-level storage configuration
- Configuring NLog
- Saving robot logs to Elasticsearch
- Configuring credential stores
- Configuring encryption key per tenant
- Cleaning up the Orchestrator database
- Skipping host library creation
- Troubleshooting
Automation Suite on OpenShift installation guide
Configuring the Insights custom security context
The Insights application has multiple features that use the Chromium Linux SUID Sandbox. Thus, while the elevated access is not required for the installation of the Insights application itself, it is essential for specific feature functionality.
-
Save the configuration file as a YAML file and execute the following command. Make sure to replace the
<file_name.yaml>placeholder with the actual name used for your YAML file:oc apply -f <file_name.yaml>.allowedCapabilities: - SETUID apiVersion: security.openshift.io/v1 fsGroup: type: MustRunAs groups: [] kind: SecurityContextConstraints metadata: name: insights-scc readOnlyRootFilesystem: false runAsUser: type: MustRunAsRange seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny users: [] volumes: - configMap - csi - downwardAPI - emptyDir - ephemeral - persistentVolumeClaim - projected - secretallowedCapabilities: - SETUID apiVersion: security.openshift.io/v1 fsGroup: type: MustRunAs groups: [] kind: SecurityContextConstraints metadata: name: insights-scc readOnlyRootFilesystem: false runAsUser: type: MustRunAsRange seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny users: [] volumes: - configMap - csi - downwardAPI - emptyDir - ephemeral - persistentVolumeClaim - projected - secret -
Save the following in a file named
<file_name.yaml>to create a role to access the Security Context Constraint:kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: insights-scc-role namespace: <uipath> rules: - verbs: - use apiGroups: - security.openshift.io resources: - securitycontextconstraints resourceNames: - insights-scckind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: insights-scc-role namespace: <uipath> rules: - verbs: - use apiGroups: - security.openshift.io resources: - securitycontextconstraints resourceNames: - insights-sccCreate a role to access the Security Context Constraint by executing the following command:
oc apply -f <file_name.yaml>. Make sure to replace the<file_name.yaml>placeholder with the actual name used for your YAML file. -
Save the following in a file named
<file_name.yaml>to create a role-binding to bind the previously defined role to the Insights service account:kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: insights-scc-rolebinding namespace: <uipath> subjects: - kind: ServiceAccount name: insightslooker-sa namespace: <uipath> roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: insights-scc-rolekind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: insights-scc-rolebinding namespace: <uipath> subjects: - kind: ServiceAccount name: insightslooker-sa namespace: <uipath> roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: insights-scc-roleCreate a role-binding to bind the previously defined role to the Insights service account by executing the following command:
oc apply -f <file_name.yaml>. Make sure to replace the<file_name.yaml>placeholder with the actual name used for your YAML file. -
Navigate to ArgoCD and disable Auto sync for Insights.
-
Update the security context for the Insights Looker, located within the Insights Looker statefulset. Add the
SETUIDcapabilities:capabilities: add: - SETUID drop: - ALLcapabilities: add: - SETUID drop: - ALL -
Rollout
restart statefulset:oc -n <uipath> rollout restart statefulset/insights-insightslookeroc -n <uipath> rollout restart statefulset/insights-insightslooker