Argo CD project per namespace in a cluster

[cnukwas]

Hello All,

I am new to Argo CD and we're setting up Argo CD in our environments and wanted to clarify few things.
Our developers are restricted to a single namespace in Dev and production environments, with more access in Dev than in production cluster(Kubernetes RBAC in place).
We use LDAP groups to restrict access to OpenShift web and oc CLI for authentication & authorization to assigned namespace(s). Wondering if we could use similar approach for configuring SSO and control Developers access to Argo CD web UI and CLI, not to allow Kubernetes deployments and Applications set up into assigned namespace only.
Based on my limited knowledge it appears to be possible, but haven't tried worked on that yet.
Please correct me if my understanding is incorrect or this is not a recommended practice for Argo CD.
This approach would help us to have a single Argo CD set up per cluster, to avoid setting it up for each namespace.

Please provide any insight on this if anyone has done similar set up.

Thanks

[jessesuen]

If I understand your use case correctly, yes this is possible. Namespace isolation is a very common practice and Argo CD was designed to accommodate this as a pattern. Argo has a feature called projects, which are provisioned for developers by cluster operators. See: https://argoproj.github.io/argo-cd/user-guide/projects/.

The idea is that a cluster operator will create a project for a development team and do the following:

• create a role in the project suitable for desired developer permissions (e.g. sync, view)
• bind the role to an OIDC group (you can use the LDAP connector with dex)
• restrict the project capabilities by restricting it to specific clusters/namespace
• also restrict what resource kinds are allowed to be deployed in the project

[cnukwas]

This is exactly what I am trying to set up, thanks for the response. I also see few examples at argo_blog and Argo CD LDAP set up. Will try to set up a sample project and go from there.