7. Projects

Argo CD applications can be linked to a project which provides a logical grouping of applications. The following configurations can be made on a project:

Source repositories: Git repositories where application manifests are permitted to be retrieved from
Destination Clusters: Permitted destination Kubernetes or OpenShift clusters
Destination Namespaces: Destination namespaces where the manifests are permitted to be deployed to
Permitted resource kinds to be synced (e.g. ConfigMap)
Sync windows: Time windows when an application is permitted to be synced by Argo CD.
Roles: Roles and policies assigned to the project. The roles are bound to OIDC groups and/or JWT tokens)
GPG Signature Keys: GnuPG keys that commits must be signed with in order to be allowed to sync them
Resource Monitoring: Visualization and monitoring of orphaned resources

In summary, a project defines who can deploy what to which destination. This is very useful to keep the isolation between different user groups working on the same Argo CD instance and enables the capability of multi tenancy.

Task 7.1: Create a new empty project

Now we want to create a new empty Argo CD project.

Create a file appproject.yaml with the following content and apply it:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: project-$USER
  namespace: openshift-gitops
spec:
  sourceRepos: []
  destinations: []

oc apply -f appproject.yaml
oc get appproject -n openshift-gitops

Task 7.2: Define permitted sources and destinations

The next step is to deploy a new application and assign it to the created project project-<username> by using the flag --project

Update appproject.yaml to add the permitted sources and destinations, then re-apply:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: project-$USER
  namespace: openshift-gitops
spec:
  sourceRepos:
    - '*'
  destinations:
    - server: https://kubernetes.default.svc
      namespace: 'user*'

oc apply -f appproject.yaml

Now create a file application.yaml with the following content and apply it:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: project-app-$USER
  namespace: openshift-gitops
spec:
  project: project-$USER
  source:
    repoURL: https://github.com/acend/argocd-training-examples.git
    targetRevision: HEAD
    path: example-app
  destination:
    server: https://kubernetes.default.svc
    namespace: $USER

oc apply -f application.yaml

Open the Argo CD UI and click Sync on the project-app-$USER application.

Note

The feature of limiting source repositories and destination clusters/namespaces is a powerful construct of Argo CD as roles and policies can be assigned to projects. With this tool you can enforce a fine grained permission model to control the access of the users to the different clusters and namespaces.

Task 7.3: Deny resources by kind

On a project there is the possibility to restrict the kind of resources that can be synchronized. The restrictions are defined by whitelisting for cluster scoped resources and blacklisted for namespace scoped resources.

Let’s extend our existing project and deny the synchronization of Services.

Update appproject.yaml to add a namespace resource blacklist, then re-apply:

spec:
  # ... existing fields ...
  namespaceResourceBlacklist:
    - group: ''
      kind: Service

oc apply -f appproject.yaml

Open the Argo CD UI and click Sync on project-app-$USER. The sync will fail because Service is now blocked.

To allow Service again, remove the namespaceResourceBlacklist entry from appproject.yaml and re-apply:

oc apply -f appproject.yaml

Sync the application again in the UI.

Task 7.4: Cleanup

Delete the resources created in this chapter by running the following commands:

oc delete application project-app-$USER -n openshift-gitops
oc delete appproject project-$USER -n openshift-gitops

Last modified May 12, 2026: Merge 4f8326993bbb66727811167635d136b136f2dba1 into d2284b53a1793fc3b470cc87611f5d748187ef4a (b2d8c22)