# github.com/argoproj/argo-cd/v3@v3.2.1/docs/operator-manual/project.yaml
# Reference AppProject that shows the available spec fields. It demonstrates syntax;
# some values (for example sourceRepos '*') are permissive and should be narrowed
# before the project is used as a tenant boundary.
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: my-project
  namespace: argocd
  # Finalizer: the project is not deleted while any application still references it.
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  # Project description
  description: Example Project

  # Manifests may be deployed from any Git repository. '*' puts no limit on where an
  # application's source comes from; list the trusted repository URLs instead when
  # the project is meant to constrain its users.
  sourceRepos:
    - '*'

  # Applications may deploy only to the 'guestbook' namespace, or to any namespace
  # whose name starts with 'guestbook-', in the same cluster.
  # A destination cluster can be identified by 'server', 'name', or both.
  destinations:
    - namespace: guestbook
      server: https://kubernetes.default.svc
      name: in-cluster
    # Destinations also accept wildcard globs.
    - namespace: 'guestbook-*'
      server: https://kubernetes.default.svc
      name: in-cluster

  # Cluster-scoped resources: all are denied except the kinds listed here (Namespace).
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace

  # Namespaced resources: all are allowed except ResourceQuota, LimitRange and
  # NetworkPolicy.
  namespaceResourceBlacklist:
    - group: ''
      kind: ResourceQuota
    - group: ''
      kind: LimitRange
    - group: ''
      kind: NetworkPolicy

  # Namespaced resources: all are denied except Deployment and StatefulSet.
  # NOTE(review): this example sets both the blacklist and the whitelist to show the
  # syntax. As far as I can tell a kind must pass both lists when both are present,
  # which would make the blacklist entries above redundant here; confirm against the
  # Argo CD projects documentation and keep only the list you intend to enforce.
  namespaceResourceWhitelist:
    - group: apps
      kind: Deployment
    - group: apps
      kind: StatefulSet

  # Enables namespace orphaned-resource monitoring.
  orphanedResources:
    warn: false

  roles:
    # Role granting read-only access to every application in the project. Members of
    # the listed group receive the role.
    - name: read-only
      description: Read-only privileges to my-project
      policies:
        - 'p, proj:my-project:read-only, applications, get, my-project/*, allow'
      groups:
        - my-oidc-group

    # Role granting sync rights on the guestbook-dev application only, e.g. for a CI
    # system.
    - name: ci-role
      description: Sync privileges for guestbook-dev
      policies:
        - 'p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow'

      # NOTE: JWT tokens can only be generated by the API server, and Argo CD does not
      # persist the token anywhere. Removing an entry from this list revokes that
      # token before it would otherwise lapse.
      # NOTE(review): the entry below records only `iat` and no `exp`, which looks
      # like a token issued without an expiry. Prefer short-lived tokens for CI and
      # prune entries that are no longer in use.
      jwtTokens:
        - iat: 1535390316

  # Sync windows restrict when Applications may be synced.
  # https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/
  syncWindows:
    - kind: allow
      schedule: '10 1 * * *'
      duration: 1h
      applications:
        - '*-prod'
      manualSync: true
    - kind: deny
      schedule: '0 22 * * *'
      duration: 1h
      namespaces:
        - default
    - kind: allow
      schedule: '0 23 * * *'
      duration: 1h
      clusters:
        - in-cluster
        - cluster1

  # By default, apps may sync to any cluster listed under `destinations`, even one
  # that is not scoped to this project. Set this field to `true` to restrict apps in
  # this project to clusters that are scoped to this project.
  permitOnlyProjectScopedClusters: false

  # With Applications-in-any-namespace, this field lists the namespaces in which this
  # AppProject permits Applications to reside.
  # Details: https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/
  # Keep the pattern narrow: an Application created in any matching namespace may
  # reference this project.
  sourceNamespaces:
    - 'argocd-apps-*'