Security and compliance
The security context for UiPath® services is set in the pod spec section. The core settings include:

```yaml
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  containers:
  - securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
  hostPID: false
  hostNetwork: false
```
Note that in some instances the user IDs and group IDs can be greater than or equal to 1000; such values are permissible depending on your environment. Configure the user and group IDs according to your security principles and your organization's security guidelines.
Automation Suite is pre-configured with Gatekeeper and OPA policies. If you bring your own Gatekeeper component and OPA policies, you can skip these components from the Automation Suite installation. For details, see Automation Suite stack. In this case, review the OPA policies and the exceptions needed for installing and running Automation Suite.
- uipath, uipath-installer, uipath-infra, airflow, and argocd.
Policy | Enforcement action | Namespaces/Images to be excluded |
---|---|---|
Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. | | |
Configures an allowlist of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. | | |
Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. | | |
Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in a PodSecurityPolicy. | | |
Controls allocating an FSGroup that owns the pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. | | |
Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. | | |
Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. | | |
Controls usage of the host network namespace by pod containers. | | |
Controls the ability of any container to enable privileged mode. Corresponds to the privileged field in a PodSecurityPolicy. | | |
Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. | | |
Requires the use of a read-only root file system by pod containers. | | |
Controls the seccomp profile used by containers. Corresponds to the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation on a PodSecurityPolicy. | | |
Defines an allowlist of seLinuxOptions configurations for pod containers. | | |
Controls the user and group IDs of the container and some volumes. | | |
Restricts mountable volume types to those specified by the user. | | |
- The dapr-system namespace is only needed if you install Process Mining and Task Mining.
- The airflow namespace is only needed if you install Process Mining.
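As an added example (not code from the UiPath documentation or product), the following Python audit mirrors the core securityContext settings listed above and the namespace exclusions that accompany the policy table: it reports a Pod object's deviations from those settings and skips Pods in the namespaces the page lists as excluded. The sample Pods, their names and the demo namespace are constructed placeholders.

```python
import copy

MIN_ID = 1000  # baseline user/group ID from the page; values >= 1000 are permissible
# Namespaces the page lists as excluded from the Gatekeeper policies.
EXCLUDED_NAMESPACES = {"uipath", "uipath-installer", "uipath-infra", "airflow", "argocd"}


def audit_pod(pod):
    """Return a list of findings for one Pod dict (shape of `kubectl get pod -o json`)."""
    if pod.get("metadata", {}).get("namespace", "default") in EXCLUDED_NAMESPACES:
        return []  # exempt namespace: the policies are not enforced there
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})
    findings = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"spec.{flag} must be false")
    if psc.get("runAsNonRoot") is not True:
        findings.append("spec.securityContext.runAsNonRoot must be true")
    for key in ("runAsUser", "runAsGroup", "fsGroup"):
        if psc.get(key) is None or psc[key] < MIN_ID:
            findings.append(f"spec.securityContext.{key} must be set and >= {MIN_ID}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        csc, name = c.get("securityContext", {}), c.get("name", "?")
        if csc.get("privileged"):
            findings.append(f"container {name}: privileged must be false")
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"container {name}: allowPrivilegeEscalation must be false")
        if csc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"container {name}: readOnlyRootFilesystem must be true")
        if "ALL" not in [d.upper() for d in csc.get("capabilities", {}).get("drop", [])]:
            findings.append(f"container {name}: capabilities.drop must include ALL")
    return findings


# Constructed sample Pods (not from the page): a compliant one and a variant with violations.
GOOD_POD = {
    "metadata": {"name": "svc-a", "namespace": "demo"},
    "spec": {"hostPID": False, "hostNetwork": False,
             "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                 "runAsGroup": 1000, "fsGroup": 1000},
             "containers": [{"name": "app", "securityContext": {
                 "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                 "capabilities": {"drop": ["ALL"]}}}]},
}
BAD_POD = copy.deepcopy(GOOD_POD)
BAD_POD["spec"]["hostPID"] = True                    # shares the host PID namespace
BAD_POD["spec"]["securityContext"]["runAsUser"] = 0  # runs as root
BAD_POD["spec"]["containers"][0]["securityContext"]["capabilities"]["drop"] = ["NET_RAW"]
```

Calling audit_pod(GOOD_POD) returns an empty list, while audit_pod(BAD_POD) lists the hostPID, runAsUser and capabilities deviations.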
Policy | Enforcement action | Namespaces/Images to be excluded |
---|---|---|
Controls the ability of any pod to enable automountServiceAccountToken. | | |
Requires container images to begin with a string from the specified list. | | |
Disallows all Services of type LoadBalancer. | | |
Disallows all Services of type NodePort. | | |
Users must not be able to create Ingresses with a blank or wildcard (*) hostname, since that would enable them to intercept traffic for other services in the cluster, even if they do not have access to those services. | | |
Requires containers to have memory and CPU limits set. Constrains limits to be within the specified maximum values. | | |
Requires containers to have memory and CPU requests set. Constrains requests to be within the specified maximum values. | | |
Sets a maximum ratio for container resource limits to requests. | | |
Requires containers to have defined resources set. | | |
Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group. | | N/A |
Requires container images to have an image tag different from the ones in the specified list. | | N/A |
Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. | | |
Requires Ingress resources to be HTTPS only. Ingress resources must include the kubernetes.io/ingress.allow-http annotation, set to false. By default a valid TLS {} configuration is required; this can be made optional by setting the tlsOptional parameter to true. | | |
Requires container images to contain a digest. | | |
Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode. | | N/A |
Requires Pods to have readiness and/or liveness probes. | | |
Requires storage classes to be specified when used. | | N/A |
Requires all Ingress rule hosts to be unique. | | N/A |
Requires Services to have unique selectors within a namespace. Selectors are considered the same if they have identical keys and values. Selectors may share a key/value pair as long as there is at least one distinct key/value pair between them. | | N/A |
- The dapr-system namespace is only needed if you install Process Mining and Task Mining.
- The airflow namespace is only needed if you install Process Mining.
- prereq* namespaces are temporary namespaces created while running a prerequisite or health check. The namespaces self-delete upon completion.
Network policies are an optional component. To skip them, add network-policies under the exclude components list in input.json. To learn more about optional components, see the Automation Suite stack.
The network policies apply to the uipath namespace. If you bring your own network policies or if you have a custom CNI (e.g., Cilium Enterprise or Calico Tigera Enterprise), make sure to update your policies to mirror the network-policies Helm chart.
You can download the network-policies Helm chart by running the following command.
- You must replace <automation-suite-version> with your current Automation Suite version in the following command.
- You must unzip the file to extract the Helm chart.

```shell
helm pull oci://registry.uipath.com/helm/network-policies --version <automation-suite-version>
```
Cluster-wide administrative access is required to run uipathctl on your management node to install and manage Automation Suite on your dedicated EKS or AKS cluster. This level of access is needed for system-level components in Automation Suite, such as Istio (routing / service mesh) and ArgoCD (deployment and application lifecycle management), and to create Automation Suite-related namespaces.
Federal Information Processing Standards 140-2 (FIPS 140-2) is a security standard that validates the effectiveness of cryptographic modules.
Automation Suite on AKS can run on FIPS 140-2-enabled nodes.
You can enable FIPS 140-2 on the AKS nodes on which you install Automation Suite in the following scenarios:
- Scenario 1: new installations - Enable FIPS 140-2 before performing a clean installation of Automation Suite 2023.4 or later.
- Scenario 2: existing installations - Enable FIPS 140-2 after performing an Automation Suite installation on a machine with FIPS 140-2 disabled.
To enable FIPS 140-2 on the machines where you plan to perform a fresh installation of Automation Suite, take the following steps:
You can install Automation Suite on machines with FIPS 140-2 disabled, and then enable the security standard on the same machines. This is also possible when you upgrade to a new Automation Suite version.
To enable FIPS 140-2 on the machines where you already performed an Automation Suite installation, take the following steps: