Cluster-level permissions FAQs

Why do you need cluster-level permissions?
A third-party Kubernetes library called Argo is used to dynamically manage plugins or integration pods that HCL DevOps Velocity (Velocity) uses to link with external tools. To run integrations on Velocity, a pod is provisioned dynamically at runtime for each execution. Plugins are programming-language independent and securely isolated: they access resources on the pod without interfering with any core services.
What service creates pods dynamically and how is it accomplished?
The Argo workflow-controller creates pods dynamically when it detects the creation of a workflow, which is a custom resource defined by a Custom Resource Definition (CRD).
What resources are added to the Velocity installation to support integration executions?
Resources are detailed in the following table.
Table 1. Argo resources

| Resource | Name | Description |
| --- | --- | --- |
| CustomResourceDefinition | cronworkflows.argoproj.io | This workflow control tracks the call of a plugin execution. |
| CustomResourceDefinition | workflows.argoproj.io | Provisions pods for plugin execution |
| CustomResourceDefinition | workfloweventbindings.argoproj.io | Informs calling workflows of provisioned pod status |
| CustomResourceDefinition | clusterworkflowtemplates.argoproj.io | Cluster scoped templates defining instructions for running workflows |
| CustomResourceDefinition | workflowtemplates.argoproj.io | Namespace scoped templates defining instructions for running workflows |
| ServiceAccount | argo | New service account used by both the workflow controller and the Velocity reporting-consumer micro-service to interact with specific resources scoped to the namespace. |
| Role | argo-role | Special role to retrieve, create and delete pods, execute pods, and generate pod logs consisting of workflow CRDs bound to the Argo ServiceAccount only. |
| RoleBinding | argo-binding | The binding for the ServiceAccount and the argo-role. |
| ConfigMap | workflow-controller-configmap | Configuration for the Argo workflow-controller. |
| Deployment | workflow-controller | Deployment for the main Argo workflow-controller. |
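
One way to check that a deployed argo-role stays within the scope Table 1 describes, as an added example that is not part of the Velocity documentation or installer. The verb allowlist is an assumed reading of the table ("retrieve" taken as get/list/watch) and the sample Role is constructed; real input would be the JSON from kubectl get role argo-role -o json in the Velocity namespace.

```python
import json

# Assumed mapping of Table 1's wording to RBAC verbs (not Velocity's shipped manifest).
READ = {"get", "list", "watch"}
ALLOWED = {
    ("", "pods"): READ | {"create", "delete"},  # retrieve, create and delete pods
    ("", "pods/exec"): {"create"},              # execute pods
    ("", "pods/log"): READ,                     # pod logs
}
ARGO_GROUP = "argoproj.io"  # API group of the CRDs listed in Table 1

def audit_role(manifest):
    """Return findings for rules that exceed the documented argo-role scope."""
    findings = []
    if manifest.get("kind") != "Role":
        findings.append(f"kind is {manifest.get('kind')}, expected namespaced Role")
    for rule in manifest.get("rules", []):
        verbs = set(rule.get("verbs", []))
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                name = f"{group or 'core'}/{res}"
                if "*" in (group, res) or "*" in verbs:
                    findings.append(f"wildcard in rule: {name} {sorted(verbs)}")
                elif group != ARGO_GROUP:  # explicit verbs on workflow CRs are accepted
                    extra = verbs - ALLOWED.get((group, res), set())
                    if extra:
                        findings.append(f"{name}: unexpected verbs {sorted(extra)}")
    return findings

# Constructed sample: the last two rules go beyond what Table 1 describes.
SAMPLE = json.loads("""
{"kind": "Role", "metadata": {"name": "argo-role"}, "rules": [
  {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch", "create", "delete"]},
  {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
  {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
  {"apiGroups": ["argoproj.io"], "resources": ["workflows"], "verbs": ["get", "list", "watch", "patch"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
  {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}
]}
""")

if __name__ == "__main__":
    for finding in audit_role(SAMPLE):
        print(finding)
```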
How long are cluster-level permissions required?
Cluster-level permissions are required for the time it takes to complete a successful installation of Velocity. Temporary cluster-level permissions may also be required in specific upgrade scenarios. Contact your Kubernetes or OpenShift administrator beforehand to ensure an efficient installation or upgrade process.