argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

FEATURE: Notice / prune objects NOT created by Argocd #8490

Open KlavsKlavsen opened 2 years ago

KlavsKlavsen commented 2 years ago

Summary

It would be nice if argocd could be configured to notice objects NOT managed by it, and complain in some way.

It would also be very nice to be able to simply 'sync', i.e. for argocd to REMOVE the 'illegal' objects.

Motivation

We can then make alerts if this happens, as we want to detect if anyone is editing or adding k8s objects outside argocd, to ensure we ARE 100% GitOps.

We also often see that PVC sizes, for example, are simply edited on the PVC directly, instead of in argocd first. This does create a sync complaint IF argocd creates the PVC directly, but NOT when, for example, a StatefulSet creates the PVC.

Proposal

I would suggest that it is implemented as a general feature, which simply goes through every object in k8s and verifies that they are managed by an argocd application, allowing for some specific metadata header (or a list in argocd, to avoid anyone purposely cheating perhaps :)) to exclude an object or namespace from those being complained about.

jessesuen commented 2 years ago

I believe you are looking for the orphaned resource feature: https://argo-cd.readthedocs.io/en/stable/user-guide/orphaned-resources/

But it doesn't do anything with removal of objects. Just presentation and warning.
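The check the issue proposes, and the narrower one the orphaned-resources feature performs (top-level namespaced resources in an application's namespace that no Application claims), both come down to looking for objects without an Argo CD tracking marker. The script below is an added example for this thread, not Argo CD's own code: it walks a constructed snapshot shaped like the `items` of `kubectl get ... -A -o json` and reports top-level objects that carry neither the default tracking label `app.kubernetes.io/instance` nor the `argocd.argoproj.io/tracking-id` annotation (the two real keys Argo CD uses, depending on `resourceTrackingMethod`). The `SYSTEM_NAMESPACES` set, the ignore list (shaped like `AppProject` `spec.orphanedResources.ignore` entries, with glob matching added here as this script's own choice) and every object name are made up for the demonstration.

```python
"""Report Kubernetes objects that carry no Argo CD tracking marker.

Added example for this issue thread; not Argo CD code. SAMPLE_ITEMS is a
constructed snapshot standing in for `kubectl get deploy,sts,pvc,cm,secret -A -o json`.
"""
import fnmatch

# Real Argo CD keys: the default tracking label and the annotation used by
# the annotation-based tracking methods.
TRACKING_LABEL = "app.kubernetes.io/instance"
TRACKING_ANNOTATION = "argocd.argoproj.io/tracking-id"

# Namespaces the cluster populates itself (assumption for this example).
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease", "argocd"}

# Shaped like AppProject spec.orphanedResources.ignore entries; glob
# matching on group/kind/name is this script's choice, not an Argo CD claim.
IGNORE = [
    {"group": "", "kind": "ConfigMap", "name": "kube-root-ca.crt"},
    {"group": "", "kind": "ServiceAccount", "name": "default"},
]

# Constructed input: names, namespaces and values are invented.
SAMPLE_ITEMS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "shop",
                  "labels": {TRACKING_LABEL: "shop"}}},
    {"apiVersion": "apps/v1", "kind": "ReplicaSet",
     "metadata": {"name": "web-7c9f", "namespace": "shop",
                  "ownerReferences": [{"kind": "Deployment", "name": "web"}]}},
    {"apiVersion": "apps/v1", "kind": "StatefulSet",
     "metadata": {"name": "db", "namespace": "shop",
                  "annotations": {TRACKING_ANNOTATION: "shop:apps/StatefulSet:shop/db"}}},
    # PVC created from the StatefulSet's volumeClaimTemplate: no owner
    # reference and no tracking marker, the case the issue describes.
    {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
     "metadata": {"name": "data-db-0", "namespace": "shop",
                  "labels": {"app": "db"}}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "kube-root-ca.crt", "namespace": "shop"}},
    # Hand-created with kubectl, never committed to git.
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "hotfix-creds", "namespace": "shop"}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "coredns", "namespace": "kube-system"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "view"}},
]


def api_group(obj):
    """'apps/v1' -> 'apps'; core resources ('v1') have the empty group."""
    api_version = obj.get("apiVersion", "")
    return api_version.split("/")[0] if "/" in api_version else ""


def is_tracked(obj):
    meta = obj.get("metadata", {})
    return (TRACKING_LABEL in (meta.get("labels") or {})
            or TRACKING_ANNOTATION in (meta.get("annotations") or {}))


def is_top_level(obj):
    # Objects with ownerReferences (ReplicaSets, Pods) are judged through
    # their parent, which is what Argo CD actually manages.
    return not obj.get("metadata", {}).get("ownerReferences")


def is_ignored(obj, ignore=IGNORE):
    name = obj["metadata"]["name"]
    for rule in ignore:
        if (fnmatch.fnmatchcase(api_group(obj), rule.get("group", "*"))
                and fnmatch.fnmatchcase(obj.get("kind", ""), rule.get("kind", "*"))
                and fnmatch.fnmatchcase(name, rule.get("name", "*"))):
            return True
    return False


def find_untracked(items, ignore=IGNORE, system_namespaces=SYSTEM_NAMESPACES):
    """Return sorted (namespace, kind, name) of top-level namespaced objects
    that no Argo CD application claims. Cluster-scoped objects are skipped,
    matching the orphaned-resources feature's namespaced scope."""
    found = []
    for obj in items:
        meta = obj["metadata"]
        ns = meta.get("namespace")
        if ns is None or ns in system_namespaces:
            continue
        if not is_top_level(obj) or is_tracked(obj) or is_ignored(obj, ignore):
            continue
        found.append((ns, obj["kind"], meta["name"]))
    return sorted(found)


if __name__ == "__main__":
    for ns, kind, name in find_untracked(SAMPLE_ITEMS):
        print(f"UNTRACKED {ns}/{kind}/{name}")
```

Against a live cluster, replace `SAMPLE_ITEMS` with the `items` array of a `kubectl get <kinds> -A -o json` call and feed the output to an alerting rule. Note the limit of any label-based check, which the issue author already hints at: whoever can create objects with `kubectl` can also stamp them with the tracking label, so this detects drift and mistakes, not a determined insider; admission control or audit-log review is the right tool for that case.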