AppProject: explicit cluster-scoped kinds (webhooks, CRDs, RBAC, Cilium CWNP)

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-11 13:49:06 -04:00 · 2026-05-11 13:49:06 -04:00 · b4df833efb
parent 6b519f6b12
commit b4df833efb
1 changed files with 13 additions and 3 deletions
--- a/platform/bootstrap/root-app-project.yaml
+++ b/platform/bootstrap/root-app-project.yaml
@ -13,9 +13,7 @@ spec:
    - namespace: "*"
      server: https://kubernetes.default.svc
  clusterResourceWhitelist:
-    # Broad allow; some Argo CD builds still reject certain cluster kinds unless named explicitly.
-    - group: "*"
-      kind: "*"
+    # Avoid group/kind "*" alone on some Argo CD 3.x builds (can block webhooks); list common cluster-scoped kinds.
    - group: admissionregistration.k8s.io
      kind: MutatingWebhookConfiguration
    - group: admissionregistration.k8s.io
@ -26,6 +24,18 @@ spec:
      kind: ClusterRole
    - group: rbac.authorization.k8s.io
      kind: ClusterRoleBinding
+    - group: rbac.authorization.k8s.io
+      kind: Role
+    - group: rbac.authorization.k8s.io
+      kind: RoleBinding
+    - group: storage.k8s.io
+      kind: StorageClass
+    - group: scheduling.k8s.io
+      kind: PriorityClass
+    - group: networking.k8s.io
+      kind: IngressClass
+    - group: cilium.io
+      kind: CiliumClusterwideNetworkPolicy
  namespaceResourceWhitelist:
    - group: "*"
      kind: "*"