Granting installation permissions

Importante:

Installation permissions are relevant only if you cannot provide admin privileges to the Automation Suite installer. If you can provide the required admin privileges to the installer, you do not need to follow the instructions in this section.

Automation Suite relies on specific permissions during installation. These permissions are assigned to the service account, which plays a pivotal role in installing the various Automation Suite components.

To configure all the permissions required for installation, take the following steps:

Step 4.1: Creating a service account

Step 4.2: Creating the required roles

Step 4.3: Binding the roles to the uipathadmin service account

Step 4.4: Generating the kubeconfig file

Step 1: Creating a service account

To create a service account, take the following steps:

Create the <uipath> namespace and project:
```
oc get namespace <uipath> || oc new-project <uipath>oc get namespace <uipath> || oc new-project <uipath>
```
Set the default namespace and project to <uipath>:
```
oc project <uipath>oc project <uipath>
```
All subsequent oc commands will operate within the <uipath> namespace.

Create a service account named uipathadmin:

oc create serviceaccount uipathadminoc create serviceaccount uipathadmin

Use the existing admin cluster role to grant admin permissions to the uipathadmin service account in the <uipath> namespace:

oc create rolebinding uipathadmin --clusterrole=admin --serviceaccount=<uipath>:uipathadminoc create rolebinding uipathadmin --clusterrole=admin --serviceaccount=<uipath>:uipathadmin

Step 2: Creating the required roles

The uipathadmin service account requires certain permissions during the Automation Suite installation. You provide the necessary permissions by creating roles. To create each role, save its configuration as a YAML file and run the following command, replacing the <file_name.yaml> placeholder with the actual name of the YAML file:

oc apply -f <file_name.yaml>oc apply -f <file_name.yaml>

You can create the YAML file for each role by copying its corresponding configuration from the following table:

Figure 1. Automation Suite installation permissions

Permissões	Finalidade	Configuração
Query the namespace [read-only]	Required to check whether the namespaces, such as the `<istio-system>` namespace, are available or not.	`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: namespace-reader-clusterrole rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["get"]`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: namespace-reader-clusterrole rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["get"]
List nodes and CRDs [read-only]	The prerequisite check and diagnostic health check tool require this permission to perform the node validations, such as the capacity available on the node.	`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: list-nodes-and-crd-clusterrole rules: - apiGroups: [""] resources: ["nodes"] verbs: ["list", "get"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["list"] - apiGroups: ["metrics.k8s.io"] resources: ["nodes"] verbs: ["list", "get"] - apiGroups: ["scheduling.k8s.io"] resources: ["priorityclasses"] verbs: ["get"]`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: list-nodes-and-crd-clusterrole rules: - apiGroups: [""] resources: ["nodes"] verbs: ["list", "get"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["list"] - apiGroups: ["metrics.k8s.io"] resources: ["nodes"] verbs: ["list", "get"] - apiGroups: ["scheduling.k8s.io"] resources: ["priorityclasses"] verbs: ["get"]
`uipath` roles [write]	Most of the Automation Suite installation is performed via ArgoCD; however, the installation of some components is performed via Helm chart. The `uipathctl` tool runs an installation job that executes the installation of the Helm chart. Connecting to the `kube-api-server` and installing the Helm chart in the `<uipath>` namespace require a namespace-level role-creator role.	`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: uipath-automationsuite-role namespace: <uipath> rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: [""] - apiGroups: [""] resources: ["secrets", "configmaps"] verbs: ["get", "watch", "list", "patch", "update", "create"] - apiGroups: ["security.istio.io", "networking.istio.io"] resources: [""] verbs: [""]`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: uipath-automationsuite-role namespace: <uipath> rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: [""] - apiGroups: [""] resources: ["secrets", "configmaps"] verbs: ["get", "watch", "list", "patch", "update", "create"] - apiGroups: ["security.istio.io", "networking.istio.io"] resources: [""] verbs: [""]
`<istio-system>` roles [write] Observação: Provide these permissions only if you want the installer to configure the WASM plugin. Otherwise, do not provide the permissions.	The following operations are performed in the `<istio-system>` namespace: The Automation Suite prerequisite check tool reads the pods and services in the `<istio-system>` namespace to validate that Istio is installed and configured properly. Automation Suite installs the WASM plugin in the `<istio-system>` namespace to configure the path-based routing rules. The installation requires the creation of an `imagepullsecret` that will be used in the WASM Helm chart to pull the image from the registry. Additionally, a role creator is required for the `<istio-system>` namespace. Here, `uipathctl` executes a pod that uses the Helm chart to install the WASM plugin for routing.	`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-system-automationsuite-role namespace: <istio-system> rules: - apiGroups: [""] resources: ["services", "pods"] verbs: ["list"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: [""] - apiGroups: [""] resources: ["secrets", "configmaps"] verbs: ["get", "watch", "list", "patch", "update", "create"] - apiGroups: ["networking.istio.io", "extensions.istio.io"] resources: [""] verbs: [""]`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-system-automationsuite-role namespace: <istio-system> rules: - apiGroups: [""] resources: ["services", "pods"] verbs: ["list"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: [""] - apiGroups: [""] resources: ["secrets", "configmaps"] verbs: ["get", "watch", "list", "patch", "update", "create"] - apiGroups: ["networking.istio.io", "extensions.istio.io"] resources: [""] verbs: [""]
`<istio-system>` roles [read-only] Observação: Provide these permissions if you have already configured Istio and installed the WASM plugin.	The following operations are performed in the `<istio-system>` namespace: The Automation Suite prerequisite check tool reads the pods and services in the `<istio-system>` namespace to validate that Istio is installed and configured properly. The `get secrets` permission is required to copy the certificate file from the `<istio-system>` namespace to the `<uipath>` namespace.	`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-system-automationsuite-role namespace: <istio-system> rules: - apiGroups: [""] resources: ["services", "pods"] verbs: ["list"] - apiGroups: [""] resources: ["secrets"] resourceNames: ["istio-ingressgateway-certs"] verbs: ["get"]`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-system-automationsuite-role namespace: <istio-system> rules: - apiGroups: [""] resources: ["services", "pods"] verbs: ["list"] - apiGroups: [""] resources: ["secrets"] resourceNames: ["istio-ingressgateway-certs"] verbs: ["get"]

