ArgoCD drift detection

12/3/2019

How does argoCD does drift detection ? Say I used a git repo to deploy an app to K8S, which exposes the service to LoadBalancer. Once the sync happens on ArgoCD the application get deployed and endpoint is accessible using LoadBalancer. Now somebody with access to AWS Console goes and changes the security group rule for the LoadBalancer. Whitelisted cidr is not part of securitygroup anymore. How does ArgoCD catches this drift and puts the desirable state which is in the git back to the deployment

-- devnull
continuous-integration
detection
drift
kubernetes

2 Answers

12/3/2019

In general, via the exposed metrics https://argoproj.github.io/argo-cd/operator-manual/metrics/. That said, the specific case you ask about, I'm not sure that would help. That's more at the level of Kubernetes' cloud controller system than Argo. At most, Argo can detect when Kubernetes' object data is out of sync with Git or vice versa. The issue you raise is when Kubernetes' object is right, but is itself out of sync with some deeper reality. The ccm should, in theory, correct this automatically through periodic reconciliation but I'm not certain it does, would have to check the code.

-- coderanger
Source: StackOverflow

12/13/2019

Argo CD uses the same logic as kubectl diff/apply. It calculates json patch between live k8s resource manifest, manifest from git and manifest from kubectl.kubernetes.io/last-applied-configuration annotation if it is presented. If calculated patch is not empty then the resource is considered out of sync.

However same as kubectl Argo CD only cares about Kubernetes resource manifest. It is unable to detect the change in AWS configuration. This is the job of the corresponding resource controller. It should notice the difference and resolve it.

-- Alexander Matyushentsev
Source: StackOverflow