Openshift groups, ArgoCD Projects, resource allow lists, rbac access
We'll need to set up argocd projects for different teams, and control which projects are allowed to deploy what resources and to which namespaces etc. Then there's RBAC access, limiting argocd access to users accordingly.
More information can be found from the argocd documentation:
With that said, the projects and team structure to start with I'm thinking would be:
Openshift Groups needed:
- argocdadmins
- operate-first
- thoth
- data-science
Argocd Projects:
- cluster-management
- thoth
- operate-first
- data-science.yaml
The relationship would be as follows:
- argocdadmins have unrestricted access to argocd, they are the only group that has access to the cluster-management argocd project
- thoth, operate-first, data-science openshift groups would have access to their respective argocd projects and some additional read-only permissions to certain argocd resources.
Then we add an allow-list for thoth/operate-first/data-science containing the list of resources that users can deploy via these projects, disallowing any cluster resources.
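
A sketch of the layout proposed above for one team, as an added example that is not part of the original post: an `AppProject` with a namespaced-resource allow list and no cluster-scoped resources, plus the global RBAC ConfigMap mapping the OpenShift groups. The `argocd` namespace, the repository URL, the `thoth-*` namespace pattern, the allow-listed kinds, and the role names `project-admin` and `team-readonly` are assumptions.

```yaml
# Added example; values marked "assumed" or "placeholder" are not from the original post.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: thoth
  namespace: argocd                 # assumed: namespace where Argo CD is installed
spec:
  description: Thoth team project
  sourceRepos:
    - https://github.com/example-org/thoth-manifests.git   # placeholder repo
  destinations:
    - server: https://kubernetes.default.svc
      namespace: thoth-*            # assumed namespace naming scheme
  clusterResourceWhitelist: []      # empty: no cluster-scoped resources allowed
  namespaceResourceWhitelist:       # assumed allow list; only these kinds may be deployed
    - group: apps
      kind: Deployment
    - group: ""
      kind: Service
    - group: ""
      kind: ConfigMap
    - group: route.openshift.io
      kind: Route
  roles:
    - name: project-admin           # assumed role name
      description: Manage applications in the thoth project only
      policies:
        - p, proj:thoth:project-admin, applications, *, thoth/*, allow
      groups:
        - thoth                     # OpenShift group from the list above
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd                 # assumed
data:
  policy.default: ""                # no access unless a rule grants it
  policy.csv: |
    g, argocdadmins, role:admin
    p, role:team-readonly, clusters, get, *, allow
    p, role:team-readonly, repositories, get, *, allow
    g, thoth, role:team-readonly
    g, operate-first, role:team-readonly
    g, data-science, role:team-readonly
```

The operate-first and data-science projects would follow the same shape, each with its own destinations, allow list and group binding; only argocdadmins, through the built-in `role:admin`, can reach the cluster-management project.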