Automation Suite 2024.10
Automation Suite on EKS/AKS installation guide
Last updated November 11, 2024

Granting installation permissions

Important:

Installation permissions are relevant only if you cannot provide admin privileges to the Automation Suite installer. If you can provide the required admin privileges to the installer, you do not need to follow the instructions in this section.

Automation Suite relies on specific permissions during installation. These permissions are assigned to the service account, which plays a pivotal role in installing the various Automation Suite components.

To configure all the permissions required for installation, take the following steps:

Step 1: Creating a service account

To create a service account, take the following steps:

  1. Create the <uipath> namespace:
    kubectl create namespace <uipath>
  2. Create a service account named uipathadmin:
    kubectl create serviceaccount uipathadmin -n <uipath>
  3. Use the built-in admin ClusterRole to grant the uipathadmin service account admin permissions in the <uipath> namespace only (a RoleBinding that references a ClusterRole scopes it to that namespace):
    kubectl create rolebinding uipathadmin --clusterrole=admin --serviceaccount=<uipath>:uipathadmin -n <uipath>

Step 2: Creating the required roles

The uipathadmin service account requires certain permissions during the Automation Suite installation. You provide the necessary permissions by creating roles. To create each role, save its configuration as a YAML file and run the following command, replacing the <file_name.yaml> placeholder with the actual name of the YAML file:
kubectl apply -f <file_name.yaml>

You can create the YAML file for each role by copying its corresponding configuration from the following table:

Figure 1. Automation Suite installation permissions

Each entry below gives the permission, its purpose, and the role configuration to apply.

Query the namespace [read-only]

Required to check whether namespaces such as <istio-system> exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:  
  name: namespace-reader-clusterrole
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]

List nodes and CRDs [read-only]

The prerequisite check and diagnostic health check tools require this permission for node validations, such as the capacity available on each node.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: list-nodes-and-crd-clusterrole
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list", "get"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["list"]
  - apiGroups: ["metrics.k8s.io"]
    resources: ["nodes"]
    verbs: ["list", "get"]  
  - apiGroups: ["scheduling.k8s.io"]
    resources: ["priorityclasses"]
    verbs: ["get"]

Get storage classes [read-only]

The prerequisite check and diagnostic health check tools require this permission to validate the storage classes.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: storage-class-reader
rules:
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get"]

uipath roles [write]

Most of the Automation Suite installation is performed via ArgoCD; however, some components are installed via Helm chart.

The uipathctl tool runs an installation job that installs the Helm chart. Connecting to the kube-apiserver and installing the Helm chart in the <uipath> namespace require a namespace-level role that can create roles and role bindings. Kubernetes RBAC prevents escalation here: a principal can only create a Role or RoleBinding that grants permissions it already holds (unless it has the escalate or bind verb), so this role cannot be used to obtain rights beyond those granted on this page.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: uipath-automationsuite-role
  namespace: <uipath>
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
  - apiGroups: ["security.istio.io", "networking.istio.io"]
    resources: ["*"]
    verbs: ["*"]

<istio-system> roles [write]
Note:

Provide these permissions only if you want the installer to configure the WASM plugin. Otherwise, do not provide them.

The following operations are performed in the <istio-system> namespace:
  1. The Automation Suite prerequisite check tool lists the pods and services in the <istio-system> namespace to validate that Istio is installed and configured properly.
  2. Automation Suite installs the WASM plugin in the <istio-system> namespace to configure the path-based routing rules.
    The installation creates an image pull secret that the WASM Helm chart uses to pull the plugin image from the registry.
    The service account must also be able to create roles and role bindings in the <istio-system> namespace, because uipathctl runs a pod there that installs the WASM plugin Helm chart for routing.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-system-automationsuite-role
  namespace: <istio-system>
rules:
  - apiGroups: [""]
    resources: ["services", "pods"]
    verbs: ["list"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
  - apiGroups: ["networking.istio.io", "extensions.istio.io"]
    resources: ["*"]
    verbs: ["*"]

<istio-system> roles [read-only]
Note:

Provide these permissions instead of the [write] role if you have already configured Istio and installed the WASM plugin yourself. Both roles share the name istio-system-automationsuite-role, so apply only one of them.

The following operations are performed in the <istio-system> namespace:
  1. The Automation Suite prerequisite check tool lists the pods and services in the <istio-system> namespace to validate that Istio is installed and configured properly.
  2. The get permission, limited by resourceNames to the istio-ingressgateway-certs secret, is required to copy the certificate from the <istio-system> namespace to the <uipath> namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-system-automationsuite-role
  namespace: <istio-system>
rules:
  - apiGroups: [""]
    resources: ["services", "pods"]
    verbs: ["list"]
  - apiGroups: ["*"]
    resources: ["secrets"]
    resourceNames: ["istio-ingressgateway-certs"]
    verbs: ["get"]

Step 3: Binding the roles

You must bind the roles that you created in the previous step to the uipathadmin service account, by running the following commands:
kubectl -n <istio-system> create rolebinding istio-system-automationsuite-rolebinding \
  --role=istio-system-automationsuite-role --serviceaccount=<uipath>:uipathadmin

kubectl -n <istio-system> create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadmin

# ClusterRoleBindings are cluster-scoped, so no namespace flag applies to the next two commands
kubectl create clusterrolebinding list-nodes-and-crd-rolebinding \
  --clusterrole=list-nodes-and-crd-clusterrole --serviceaccount=<uipath>:uipathadmin

kubectl -n <uipath> create rolebinding uipath-automationsuite-rolebinding \
  --role=uipath-automationsuite-role --serviceaccount=<uipath>:uipathadmin

kubectl create clusterrolebinding storage-class-reader-binding \
  --clusterrole=storage-class-reader --serviceaccount=<uipath>:uipathadmin

## This step is needed only if you want the installer to configure the WASM plugin. Otherwise skip it.
## It grants the service account full admin rights in the <istio-system> namespace.
kubectl -n <istio-system> create rolebinding uipadmin-istio-system \
  --clusterrole=admin --serviceaccount=<uipath>:uipathadmin

Step 4: Generating the kubeconfig file

After you assign all the permissions to the service account, create a kubeconfig file to pass to the uipathctl tool for the installation. Two points matter when handling that file. First, the token it contains is a bearer credential valid for the full --duration (8760h, one year), so store the file with restrictive permissions and delete the uipathadmin service account once the installation is finished; a token issued with kubectl create token stops validating when its service account no longer exists. Second, the script below unsets only the first user entry of the copied kubeconfig, so if ~/.kube/config holds several users or contexts, unset the others as well, so that nothing but the service account token is handed to the installer.

Generating the kubeconfig file on Linux or Mac

To generate the kubeconfig file on Linux or Mac, run the following commands:
# Create a token
token="$(kubectl -n <uipath> create token uipathadmin --duration=8760h)"
# copy current kubeconfig to a temp file
mkdir temp
cp ~/.kube/config temp/kubeconfig.tmp
# Find the user name and unset it in the temp file
kube_user_name="$(kubectl config view -o jsonpath="{.users[0].name}")"
kubectl -n <uipath> config unset users."${kube_user_name}" --kubeconfig="temp/kubeconfig.tmp"
# Update the credentials in the temp file
kubectl -n <uipath> --kubeconfig="temp/kubeconfig.tmp" config set-credentials uipathadmin --token="$token"
# Set the context and the namespace
kubectl --kubeconfig="temp/kubeconfig.tmp" config set-context --current --namespace=<uipath> --user=uipathadmin
mv temp/kubeconfig.tmp temp/uipathadminkubeconfig
If the operation was successful, you should see a kubeconfig file named uipathadminkubeconfig in the temp folder.

Generating the kubeconfig file on Windows

Note: You must perform this step using Windows PowerShell.
To generate the kubeconfig file on Windows, run the following commands:
# Create a token
$token = kubectl -n <uipath> create token uipathadmin --duration=8760h
# copy current kubeconfig to a temp file
mkdir temp
cp ~/.kube/config temp/kubeconfig.tmp
# Find the user name and unset it in the temp file
$kube_user_name = kubectl config view -o jsonpath="{.users[0].name}"
kubectl -n <uipath> config unset users."${kube_user_name}" --kubeconfig="temp/kubeconfig.tmp"
# Update the credentials in the temp file
kubectl -n <uipath> --kubeconfig="temp/kubeconfig.tmp" config set-credentials uipathadmin --token="$token"
# Set the context and the namespace
kubectl --kubeconfig="temp/kubeconfig.tmp" config set-context --current --namespace=<uipath> --user=uipathadmin
mv temp/kubeconfig.tmp temp/uipathadminkubeconfig
If the operation was successful, you should see a kubeconfig file named uipathadminkubeconfig in the temp folder.
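As an added check that is not part of the UiPath documentation, the following script confirms that the kubeconfig generated in Step 4 grants the uipathadmin service account the permissions bound in Step 3 and nothing broader, and that no other user entry survived in the file. It assumes the kubeconfig is at temp/uipathadminkubeconfig and that the <uipath> and <istio-system> placeholders resolve to the namespaces uipath and istio-system; override these with the KUBECONFIG_FILE, UIPATH_NS and ISTIO_NS environment variables if they differ. The expected answers are derived from the roles and bindings on this page; the negative rows are the author's own least-privilege expectations, not checks performed by uipathctl.

```shell
#!/usr/bin/env sh
# Added example (not UiPath code): verify the uipathadmin kubeconfig against the
# permissions on this page using kubectl auth can-i.
# Assumptions: kubeconfig path, and the namespace names used for <uipath> and <istio-system>.
set -u

KUBECONFIG_FILE="${KUBECONFIG_FILE:-temp/uipathadminkubeconfig}"
UIPATH_NS="${UIPATH_NS:-uipath}"
ISTIO_NS="${ISTIO_NS:-istio-system}"

# can_i VERB RESOURCE [NAMESPACE]: prints "yes" or "no" (empty on API error).
# An empty NAMESPACE asks cluster-wide, which a RoleBinding must never grant.
can_i() {
  local verb="$1" resource="$2" ns="${3:-}"
  if [ -n "$ns" ]; then
    kubectl --kubeconfig="$KUBECONFIG_FILE" auth can-i "$verb" "$resource" -n "$ns" 2>/dev/null || true
  else
    kubectl --kubeconfig="$KUBECONFIG_FILE" auth can-i "$verb" "$resource" --all-namespaces 2>/dev/null || true
  fi
}

# check EXPECTED VERB RESOURCE [NAMESPACE]: prints a PASS/FAIL line; returns 1 on FAIL.
check() {
  local expected="$1" verb="$2" resource="$3" ns="${4:-}" got scope
  got="$(can_i "$verb" "$resource" "$ns")"
  scope="${ns:-cluster-wide}"
  if [ "$got" = "$expected" ]; then
    printf 'PASS  %-7s %-48s %s\n' "$verb" "$resource" "$scope"
    return 0
  fi
  printf 'FAIL  %-7s %-48s %s (expected %s, got %s)\n' "$verb" "$resource" "$scope" "$expected" "${got:-error}"
  return 1
}

# leftover_users: prints user entries in the kubeconfig other than uipathadmin.
# Step 4 unsets only the first user of ~/.kube/config, so anything printed here is
# a credential that should not travel with the installer.
leftover_users() {
  local u
  for u in $(kubectl --kubeconfig="$KUBECONFIG_FILE" config view -o jsonpath='{.users[*].name}' 2>/dev/null); do
    [ "$u" = uipathadmin ] || echo "$u"
  done
}

# run_checks: one line per expectation, then "failures=N"; returns 1 if anything failed.
run_checks() {
  local failures=0 leftovers
  # Granted by the roles and bindings on this page
  check yes get    namespaces                                     "$ISTIO_NS"  || failures=$((failures + 1))
  check yes list   nodes                                          ""           || failures=$((failures + 1))
  check yes list   customresourcedefinitions.apiextensions.k8s.io ""           || failures=$((failures + 1))
  check yes get    storageclasses.storage.k8s.io                  ""           || failures=$((failures + 1))
  check yes create secrets                                        "$UIPATH_NS" || failures=$((failures + 1))
  check yes create rolebindings.rbac.authorization.k8s.io         "$UIPATH_NS" || failures=$((failures + 1))
  check yes list   pods                                           "$ISTIO_NS"  || failures=$((failures + 1))
  check yes get    secrets/istio-ingressgateway-certs             "$ISTIO_NS"  || failures=$((failures + 1))
  # Must stay denied: the namespace reader is bound with a RoleBinding, so it covers
  # <istio-system> only, and nothing grants rights outside the two namespaces.
  check no  get    namespaces                                     ""           || failures=$((failures + 1))
  check no  list   secrets                                        ""           || failures=$((failures + 1))
  check no  get    secrets                                        kube-system  || failures=$((failures + 1))
  check no  create pods                                           kube-system  || failures=$((failures + 1))
  check no  create clusterrolebindings.rbac.authorization.k8s.io  ""           || failures=$((failures + 1))
  leftovers="$(leftover_users)"
  if [ -n "$leftovers" ]; then
    echo "FAIL  kubeconfig still carries other user entries: $leftovers"
    failures=$((failures + 1))
  else
    echo "PASS  kubeconfig carries only the uipathadmin user"
  fi
  echo "failures=$failures"
  [ "$failures" -eq 0 ]
}

# Run when executed directly and kubectl is available; set SKIP_AUTORUN=1 to only source the functions.
if [ -z "${SKIP_AUTORUN:-}" ] && command -v kubectl >/dev/null 2>&1; then
  run_checks
fi
```

Run it after Step 4 and before handing the file to uipathctl; a FAIL on a "no" row means a binding is wider than this page intends (for example a ClusterRoleBinding created where a RoleBinding was meant), and the exit status makes the script usable as a gate in a pipeline.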

© 2005-2024 UiPath. All rights reserved.