argoproj/argo-cd
AppProject
AppProject is Argo CD's multi-tenant boundary. It restricts which sources an Application can pull from, which clusters it can deploy to, which Kubernetes resources it can touch, and who can manage it.
Schema (selected fields)
The Go type is in pkg/apis/application/v1alpha1/app_project_types.go. Major fields:
| Field | Purpose |
|---|---|
spec.sourceRepos[] |
Globs of allowed source repositories. |
spec.destinations[] |
Allowed destination clusters/namespaces (matched as globs). |
spec.clusterResourceWhitelist[], spec.clusterResourceBlacklist[] |
Allowed/disallowed cluster-scoped resource kinds. |
spec.namespaceResourceWhitelist[], spec.namespaceResourceBlacklist[] |
Allowed/disallowed namespace-scoped resource kinds. |
spec.roles[] |
Project-scoped Casbin policies and JWT tokens. |
spec.signatureKeys[] |
GPG keys whose signatures must match a commit before sync is allowed. |
spec.syncWindows[] |
Time-based sync allow/deny windows. |
spec.orphanedResources |
Whether to flag resources in the destination that are not in any Application. |
spec.permitOnlyProjectScopedClusters |
Restrict to clusters owned by this project. |
Built-in default project
If you do not specify spec.project, your Application lands in the default AppProject. The default project allows all sources, destinations, and resource kinds — it is permissive by design. Production setups always create stricter projects.
Roles and tokens
spec.roles[].policies is a list of Casbin policy lines scoped to this project. Each role can have JWT tokens. Tokens are issued via the API server (server/project/) or the CLI (argocd proj role create-token in cmd/argocd/commands/project_role.go).
Sample:
spec:
roles:
- name: ci-deployer
description: CI deploys apps in this project
policies:
- p, proj:my-project:ci-deployer, applications, sync, my-project/*, allow
- p, proj:my-project:ci-deployer, applications, get, my-project/*, allow
jwtTokens:
- iat: 1700000000The Casbin enforcer that consumes these is util/rbac/rbac.go plus server/rbacpolicy/.
Sync windows
A sync window is a cron-style time block during which sync is either allowed or denied. The fields kind, schedule, duration, applications, namespaces, clusters, manualSync set scope. Implementation: cmd/argocd/commands/projectwindows.go, with controller-side enforcement in the sync evaluation paths (controller/sync.go, controller/state.go).
Cluster scoping
When spec.permitOnlyProjectScopedClusters: true is set on a project, only clusters that have the same project name in their cluster Secret label are addressable by Applications in that project. Implemented in util/db/cluster.go and the cluster service in server/cluster/.
Code paths
| Concern | Where |
|---|---|
| CRUD API | server/project/ |
| CLI | cmd/argocd/commands/project.go, project_role.go, projectwindows.go, admin/project.go, admin/project_allowlist.go |
| Validation / enforcement | util/argo/argo.go, util/security/jwt.go, controller/state.go |
See also
- features/sso-and-rbac — the layered authorization model.
- primitives/application — what AppProjects govern.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.