Description
Checklist:
- I've searched in the docs and FAQ for my answer: https://argo-cd.readthedocs.io/en/release-3.3/user-guide/projects/#managing-projects
- I've included steps to reproduce the bug.
- I've pasted the output of `argocd version`.
Describe the bug
When using AppProject destination restrictions with a whitelist namespace and several negated namespaces, Argo CD allows Applications to deploy resources into namespaces that are not explicitly allowed.
Based on the documentation, a destination should be valid only if:
- An allow rule matches
- No deny rule rejects it
However, resources are still applied to namespaces that don't match the allow rule (the first condition above).
To Reproduce
- Create an AppProject:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: test-project
spec:
  destinations:
    - namespace: allowed-ns
      server: "*"
    - namespace: "!kyverno"
      server: "*"
    - namespace: "!argocd"
      server: "*"
  sourceRepos:
    - "*"
```

- Create an Application in this project:

```yaml
spec:
  project: test-project
  destination:
    server: https://kubernetes.default.svc
    namespace: allowed-ns
```

- Deploy manifests containing a resource with:

```yaml
metadata:
  namespace: not-allowed-ns
```

Observed behavior
The resource is successfully created in not-allowed-ns even though this namespace is not listed in the project destinations. This, as far as I understood from the documentation, means that the allow rule is not matching and the destination should thus be invalid.
Expected behavior
Resources should only be deployable to allowed-ns.
Any resource targeting another namespace should be rejected during validation.
Version
v3.3.0
```json
{
  "Version": "v3.3.0",
  "BuildDate": "2026-02-02T07:28:36Z",
  "GitCommit": "fd6b7d5b3cba5e7aa7ad400b0fb905a81018a77b",
  "GitTag": "v3.3.0",
  "GitTreeState": "clean",
  "GoVersion": "go1.25.5",
  "Compiler": "gc",
  "Platform": "linux/amd64",
  "KustomizeVersion": "v5.8.0 2025-11-09T14:39:49Z",
  "HelmVersion": "v3.19.4+g7cfb6e4",
  "KubectlVersion": "v0.34.0",
  "JsonnetVersion": "v0.21.0"
}
```
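As an added illustration (not Argo CD's code, and not part of the report above), the following Go program evaluates the reporter's AppProject destinations under two readings of a negated entry: the documented reading quoted in the report, where a `!` entry can only deny, and an alternative reading where a `!` entry is a matcher in its own right, so `!kyverno` matches every namespace except `kyverno` and therefore also satisfies the allow check. The `Destination` type, the minimal wildcard matcher and both `Permitted*` functions are assumptions made for this example; which reading a given Argo CD release actually implements is not established by this page. Run against the namespaces from the report, only the second reading permits `not-allowed-ns`, which is the behaviour the reporter observed.

```go
package main

import (
	"fmt"
	"strings"
)

// Destination holds the two fields of an AppProject destination entry that
// matter for this issue (assumption: the real type also carries a name).
type Destination struct {
	Server    string
	Namespace string
}

// ClusterServer is the in-cluster API server used by the Application in the report.
const ClusterServer = "https://kubernetes.default.svc"

// IssueProject is the destinations list from the AppProject in the report.
var IssueProject = []Destination{
	{Namespace: "allowed-ns", Server: "*"},
	{Namespace: "!kyverno", Server: "*"},
	{Namespace: "!argocd", Server: "*"},
}

// wildcardMatch is a minimal glob where '*' matches any run of characters,
// including '/'. It stands in for the glob library Argo CD uses (assumption).
func wildcardMatch(pattern, val string) bool {
	if pattern == "" {
		return val == ""
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(val); i++ {
			if wildcardMatch(pattern[1:], val[i:]) {
				return true
			}
		}
		return false
	}
	return val != "" && pattern[0] == val[0] && wildcardMatch(pattern[1:], val[1:])
}

func isNegated(pattern string) bool { return strings.HasPrefix(pattern, "!") }

// ruleMatches drops the negation markers and asks whether the entry's
// patterns match the destination literally.
func ruleMatches(d Destination, server, ns string) bool {
	return wildcardMatch(strings.TrimPrefix(d.Server, "!"), server) &&
		wildcardMatch(strings.TrimPrefix(d.Namespace, "!"), ns)
}

// PermittedDenyOnly is the documented reading: a negated entry can only
// reject. Valid iff some non-negated entry matches and no negated entry matches.
func PermittedDenyOnly(dests []Destination, server, ns string) bool {
	allowed, denied := false, false
	for _, d := range dests {
		if isNegated(d.Server) || isNegated(d.Namespace) {
			if ruleMatches(d, server, ns) {
				denied = true
			}
		} else if ruleMatches(d, server, ns) {
			allowed = true
		}
	}
	return allowed && !denied
}

// fieldMatch treats "!pattern" as a matcher that accepts every value which
// does NOT match pattern.
func fieldMatch(pattern, val string) bool {
	if isNegated(pattern) {
		return !wildcardMatch(pattern[1:], val)
	}
	return wildcardMatch(pattern, val)
}

// PermittedNegationAsMatcher is the alternative reading: an entry whose
// fields all match (negated fields via fieldMatch) counts as an allow match;
// an entry whose negated field fails to match counts as a deny.
func PermittedNegationAsMatcher(dests []Destination, server, ns string) bool {
	allowed, denied := false, false
	for _, d := range dests {
		serverOK := fieldMatch(d.Server, server)
		nsOK := fieldMatch(d.Namespace, ns)
		switch {
		case serverOK && nsOK:
			allowed = true
		case (!serverOK && isNegated(d.Server)) || (!nsOK && isNegated(d.Namespace)):
			denied = true
		}
	}
	return allowed && !denied
}

func main() {
	for _, ns := range []string{"allowed-ns", "not-allowed-ns", "kyverno", "argocd"} {
		fmt.Printf("%-15s deny-only=%-5v negation-as-matcher=%v\n", ns,
			PermittedDenyOnly(IssueProject, ClusterServer, ns),
			PermittedNegationAsMatcher(IssueProject, ClusterServer, ns))
	}
}
```

The difference between the two functions is the whole question in this report: under `PermittedDenyOnly` a project whose only non-negated entry is `allowed-ns` rejects `not-allowed-ns`, while under `PermittedNegationAsMatcher` the `!kyverno` and `!argocd` entries act as near-wildcards that grant any other namespace. A project that wants a strict whitelist should not rely on negated entries to narrow it, since their effect depends on which reading the controller implements.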