From b4df833efbe48f62c01a2c3d7f2229a38ba267c6 Mon Sep 17 00:00:00 2001
From: Deep Koluguri <deepkoluguri@gmail.com>
Date: Mon, 11 May 2026 13:49:06 -0400
Subject: [PATCH] AppProject: explicit cluster-scoped kinds (webhooks, CRDs,
 RBAC, Cilium CWNP)

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 platform/bootstrap/root-app-project.yaml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/platform/bootstrap/root-app-project.yaml b/platform/bootstrap/root-app-project.yaml
index 7969369..23af588 100644
--- a/platform/bootstrap/root-app-project.yaml
+++ b/platform/bootstrap/root-app-project.yaml
@@ -13,9 +13,7 @@ spec:
     - namespace: "*"
       server: https://kubernetes.default.svc
   clusterResourceWhitelist:
-    # Broad allow; some Argo CD builds still reject certain cluster kinds unless named explicitly.
-    - group: "*"
-      kind: "*"
+    # Avoid group/kind "*" alone on some Argo CD 3.x builds (can block webhooks); list common cluster-scoped kinds.
     - group: admissionregistration.k8s.io
       kind: MutatingWebhookConfiguration
     - group: admissionregistration.k8s.io
@@ -26,6 +24,18 @@ spec:
       kind: ClusterRole
     - group: rbac.authorization.k8s.io
       kind: ClusterRoleBinding
+    - group: rbac.authorization.k8s.io
+      kind: Role
+    - group: rbac.authorization.k8s.io
+      kind: RoleBinding
+    - group: storage.k8s.io
+      kind: StorageClass
+    - group: scheduling.k8s.io
+      kind: PriorityClass
+    - group: networking.k8s.io
+      kind: IngressClass
+    - group: cilium.io
+      kind: CiliumClusterwideNetworkPolicy
   namespaceResourceWhitelist:
     - group: "*"
       kind: "*"