Skip to main content
The argocd proj (or argocd project) command manages projects, which provide logical grouping of applications with RBAC policies, resource restrictions, and access controls.

Quick Examples

# List all projects
argocd proj list

# Create a new project
argocd proj create my-project

# Delete a project
argocd proj delete my-project

# Edit project settings
argocd proj edit my-project

Understanding Projects

Projects provide:
  • Logical grouping of applications
  • RBAC policies for access control
  • Source repositories whitelist
  • Destination clusters and namespaces whitelist
  • Resource allow/deny lists (which Kubernetes resources can be deployed)
  • Orphaned resources monitoring
  • Sync windows for controlling when deployments can occur
The default project exists in all Argo CD installations and has no restrictions by default.

Subcommands

create

Create a new project. 
# Basic project creation
argocd proj create my-project

# Create with description
argocd proj create my-project --description "Production applications"

# Create with source repositories
argocd proj create my-project \
  --src https://github.com/myorg/* \
  --src https://charts.helm.sh/stable

# Create with destinations
argocd proj create my-project \
  --dest https://kubernetes.default.svc,my-namespace \
  --dest https://prod-cluster,prod-*

# Create allowing specific resources
argocd proj create my-project \
  --allow-cluster-resource Namespace \
  --allow-namespaced-resource Deployment \
  --allow-namespaced-resource Service
Key Flags:
--description
string
Project description
--src
string[]
Permitted source repository URLs (supports wildcards)
--dest
string[]
Permitted destination in format: SERVER,NAMESPACE
--allow-cluster-resource
string[]
Allow cluster-scoped resource (e.g., Namespace, ClusterRole)
--allow-namespaced-resource
string[]
Allow namespaced resource (e.g., Deployment, Service)
--orphaned-resources-warn
boolean
Warn on orphaned resources

list

List all projects. 
# List projects
argocd proj list

# List as JSON
argocd proj list -o json

# List as YAML
argocd proj list -o yaml
Output: 
NAME         DESCRIPTION                     DESTINATIONS  SOURCES  CLUSTER-RESOURCE-WHITELIST  NAMESPACE-RESOURCE-WHITELIST  SIGNATURE-KEYS  ORPHANED-RESOURCES
default                                      *,*           *        */*                         */*                                           disabled
production   Production applications         2             3        5 resources                  10 resources                                  warn
dev-team     Development team applications   1             2        */*                         */*                                           disabled

get

Get detailed information about a project. 
# Get project details
argocd proj get my-project

# Get as YAML
argocd proj get my-project -o yaml

# Get as JSON
argocd proj get my-project -o json
Output: 
Name:                        my-project
Description:                 Production applications
Orphaned Resources:          enabled (warn)
Source Repositories:         
  https://github.com/myorg/*
  https://charts.helm.sh/stable

Destinations:
  Server                              Namespace  Name
  https://kubernetes.default.svc      prod-*     in-cluster
  https://prod-cluster.example.com    *          production

Allowed Cluster Resources:
  GROUP  KIND
  *      Namespace
  *      ClusterRole
  *      ClusterRoleBinding

Allowed Namespace Resources:
  GROUP  KIND
  *      Deployment
  *      Service
  *      ConfigMap
  *      Secret

Project Roles:
  NAME       POLICIES
  admin      Full access
  developer  Read-only access

set

Update project settings. 
# Set description
argocd proj set my-project --description "Updated description"

# Enable orphaned resources warning
argocd proj set my-project --orphaned-resources-warn

edit

Edit project in your default editor. 
# Edit project manifest
argocd proj edit my-project
This opens the project YAML in your $EDITOR.

delete

Delete a project. 
# Delete project
argocd proj delete my-project

# Delete without confirmation
argocd proj delete my-project --yes
You cannot delete a project that has applications. Delete or move all applications first.

