Argo CD: configuring policies for application teams

We can define rules for what can be deployed to a Kubernetes cluster. This is an example of what an AppProject can do:


apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: engineering-team-alpha
  namespace: argocd
spec:
  description: "Restricted project for Team Alpha development work"
 
  # 1. Restrict which repositories apps in this project can pull from
  sourceRepos:
    - "https://github.com/my-org/alpha-apps.git"

  # 2. Restrict where these apps can be deployed (Cluster & Namespace)
  destinations:
    - server: https://kubernetes.default.svc
      namespace: alpha-dev
    - server: https://kubernetes.default.svc
      namespace: alpha-staging

  # 3. Whitelist: Only allow specific Namespaced resources
  # This blocks ClusterRoles, CustomResourceDefinitions, etc.
  clusterResourceWhitelist: [] # Empty means NO cluster-scoped resources allowed
 
  namespaceResourceWhitelist:
    - group: 'apps'
      kind: Deployment
    - group: ''
      kind: Service
    - group: 'networking.k8s.io'
      kind: Ingress

  # 4. Sync Windows: Only allow changes during business hours
  syncWindows:
    - kind: allow
      schedule: "0 9 * * 1-5"
      duration: "8h"
      applications:
        - "*"


Example of a failing YAML (please note this will create an Application object, but it won't appear in the UI, because Argo CD only watches Applications in its own argocd namespace):

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace:  alpha-dev-fake
spec:
  project: engineering-team-alpha
  source:
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    targetRevision: HEAD
    path: guestbook
  destination:
    server: https://kubernetes.default.svc
    namespace: guestbook


From the UI point of view, you will get validation errors, because the project permits neither that source repository nor the destination namespace guestbook.



Minimal successful app:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook-ok
  namespace:  argocd
spec:
  project: engineering-team-alpha
  source:
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    targetRevision: HEAD
    path: guestbook
  destination:
    server: https://kubernetes.default.svc
    namespace: alpha-dev

And it appears in your UI.
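As an added example (not code from the post), here is a Python pre-check that mirrors the policy the AppProject above enforces: it evaluates an Application manifest against the project's sourceRepos, destinations and resource whitelists, and also flags the metadata.namespace mistake from the failing manifest. The manifests are embedded as dicts constructed from the post's YAML, so it runs offline without a YAML library.

```python
from fnmatch import fnmatch

# Constructed from the post's AppProject: just the fields the checks below read.
PROJECT = {
    "metadata": {"name": "engineering-team-alpha", "namespace": "argocd"},
    "spec": {
        "sourceRepos": ["https://github.com/my-org/alpha-apps.git"],
        "destinations": [
            {"server": "https://kubernetes.default.svc", "namespace": "alpha-dev"},
            {"server": "https://kubernetes.default.svc", "namespace": "alpha-staging"},
        ],
        "clusterResourceWhitelist": [],  # empty: no cluster-scoped resources at all
        "namespaceResourceWhitelist": [
            {"group": "apps", "kind": "Deployment"},
            {"group": "", "kind": "Service"},
            {"group": "networking.k8s.io", "kind": "Ingress"},
        ],
    },
}

def check_application(app: dict, project: dict, argocd_ns: str = "argocd") -> list:
    """Return the policy violations for an Application; an empty list means admissible."""
    problems, spec, pspec = [], app["spec"], project["spec"]
    # Argo CD only reconciles Applications in its own namespace (unless the
    # "applications in any namespace" feature is enabled); elsewhere they are ignored.
    ns = app["metadata"].get("namespace")
    if ns != argocd_ns:
        problems.append(f"metadata.namespace {ns!r} is not {argocd_ns!r}: Argo CD will not see it")
    if spec.get("project") != project["metadata"]["name"]:
        problems.append(f"project {spec.get('project')!r} is not {project['metadata']['name']!r}")
    repo = spec["source"]["repoURL"]  # sourceRepos entries are glob patterns
    if not any(fnmatch(repo, pat) for pat in pspec.get("sourceRepos", [])):
        problems.append(f"repo {repo!r} is not in sourceRepos")
    dest = spec["destination"]  # both server and namespace must match one entry
    if not any(fnmatch(dest["server"], d.get("server", "*"))
               and fnmatch(dest["namespace"], d.get("namespace", "*"))
               for d in pspec.get("destinations", [])):
        problems.append(f"destination {dest['server']}/{dest['namespace']} is not permitted")
    return problems

def resource_allowed(group: str, kind: str, namespaced: bool, project: dict) -> bool:
    """Whitelist check for one rendered resource, as Argo CD applies it at sync time."""
    if namespaced:
        allowed = project["spec"].get("namespaceResourceWhitelist")
        if allowed is None:  # key absent: every namespaced kind is permitted
            return True
    else:  # cluster-scoped kinds are denied unless explicitly whitelisted
        allowed = project["spec"].get("clusterResourceWhitelist") or []
    return any(fnmatch(group, a["group"]) and fnmatch(kind, a["kind"]) for a in allowed)
```

Run against the post's guestbook-ok manifest, the check also reports its repoURL, since argocd-example-apps.git is not in the project's sourceRepos; Argo CD would still list the app in the UI but would refuse to sync it until that repo is added to the project.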





