Automation Suite 2023.4 (OUT OF SUPPORT)

Automation Suite on EKS/AKS Installation Guide

Last updated Nov 21, 2024

Security and compliance

Gatekeeper and OPA policies

Automation Suite is pre-configured with Gatekeeper and OPA policies. If you bring your own Gatekeeper component and OPA policies, you can skip these components from the Automation Suite installation. For details, see Automation Suite stack. In this case, review the OPA policies and the exceptions needed for installing and running Automation Suite.

OPA policies

| Policy | Enforcement action | Namespaces/Images to be excluded |
| --- | --- | --- |
| Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, argocd, default, istio-system, cert-manager, monitoring, airflow |
| Configures an allowlist of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. | deny | kube-system |
| Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, argocd, default, istio-system, cert-manager, monitoring, airflow |
| Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in a PodSecurityPolicy. | deny | N/A |
| | deny | istio-system |
| Controls allocating an FSGroup that owns the pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, uipath, argocd, default, istio-system, cert-manager, monitoring, airflow, prereq** |
| Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, argocd, default, istio-system, cert-manager, monitoring |
| Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. | deny | kube-system, monitoring |
| Controls usage of the host network namespace by pod containers. | deny | gatekeeper, logging, dapr-system, uipath-installer, kube-system, argocd, default, istio-system, cert-manager, monitoring, airflow, prereq** |
| Controls the ability of any container to enable privileged mode. Corresponds to the privileged field in a PodSecurityPolicy. | deny | gatekeeper, logging, dapr-system, uipath-installer, kube-system, argocd, default, istio-system, cert-manager, monitoring, airflow |
| Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. | deny | N/A |
| Requires the use of a read-only root file system by pod containers. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, argocd, default, istio-system, cert-manager, monitoring, airflow, prereq** |
| Controls the seccomp profile used by containers. Corresponds to the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation on a PodSecurityPolicy. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, uipath, argocd, default, istio-system, cert-manager, monitoring, airflow |
| Defines an allowlist of seLinuxOptions configurations for pod containers. | deny | N/A |
| Controls the user and group IDs of the container and some volumes. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, uipath, argocd, default, istio-system, cert-manager, monitoring, airflow, velero |
| Restricts mountable volume types to those specified by the user. | deny | monitoring, logging |

Note:
  • The dapr-system namespace is only needed if you install Process Mining and Task Mining.
  • The airflow namespace is only needed if you install Process Mining.
  • prereq** are temporary namespaces created while running a prerequisite or health check. The namespaces self-delete upon completion.

Other OPA policies

| Policy | Enforcement action | Namespaces/Images to be excluded |
| --- | --- | --- |
| Controls the ability of any pod to enable automountServiceAccountToken. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, uipath, argocd, default, istio-system, cert-manager, monitoring, airflow, prereq** |
| Requires container images to begin with a string from the specified list. | dryrun | registry.uipath.com, registry-data.uipath.com |
| | deny | N/A |
| Disallows all Services of type LoadBalancer. | deny | kube-system |
| Disallows all Services of type NodePort. | deny | istio-system, network-prereq-checks |
| Users must not be able to create Ingresses with a blank or wildcard (*) hostname, since that would let them intercept traffic for other services in the cluster even if they do not have access to those services. | deny | N/A |
| Requires containers to have memory and CPU limits set. Constrains limits to be within the specified maximum values. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, uipath, argocd, default, istio-system, cert-manager, monitoring, airflow, prereq** |
| Requires containers to have memory and CPU requests set. Constrains requests to be within the specified maximum values. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, uipath, argocd, default, istio-system, cert-manager, monitoring, airflow, prereq** |
| Sets a maximum ratio for container resource limits to requests. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, uipath, argocd, default, istio-system, cert-manager, monitoring, airflow, prereq** |
| Requires containers to have defined resources set. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, uipath, argocd, default, istio-system, cert-manager, monitoring, airflow, prereq** |
| Disallows associating ClusterRole and Role resources with the system:anonymous user and the system:unauthenticated group. | deny | N/A |
| Requires container images to have an image tag different from the ones in the specified list. | deny | N/A |
| Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. | dryrun | gatekeeper, logging, dapr-system, uipath-installer, kube-system, uipath, argocd, default, istio-system, cert-manager, monitoring, airflow, prereq** |
| | deny | N/A |
| Requires Ingress resources to be HTTPS only. Ingress resources must include the kubernetes.io/ingress.allow-http annotation, set to false. By default a valid TLS {} configuration is required; this can be made optional by setting the tlsOptional parameter to true. | dryrun | monitoring |
| Requires container images to contain a digest. | dryrun | uipath |
| Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode. | dryrun | N/A |
| | deny | airflow |
| Requires Pods to have readiness and/or liveness probes. | dryrun | uipath |
| Requires storage classes to be specified when used. | dryrun | N/A |
| Requires all Ingress rule hosts to be unique. | dryrun | N/A |
| Requires Services to have unique selectors within a namespace. Selectors are considered the same if they have identical keys and values. Selectors may share a key/value pair as long as there is at least one distinct key/value pair between them. | dryrun | N/A |

Note:
  • The dapr-system namespace is only needed if you install Process Mining and Task Mining.
  • The airflow namespace is only needed if you install Process Mining.
  • prereq** are temporary namespaces created while running a prerequisite or health check. The namespaces self-delete upon completion.
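If you bring your own Gatekeeper, the exceptions in the two tables above are the baseline to check a cluster against. The Python below is an added example, not part of this page or of Automation Suite: it compares the output of kubectl get constraints -A -o json with the documented enforcement action and excluded namespaces for four of the rows, and reports drift (a constraint weakened to dryrun, an exclusion the tables do not list, or a constraint that is missing). The gatekeeper-library constraint kinds it keys on are an assumption, since the page does not name the kinds Automation Suite's constraints use.

```python
import json

# Expected (enforcement action, excluded namespaces) for four rows of the
# tables above. The gatekeeper-library constraint kinds are an assumption:
# the page does not say which kinds Automation Suite's constraints use.
EXPECTED = {
    "K8sPSPPrivilegedContainer": ("deny", {
        "gatekeeper", "logging", "dapr-system", "uipath-installer", "kube-system",
        "argocd", "default", "istio-system", "cert-manager", "monitoring", "airflow"}),
    "K8sPSPHostNamespace": ("deny", {"kube-system", "monitoring"}),
    "K8sBlockNodePort": ("deny", {"istio-system", "network-prereq-checks"}),
    "K8sBlockLoadBalancer": ("deny", {"kube-system"}),
}

def audit(constraint_list_json: str) -> list[str]:
    """Compare a 'kubectl get constraints -A -o json' dump with EXPECTED and
    return one finding per deviation; an empty list means no drift."""
    findings, seen = [], set()
    for c in json.loads(constraint_list_json)["items"]:
        kind = c["kind"]
        if kind not in EXPECTED:
            continue
        seen.add(kind)
        want_action, want_excluded = EXPECTED[kind]
        spec = c.get("spec", {})
        # Gatekeeper treats a missing enforcementAction as "deny".
        got_action = spec.get("enforcementAction", "deny")
        got_excluded = set(spec.get("match", {}).get("excludedNamespaces", []))
        if got_action != want_action:
            findings.append(f"{kind}: enforcementAction={got_action}, expected {want_action}")
        extra = sorted(got_excluded - want_excluded)
        if extra:
            findings.append(f"{kind}: exclusions not in the table: {extra}")
    for kind in sorted(EXPECTED.keys() - seen):
        findings.append(f"{kind}: constraint not found in cluster")
    return findings

# Constructed sample: the NodePort constraint matches, the privileged-container
# one was weakened to dryrun with an extra exclusion, and two constraints are absent.
SAMPLE = json.dumps({"items": [
    {"kind": "K8sBlockNodePort", "spec": {"enforcementAction": "deny",
     "match": {"excludedNamespaces": ["istio-system", "network-prereq-checks"]}}},
    {"kind": "K8sPSPPrivilegedContainer", "spec": {"enforcementAction": "dryrun",
     "match": {"excludedNamespaces": ["kube-system", "dev-sandbox"]}}},
]})

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["cluster matches the documented baseline"]:
        print(line)
```

Extend EXPECTED with the remaining rows (and the uipath namespace exclusions) before using it against a real cluster; wildcard entries in excludedNamespaces are treated as literal strings here.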

Networking policies

Automation Suite is pre-configured with standard Kubernetes Network Policies to follow the principle of least privilege network access. You can choose to skip installing UiPath-provided network policies by adding network-policies under the exclude components list in input.json. To learn more about optional components, see the Automation Suite stack.
Automation Suite enforces network policies on traffic from, to, and within the uipath namespace. If you bring your own network policies or use a custom CNI (for example, Cilium Enterprise or Calico Tigera Enterprise), make sure to update your policies to mirror the network-policies Helm chart.
You can find the Automation Suite network-policies Helm chart by running the following command.
Note:
  • You must replace <automation-suite-version> with your current Automation Suite version in the following command.
  • You must unzip the file to extract the Helm chart.
helm pull oci://registry.uipath.com/helm/network-policies --version <automation-suite-version>

Cluster privilege requirements

Cluster admin access is required for uipathctl on your management node to install and manage Automation Suite on your dedicated cluster. This level of access is needed for system-level components in Automation Suite, such as Istio (routing / service mesh) and ArgoCD (deployment and application lifecycle management), and to create Automation Suite-related namespaces.