A cluster-scoped instance is intended to deploy and manage resources across a cluster.
Note: If you intend to use the Applications in any namespace feature, set the Argo CD instance scope to cluster-scoped.
Cluster-scoped instances have access to cluster-level resources and thus are typically, but not always, used for cluster configuration. You can choose to elevate certain namespace-scoped Argo CD instances to become cluster-scoped. To elevate the instances, you must change the Subscription resource of the {gitops-shortname} Operator.
Important: Much care must be taken when setting up multitenancy in Argo CD. For example, if cluster administrators manage a shared Argo CD instance for many application teams, a custom cluster-scoped instance might be appropriate.

To prevent users from deploying Argo CD instances with cluster-admin privileges, you must identify the namespaces with cluster privileges by using the ARGOCD_CLUSTER_CONFIG_NAMESPACES environment variable in the Subscription resource.

Because non-cluster administrators do not have access to the Subscription resource, they cannot elevate the privileges of their instance and bypass cluster security.
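As an added example (not part of this documentation or the Operator's code), the following Python helper reads a Subscription, lists the namespaces its ARGOCD_CLUSTER_CONFIG_NAMESPACES value elevates, classifies the scope each Argo CD instance will receive, and builds the merge patch a cluster administrator would apply to elevate one more namespace. The Subscription JSON and the namespace names are constructed samples.

```python
import json

# Constructed sample of what `oc get subscription -o json` returns for the
# GitOps Operator, trimmed to the fields this helper reads.
SUBSCRIPTION_JSON = """
{
  "apiVersion": "operators.coreos.com/v1alpha1",
  "kind": "Subscription",
  "metadata": {"name": "openshift-gitops-operator",
               "namespace": "openshift-gitops-operator"},
  "spec": {"config": {"env": [
      {"name": "ARGOCD_CLUSTER_CONFIG_NAMESPACES",
       "value": "openshift-gitops, platform-gitops"}]}}
}
"""
ENV_NAME = "ARGOCD_CLUSTER_CONFIG_NAMESPACES"


def load_subscription() -> dict:
    return json.loads(SUBSCRIPTION_JSON)


def cluster_config_namespaces(subscription: dict) -> set:
    """Namespaces allowed to host cluster-scoped instances (comma-separated,
    surrounding whitespace tolerated). Empty set when the variable is unset."""
    env = subscription.get("spec", {}).get("config", {}).get("env", [])
    for item in env:
        if item.get("name") == ENV_NAME:
            return {ns.strip() for ns in item.get("value", "").split(",") if ns.strip()}
    return set()


def classify_instances(subscription: dict, argocd_namespaces: list) -> dict:
    """Scope the Operator grants each namespace that holds an ArgoCD CR."""
    allowed = cluster_config_namespaces(subscription)
    return {ns: "cluster-scoped" if ns in allowed else "namespace-scoped"
            for ns in argocd_namespaces}


def elevate_patch(subscription: dict, namespace: str) -> dict:
    """JSON merge patch for the Subscription that adds `namespace`. The whole
    env list is resent because a merge patch replaces lists, not appends."""
    env = subscription.get("spec", {}).get("config", {}).get("env", [])
    allowed = cluster_config_namespaces(subscription) | {namespace}
    new_env = [e for e in env if e.get("name") != ENV_NAME]
    new_env.append({"name": ENV_NAME, "value": ", ".join(sorted(allowed))})
    return {"spec": {"config": {"env": new_env}}}


if __name__ == "__main__":
    sub = load_subscription()
    # Constructed list of namespaces where ArgoCD CRs were found (oc get argocd -A).
    print(classify_instances(sub, ["openshift-gitops", "platform-gitops", "team-a"]))
    print(json.dumps(elevate_patch(sub, "team-a")))
```

Any namespace that appears as cluster-scoped here but is not expected to be is a finding worth reviewing, since its Application Controller holds cluster roles.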
When an instance is designated as cluster-scoped, the Operator automatically creates cluster roles and cluster role bindings. These are created for the Argo CD Application Controller and server service accounts in that namespace.
This default role is not intended to be equal to the standard cluster-admin role. It gives a much smaller set of permissions. You can extend these permissions by creating additional cluster roles or cluster role bindings as needed.