Managing Sources

add-source

Add permitted source repository. 
# Add specific repository
argocd proj add-source my-project https://github.com/myorg/myrepo.git

# Add with wildcard
argocd proj add-source my-project 'https://github.com/myorg/*'

# Add Helm repository
argocd proj add-source my-project https://charts.bitnami.com/bitnami

remove-source

Remove permitted source repository. 
argocd proj remove-source my-project https://github.com/myorg/oldrepo.git

add-source-namespace

Add source namespace for ApplicationSet. 
argocd proj add-source-namespace my-project argocd
argocd proj add-source-namespace my-project my-apps

remove-source-namespace

Remove source namespace. 
argocd proj remove-source-namespace my-project old-namespace

Managing Destinations

add-destination

Add permitted destination cluster and namespace. 
# Add specific cluster and namespace
argocd proj add-destination my-project \
  https://kubernetes.default.svc \
  production

# Add with namespace wildcard
argocd proj add-destination my-project \
  https://prod-cluster.example.com \
  'prod-*'

# Add allowing all namespaces
argocd proj add-destination my-project \
  https://kubernetes.default.svc \
  '*'
server
string
required
Kubernetes cluster server URL
namespace
string
required
Target namespace (supports wildcards)
--name
string
Cluster name instead of server URL

remove-destination

Remove permitted destination. 
argocd proj remove-destination my-project \
  https://old-cluster.example.com \
  old-namespace

add-destination-service-account

Add service account for destination. 
argocd proj add-destination-service-account my-project \
  https://kubernetes.default.svc \
  production \
  deployer

remove-destination-service-account

Remove service account from destination. 
argocd proj remove-destination-service-account my-project \
  https://kubernetes.default.svc \
  production \
  old-deployer

Resource Whitelists/Blacklists

allow-cluster-resource

Add cluster-scoped resource to allow list. 
# Allow specific cluster resources
argocd proj allow-cluster-resource my-project Namespace
argocd proj allow-cluster-resource my-project ClusterRole
argocd proj allow-cluster-resource my-project CustomResourceDefinition

# Allow with API group
argocd proj allow-cluster-resource my-project PersistentVolume --group ''
argocd proj allow-cluster-resource my-project ClusterIssuer --group cert-manager.io

deny-cluster-resource

Add cluster-scoped resource to deny list. 
argocd proj deny-cluster-resource my-project ClusterRoleBinding

allow-namespace-resource

Add namespaced resource to allow list. 
# Allow common resources
argocd proj allow-namespace-resource my-project Deployment
argocd proj allow-namespace-resource my-project Service
argocd proj allow-namespace-resource my-project ConfigMap
argocd proj allow-namespace-resource my-project Secret

# Allow with API group
argocd proj allow-namespace-resource my-project Certificate --group cert-manager.io
argocd proj allow-namespace-resource my-project Rollout --group argoproj.io

deny-namespace-resource

Add namespaced resource to deny list. 
argocd proj deny-namespace-resource my-project NetworkPolicy

Project Roles

Manage RBAC roles within a project.

role create

Create a new project role. 
# Create role
argocd proj role create my-project developer

# Create with description
argocd proj role create my-project ops-team \
  --description "Operations team access"

role list

List project roles. 
argocd proj role list my-project
Output: 
NAME       DESCRIPTION
admin      Project administrators
developer  Developer access
ci-cd      CI/CD service account

role get

Get role details. 
argocd proj role get my-project developer

role delete

Delete a project role. 
argocd proj role delete my-project old-role

role add-policy

Add policy to project role. 
# Allow getting any application
argocd proj role add-policy my-project developer \
  --action get \
  --permission allow \
  --object '*'

# Allow syncing specific applications
argocd proj role add-policy my-project developer \
  --action sync \
  --permission allow \
  --object 'my-project/my-app'

# Multiple permissions
argocd proj role add-policy my-project admin \
  --action '*' \
  --permission allow \
  --object '*'
Policy Actions:
  • get - View application
  • create - Create application
  • update - Update application
  • delete - Delete application
  • sync - Sync application
  • override - Override application parameters
  • * - All actions

role remove-policy

Remove policy from project role. 
argocd proj role remove-policy my-project developer \
  --action sync \
  --object 'my-project/old-app'

role add-group

Associate SSO group with project role. 
# Add OIDC/SAML group
argocd proj role add-group my-project developer engineering-team
argocd proj role add-group my-project admin platform-admins

role remove-group

Remove SSO group from project role. 
argocd proj role remove-group my-project developer old-team

role create-token

Create authentication token for project role. 
# Create token
argocd proj role create-token my-project ci-cd

