ArgoCD AppProject CRD
Project overview
Projects provide a logical grouping for Applications; they mainly implement the following functions:
1. Restrict what can be deployed (specify the trusted Git source repositories)
2. Restrict where an Application can be deployed (specify the target clusters and namespaces)
3. Restrict which object kinds can and cannot be deployed, e.g. RBAC, CRDs, DaemonSets, NetworkPolicies
4. Define Project Roles, which give Applications an RBAC mechanism that can be bound to OIDC groups or JWT tokens
Default Project
Every application belongs to exactly one project. If none is specified, the application belongs to the default project, which is created automatically and by default permits deployment from any source repository to any cluster, with all resource kinds. The default project can be modified but cannot be deleted.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: default
  namespace: argocd
spec:
  sourceRepos: # allow resource manifests to be fetched from any source repository
    - '*'
  destinations: # allow Applications to be deployed to any target cluster and namespace
    - namespace: '*'
      server: '*'
  clusterResourceWhitelist: # allow resources of any kind to be deployed
    - group: '*'
      kind: '*'
AppProject CRD
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: my-project
  namespace: argocd
  # Finalizer that ensures that project is not deleted until it is not referenced by any application
  # Deletion finalizer. When an Application carrying this finalizer is deleted, the Argo CD application
  # controller performs a cascading delete of the Application's resources; the default propagation
  # policy is foreground cascading deletion. (That cascading behaviour is the finalizer's effect on an
  # Application; on an AppProject, as noted above, it only blocks deletion while Applications still
  # reference the project.)
  finalizers:
    - resources-finalizer.argocd.argoproj.io
    # - resources-finalizer.argocd.argoproj.io/background
spec:
  description: Example Project # description of this Project
  # Allow manifests to deploy from any Git repos
  sourceRepos: # repositories from which resource manifests may be read
    - '*'
  # Only permit applications to deploy to the guestbook namespace in the same cluster
  destinations: # target clusters and namespaces Applications may be deployed to
    - namespace: guestbook
      server: https://kubernetes.default.svc
  # Deny all cluster-scoped resources from being created, except for Namespace
  clusterResourceWhitelist: # cluster-scoped resource kinds that may be used
    - group: ''
      kind: Namespace
  # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
  namespaceResourceBlacklist:
    - group: ''
      kind: ResourceQuota
    - group: ''
      kind: LimitRange
    - group: ''
      kind: NetworkPolicy
  # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
  namespaceResourceWhitelist:
    - group: 'apps'
      kind: Deployment
    - group: 'apps'
      kind: StatefulSet
  roles: # roles available on this Project
    # A role which provides read-only access to all applications in the project
    - name: read-only
      description: Read-only privileges to my-project
      policies:
        - p, proj:my-project:read-only, applications, get, my-project/*, allow
      groups:
        - my-oidc-group
    # A role which provides sync privileges to only the guestbook-dev application, e.g. to provide
    # sync privileges to a CI system
    - name: ci-role
      description: Sync privileges for guestbook-dev
      policies:
        - p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow
      # NOTE: JWT tokens can only be generated by the API server and the token is not persisted
      # anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list.
      jwtTokens:
        - iat: 1535390316
  syncWindows: # sync windows for this Project
    - kind: allow
      schedule: '10 1 * * *'
      duration: 1h
      applications:
        - '*-prod'
      manualSync: true
    - kind: deny
      schedule: '0 22 * * *'
      duration: 1h
      namespaces:
        - default
    - kind: allow
      schedule: '0 23 * * *'
      duration: 1h
      clusters:
        - in-cluster
        - cluster1
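As an added example (not part of these notes and not Argo CD's own code), the following Python applies the whitelist/blacklist semantics described in the comments above to the two manifests on this page, and lints a project spec for the wildcard grants that make the default project wide open. The specs are re-typed inline as dicts; treating group/kind entries as glob patterns is an assumption about how Argo CD matches them.

```python
from fnmatch import fnmatchcase

# Constructed inline from the two manifests above; absent keys mean "not set", as in YAML.
DEFAULT_PROJECT_SPEC = {
    "sourceRepos": ["*"],
    "destinations": [{"namespace": "*", "server": "*"}],
    "clusterResourceWhitelist": [{"group": "*", "kind": "*"}],
}
MY_PROJECT_SPEC = {
    "sourceRepos": ["*"],
    "destinations": [{"namespace": "guestbook", "server": "https://kubernetes.default.svc"}],
    "clusterResourceWhitelist": [{"group": "", "kind": "Namespace"}],
    "namespaceResourceBlacklist": [{"group": "", "kind": "ResourceQuota"},
                                   {"group": "", "kind": "LimitRange"},
                                   {"group": "", "kind": "NetworkPolicy"}],
    "namespaceResourceWhitelist": [{"group": "apps", "kind": "Deployment"},
                                   {"group": "apps", "kind": "StatefulSet"}],
}

def _in_list(group, kind, entries):
    """True if (group, kind) matches any entry; entry fields are glob patterns ('*' = anything)."""
    return any(fnmatchcase(group, e["group"]) and fnmatchcase(kind, e["kind"]) for e in entries)

def is_group_kind_permitted(spec, group, kind, namespaced):
    """Would this project let an Application create a resource of the given group/kind?"""
    if namespaced:
        whitelist = spec.get("namespaceResourceWhitelist")
        blacklist = spec.get("namespaceResourceBlacklist") or []
        # No namespace whitelist at all means every namespaced kind; the blacklist always wins.
        allowed = whitelist is None or _in_list(group, kind, whitelist)
        return allowed and not _in_list(group, kind, blacklist)
    whitelist = spec.get("clusterResourceWhitelist") or []
    blacklist = spec.get("clusterResourceBlacklist") or []
    # Cluster-scoped kinds are denied unless explicitly whitelisted.
    return _in_list(group, kind, whitelist) and not _in_list(group, kind, blacklist)

def wildcard_findings(spec):
    """Least-privilege lint: name each restriction the project leaves wide open with '*'."""
    findings = []
    if "*" in spec.get("sourceRepos", []):
        findings.append("sourceRepos: any Git repository is trusted")
    if any(d.get("namespace") == "*" and d.get("server") == "*" for d in spec.get("destinations", [])):
        findings.append("destinations: any cluster and any namespace")
    if any(e == {"group": "*", "kind": "*"} for e in spec.get("clusterResourceWhitelist", [])):
        findings.append("clusterResourceWhitelist: every cluster-scoped kind, RBAC and CRDs included")
    return findings
```

Running `wildcard_findings` over a project before it is applied gives a quick review of how much of the restriction described in the overview it actually enforces.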
References
https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#projects