Cluster-level permissions FAQs

Why do you need cluster-level permissions?: A third party Kubernetes library called Argo is used to dynamically manage plugins or integration pods that HCL DevOps Velocity (Velocity) uses to link with external tools. For running integrations on Velocity, a pod is provisioned dynamically at runtime for each execution. Plugins are programming language independent and securely isolated while accessing resources on the pod without interfering with any core services.

What service creates pods dynamically and how is it accomplished?: The Argo workflow-controller creates pods dynamically when it detects the creation of a workflow that is a Custom resource definition (CRD).

What resources are added to the Velocity installation to support integration executions?

Resources are detailed in the following table.

Table 1. Argo resources
Resource	Name	Description
`CustomResourceDefinition`	`cronworkflows.argoproj.io`	This workflow control tracks the call of a plugin execution.
`CustomResourceDefinition`	`workflows.argoproj.io`	Provisions pods for plugin execution
`CustomResourceDefinition`	`workfloweventbindings.argoproj.io`	Informs calling workflows of provisioned pod status
`CustomResourceDefinition`	`clusterworkflowtemplates.argoproj.io`	Cluster scoped templates defining instructions for running workflows
`CustomResourceDefinition`	`workflowtemplates.argoproj.io`	Namespace scoped templates defining instructions for running workflows
`ServiceAccount`	`argo`	New service account used by both the workflow controller and the Velocity `reporting-consumer` micro-service to interact with specific resources scoped to the namespace.
`Role`	`argo-role`	Special role to retrieve, create and delete pods, execute pods, and generate pod logs consisting of workflow CRDs bound to the Argo `ServiceAccount` only.
`RoleBinding`	`argo-binding`	The binding for the `ServiceAccount` and the `argo-role`.
`ConfigMap`	`workflow-controller-configmap`	Configuration for the Argo `workflow-controller`.
`Deployment`	`workflow-controller`	Deployment for the main Argo `workflow-controller`.

How long are cluster-level permissions required?: The time required for a successful installation of Velocity. Also, temporary cluster-level permissions may be required in specific upgrade scenarios. Contact either your Kubernetes or OpenShift administrator beforehand to ensure an efficient installation or upgrade process.