docs(projects): Add section on how to restrict the default project

argoproj · Feb 3, 2025 · 43170ca · 43170ca
1 parent 95b8a4a
commit 43170ca
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/docs/user-guide/projects.md b/docs/user-guide/projects.md
@@ -9,7 +9,7 @@ Projects provide a logical grouping of applications, which is useful when Argo C
 
 ### The Default Project
 
-Every application belongs to a single project. If unspecified, an application belongs to the `default` project, which is created automatically and by default, permits deployments from any source repo, to any cluster, and all resource Kinds. The default project can be modified, but not deleted. When initially created, it's specification is configured to be the most permissive:
+Every application belongs to a single project. If unspecified, an application belongs to the `default` project, which is created automatically and by default, permits deployments from any source repo, to any cluster, and all resource Kinds. When initially created, it's specification is configured to be the most permissive:
 
 ```yaml
 spec:
@@ -23,6 +23,24 @@ spec:
     kind: '*'
 ```
 
+The `default` project can be modified, but not deleted. The project is useful for initial testing, but it is recommended to create dedicated projects with explicit source, destination, and resource permissions.
+
+To remove all permissions from the `default` project, apply the following manifest to the namespace where Argo CD is installed:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: default
+spec:
+  sourceRepos: []
+  sourceNamespaces: []
+  destinations: []
+  clusterResourceWhitelist: []
+```
+
+After you modify the `default` project, any application that attempts to use it will be denied until you explicitly move the application to a more permissive project.
+
 ### Creating Projects
 
 Additional projects can be created to give separate teams different levels of access to namespaces. The following command creates a new project `myproject` which can deploy applications to namespace `mynamespace` of cluster `https://kubernetes.default.svc`. The permitted Git source repository is set to `https://github.com/argoproj/argocd-example-apps.git` repository.