Automation Suite on OpenShift Installation Guide
Last updated November 11, 2024

Security and compliance

Security context of UiPath™ services

This section describes the security context under which UiPath™ services run.

All UiPath® services are configured with a security context defined in the spec section of their pods. Pod-level settings (runAsNonRoot, hostPID, hostNetwork) apply to every container in the pod; container-level settings pin the remaining fields per container.

The following sample shows the typical configuration for UiPath® services:

spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
  hostPID: false
  hostNetwork: false

For some UiPath® services, there are exceptions to the typical security context configuration:

  • Insights has multiple features that use the Chromium Linux SUID Sandbox. While elevated access is not required for installing Insights, it is essential for specific feature functionality. For more information, see Configuring the Insights custom security context.

  • Process Mining uses the following Airflow services whose security context differs from the typical configuration for UiPath® services:

    • The statsd service, as shown in the following sample:
      securityContext:
          runAsUser: 65534
          seLinuxOptions:
            level: s0:c27,c4
    • The scheduler, webserver, and other Airflow pods, as shown in the following sample:
      securityContext:
          fsGroup: 1000
          runAsGroup: 1000
          runAsNonRoot: true
          runAsUser: 50000
          seLinuxOptions:
            level: s0:c27,c4
          supplementalGroups:
            - 1000
    • The dynamic runtime pod, as shown in the following sample:
      securityContext:
          fsGroup: 1000
          runAsGroup: 1000
          runAsNonRoot: true
          runAsUser: 1001
          seLinuxOptions:
            level: s0:c27,c4
          supplementalGroups:
            - 1000

Depending on your environment (for example, when OpenShift assigns UIDs from the range allocated to the namespace), the user IDs and group IDs you observe can be greater than or equal to 1000 rather than the values shown above. Make sure you configure the user and group IDs according to your security principles and your organization's security guidelines.
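The baseline above is only useful if you can verify that running pods actually honor it. The following audit script is an added example, not part of the UiPath installer or its documentation: it reads the JSON printed by `oc get pods -n <namespace> -o json`, merges pod-level and container-level securityContext the way Kubernetes does (container values win for shared fields), compares the merged view against the baseline using the Kubernetes defaults for absent fields, and lets you skip the documented exceptions (Insights, the Airflow pods) by name prefix. The two sample pods embedded in it are constructed for the example, and the rule that a pinned non-zero runAsUser satisfies the non-root requirement (which is how the Airflow statsd context passes) is this example's choice.

```python
"""Audit running pods against the baseline security context shown above.

Added example, not part of the UiPath installer or its documentation. Input is
the JSON printed by `oc get pods -n <namespace> -o json` (a List whose items
are Pod objects); the two sample pods below are constructed for this example.
"""
import json
import sys

# Pod-level fields the baseline pins; both default to false in Kubernetes.
POD_BASELINE = {"hostPID": False, "hostNetwork": False}

# Container-level fields the baseline pins, as (expected, Kubernetes default).
# A missing allowPrivilegeEscalation therefore counts as a deviation (it
# defaults to true), while a missing privileged does not.
CONTAINER_BASELINE = {
    "allowPrivilegeEscalation": (False, True),
    "privileged": (False, False),
    "readOnlyRootFilesystem": (True, False),
}


def effective_context(pod_spec, container):
    """Merge pod-level and container-level securityContext.

    For the fields both levels share (runAsUser, runAsGroup, runAsNonRoot,
    seLinuxOptions, ...) the container-level value wins, so an audit has to
    look at the merged view rather than at either level alone.
    """
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def runs_as_non_root(ctx):
    """True if the kubelet will refuse UID 0 (runAsNonRoot) or a non-zero UID is pinned.

    Example's rule: a pinned runAsUser such as 65534 (the Airflow statsd case)
    is accepted even without runAsNonRoot, because the container cannot run as root.
    """
    if ctx.get("runAsNonRoot") is True:
        return True
    uid = ctx.get("runAsUser")
    return isinstance(uid, int) and uid > 0


def audit_pod(pod):
    """Return (pod, container, field, expected, actual) tuples for every deviation."""
    spec, name, findings = pod["spec"], pod["metadata"]["name"], []
    for field, expected in POD_BASELINE.items():
        actual = spec.get(field, False)
        if actual is not expected:
            findings.append((name, "pod", field, expected, actual))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx, cname = effective_context(spec, c), c["name"]
        if not runs_as_non_root(ctx):
            findings.append((name, cname, "runAsNonRoot", True, ctx.get("runAsNonRoot")))
        for field, (expected, default) in CONTAINER_BASELINE.items():
            actual = ctx.get(field, default)
            if actual is not expected:
                findings.append((name, cname, field, expected, actual))
        caps = ctx.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append((name, cname, "capabilities.drop", ["ALL"], caps.get("drop")))
        if caps.get("add"):
            findings.append((name, cname, "capabilities.add", [], caps["add"]))
    return findings


def audit_pod_list(json_text, exceptions=()):
    """Audit every pod in `oc get pods -o json` output.

    `exceptions` holds name prefixes of pods whose documented context differs
    from the baseline (the Insights and Airflow cases above); they are skipped
    so that only undocumented drift is reported.
    """
    findings = []
    for pod in json.loads(json_text)["items"]:
        if pod["metadata"]["name"].startswith(tuple(exceptions)):
            continue
        findings.extend(audit_pod(pod))
    return findings


# Constructed sample standing in for `oc get pods -o json`: one pod on the
# baseline, one that drifted (host networking, root UID, privilege escalation
# left at its default, an added capability).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "sample-service-0"},
     "spec": {"hostPID": False, "hostNetwork": False,
              "securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "app", "securityContext": {
                  "allowPrivilegeEscalation": False, "privileged": False,
                  "readOnlyRootFilesystem": True,
                  "capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"name": "sample-debug-0"},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "tool", "securityContext": {
                  "runAsUser": 0, "readOnlyRootFilesystem": True,
                  "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]}}}]}},
]})

if __name__ == "__main__":
    # Usage: oc get pods -n <namespace> -o json | python3 audit_context.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODS
    for pod, container, field, expected, actual in audit_pod_list(text):
        print(f"{pod}/{container}: {field} expected {expected!r}, got {actual!r}")
```

Run it against a namespace with `oc get pods -n <namespace> -o json | python3 audit_context.py`; with no input it audits the constructed sample and reports the four deviations of the drifted pod. Pass the documented exceptions as prefixes (for example `audit_pod_list(text, exceptions=("airflow",))`) so the report only contains drift the page does not account for.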

Cluster permission requirements

Automation Suite requires the cluster-admin role during installation so that the installer can automate the entire process. Alternatively, you can install Automation Suite with lower permissions; such an installation involves some additional steps. For the permissions that the installation requires, see Step 2: Creating the required roles.

FIPS 140-2

Federal Information Processing Standard 140-2 (FIPS 140-2) is a security standard for validating cryptographic modules.

Automation Suite on OpenShift can run on FIPS 140-2-enabled machines.

Enabling FIPS 140-2 for new installations

To enable FIPS 140-2 on the machines on which you plan to perform a fresh installation of Automation Suite, take the following steps:

  1. Enable FIPS 140-2 on the machines before you start the Automation Suite installation.
  2. Perform the Automation Suite installation by following the installation instructions in this guide.
    Note:
    • If you install AI Center on FIPS 140-2-enabled machines and also use Microsoft SQL Server, you must complete some additional configuration. For details, see SQL requirements for AI Center.

    • Make sure Insights is disabled, as it is not supported on FIPS 140-2-enabled machines.

  3. Set the fips_enabled_nodes flag to true in the input.json file.
  4. Make sure your certificates are FIPS 140-2-compatible.
    Note:

    By default, Automation Suite generates FIPS 140-2-compatible self-signed certificates whose expiration date depends on the Automation Suite installation type you choose.

    We strongly recommend that you replace these self-signed certificates with CA-issued certificates at installation time. To use Automation Suite on FIPS 140-2-enabled machines, the certificates you provide must be FIPS 140-2-compatible. For a list of eligible ciphers supported by RHEL, see the RHEL documentation.

    For details on how to add your own FIPS 140-2-compliant token-signing certificate and TLS certificates, see Certificate configuration.
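The steps above leave three things to verify on the machine before running the installer: that the kernel really is in FIPS mode, that input.json carries the flag, and that the certificates you bring are acceptable under a FIPS 140-2 policy. The following preflight script is an added example, not UiPath's installer code. It reads the kernel flag at /proc/sys/crypto/fips_enabled (the RHEL path), checks that fips_enabled_nodes is boolean true, and classifies certificates from the text output of `openssl x509 -noout -text`. The rule set it applies (SHA-2 signatures, RSA keys of at least 2048 bits, EC keys on P-256/P-384/P-521, everything else rejected) is this example's reading of the RHEL FIPS crypto policy and should be checked against the RHEL documentation the page refers to; the openssl excerpts embedded at the end are constructed sample input.

```python
"""Preflight checks for a FIPS 140-2 installation of Automation Suite.

Added example, not UiPath's installer. It covers the machine-side checks of
the procedure above: the kernel's FIPS flag, the fips_enabled_nodes flag in
input.json, and whether a certificate's signature and key would be accepted
under a FIPS 140-2 policy. The rule set (SHA-2 signatures, RSA keys of at
least 2048 bits, EC keys on P-256/P-384/P-521) is this example's reading of
the RHEL FIPS crypto policy; confirm it against the RHEL documentation.
"""
import json
import re
import subprocess

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # exposed by the RHEL kernel
ALLOWED_SIG_HASHES = ("sha256", "sha384", "sha512")
ALLOWED_CURVES = ("P-256", "P-384", "P-521")


def node_fips_enabled(flag_path=FIPS_FLAG):
    """True when the kernel runs in FIPS mode, i.e. the flag file reads 1."""
    try:
        with open(flag_path) as f:
            return f.read().strip() == "1"
    except OSError:  # flag missing: the kernel was not booted in FIPS mode
        return False


def fips_flag_set(config):
    """True when a parsed input.json sets fips_enabled_nodes to boolean true.

    The string "true" is deliberately rejected so that a quoting mistake is caught.
    """
    return config.get("fips_enabled_nodes") is True


def input_json_fips_flag(path):
    """Load input.json from disk and apply fips_flag_set."""
    with open(path) as f:
        return fips_flag_set(json.load(f))


def classify_cert_text(text):
    """Classify `openssl x509 -noout -text` output as (accepted, reason).

    The first 'Signature Algorithm' line is the one inside the TBS certificate.
    RSA-PSS prints its hash on a separate line and is not parsed here, so it is
    rejected conservatively rather than accepted by accident.
    """
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not (sig and alg and bits):
        return False, "could not parse openssl output"
    sig_alg, key_alg, key_bits = sig.group(1), alg.group(1), int(bits.group(1))
    if not any(h in sig_alg.lower() for h in ALLOWED_SIG_HASHES):
        return False, f"signature algorithm {sig_alg} is not SHA-2 based"
    if key_alg == "rsaEncryption":
        return key_bits >= 2048, f"RSA {key_bits}-bit key"
    if key_alg == "id-ecPublicKey":
        curve = re.search(r"NIST CURVE:\s*(\S+)", text)
        name = curve.group(1) if curve else "unknown"
        return name in ALLOWED_CURVES, f"EC key on {name}"
    return False, f"key algorithm {key_alg} is not in the allowed set"


def cert_is_fips_compatible(pem_path):
    """Run openssl (must be on PATH) on a PEM file and classify the result."""
    out = subprocess.run(["openssl", "x509", "-in", pem_path, "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    return classify_cert_text(out)


def preflight(input_json_path, cert_paths, flag_path=FIPS_FLAG):
    """Run every check; any False in the returned {check: (ok, detail)} blocks the install."""
    results = {
        "kernel fips mode": (node_fips_enabled(flag_path), flag_path),
        "input.json fips_enabled_nodes": (input_json_fips_flag(input_json_path), input_json_path),
    }
    for path in cert_paths:
        results[f"certificate {path}"] = cert_is_fips_compatible(path)
    return results


# Constructed excerpts of `openssl x509 -noout -text` output, used as sample input.
SAMPLE_RSA_2048 = """Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
SAMPLE_SHA1 = SAMPLE_RSA_2048.replace("sha256WithRSAEncryption", "sha1WithRSAEncryption")
SAMPLE_EC_P256 = """Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                NIST CURVE: P-256
"""
```

Call `preflight("input.json", ["server.crt", "token-signing.crt"])` on the installer machine and refuse to proceed if any entry is False; a SHA-1-signed or 1024-bit RSA certificate will be rejected even if it is otherwise valid, which is exactly the case the self-signed defaults already avoid.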


© 2005-2024 UiPath. All rights reserved.