Argo CD Security Baseline

Purpose: keep this page as a concise baseline instead of a dead compatibility stub. Use it when reviewing an Argo CD deployment or when deciding what belongs in the minimum secure GitOps control set.

Baseline expectations

• do not leave the default project permissive for long-lived production use;
• create dedicated AppProject objects with explicit sourceRepos, destinations, and resource allowlists;
• treat any project that can deploy into the Argo CD namespace as highly privileged;
• restrict who can override sync windows or use manual sync bypasses;
• review repository trust, image trust, and cluster destinations together.

What to open next

• Argo CD AppProject and Sync Windows
• Protected Environments and Deployment Approvals
• Runner Isolation and Trust Boundaries

Quick review questions

1. Is the default project still effectively * to *?
2. Can a non-admin team deploy into the Argo CD namespace or other control-plane namespaces?
3. Are sync windows used to separate normal delivery from emergency change paths?
4. Is there a clear approval and audit trail for manual overrides?