diff --git a/platform/bootstrap/root-app-project.yaml b/platform/bootstrap/root-app-project.yaml
index 7969369..23af588 100644
--- a/platform/bootstrap/root-app-project.yaml
+++ b/platform/bootstrap/root-app-project.yaml
@@ -13,9 +13,7 @@ spec:
     - namespace: "*"
       server: https://kubernetes.default.svc
   clusterResourceWhitelist:
-    # Broad allow; some Argo CD builds still reject certain cluster kinds unless named explicitly.
-    - group: "*"
-      kind: "*"
+    # Avoid group/kind "*" alone on some Argo CD 3.x builds (can block webhooks); list common cluster-scoped kinds.
     - group: admissionregistration.k8s.io
       kind: MutatingWebhookConfiguration
     - group: admissionregistration.k8s.io
@@ -26,6 +24,18 @@ spec:
       kind: ClusterRole
     - group: rbac.authorization.k8s.io
       kind: ClusterRoleBinding
+    - group: rbac.authorization.k8s.io
+      kind: Role
+    - group: rbac.authorization.k8s.io
+      kind: RoleBinding
+    - group: storage.k8s.io
+      kind: StorageClass
+    - group: scheduling.k8s.io
+      kind: PriorityClass
+    - group: networking.k8s.io
+      kind: IngressClass
+    - group: cilium.io
+      kind: CiliumClusterwideNetworkPolicy
   namespaceResourceWhitelist:
     - group: "*"
       kind: "*"