# Create with expiration
argocd proj role create-token my-project ci-cd --expires-in 90d

# Create with specific ID
argocd proj role create-token my-project ci-cd --id github-actions
Output: 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

role list-tokens

List tokens for a project role. 
argocd proj role list-tokens my-project ci-cd

role delete-token

Delete authentication token. 
argocd proj role delete-token my-project ci-cd 1234567890

Sync Windows

Control when applications can be synced.

windows add

Add a sync window. 
# Allow sync during business hours
argocd proj windows add my-project \
  --schedule "0 9 * * 1-5" \
  --duration 8h \
  --applications '*'

# Deny sync during maintenance
argocd proj windows add my-project \
  --kind deny \
  --schedule "0 2 * * 0" \
  --duration 4h \
  --applications '*'

# Allow manual sync only
argocd proj windows add my-project \
  --schedule "0 0 * * *" \
  --duration 24h \
  --manual-sync
--schedule
string
required
Cron schedule (e.g., “0 9 * * 1-5” for weekdays 9am)
--duration
string
required
Window duration (e.g., 1h, 30m, 8h)
--kind
string
default:"allow"
Window type: allow or deny
--applications
string[]
Applications to which window applies (supports wildcards)
--namespaces
string[]
Namespaces to which window applies
--clusters
string[]
Clusters to which window applies
--manual-sync
boolean
Allow manual sync during this window

windows list

List sync windows. 
argocd proj windows list my-project

windows delete

Delete a sync window. 
argocd proj windows delete my-project 0

windows enable-manual-sync / disable-manual-sync

Control manual sync in windows. 
# Enable manual sync for window
argocd proj windows enable-manual-sync my-project 0

# Disable manual sync
argocd proj windows disable-manual-sync my-project 0

Common Workflows

Create Production Project

# Create project
argocd proj create production \
  --description "Production applications and infrastructure"

# Add source repositories
argocd proj add-source production 'https://github.com/myorg/prod-apps/*'
argocd proj add-source production 'https://charts.helm.sh/stable'

# Add destination clusters
argocd proj add-destination production https://prod-us-east.example.com '*'
argocd proj add-destination production https://prod-us-west.example.com '*'

# Allow standard resources
argocd proj allow-cluster-resource production Namespace
argocd proj allow-namespace-resource production Deployment
argocd proj allow-namespace-resource production Service
argocd proj allow-namespace-resource production ConfigMap
argocd proj allow-namespace-resource production Secret
argocd proj allow-namespace-resource production Ingress

# Add maintenance window
argocd proj windows add production \
  --kind deny \
  --schedule "0 2 * * 0" \
  --duration 4h \
  --applications '*'

Create Development Project

# Create project with relaxed permissions
argocd proj create development \
  --description "Development and testing applications"

# Allow any source
argocd proj add-source development '*'

# Allow dev clusters and namespaces
argocd proj add-destination development https://dev-cluster.example.com 'dev-*'
argocd proj add-destination development https://dev-cluster.example.com 'test-*'

# Allow all resources (development only!)
argocd proj allow-cluster-resource development '*' --group '*'
argocd proj allow-namespace-resource development '*' --group '*'

Setup RBAC for Team

# Create team role
argocd proj role create my-project developers

# Add policies
argocd proj role add-policy my-project developers \
  --action get --permission allow --object '*'
argocd proj role add-policy my-project developers \
  --action sync --permission allow --object '*'
argocd proj role add-policy my-project developers \
  --action update --permission allow --object '*'

# Link to SSO group
argocd proj role add-group my-project developers engineering-team

# Create token for CI/CD
argocd proj role create-token my-project developers --id github-actions

Best Practices

  • Use separate projects for different environments (prod, staging, dev)
  • Define explicit source repositories instead of using wildcards
  • Use resource whitelists to enforce governance
  • Leverage sync windows for production change management
  • Create role-based access with SSO group integration
  • Use project tokens for CI/CD pipelines
  • Monitor orphaned resources in production projects
  • Document project policies and intended usage

Next Steps

App Commands

Create applications within projects

Account Commands

Manage user accounts and permissions