
     1  apiVersion: argoproj.io/v1alpha1
     2  kind: AppProject
     3  metadata:
     4    name: my-project
     5    namespace: argocd
     6    # Finalizer that prevents the project from being deleted while any Application still references it
     7    finalizers:
     8      - resources-finalizer.argocd.argoproj.io
     9  spec:
    10    # Project description
    11    description: Example Project
    12  
    13    # Allow manifests to deploy from any Git repo. '*' imposes no restriction on where manifests may come from; in production, list only the trusted repository URLs this project is allowed to use
    14    sourceRepos:
    15    - '*'
    16  
    17    # Only permit applications to deploy to the guestbook namespace in the same cluster
    18    # Destination clusters can be identified by 'server', 'name', or both.
    19    destinations:
    20    - namespace: guestbook
    21      server: https://kubernetes.default.svc
    22      name: in-cluster
    23  
    24    # Deny all cluster-scoped resources from being created, except for Namespace
    25    clusterResourceWhitelist:
    26    - group: ''
    27      kind: Namespace
    28  
    29    # Deny ResourceQuota, LimitRange and NetworkPolicy in namespaces. On its own this blacklist allows every other namespace-scoped resource, but the namespaceResourceWhitelist below also applies when both are set
    30    namespaceResourceBlacklist:
    31    - group: ''
    32      kind: ResourceQuota
    33    - group: ''
    34      kind: LimitRange
    35    - group: ''
    36      kind: NetworkPolicy
    37  
    38    # Deny all namespace-scoped resources from being created, except for Deployment and StatefulSet (a resource must pass this whitelist and the blacklist above)
    39    namespaceResourceWhitelist:
    40    - group: 'apps'
    41      kind: Deployment
    42    - group: 'apps'
    43      kind: StatefulSet
    44  
    45    # Enables namespace orphaned resource monitoring.
    46    orphanedResources:
    47      warn: false
    48  
    49    roles:
    50    # A role which provides read-only access to all applications in the project
    51    - name: read-only
    52      description: Read-only privileges to my-project
    53      policies:
    54      - p, proj:my-project:read-only, applications, get, my-project/*, allow
    55      groups:
    56      - my-oidc-group
    57  
    58    # A role which provides sync privileges to only the guestbook-dev application, e.g. to provide
    59    # sync privileges to a CI system
    60    - name: ci-role
    61      description: Sync privileges for guestbook-dev
    62      policies:
    63      - p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow
    64  
    65      # NOTE: Project-role JWT tokens are generated by the API server, which records only the issued-at time here;
    66      # the token itself is never persisted by Argo CD. Removing an entry from this list revokes that token early.
    67      jwtTokens:
    68      - iat: 1535390316
    69  
    70    # Sync windows restrict when Applications may be synced. https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/
    71    syncWindows:
    72    - kind: allow
    73      schedule: '10 1 * * *'
    74      duration: 1h
    75      applications:
    76        - '*-prod'
    77      manualSync: true
    78    - kind: deny
    79      schedule: '0 22 * * *'
    80      duration: 1h
    81      namespaces:
    82        - default
    83    - kind: allow
    84      schedule: '0 23 * * *'
    85      duration: 1h
    86      clusters:
    87        - in-cluster
    88        - cluster1
    89  
    90    # By default, apps may sync to any cluster specified under the `destinations` field, even if that cluster
    91    # is not scoped to this project. Set the following field to `true` to restrict apps in this project to
    92    # clusters that are scoped to this project.
    93    permitOnlyProjectScopedClusters: false
    94  
    95    # When using Applications-in-any-namespace, this field determines which namespaces this AppProject permits
    96    # Applications to reside in. Details: https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/
    97    sourceNamespaces:
    98    - "argocd-apps-*"