kind: AppProject
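# Example Argo CD AppProject. The project is the authorization boundary for its
# applications: it limits which source repositories, destination
# clusters/namespaces and resource kinds they may use, and it defines
# project-scoped RBAC roles.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: my-project
  namespace: argocd
  # Finalizer that ensures the project is not deleted while any application
  # still references it
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  description: Example Project

  # Allow manifests to deploy from any Git repos.
  # '*' places no restriction on where manifests come from; outside of an
  # example, list the specific repository URLs the project is meant to trust.
  sourceRepos:
    - '*'

  # Only permit applications to deploy to the guestbook namespace in the same
  # cluster
  destinations:
    - namespace: guestbook
      server: https://kubernetes.default.svc

  # Deny all cluster-scoped resources from being created, except for Namespace
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace

  # Allow all namespaced-scoped resources to be created, except for
  # ResourceQuota, LimitRange, NetworkPolicy
  namespaceResourceBlacklist:
    - group: ''
      kind: ResourceQuota
    - group: ''
      kind: LimitRange
    - group: ''
      kind: NetworkPolicy

  # Deny all namespaced-scoped resources from being created, except for
  # Deployment and StatefulSet.
  # Both lists are shown here for illustration. When both are set, a kind must
  # be on the whitelist and absent from the blacklist, so the effective policy
  # for this project is the narrower one: Deployment and StatefulSet only.
  namespaceResourceWhitelist:
    - group: 'apps'
      kind: Deployment
    - group: 'apps'
      kind: StatefulSet

  roles:
    # A role which provides read-only access to all applications in the project.
    # Membership is granted through the listed OIDC group, so access follows
    # the identity provider's group assignment.
    - name: read-only
      description: Read-only privileges to my-project
      policies:
        - p, proj:my-project:read-only, applications, get, my-project/*, allow
      groups:
        - my-oidc-group

    # A role which provides sync privileges to only the guestbook-dev
    # application, e.g. to provide sync privileges to a CI system.
    # The policy names one action (sync) on one application, which keeps a
    # leaked CI credential from reaching the other applications in the project.
    - name: ci-role
      description: Sync privileges for guestbook-dev
      policies:
        - p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow

      # NOTE: JWT tokens can only be generated by the API server and the token
      # is not persisted anywhere by Argo CD. It can be prematurely revoked by
      # removing the entry from this list.
      # Each entry is keyed by the token's issued-at time (iat, Unix seconds).
      # This entry has no exp field, so the token it represents does not expire
      # on its own and stays valid until the entry is removed; prefer issuing
      # role tokens with an expiry and rotating them.
      jwtTokens:
        - iat: 1535390316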
See also