Automation Suite on OpenShift Installation Guide
Last updated 11 Nov 2024

Security and compliance

Security context for UiPath® services

This section provides details about the security context of the UiPath® services.

All UiPath® services are configured with a security context defined in their spec section.

The following sample shows a typical configuration for UiPath® services:

spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
  hostPID: false
  hostNetwork: false
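One way to audit a running pod against the typical configuration above, as an added example that is not UiPath's code: the function takes a pod spec in the shape `kubectl get pod -o json` returns under `.spec` (here as a constructed dict) and reports every field that deviates from the baseline; pods with documented exceptions, such as the Airflow pods described below, need their own expected values.

```python
# Added example, not UiPath's code: checks a pod spec (the dict under .spec
# in `kubectl get pod -o json`) against the typical UiPath security context
# and returns every deviation as a finding.

# Expected values, taken from the sample configuration in this section.
POD_BASELINE = {"runAsNonRoot": True}
CONTAINER_BASELINE = {
    "allowPrivilegeEscalation": False,
    "privileged": False,
    "readOnlyRootFilesystem": True,
}
HOST_NAMESPACES = ("hostPID", "hostNetwork")  # both must be false


def check_pod_spec(spec):
    """Return a list of findings; an empty list means the spec matches the baseline."""
    findings = []
    pod_sc = spec.get("securityContext") or {}
    for key, want in POD_BASELINE.items():
        if pod_sc.get(key) != want:
            findings.append(f"pod securityContext.{key} is {pod_sc.get(key)!r}, expected {want!r}")
    for ns in HOST_NAMESPACES:
        if spec.get(ns, False):  # an absent field defaults to false, the safe value
            findings.append(f"pod {ns} is true, expected false")
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        for key, want in CONTAINER_BASELINE.items():
            if sc.get(key) != want:
                findings.append(f"container {name}: {key} is {sc.get(key)!r}, expected {want!r}")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(f"container {name}: capabilities.drop does not include ALL")
    return findings


# Constructed sample specs (not taken from a real cluster).
TYPICAL_SPEC = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "svc", "securityContext": {
        "allowPrivilegeEscalation": False, "privileged": False,
        "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}}],
    "hostPID": False, "hostNetwork": False,
}
DRIFTED_SPEC = {
    "securityContext": {},  # runAsNonRoot missing
    "containers": [{"name": "worker", "securityContext": {
        "allowPrivilegeEscalation": True, "privileged": False,
        "readOnlyRootFilesystem": True, "capabilities": {"drop": ["NET_RAW"]}}}],
    "hostPID": True, "hostNetwork": False,
}
```

Running `check_pod_spec(DRIFTED_SPEC)` yields four findings (missing runAsNonRoot, hostPID, allowPrivilegeEscalation, and capabilities not dropping ALL), while the typical spec yields none.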

For some UiPath® services, there are exceptions from the typical security context configuration:

  • Insights has multiple features that use the Chromium Linux SUID Sandbox. While elevated access is not required for installing Insights, it is essential for specific feature functionality. For more information, see Configuring the Insights custom security context.

  • Process Mining uses the following Airflow services whose security context differs from the typical configuration for UiPath® services:

    • The statsd service, as shown in the following sample:
      securityContext:
        runAsUser: 65534
        seLinuxOptions:
          level: s0:c27,c4
    • The scheduler, webserver, and other Airflow pods, as shown in the following sample:
      securityContext:
        fsGroup: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 50000
        seLinuxOptions:
          level: s0:c27,c4
        supplementalGroups:
          - 1000
    • The dynamic runtime pod, as shown in the following sample:
      securityContext:
        fsGroup: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1001
        seLinuxOptions:
          level: s0:c27,c4
        supplementalGroups:
          - 1000

In some instances, the user IDs and group IDs can be greater than or equal to 1000, depending on your environment. Make sure you configure the user and group IDs according to your security principles and your organization's security guidelines.

Cluster privilege requirements

Automation Suite requires the cluster admin role during the installation to automate the entire installation process. Alternatively, you can install Automation Suite with lower permissions. An installation with lower permissions involves some additional steps. For the permissions that the installation requires, see Step 2: Creating the required roles.

FIPS 140-2

The Federal Information Processing Standards 140-2 (FIPS 140-2) is a security standard that validates the effectiveness of cryptographic modules.

Automation Suite on OpenShift can run on FIPS 140-2-enabled machines.

Enabling FIPS 140-2 for new installations

To enable FIPS 140-2 on the machines where you plan to perform a new Automation Suite installation, follow these steps:

  1. Before starting the Automation Suite installation, enable FIPS 140-2 on your machines.
  2. Run the Automation Suite installation following the installation instructions in this guide.
    Note:
    • When installing AI Center on a FIPS 140-2-enabled machine together with Microsoft SQL Server, some additional configuration is required. For details, see SQL requirements for AI Center.

    • Make sure Insights is disabled, as it is not supported on FIPS 140-2.

  3. Set the fips_enabled_nodes flag to true in the input.json file.
  4. Make sure your certificates are FIPS 140-2-compatible.
    Note:

    By default, Automation Suite generates FIPS 140-2-compatible self-signed certificates, whose expiration date depends on the type of Automation Suite installation you choose.

    We strongly recommend that you replace these self-signed certificates with CA-issued certificates at installation time. To use Automation Suite on FIPS 140-2-enabled machines, the newly provided certificates must be FIPS 140-2-compatible. For a list of eligible ciphers supported by RHEL, see the RHEL documentation.

    For details on how to add your own FIPS 140-2-compatible token signing and TLS certificates, see Certificate configuration.
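A pre-install consistency check for steps 1 and 3 above, as an added example that is not UiPath's code: it compares the kernel's FIPS flag (the standard RHEL location /proc/sys/crypto/fips_enabled is assumed) with the fips_enabled_nodes value in input.json and reports when the two disagree; the input.json content used for illustration is constructed.

```python
# Added example, not UiPath's code: checks that the host's FIPS mode and the
# fips_enabled_nodes flag in input.json agree before the installer is run.
import json

FIPS_PROC_PATH = "/proc/sys/crypto/fips_enabled"  # assumed RHEL location


def fips_preflight(proc_text, input_json_text):
    """Return a list of problems; an empty list means host and input.json agree."""
    host_fips = proc_text.strip() == "1"  # the kernel reports 1 in FIPS mode
    try:
        cfg = json.loads(input_json_text)
    except json.JSONDecodeError as exc:
        return [f"input.json is not valid JSON: {exc}"]
    flag = cfg.get("fips_enabled_nodes")
    if flag not in (True, False, None):
        # a quoted "true" is a string, not the boolean the installer expects
        return [f"fips_enabled_nodes is {flag!r}; set it to the JSON boolean true"]
    problems = []
    if host_fips and flag is not True:
        problems.append("host is in FIPS mode but fips_enabled_nodes is not true in input.json (step 3)")
    if flag is True and not host_fips:
        problems.append("fips_enabled_nodes is true but the host is not in FIPS mode (step 1)")
    return problems


def run(input_json_path, proc_path=FIPS_PROC_PATH):
    """Read both files from disk and return the problems found."""
    try:
        with open(proc_path) as fh:
            proc_text = fh.read()
    except OSError:
        proc_text = "0"  # no FIPS flag exposed: treat the host as non-FIPS
    with open(input_json_path) as fh:
        return fips_preflight(proc_text, fh.read())


# Constructed input.json fragments used to illustrate the outcomes.
CONSISTENT = '{"fips_enabled_nodes": true}'
MISSING_FLAG = '{"sql_connection_string_template": "placeholder"}'
STRING_FLAG = '{"fips_enabled_nodes": "true"}'
```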
