marcel/argo-cd
1
0
Fork 0
mirror of https://github.com/argoproj/argo-cd.git synced 2026-02-20 01:28:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
argo-cd/docs/operator-manual/project.yaml
Michael Crenshaw e77acec858 feat: allow limiting clusterResourceWhitelist by resource name (#12208) (#24674) 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
2025-12-03 20:55:28 +00:00

113 lines
3.7 KiB
YAML
Raw Permalink Blame History

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: my-project
namespace: argocd
# Finalizer that ensures that project is not deleted until it is not referenced by any application
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
# Project description
description: Example Project
# Allow manifests to deploy from any Git repos
sourceRepos:
- '*'
# Only permit applications to deploy to the 'guestbook' namespace or any namespace starting with 'guestbook-' in the same cluster
# Destination clusters can be identified by 'server', 'name', or both.
destinations:
- namespace: guestbook
server: https://kubernetes.default.svc
name: in-cluster
# Destinations also allow wildcard globbing
- namespace: guestbook-*
server: https://kubernetes.default.svc
name: in-cluster
# Deny all cluster-scoped resources from being created, except for Namespace
clusterResourceWhitelist:
- group: ''
kind: Namespace
# Name is optional. If specified, only resources with a matching name will be allowed.
# Globs in Go's filepath.Match syntax are supported. Example: "team1-*".
name: ''
# Deny all Namespace resources from being created if their name starts with 'kube-'
clusterResourceBlacklist:
- group: ''
kind: Namespace
# Name is optional. If specified, only resources with a matching name will be denied.
name: 'kube-*'
# Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
namespaceResourceBlacklist:
- group: ''
kind: ResourceQuota
- group: ''
kind: LimitRange
- group: ''
kind: NetworkPolicy
# Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
namespaceResourceWhitelist:
- group: 'apps'
kind: Deployment
- group: 'apps'
kind: StatefulSet
# Enables namespace orphaned resource monitoring.
orphanedResources:
warn: false
roles:
# A role which provides read-only access to all applications in the project
- name: read-only
description: Read-only privileges to my-project
policies:
- p, proj:my-project:read-only, applications, get, my-project/*, allow
groups:
- my-oidc-group
# A role which provides sync privileges to only the guestbook-dev application, e.g. to provide
# sync privileges to a CI system
- name: ci-role
description: Sync privileges for guestbook-dev
policies:
- p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow
# NOTE: JWT tokens can only be generated by the API server and the token is not persisted
# anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list.
jwtTokens:
- iat: 1535390316
# Sync windows restrict when Applications may be synced. https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/
syncWindows:
- kind: allow
schedule: '10 1 * * *'
duration: 1h
applications:
- '*-prod'
manualSync: true
- kind: deny
schedule: '0 22 * * *'
duration: 1h
namespaces:
- default
- kind: allow
schedule: '0 23 * * *'
duration: 1h
clusters:
- in-cluster
- cluster1
# By default, apps may sync to any cluster specified under the `destinations` field, even if they are not
# scoped to this project. Set the following field to `true` to restrict apps in this cluster to only clusters
# scoped to this project.
permitOnlyProjectScopedClusters: false
# When using Applications-in-any-namespace, this field determines which namespaces this AppProject permits
# Applications to reside in. Details: https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/
sourceNamespaces:
- "argocd-apps-*"
Reference in New Issue View Git Blame Copy Permalink