Restricting Kargo Projects using GitOps via Argo CD
How manual creation of Kargo Projects can be restricted when deploying them using Argo CD
Manual creation of Kargo Projects can be restricted by leveraging the resource deny list entry in the Argo CD AppProject configuration.
Kargo currently supports only basic viewer and admin roles without granular access control. To prevent users from manually creating Kargo Projects while still using Argo CD for GitOps-driven workflows, a clusterResourceBlacklist spec object can be added to an AppProject.
This can be achieved by denying access to the Project resource in the kargo.akuity.io API group.
Example Configuration:
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: restricted-kargo
  namespace: argocd
spec:
  description: AppProject with restricted Kargo Project creation
  sourceRepos:
    - '*'
  destinations:
    - namespace: '*'
      server: '*'
  clusterResourceBlacklist:
    - group: kargo.akuity.io
      kind: Project
This configuration blocks the creation or management of Kargo Project resources through Argo CD within the defined AppProject scope.
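To check which AppProjects actually carry this deny entry, the following added example (not part of the original article, nor code from Argo CD or Kargo) audits JSON shaped like the output of kubectl get appprojects -n argocd -o json. The sample data and the project names team-a, team-b and team-c are constructed, and treating deny list entries as glob patterns via fnmatch is an assumption.

```python
import json
from fnmatch import fnmatchcase

KARGO_GROUP, KARGO_KIND = "kargo.akuity.io", "Project"

def _project(name, blacklist=None):
    """Build a constructed AppProject object for the sample below."""
    spec = {"sourceRepos": ["*"]}
    if blacklist is not None:
        spec["clusterResourceBlacklist"] = blacklist
    return {"apiVersion": "argoproj.io/v1alpha1", "kind": "AppProject",
            "metadata": {"name": name, "namespace": "argocd"}, "spec": spec}

# Constructed sample shaped like `kubectl get appprojects -n argocd -o json`.
SAMPLE = json.dumps({"kind": "List", "items": [
    _project("restricted-kargo", [{"group": "kargo.akuity.io", "kind": "Project"}]),
    _project("team-a"),                                        # no deny list at all
    _project("team-b", [{"group": "", "kind": "Namespace"}]),  # unrelated entry
    _project("team-c", [{"group": "*", "kind": "*"}]),         # wildcard entry
]})

def has_kargo_deny_entry(appproject):
    """True if clusterResourceBlacklist has an entry covering kargo.akuity.io/Project."""
    entries = (appproject.get("spec") or {}).get("clusterResourceBlacklist") or []
    # Assumption: entries are treated as glob patterns, approximated with fnmatch.
    return any(fnmatchcase(KARGO_GROUP, e.get("group", "")) and
               fnmatchcase(KARGO_KIND, e.get("kind", "")) for e in entries)

def projects_missing_deny(raw_json):
    """Return names of AppProjects without the deny entry (accepts a List or one object)."""
    doc = json.loads(raw_json)
    items = doc["items"] if "items" in doc else [doc]
    return sorted(p["metadata"]["name"] for p in items
                  if p.get("kind") == "AppProject" and not has_kargo_deny_entry(p))

if __name__ == "__main__":
    import sys
    # Pipe real kubectl output on stdin; with no input the constructed sample is used.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for name in projects_missing_deny(raw.strip() or SAMPLE):
        print(f"{name}: no clusterResourceBlacklist entry for {KARGO_GROUP}/{KARGO_KIND}")
```

The script reports only whether the explicit deny entry is present; it does not evaluate any other AppProject setting.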
Reference: https://argo-cd.readthedocs.io/en/stable/user-guide/projects