How to control what resources projects (not people) can apply? #14435
LCaparelli started this conversation in Ideas
Replies: 0 comments
We manage all of our org's applications using ArgoCD. This means all product applications AND all platform/infra applications that our platform team takes care of.
We've recently introduced Crossplane in our clusters and we want platform applications to be able to use managed resources. These are low-level infra resources, representing API resources in the cloud. In our case, AWS, and it enables us to manage stuff like Security Groups directly from K8s.
However, we don't want product applications to have access to these directly, as it would bypass our security policies. For example, we don't want product applications to be able to directly manage IAM policies and roles.
Now, I know that ArgoCD has features to support authorization, but as far as I can tell, these apply to users with active sessions with ArgoCD's API. It controls what users can do and see in the UI, for example.
Is there a way to control what K8s resources a project or application can apply?
I believe that we could solve the problem I described above if:
*.crossplane.io
*.crossplane.io