docs: Add section on how to lock down/restrict the default project

[dag-andersen]

Motivation
This section clarifies how to lock down the default project — something that wasn’t immediately clear in the original documentation. By outlining the steps to restrict its default permissions, it helps teams maintain tighter security and safer clusters.

Related to this GitHub Issue: Restrict the default project #11058

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.

[bunnyshell]

✅ Preview Environment deployed on Bunnyshell

Component	Endpoints
argocd	https://argocd-lowbwn.bunnyenv.com/
argocd-ttyd	https://argocd-web-cli-lowbwn.bunnyenv.com/

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🔴 /bns:stop to stop the environment
• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[crenshaw-dev]

Big fan of this! One note.

[crenshaw-dev]

clusterResourceWhitelist: [] is the default.

Namespaced resources are all allowed by default. To lock that down, you'd want a ,,* rule for namespaceResourceBlacklist.

[dag-andersen]

Ah, alright!

I've now added namespaceResourceBlacklist instead 👍🏻

Is clusterResourceWhitelist: [] equivalent to:

  clusterResourceWhitelist:
  - group: '*'
    kind: '*'

?

When running argocd proj list, the first option appears as <none>, while the second one shows as */*. Are they treated the same behind the scenes? :)

[crenshaw-dev]

An empty cluster whitelist is equivalent to "don't allow anything," which is the default. So it's not problematic, just redundant.

[dag-andersen]

Ah, yes! Now I understand — I had flipped it in my mind.
Thanks! 😊