Automation Suite on OpenShift installation guide
Security and compliance
Security context for UiPath® services
This section provides details on the security context of the UiPath® services.
All UiPath® services are configured with a security context defined in their spec section.
The following sample shows a typical configuration for UiPath® services:
```yaml
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
  hostPID: false
  hostNetwork: false
```
For some UiPath® services, there are exceptions from the typical security context configuration:
- Insights has multiple features that use the Chromium Linux SUID Sandbox. While elevated access is not required for installing Insights, it is essential for specific feature functionality. For more information, see Configuring the Insights custom security context.
- Process Mining uses the following Airflow services whose security context differs from the typical configuration for UiPath® services:
  - The `statsd` service, as shown in the following sample:

    ```yaml
    securityContext:
      runAsUser: 65534
      seLinuxOptions:
        level: s0:c27,c4
    ```
  - The `scheduler`, `webserver`, and other Airflow pods, as shown in the following sample:

    ```yaml
    securityContext:
      fsGroup: 1000
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 50000
      seLinuxOptions:
        level: s0:c27,c4
      supplementalGroups:
        - 1000
    ```
  - The dynamic runtime pod, as shown in the following sample:

    ```yaml
    securityContext:
      fsGroup: 1000
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1001
      seLinuxOptions:
        level: s0:c27,c4
      supplementalGroups:
        - 1000
    ```
In some instances, the user IDs and group IDs can be greater than or equal to 1000, depending on your environment. Make sure you configure the user and group IDs according to your security principles and your organization's security guidelines.
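To find pods that deviate from the typical configuration shown earlier in this section, you can audit the pod specs exported from the cluster as JSON. The following script is an added example, not UiPath code; the function names and the two sample pods are constructed for illustration.

```python
import json

# Container-level values from the typical configuration shown above.
CONTAINER_BASELINE = {"allowPrivilegeEscalation": False, "privileged": False,
                      "readOnlyRootFilesystem": True}

def audit_pod_spec(spec):
    """Return the deviations of one pod spec from the typical security context."""
    findings = []
    if (spec.get("securityContext") or {}).get("runAsNonRoot") is not True:
        findings.append("pod: runAsNonRoot is not true")
    for key in ("hostPID", "hostNetwork"):
        if spec.get(key):  # both default to false when omitted
            findings.append(f"pod: {key} is enabled")
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        for key, want in CONTAINER_BASELINE.items():
            # An omitted "privileged" means false; the other two must be explicit.
            got = sc.get(key, False if key == "privileged" else None)
            if got is not want:
                findings.append(f"{c['name']}: {key} is {got!r}, expected {want!r}")
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in [d.upper() for d in drop]:
            findings.append(f"{c['name']}: capabilities.drop lacks ALL")
    return findings

def audit_pod_list(pod_list):
    """Map pod name to findings for a PodList object (the `get pods -o json` shape)."""
    return {p["metadata"]["name"]: audit_pod_spec(p["spec"]) for p in pod_list["items"]}

# Constructed sample input: two hypothetical pods, not taken from a real cluster.
SAMPLE_PODS = json.loads("""
{"items": [
 {"metadata": {"name": "typical-pod"},
  "spec": {"securityContext": {"runAsNonRoot": true}, "hostNetwork": false,
           "containers": [{"name": "app", "securityContext": {
             "allowPrivilegeEscalation": false, "privileged": false,
             "readOnlyRootFilesystem": true, "capabilities": {"drop": ["ALL"]}}}]}},
 {"metadata": {"name": "deviating-pod"},
  "spec": {"securityContext": {"runAsUser": 65534}, "hostNetwork": true,
           "containers": [{"name": "app", "securityContext": {
             "allowPrivilegeEscalation": false, "readOnlyRootFilesystem": false,
             "capabilities": {"drop": ["NET_RAW"]}}}]}}
]}
""")

if __name__ == "__main__":
    for name, findings in audit_pod_list(SAMPLE_PODS).items():
        print(name, findings or "OK")
```

Pods that belong to the documented exceptions (Insights, the Process Mining Airflow services) are expected to produce findings; review those against the samples above rather than treating them as misconfigurations.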
Networking policies
The following table provides a general guideline for network policies. It includes a list of routes needed for configuring the <uipath> namespace.
| Source | Destination | Direction | Ports | Policy type | Conditions |
|---|---|---|---|---|---|
| All pods in uipath | All external | Deny | All | NetworkPolicy | Default deny-all policy |
| All pods in uipath | All pods in uipath | Allow | All | NetworkPolicy | Internal namespace communication |
| All pods in uipath | Kube System DNS | Egress | 53 TCP/UDP | NetworkPolicy | DNS resolution |
| All pods in uipath | External IPs | Egress | All | NetworkPolicy | External communication |
| All pods in uipath | Istiod | Egress | All | NetworkPolicy | Service mesh control |
| Prometheus | All pods in uipath | Ingress | Custom scrape ports | NetworkPolicy | Monitoring access |
| Istio Gateway | All pods in uipath | Ingress | All | NetworkPolicy | Gateway traffic |
| Kube System | All pods in uipath | Ingress | All | NetworkPolicy | System access |
| Redis System | All pods in uipath | Ingress | 9091/TCP | NetworkPolicy | Redis monitoring |
| Listed Services | Redis Namespace | Egress | All | NetworkPolicy | Redis access |
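The following added example, which is not part of the UiPath documentation, checks a set of NetworkPolicy objects against two rows of the table: the default deny-all policy and DNS egress on port 53 for both TCP and UDP. The policy names and sample objects are constructed, and the check looks only at the pod selector, policy types, and ports, not at the rule destination.

```python
import copy

def selects_all_pods(policy):
    """An empty podSelector applies the policy to every pod in the namespace."""
    sel = policy["spec"].get("podSelector") or {}
    return not (sel.get("matchLabels") or sel.get("matchExpressions"))

def is_default_deny(policy):
    """Selects every pod and allows nothing in either direction."""
    spec = policy["spec"]
    return (selects_all_pods(policy)
            and {"Ingress", "Egress"} <= set(spec.get("policyTypes") or [])
            and not spec.get("ingress") and not spec.get("egress"))

def dns_protocols(policy):
    """Protocols for which an egress rule names port 53 explicitly."""
    protos = set()
    for rule in policy["spec"].get("egress") or []:
        for port in rule.get("ports") or []:
            if port.get("port") == 53:  # named ports are not resolved here
                protos.add(port.get("protocol", "TCP"))  # omitted means TCP
    return protos

def guideline_gaps(policies):
    """Report which of the two checked table rows has no matching policy."""
    gaps = []
    if not any(is_default_deny(p) for p in policies):
        gaps.append("no default deny-all policy")
    allowed = set()
    for p in policies:
        if selects_all_pods(p):
            allowed |= dns_protocols(p)
    for proto in sorted({"TCP", "UDP"} - allowed):
        gaps.append(f"no egress rule for DNS on 53/{proto}")
    return gaps

# Constructed NetworkPolicy objects (hypothetical names), trimmed to the fields used.
DENY_ALL = {"metadata": {"name": "default-deny"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
DNS_UDP_ONLY = {"metadata": {"name": "allow-dns"},
                "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                         "egress": [{"ports": [{"protocol": "UDP", "port": 53}]}]}}
DNS_BOTH = copy.deepcopy(DNS_UDP_ONLY)
DNS_BOTH["spec"]["egress"][0]["ports"].append({"protocol": "TCP", "port": 53})

if __name__ == "__main__":
    print(guideline_gaps([DENY_ALL, DNS_UDP_ONLY]))  # UDP-only DNS rule
    print(guideline_gaps([DENY_ALL, DNS_BOTH]))      # both rows satisfied
    print(guideline_gaps([DNS_BOTH]))                # deny-all missing
```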
Cluster privilege requirements
Automation Suite requires the cluster admin role during the installation to automate the entire installation process. Alternatively, you can install Automation Suite with lower permissions. An installation with lower permissions involves some additional steps. For the permissions that the installation requires, see Step 2: Creating the required roles.
FIPS 140-2
Federal Information Processing Standards 140-2 (FIPS 140-2) is a security standard that validates the effectiveness of cryptographic modules.
Automation Suite can run on FIPS 140-2-enabled machines.
Enabling FIPS 140-2 for new installations
To enable FIPS 140-2 on the machines where you plan to perform a fresh installation of Automation Suite, take the following steps:
- Before starting the Automation Suite installation, enable FIPS 140-2 on your machines.
- Perform the Automation Suite installation by following the installation instructions in this guide.

  Note:
  - If you install AI Center on a FIPS 140-2-enabled machine and also use Microsoft SQL Server, some additional configuration is required. For details, see SQL requirements for AI Center.
  - Make sure Insights is disabled, as it is not supported on FIPS 140-2. If you need to use Insights, you can deploy it on a dedicated non-FIPS node. For details, refer to How to deploy Insights in a FIPS-enabled cluster.
- Set the `fips_enabled_nodes` flag to `true` in the `input.json` file.
- Make sure your certificates are FIPS 140-2-compatible.

  Note: By default, Automation Suite generates self-signed FIPS 140-2-compatible certificates whose expiry date depends on the type of Automation Suite installation you choose.

  We strongly recommend that you replace these self-signed certificates with CA-issued certificates at installation time. To use Automation Suite on FIPS 140-2-enabled machines, the newly provided certificates must be FIPS 140-2-compatible. For a list of eligible ciphers supported by RHEL, see the RHEL documentation.

  For details on how to add your own FIPS 140-2-compliant token-signing and TLS certificates, see Certificate configuration.