Automation Suite on OpenShift Installation Guide
Last updated Nov 11, 2024

Configuring the Insights custom security context

The Insights application has multiple features that use the Chromium Linux SUID Sandbox. Elevated access is therefore not required to install the Insights application itself, but it is essential for the functionality of those specific features.

  1. Save the following configuration as a YAML file, then apply it by executing the following command: oc apply -f <file_name.yaml>. Make sure to replace the <file_name.yaml> placeholder with the actual name used for your YAML file.
    allowedCapabilities:
      - SETUID
    apiVersion: security.openshift.io/v1
    fsGroup:
      type: MustRunAs
    groups: []
    kind: SecurityContextConstraints
    metadata:
      name: insights-scc
    readOnlyRootFilesystem: false
    runAsUser:
      type: MustRunAsRange
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users: []
    volumes:
      - configMap
      - csi
      - downwardAPI
      - emptyDir
      - ephemeral
      - persistentVolumeClaim
      - projected
      - secret
  2. Save the following in a file named <file_name.yaml> to create a role to access the Security Context Constraint:
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: insights-scc-role
      namespace: <uipath>
    rules:
      - verbs:
          - use
        apiGroups:
          - security.openshift.io
        resources:
          - securitycontextconstraints
        resourceNames:
          - insights-scc
    Create a role to access the Security Context Constraint by executing the following command: oc apply -f <file_name.yaml>. Make sure to replace the <file_name.yaml> placeholder with the actual name used for your YAML file.
  3. Save the following in a file named <file_name.yaml> to create a role-binding to bind the previously defined role to the Insights service account:
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: insights-scc-rolebinding
      namespace: <uipath>
    subjects:
      - kind: ServiceAccount
        name: insightslooker-sa
        namespace: <uipath>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: insights-scc-role
    Create a role-binding to bind the previously defined role to the Insights service account by executing the following command: oc apply -f <file_name.yaml>. Make sure to replace the <file_name.yaml> placeholder with the actual name used for your YAML file.
  4. Navigate to ArgoCD and disable Auto sync for Insights.
  5. Update the security context for the Insights Looker, located within the Insights Looker statefulset. Add the SETUID capabilities:
    capabilities:
     add:
      - SETUID
     drop:
      - ALL
  6. Perform a rollout restart of the statefulset:
    oc -n <uipath> rollout restart statefulset/insights-insightslooker
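
The following check is an added example, not part of the UiPath guide. It takes the SCC, Role and RoleBinding as parsed JSON (the form returned by oc get ... -o json) and reports anything broader than what steps 1 to 3 grant. The sample objects are constructed from the manifests on this page, and "uipath" is an assumed namespace standing in for the <uipath> placeholder.

```python
# Volume types and host-access flags: the page allows only these volumes and
# sets none of the host/privileged SCC fields.
PAGE_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                "persistentVolumeClaim", "projected", "secret"}
HOST_FLAGS = ("allowPrivilegedContainer", "allowHostNetwork", "allowHostPID",
              "allowHostIPC", "allowHostPorts", "allowHostDirVolumePlugin")

def audit(scc, role, binding, namespace):
    """Return findings; an empty list means nothing exceeds what the page grants."""
    out = []
    if (scc.get("allowedCapabilities") or []) != ["SETUID"]:
        out.append("scc: allowedCapabilities is not exactly [SETUID]")
    out += [f"scc: {f} is enabled" for f in HOST_FLAGS if scc.get(f)]
    extra = set(scc.get("volumes") or []) - PAGE_VOLUMES
    if extra:
        out.append(f"scc: extra volume types {sorted(extra)}")
    if scc.get("users") or scc.get("groups"):
        out.append("scc: users/groups set directly, bypassing the Role")
    if scc.get("runAsUser", {}).get("type") != "MustRunAsRange":
        out.append("scc: runAsUser is not MustRunAsRange")
    for rule in role.get("rules") or []:
        # A rule without resourceNames grants 'use' on every SCC, not just insights-scc.
        if rule.get("verbs") != ["use"] or rule.get("resourceNames") != ["insights-scc"]:
            out.append("role: rule is broader than 'use' on insights-scc")
    if binding.get("roleRef", {}).get("name") != "insights-scc-role":
        out.append("binding: roleRef is not insights-scc-role")
    for s in binding.get("subjects") or []:
        if (s.get("kind"), s.get("name"), s.get("namespace")) != (
                "ServiceAccount", "insightslooker-sa", namespace):
            out.append(f"binding: unexpected subject {s.get('kind')}/{s.get('name')}")
    return out

# Constructed sample input mirroring this page's manifests; "uipath" is an
# assumed namespace standing in for the <uipath> placeholder.
SCC = {"allowedCapabilities": ["SETUID"], "users": [], "groups": [],
       "runAsUser": {"type": "MustRunAsRange"},
       "volumes": ["configMap", "secret", "emptyDir"]}
ROLE = {"rules": [{"verbs": ["use"], "apiGroups": ["security.openshift.io"],
                   "resources": ["securitycontextconstraints"],
                   "resourceNames": ["insights-scc"]}]}
BINDING = {"roleRef": {"kind": "Role", "name": "insights-scc-role"},
           "subjects": [{"kind": "ServiceAccount", "name": "insightslooker-sa",
                         "namespace": "uipath"}]}

if __name__ == "__main__":
    print(audit(SCC, ROLE, BINDING, "uipath") or "no findings")
```

Running it again after later upgrades or manual edits shows whether the SCC or its binding has drifted beyond the single SETUID capability and the single service account.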
