Restricting Kargo Projects using GitOps via Argo CD

How manual creation of Kargo Projects can be restricted when they are deployed using Argo CD

Manual creation of Kargo Projects can be restricted by leveraging the resource deny list entry in the Argo CD AppProject configuration.

Kargo currently supports only basic viewer and admin roles without granular access control. To prevent users from manually creating Kargo Projects while still using Argo CD for GitOps-driven workflows, a clusterResourceBlacklist entry can be added to the spec of an AppProject.

This can be achieved by denying access to the Project resource in the kargo.akuity.io API group.

Example Configuration:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: restricted-kargo
  namespace: argocd
spec:
  description: AppProject with restricted Kargo Project creation
  sourceRepos:
    - '*'
  destinations:
    - namespace: '*'
      server: '*'
  clusterResourceBlacklist:
    - group: kargo.akuity.io
      kind: Project

With this configuration, Argo CD blocks the creation or management of Kargo Project resources within the defined AppProject scope. The restriction applies only to that AppProject.
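To find AppProjects that still allow Kargo Projects to be synced, the following added example (not code from the Kargo or Argo CD projects) evaluates JSON shaped like the output of kubectl get appprojects -n argocd -o json. It assumes Argo CD glob-matches the group and kind of each entry and permits a cluster-scoped kind only when a clusterResourceWhitelist entry matches and no clusterResourceBlacklist entry does; all project names in the sample except restricted-kargo are constructed.

```python
import fnmatch

KARGO_PROJECT = ("kargo.akuity.io", "Project")
DENY = [{"group": "kargo.akuity.io", "kind": "Project"}]
ALLOW_ALL = [{"group": "*", "kind": "*"}]


def _in_list(group, kind, entries):
    """True if any group/kind entry glob-matches the resource."""
    return any(
        fnmatch.fnmatchcase(kind, e.get("kind", ""))
        and fnmatch.fnmatchcase(group, e.get("group", ""))
        for e in entries or []
    )


def kargo_project_permitted(appproject):
    """Assumed rule: permitted only if an allow entry matches and no deny entry does."""
    spec = appproject.get("spec", {})
    group, kind = KARGO_PROJECT
    allowed = _in_list(group, kind, spec.get("clusterResourceWhitelist"))
    denied = _in_list(group, kind, spec.get("clusterResourceBlacklist"))
    return allowed and not denied


def audit(appproject_list):
    """Return the names of AppProjects through which Kargo Projects can still sync."""
    return sorted(
        p["metadata"]["name"]
        for p in appproject_list.get("items", [])
        if kargo_project_permitted(p)
    )


# Constructed sample data; only restricted-kargo mirrors the configuration above.
SAMPLE = {"items": [
    {"metadata": {"name": "restricted-kargo"},
     "spec": {"clusterResourceBlacklist": DENY}},
    {"metadata": {"name": "platform-open"},
     "spec": {"clusterResourceWhitelist": ALLOW_ALL}},
    {"metadata": {"name": "platform-denied"},
     "spec": {"clusterResourceWhitelist": ALLOW_ALL, "clusterResourceBlacklist": DENY}},
    {"metadata": {"name": "wrong-kind"},  # deny entry names Stage, not Project
     "spec": {"clusterResourceWhitelist": ALLOW_ALL,
              "clusterResourceBlacklist": [{"group": "kargo.akuity.io", "kind": "Stage"}]}},
]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any name the audit returns is an AppProject where the deny entry is missing or does not match the Project kind in the kargo.akuity.io group.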

Reference: https://argo-cd.readthedocs.io/en/stable/user-guide/projects