

Maven / GitOps Interview Questions

How does Argo CD handle RBAC and multi-tenancy?

Argo CD implements multi-tenancy through two complementary mechanisms: AppProjects (what an Application is allowed to deploy, from which sources, to which destinations) and RBAC policies (who is allowed to do what through the API, UI and CLI).

AppProject is a custom resource (in the argocd namespace) that every Application is assigned to via spec.project; it scopes what those Applications can do:

  • sourceRepos: limits which Git repositories are allowed as Application sources for this project.
  • destinations: limits which cluster/namespace combinations Applications in this project can deploy to (namespace and server accept glob patterns).
  • clusterResourceWhitelist / namespaceResourceBlacklist: controls which Kubernetes resource kinds are permitted. Cluster-scoped kinds are denied unless whitelisted (an empty whitelist allows none), while namespaced kinds are allowed unless blacklisted; namespaceResourceWhitelist exists for the stricter allow-list form.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-frontend
  namespace: argocd
spec:
  sourceRepos:
    - https://github.com/org/frontend-config.git
  destinations:
    - namespace: frontend-*
      server: https://kubernetes.default.svc
  clusterResourceWhitelist:
    - group: ""
      kind: Namespace
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota

RBAC is configured in the argocd-rbac-cm ConfigMap (key policy.csv) using Casbin policy syntax. Each p line grants or denies one action on one resource pattern to a subject; its last field is the effect, allow or deny, and a matching deny overrides any matching allow. g lines map users or SSO group claims to roles, and policy.default names the role that applies when no p line matches a request.

# argocd-rbac-cm data.policy.csv
# p, <role/user/group>, <resource>, <action>, <appproject>/<object>, <effect>
p, role:frontend-dev, applications, get, team-frontend/*, allow
p, role:frontend-dev, applications, sync, team-frontend/*, allow
p, role:frontend-dev, applications, action/*, team-frontend/*, allow

# g, <user or SSO group>, <role>
g, engineering-frontend@example.com, role:frontend-dev

Built-in roles: role:readonly (view-only across all projects) and role:admin (full access). Custom roles can also be declared inside an AppProject (spec.roles); such project roles can only reference that project's Applications and can be issued JWT tokens, which is how CI pipelines are usually given sync rights. Combined, AppProjects and RBAC let you give a team full control over their own Applications without them being able to see or affect other teams' workloads. Two caveats: AppProject limits are enforced server-side no matter who triggers a sync, whereas RBAC only controls who may issue requests; and if policy.default is role:readonly (a common setting), every authenticated user can still read every team's Applications, so leave it unset or empty when tenant isolation matters.
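To see how the p and g lines above combine with policy.default, here is a small evaluator (an added example, not Argo CD's code) that mirrors the shape of Argo CD's Casbin model: a request is allowed when at least one matching p line says allow and none says deny, g lines are resolved transitively, and policy.default is tried only when nothing matched. The policy text and the users are constructed for the example; glob matching uses Python's fnmatch, which is an approximation of Argo CD's matcher (both let `*` span `/`).

```python
"""Toy evaluator for an argocd-rbac-cm policy.csv (added example, not Argo CD code)."""
from fnmatch import fnmatchcase

# Constructed policy: the page's rules with the effect field Argo CD requires,
# plus a subset of the built-in role:readonly and role:admin lines.
POLICY_CSV = """
p, role:frontend-dev, applications, get, team-frontend/*, allow
p, role:frontend-dev, applications, sync, team-frontend/*, allow
p, role:frontend-dev, applications, action/*, team-frontend/*, allow
g, engineering-frontend@example.com, role:frontend-dev

p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:admin, applications, *, */*, allow
"""


def parse_policy(csv_text):
    """Return (p_rules, g_rules): p as (sub, res, act, obj, eff), g as (member, role)."""
    p_rules, g_rules = [], []
    for raw in csv_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            p_rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            g_rules.append((fields[1], fields[2]))
        else:  # e.g. a p line without its allow/deny effect
            raise ValueError(f"malformed policy line: {raw!r}")
    return p_rules, g_rules


def expand_roles(subjects, g_rules):
    """Transitively resolve g lines: user/group -> role, role -> role."""
    seen = set(subjects)
    frontier = list(subjects)
    while frontier:
        member = frontier.pop()
        for m, role in g_rules:
            if m == member and role not in seen:
                seen.add(role)
                frontier.append(role)
    return seen


def _enforce(subjects, resource, action, obj, p_rules):
    """Casbin effect 'some allow && !some deny' over the matching p lines."""
    allowed = denied = False
    for sub, res, act, o, eff in p_rules:
        if (sub in subjects and fnmatchcase(resource, res)
                and fnmatchcase(action, act) and fnmatchcase(obj, o)):
            if eff == "allow":
                allowed = True
            elif eff == "deny":
                denied = True
    return allowed and not denied


def is_allowed(user, groups, resource, action, obj, csv_text, policy_default=""):
    """The user and each SSO group claim are tried as subjects; policy.default
    (e.g. 'role:readonly') is consulted only if no line matched."""
    p_rules, g_rules = parse_policy(csv_text)
    subjects = expand_roles([user, *groups], g_rules)
    if _enforce(subjects, resource, action, obj, p_rules):
        return True
    if policy_default:
        fallback = expand_roles([policy_default], g_rules)
        return _enforce(fallback, resource, action, obj, p_rules)
    return False


if __name__ == "__main__":
    alice = ("alice@example.com", ["engineering-frontend@example.com"])  # constructed user
    print(is_allowed(*alice, "applications", "sync", "team-frontend/web", POLICY_CSV))  # True
    print(is_allowed(*alice, "applications", "get", "team-backend/api", POLICY_CSV))   # False
    # The leak: a readonly default role lets every authenticated user read all Applications.
    print(is_allowed(*alice, "applications", "get", "team-backend/api", POLICY_CSV,
                     "role:readonly"))  # True
```

The last call is the case to watch for in a review: with policy.default set to role:readonly, the team-frontend scoping in the p lines still holds for sync and actions, but the read-only fallback silently grants get on every other team's Applications.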

Which Argo CD resource restricts which Git repositories and destination namespaces a team's Applications can use?
What policy engine does Argo CD use internally to evaluate RBAC rules?