Step 3: Binding the roles

You must bind the roles that you created in the previous step to the uipathadmin service account, by running the following commands:

oc project <istio-system>
oc create rolebinding istio-system-automationsuite-rolebinding \
  --role=istio-system-automationsuite-role --serviceaccount=<uipath>:uipathadmin
oc create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadmin
oc project <uipath>
oc create clusterrolebinding list-nodes-and-crd-rolebinding \
  --clusterrole=list-nodes-and-crd-clusterrole --serviceaccount=<uipath>:uipathadmin
oc create rolebinding uipath-automationsuite-rolebinding \
  --role=uipath-automationsuite-role --serviceaccount=<uipath>:uipathadmin

## This step is needed only if you want installer to configure the WASM Plugin. Otherwise skip it.
oc -n <istio-system> create rolebinding uipadmin-istio-system \
  --clusterrole=admin --serviceaccount=<uipath>:uipathadminoc project <istio-system>
oc create rolebinding istio-system-automationsuite-rolebinding \
  --role=istio-system-automationsuite-role --serviceaccount=<uipath>:uipathadmin
oc create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadmin
oc project <uipath>
oc create clusterrolebinding list-nodes-and-crd-rolebinding \
  --clusterrole=list-nodes-and-crd-clusterrole --serviceaccount=<uipath>:uipathadmin
oc create rolebinding uipath-automationsuite-rolebinding \
  --role=uipath-automationsuite-role --serviceaccount=<uipath>:uipathadmin

## This step is needed only if you want installer to configure the WASM Plugin. Otherwise skip it.
oc -n <istio-system> create rolebinding uipadmin-istio-system \
  --clusterrole=admin --serviceaccount=<uipath>:uipathadmin

Step 4: Generating the kubeconfig file

After you assign all the permissions to the service account, you must create a kubeconfig file to pass to the uipathctl tool for the installation.

Generating the kubeconfig file on Linux or Mac

To generate the kubeconfig file on Linux or Mac, run the following commands:

# For generating kubeconfig
# Creates the token for uipathadmin service account
token=$(oc -n <uipath> create token uipathadmin --duration=8760h)
# Getting api-server details
server=$(oc config view -o jsonpath="{.clusters[]..server}")
# Login logs on using the provided token and server and outputs kubeconfig at the provided path.
oc login --server=$server --token=$token --kubeconfig=uipathadminkubeconfig --insecure-skip-tls-verify=true# For generating kubeconfig
# Creates the token for uipathadmin service account
token=$(oc -n <uipath> create token uipathadmin --duration=8760h)
# Getting api-server details
server=$(oc config view -o jsonpath="{.clusters[]..server}")
# Login logs on using the provided token and server and outputs kubeconfig at the provided path.
oc login --server=$server --token=$token --kubeconfig=uipathadminkubeconfig --insecure-skip-tls-verify=true

If the operation was successful, you should see a kubeconfig file named uipathadminkubeconfig.

Generating the kubeconfig file on Windows

Note: You must perform this step using Windows Powershell.

To generate the kubeconfig file on Windows, run the following commands:

# For generating kubeconfig
# Creates the token for uipathadmin service account
$token = oc -n <uipath> create token uipathadmin --duration=8760h
# Getting api-server details
$server = oc config view -o jsonpath="{.clusters[]..server}"
# Login logs on using the provided token and server and outputs kubeconfig at the provided path.
oc login --server=$server --token=$token --kubeconfig=uipathadminkubeconfig --insecure-skip-tls-verify=true# For generating kubeconfig
# Creates the token for uipathadmin service account
$token = oc -n <uipath> create token uipathadmin --duration=8760h
# Getting api-server details
$server = oc config view -o jsonpath="{.clusters[]..server}"
# Login logs on using the provided token and server and outputs kubeconfig at the provided path.
oc login --server=$server --token=$token --kubeconfig=uipathadminkubeconfig --insecure-skip-tls-verify=true