ArgoCD Projects and RBAC

You've been deploying your own applications across waves with perfect control. Now imagine a team: frontend engineers deploying to the frontend namespace, backend engineers deploying to the backend namespace. They can't cross boundaries—a frontend engineer must never touch backend deployments.

This is where ArgoCD Projects and RBAC (Role-Based Access Control) become critical. Projects define what repositories your team can deploy from and which clusters/namespaces they can deploy to. RBAC policies define who can do what—read-only viewing, deployment approvals, admin access.

Without Projects and RBAC, one engineer's mistake could deploy malicious code to production. With them, you enforce organizational boundaries and isolate team deployments.

Why Multi-Tenancy Matters for Teams

Consider a team of six engineers:

If ArgoCD had no Projects or RBAC, all six engineers would have access to everything. A misconfiguration by the frontend team could accidentally overwrite the backend database password, breaking production.

Projects solve this: Each team gets a Project that restricts source repositories and destination namespaces.

RBAC solves this: Each engineer gets a Role that defines what actions they can take.

The AppProject Custom Resource Definition (CRD)

An AppProject is a Kubernetes custom resource that acts as a security boundary. It defines:

1. Source repositories: Which Git repositories this project can deploy from
2. Destinations: Which clusters and namespaces this project can deploy to
3. Resource restrictions: Which resource types can be deployed
4. Namespaces: Multitenancy isolation

Let's look at the structure:

Output:

Notice the hierarchy: source repos → destinations → resource restrictions.

Source Repository Restrictions

The first security boundary is the repository. Your Project defines which Git repositories its Applications can deploy from.

Single Repository (Simple Case)

Output:

Multiple Repositories (Team Pattern)

A single project can deploy from multiple repositories. This is useful when your deployment includes both application code and shared infrastructure:

Output:

Destination Restrictions: Clusters and Namespaces

The second security boundary is the destination—where your Application can deploy.

Single Namespace (Frontend Team)

Output:

Multiple Clusters (Multi-Region)

Some organizations deploy to multiple clusters (us-east, eu-west, etc.). You can restrict Projects to specific clusters:

Output:

Resource Whitelists and Blacklists

The third security boundary controls resource types. Some organizations block certain resources from being deployed through ArgoCD.

Blocking System Namespaces

Output:

Whitelisting Only Safe Resources

Some organizations take the opposite approach—whitelist only resources they trust:

Output:

RBAC: Who Can Do What?

Now that you've defined Projects, you need to define which users can access them. RBAC in ArgoCD uses two policy types:

1. p policies (permissions): Define what actions a role can perform
2. g policies (groups): Define which users belong to which roles

RBAC Policy Structure

ArgoCD RBAC is configured in a ConfigMap. The format uses three parts:

Example: Read-Only Role

Create a read-only role that can view but not modify:

Output:

Example: Project-Scoped Deployment Role

Allow a developer to deploy only within their project:

Output:

Understanding the Wildcards

The policy syntax uses * as a wildcard:

• */ = any project
• /* = any application
• * alone = any

Examples:

• frontend-team/* = any app in frontend-team project
• */my-app = my-app in any project (rarely used)
• frontend-team/agent-app = specific project and app

Project-Scoped Repositories

ArgoCD 3.x adds the ability to restrict repositories at the project level, not just globally.

Complete Multi-Tenant Project Example

Combine all three boundaries—repositories, destinations, and RBAC:

Output:

Applying Projects in Your Cluster

Let's apply these projects to your Minikube cluster and verify they work.

Step 1: Create the Projects

Output:

Step 2: Verify Projects Exist

Output:

Step 3: Inspect a Project

Output:

Step 4: Apply RBAC

Output:

Step 5: Create Applications Within Projects

Now create an Application that uses the backend-team project:

Output:

ArgoCD 3.x RBAC Enhancements

ArgoCD 3.x adds fine-grained permission controls that earlier versions lacked.

Example of repository-scoped RBAC:

Output:

Security Best Practices

1. Default Deny: Always set your default policy to deny (policy.default: deny). This means every access is blocked unless explicitly allowed.
2. Least Privilege: Give each role the minimum permissions needed.
3. Separate Admin Accounts: Create a dedicated admin account with strong authentication for maintenance only.
4. Regular Audits: Review RBAC policies quarterly with kubectl get cm argocd-rbac-cm -n argocd -o yaml.

Try With AI

Setup: You have your Minikube cluster running with ArgoCD installed. You want to set up multi-team access control.

Prompt 1: "I have two teams: frontend (3 engineers) and backend (2 engineers). Design an ArgoCD AppProject and RBAC configuration that isolates frontend team to frontend namespaces and backend team to backend namespaces. Include the full YAML and the RBAC ConfigMap."

Prompt 2: "In your RBAC configuration, I want to also allow both teams to read (but not modify) logs and sync status. Add these permissions without allowing cross-team deployment."

Prompt 3: "Give me kubectl commands to apply this setup and verify that a frontend engineer can sync frontend applications but cannot touch backend ones."

---

Reflect on Your Skill

You built a gitops-deployment skill in Chapter 0. Test and improve it based on what you learned.

Test Your Skill

Identify Gaps

Ask yourself:

• Did my skill include RBAC policies for role-based access control?
• Did it handle permission scopes like applications:get vs. applications:sync?

Improve Your Skill

If you found gaps: