Maven / ArgoCD interview questions

1. What is ArgoCD and what problem does it solve? 2. What is GitOps and how does ArgoCD implement it? 3. What are the core components of ArgoCD? 4. What is an ArgoCD Application and what fields does its manifest require? 5. What are the different application sync statuses in ArgoCD? 6. How do you install ArgoCD on a Kubernetes cluster? 7. What is an ArgoCD Project and how does it differ from a Kubernetes namespace? 8. How does ArgoCD support Helm charts? 9. How does ArgoCD support Kustomize? 10. What is self-healing in ArgoCD and how do you enable it? 11. What is the difference between ArgoCD automated sync and self-healing? 12. How does ArgoCD handle resource pruning and what risks does enabling it carry? 13. What is the ArgoCD App of Apps pattern and when should you use it? 14. How do ArgoCD Sync Waves and Sync Hooks work together to control deployment ordering? 15. What is an ArgoCD ApplicationSet and how does the Git generator work? 16. How does ArgoCD integrate with external secret management tools like Vault or Sealed Secrets? 17. How do you configure ArgoCD RBAC and what are the built-in roles? 18. What is ArgoCD Image Updater and how does it automate container image updates? 19. How does ArgoCD manage multiple clusters and what are the methods for registering them? 20. What are ArgoCD Sync Windows and how do you configure them? 21. How does ArgoCD handle ignoreDifferences and when should you use it? 22. What are ArgoCD resource health checks and how do you write a custom one? 23. How does ArgoCD handle SSO and what identity providers does it support? 24. What is the ArgoCD CLI and what are the most common commands used day-to-day? 25. How does ArgoCD compare to Flux and when would you choose one over the other? 26. What is server-side apply in ArgoCD and why might you enable it? 27. How does ArgoCD handle notifications and what channels does it support? 28. How do you perform a rollback in ArgoCD? 29. What is the ArgoCD repository server caching strategy and how does it affect performance?

Could not find what you were looking for? send us the question and we would be happy to answer your question.

1. What is ArgoCD and what problem does it solve?

ArgoCD is a declarative, GitOps-based continuous delivery tool for Kubernetes. It automates the deployment of applications to Kubernetes clusters by continuously syncing the cluster state to match the desired state defined in a Git repository.

Before ArgoCD, teams often relied on push-based CI/CD pipelines where a CI server would apply manifests to the cluster after a build. This meant credentials to the cluster had to live inside the CI system, rollbacks required re-running pipelines, and there was no single source of truth for what was actually deployed. ArgoCD flips this to a pull-based model: an agent running inside the cluster watches Git and applies changes itself, removing the need to expose cluster credentials externally.

It solves three concrete problems: drift detection (it continuously compares live state vs Git state and reports or auto-corrects differences), auditability (every change is a Git commit with author, timestamp, and message), and multi-cluster management (a single ArgoCD instance can deploy to many clusters from one control plane).

ArgoCD uses which deployment model to apply changes to a Kubernetes cluster?Push-based: the CI server pushes manifests directly to the cluster

✗ Try again — that is the traditional CI/CD approach ArgoCD replaces.

Pull-based: an in-cluster agent pulls desired state from Git and applies it

✓ Well done! ArgoCD's agent inside the cluster pulls from Git, keeping credentials inside the cluster.

Event-based: a webhook fires directly into the Kubernetes API from GitHub

✗ Try again — webhooks notify ArgoCD to refresh, but the agent itself performs the apply.

Which of the following is a core problem ArgoCD solves?Compiling application source code faster

✗ Try again — ArgoCD is a CD tool; it does not handle build or compile steps.

Storing container images in a private registry

✗ Try again — image storage is the job of a container registry, not ArgoCD.

Detecting and correcting drift between desired Git state and live cluster state

✓ Well done! Drift detection and correction is one of ArgoCD's primary functions.

2. What is GitOps and how does ArgoCD implement it?

GitOps is an operational framework that uses Git as the single source of truth for infrastructure and application configuration. All desired states are stored as code in a Git repository, and automated agents continuously reconcile the live system to match what is in Git. Changes are made exclusively through Git operations (commits, pull requests, merges) rather than direct cluster access.

ArgoCD implements GitOps through its Application CRD and reconciliation loop. You define an Application that points to a Git repository path (Helm chart, Kustomize overlay, plain YAML, or Jsonnet) and a target cluster/namespace. The ArgoCD controller runs a continuous reconciliation loop — by default every 3 minutes, or immediately on Git webhook — comparing the rendered manifests from Git against the live cluster resources.

When differences are found, ArgoCD marks the application as OutOfSync. With automated sync enabled (syncPolicy.automated), it applies the Git state to the cluster automatically. With manual sync, an operator triggers the sync explicitly. Either way, the Git repo remains the authoritative record: to roll back, you revert the Git commit and ArgoCD reconciles back to the previous state.

The four GitOps principles ArgoCD satisfies are: declarative configuration, versioned and immutable state, pulled automatically by software agents, and continuously reconciled.

In GitOps, how should an operator roll back a failed deployment?Revert the Git commit; the ArgoCD agent reconciles the cluster back to the previous state

✓ Well done! Reverts in Git are the canonical rollback mechanism in GitOps.

Run kubectl rollout undo directly against the cluster

✗ Try again — direct cluster changes create drift and bypass the Git audit trail.

Delete the ArgoCD Application and recreate it from a backup

✗ Try again — deleting the Application removes ArgoCD tracking and is not a rollback pattern.

What is the default interval at which ArgoCD polls Git for changes?Every 30 seconds

✗ Try again — 30 seconds is too frequent; the default is 3 minutes.

Every 3 minutes

✓ Well done! ArgoCD polls Git every 3 minutes by default, though webhooks can trigger immediate refreshes.

Every 10 minutes

✗ Try again — 10 minutes is not the default poll interval.

Only when a webhook is received

✗ Try again — ArgoCD polls on a schedule even without webhooks configured.

3. What are the core components of ArgoCD?

ArgoCD is composed of several distinct components that work together to deliver GitOps continuous delivery:

API Server — Exposes the gRPC and REST API consumed by the ArgoCD UI, CLI (argocd), and any external tooling. It handles authentication, authorization (RBAC), and surfaces application status and operations.

Repository Server — Responsible for cloning Git repositories and rendering manifests. It supports Helm, Kustomize, Jsonnet, and plain YAML. It caches rendered manifests to reduce load on Git and templating engines. All manifest generation happens here in isolation from the rest of the system.

Application Controller — The core reconciliation engine. It continuously compares the live cluster state (via the Kubernetes API) against the desired state (rendered by the repo server) and determines sync status (Synced, OutOfSync, Unknown). It triggers sync operations and manages application health assessment.

ApplicationSet Controller — A separate controller that manages ApplicationSet CRDs, automatically generating and maintaining multiple Application resources from a single template and generator definition.

Dex (optional) — An identity provider proxy bundled with ArgoCD for SSO integration (GitHub, LDAP, SAML, OIDC). Can be replaced by an external OIDC provider.

Redis — Used as a caching layer for application state, reducing repeated calls to the Kubernetes API server and Git repositories. Not a persistent store — ArgoCD can rebuild its state from the cluster.

Which ArgoCD component is responsible for cloning Git repos and rendering Helm or Kustomize manifests?Application Controller

✗ Try again — the Application Controller handles reconciliation, not manifest rendering.

Repository Server

✓ Well done! The Repository Server clones repos and renders manifests for all supported tooling.

API Server

✗ Try again — the API Server handles requests and auth; it does not clone repos.

Redis

✗ Try again — Redis is a cache layer, not a rendering engine.

What role does Redis play in an ArgoCD deployment?It is the primary persistent database for all ArgoCD application state

✗ Try again — Redis is a cache; ArgoCD rebuilds state from Kubernetes if Redis is lost.

It caches application state and manifest renders to reduce API server and Git load

✓ Well done! Redis acts as a performance cache; ArgoCD does not rely on it for durable storage.

It queues incoming webhook events for the Application Controller

✗ Try again — webhook events are handled by the API Server, not queued through Redis.

4. What is an ArgoCD Application and what fields does its manifest require?

An ArgoCD Application is a Kubernetes Custom Resource (CRD) that represents a deployed application managed by ArgoCD. It is the fundamental unit of work in ArgoCD — one Application tracks one source (a Git repo path, Helm chart, or OCI artifact) and deploys it to one destination (a cluster and namespace).

The essential fields in an Application manifest are:

source: defines repoURL (the Git or Helm repo), targetRevision (branch, tag, or commit SHA), and path (directory within the repo) or chart (for Helm repos).
destination: specifies server (the cluster API URL; use https://kubernetes.default.svc for in-cluster) and namespace.
project: the ArgoCD Project this Application belongs to (controls source/destination whitelist and RBAC).

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/my-org/my-app
    targetRevision: HEAD
    path: k8s/overlays/production
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

Optional but commonly used: syncPolicy (automated sync, prune, selfHeal), ignoreDifferences (fields to exclude from diff), and info (free-form metadata displayed in the UI).

Which value should you use for destination.server when deploying to the same cluster where ArgoCD is installed?https://kubernetes.default.svc

✓ Well done! This is the in-cluster Kubernetes API endpoint used when ArgoCD targets its own cluster.

https://localhost:6443

✗ Try again — localhost refers to the pod's loopback, not the cluster API endpoint.

https://argocd-server.argocd.svc

✗ Try again — that is ArgoCD's own API server, not the Kubernetes cluster API.

cluster://default

✗ Try again — that is not a valid Kubernetes API server URL format.

What does the targetRevision field in an ArgoCD Application source control?The Kubernetes API version the manifests target

✗ Try again — targetRevision refers to the Git branch, tag, or commit SHA, not the Kubernetes API version.

The Git branch, tag, or commit SHA ArgoCD tracks for desired state

✓ Well done! targetRevision pins the Application to a specific Git reference.

The Helm chart version to install

✗ Try again — for Helm chart repos the chart version is set separately under source.targetRevision as a semver, but the concept is still a revision of the source, not a Kubernetes API version.

5. What are the different application sync statuses in ArgoCD?

ArgoCD reports two orthogonal status dimensions for every application: Sync Status and Health Status. Understanding both is essential for diagnosing application state.

Sync Status

ArgoCD Sync Status Values
Status	Meaning
Synced	Live cluster state matches the desired state in Git exactly.
OutOfSync	One or more resources differ between Git and the cluster. Could be a new commit in Git not yet applied, or manual changes to the cluster (drift).
Unknown	ArgoCD cannot determine sync status, typically due to cluster connectivity issues or RBAC permissions preventing resource reads.

Health Status

ArgoCD Health Status Values
Status	Meaning
Healthy	All resources pass their health checks (Deployments at desired replicas, Services with endpoints, etc.).
Progressing	Resources are being updated and not yet stable (e.g., a Deployment rollout in progress).
Degraded	Resources have failed health checks (e.g., a pod in CrashLoopBackOff, or a Deployment with 0 available replicas).
Suspended	The resource is intentionally paused (e.g., a suspended CronJob).
Missing	The resource is defined in Git but does not exist in the cluster at all.
Unknown	ArgoCD does not have a health check rule for this resource type.

An application can be Synced but Degraded — meaning the Git state was applied correctly but the workload is unhealthy. These two axes must be evaluated independently.

An ArgoCD application shows Synced + Degraded. What does this mean?The Git state was applied successfully but the running workload is unhealthy

✓ Well done! Sync status and health status are independent; Synced only confirms the apply, not the workload health.

ArgoCD failed to apply the manifests from Git

✗ Try again — a failed apply would result in OutOfSync, not Synced.

The application has drifted from the Git-defined state

✗ Try again — drift would show as OutOfSync, not Synced.

Which health status does ArgoCD assign to a resource type it has no built-in health check for?Healthy — it assumes custom resources are always healthy

✗ Try again — ArgoCD does not assume health for unknown resource types.

Missing — it treats the resource as absent

✗ Try again — Missing applies when the resource exists in Git but not in the cluster.

Unknown — ArgoCD has no health check rule for that resource type

✓ Well done! Custom resources without a Lua health check script return Unknown health status.

6. How do you install ArgoCD on a Kubernetes cluster?

The standard installation uses the official ArgoCD manifest published in the ArgoCD GitHub repository. There are two variants: non-HA (single replica, suitable for development) and HA (multiple replicas for the API server and application controller, for production).

# Create the argocd namespace
kubectl create namespace argocd

# Install ArgoCD (non-HA)
kubectl apply -n argocd -f \
  https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

After applying, verify all pods reach Running state:

kubectl get pods -n argocd

By default, the argocd-server Service is of type ClusterIP. To access the UI locally, use port-forwarding:

kubectl port-forward svc/argocd-server -n argocd 8080:443

The initial admin password is auto-generated and stored in the secret argocd-initial-admin-secret. Retrieve it with:

kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath={.data.password}" | base64 -d

argocd login localhost:8080 --username admin --password <password> --insecure

For production expose argocd-server via an Ingress or LoadBalancer Service with a valid TLS certificate. The Helm chart (argo/argo-cd) is an alternative installation method that provides easier configuration management.

Where does ArgoCD store the auto-generated initial admin password after installation?In a ConfigMap named argocd-cm in the argocd namespace

✗ Try again — argocd-cm holds configuration, not the admin password.

In a Secret named argocd-initial-admin-secret in the argocd namespace

✓ Well done! The initial password is base64-encoded in this Secret and should be changed after first login.

Printed to the argocd-server pod logs during startup

✗ Try again — the password is stored in a Secret, not logged to stdout.

What is the default Service type for argocd-server after a standard install.yaml installation?ClusterIP

✓ Well done! argocd-server defaults to ClusterIP; port-forward or an Ingress is needed for external access.

LoadBalancer

✗ Try again — LoadBalancer is not the default; it must be configured explicitly for external access.

NodePort

✗ Try again — NodePort is not the default Service type in the standard install.

7. What is an ArgoCD Project and how does it differ from a Kubernetes namespace?

An ArgoCD Project (AppProject CRD) is a logical grouping and access control boundary within ArgoCD itself. It is entirely separate from Kubernetes namespaces — a Project does not correspond to any Kubernetes object but rather enforces policies on which source repositories, destination clusters, and destination namespaces ArgoCD Applications within that Project are permitted to use.

Key things an AppProject controls:

sourceRepos: whitelist of Git/Helm repositories Applications may source from. Use * for any.
destinations: whitelist of cluster + namespace combinations the Applications may deploy to.
clusterResourceWhitelist / namespaceResourceBlacklist: restrict which Kubernetes resource kinds can be created (e.g., prevent Applications in a dev Project from creating ClusterRoles).
roles: Project-scoped RBAC roles that can be assigned to users/groups independently of the global ArgoCD RBAC.

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-payments
  namespace: argocd
spec:
  sourceRepos:
    - https://github.com/my-org/payments-*
  destinations:
    - namespace: payments-*
      server: https://kubernetes.default.svc
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace

A Kubernetes namespace, by contrast, is a runtime isolation boundary within the cluster that separates resource names and applies ResourceQuotas/NetworkPolicies. An ArgoCD Project can deploy to multiple namespaces, and multiple Projects can target the same namespace — they operate at different abstraction layers.

What does the sourceRepos field in an ArgoCD AppProject control?The Git or Helm repositories that Applications in this Project are permitted to source from

✓ Well done! sourceRepos is a whitelist; Applications referencing unlisted repos will be rejected.

The container image registries that pods in the Project can pull from

✗ Try again — image registry restrictions are enforced via admission controllers, not ArgoCD Projects.

The Git branches that ArgoCD is allowed to monitor for that Project

✗ Try again — branch restrictions are set in individual Application targetRevision, not in the Project.

Can a single ArgoCD Project deploy Applications to multiple Kubernetes namespaces?Yes — the destinations list can include multiple namespace entries including wildcard patterns

✓ Well done! Destinations support multiple entries and wildcards, allowing one Project to span many namespaces.

No — one Project maps to exactly one Kubernetes namespace

✗ Try again — there is no one-to-one mapping; Projects are ArgoCD-level groupings, not namespace-bound.

Only if the namespaces share the same ResourceQuota

✗ Try again — ResourceQuotas are Kubernetes-level constructs independent of ArgoCD Project definitions.

8. How does ArgoCD support Helm charts?

ArgoCD has first-class support for Helm and can render Helm charts as part of its manifest generation pipeline inside the Repository Server. There are two ways to use Helm with ArgoCD:

1. Helm repository as source — You specify a Helm chart repository URL and chart name directly in the Application's source. ArgoCD fetches and renders the chart at the specified version.

source:
  repoURL: https://charts.bitnami.com/bitnami
  chart: postgresql
  targetRevision: 12.5.6
  helm:
    values: |
      auth:
        postgresPassword: "{{ .Values.dbPassword }}"

2. Helm chart in a Git repository — A Chart.yaml exists at the specified path within a Git repo. ArgoCD detects Helm automatically and renders it.

Common Helm-specific fields in the Application spec:

helm.values / helm.valuesFiles: inline values or references to values files in the repo.
helm.parameters: individual key=value overrides (equivalent to --set).
helm.releaseName: override the Helm release name (defaults to the Application name).
helm.version: force Helm v2 or v3 (v3 is default).

Importantly, ArgoCD uses Helm purely as a templating engine — it renders the chart to Kubernetes manifests and then applies them with kubectl apply. The Helm release is not stored in a Helm Secret in the cluster; this means helm list won't show ArgoCD-managed charts, and helm upgrade/rollback commands should not be used alongside ArgoCD.

After ArgoCD deploys a Helm chart, will the release appear in the output of 'helm list'?Yes — ArgoCD stores a Helm release Secret in the target namespace

✗ Try again — ArgoCD renders Helm to plain manifests and uses kubectl apply; no Helm release Secret is created.

No — ArgoCD uses Helm only as a template engine and applies raw manifests without storing a release

✓ Well done! ArgoCD-managed Helm apps are invisible to the Helm CLI because no release Secret is written.

Only if helm.storeRelease: true is set in the Application spec

✗ Try again — there is no such flag; ArgoCD never stores Helm release state regardless of configuration.

Which Application field is equivalent to passing --set key=value to helm install?helm.valuesFiles

✗ Try again — valuesFiles references values YAML files in the repo, not individual key=value pairs.

helm.parameters

✓ Well done! helm.parameters accepts name/value pairs identical to helm install --set.

helm.releaseName

✗ Try again — releaseName only overrides the release name, not values.

9. How does ArgoCD support Kustomize?

ArgoCD has native Kustomize support built into its Repository Server. When ArgoCD detects a kustomization.yaml (or kustomization.yml / Kustomization) file at the specified path, it automatically runs kustomize build to render the manifests before applying them to the cluster.

No extra configuration is needed beyond pointing the Application's source.path at a Kustomize directory:

source:
  repoURL: https://github.com/my-org/app
  targetRevision: HEAD
  path: k8s/overlays/production

Kustomize-specific overrides available in the Application spec:

kustomize.images: override image names and tags without modifying the repo (useful with ArgoCD Image Updater).
kustomize.namePrefix / nameSuffix: prepend or append a string to all resource names.
kustomize.commonLabels: inject labels into all resources at sync time.
kustomize.version: pin the Kustomize binary version used for rendering.

A typical project structure with Kustomize and ArgoCD uses a base/ directory containing shared manifests and overlays/ directories per environment. Each overlay's kustomization.yaml references the base and applies environment-specific patches. ArgoCD Applications target the overlay path, so each environment gets its own Application pointing to its own overlay — giving full environment isolation with shared base configuration.

How does ArgoCD detect that a source path should be rendered with Kustomize?A kustomize: true flag must be set in the Application spec

✗ Try again — ArgoCD auto-detects Kustomize; no explicit flag is needed.

By finding a kustomization.yaml file at the specified source path

✓ Well done! The presence of kustomization.yaml triggers automatic Kustomize rendering.

Only if the path contains a Chart.yaml alongside the kustomization.yaml

✗ Try again — Chart.yaml indicates Helm, not Kustomize; the two are detected separately.

Which kustomize-specific Application field allows you to override a container image tag without modifying Git?kustomize.commonLabels

✗ Try again — commonLabels injects labels into resources, not image overrides.

kustomize.images

✓ Well done! kustomize.images lets you override image name and tag at the Application level without a Git commit.

kustomize.namePrefix

✗ Try again — namePrefix prepends a string to resource names, not image tags.

kustomize.version

✗ Try again — version pins the Kustomize binary, not the container image.

10. What is self-healing in ArgoCD and how do you enable it?

Self-healing in ArgoCD means that when the live cluster state drifts from the desired Git state — due to manual changes, operator mistakes, or other controllers modifying resources — ArgoCD automatically detects the drift and re-applies the Git state to bring the cluster back into sync, without any human intervention.

Self-healing is distinct from simply enabling automated sync. Automated sync fires when Git changes (a new commit is detected). Self-healing fires when the cluster changes while Git stays the same. Together they cover both directions of drift.

Enable self-healing in the Application's syncPolicy:

syncPolicy:
  automated:
    selfHeal: true
    prune: true       # also enable pruning if you want deleted Git resources removed

With selfHeal: true, the Application Controller compares live state against Git state every time a watch event fires from the Kubernetes API (near-real-time). When it detects OutOfSync, it immediately triggers a sync to restore the desired state.

A practical example: if an engineer runs kubectl scale deployment my-app --replicas=0 in production, ArgoCD with selfHeal enabled will detect the replica count change within seconds and restore replicas to the count defined in Git.

Self-healing should be combined with Sync Windows if you want to restrict when auto-corrections can occur (e.g., only during business hours or excluding a maintenance window).

What triggers ArgoCD's self-healing mechanism?A new commit pushed to the tracked Git branch

✗ Try again — a new Git commit triggers automated sync, not self-healing specifically.

A change to the live cluster state that deviates from what is defined in Git

✓ Well done! Self-healing fires when the cluster drifts from Git, regardless of whether Git changed.

A failed liveness probe on one of the application pods

✗ Try again — pod health is managed by Kubernetes itself; ArgoCD self-healing addresses resource drift, not pod restarts.

An engineer manually sets replicas to 0 on a Deployment managed by ArgoCD with selfHeal: true. What happens?The change persists; ArgoCD only corrects drift on the next Git commit

✗ Try again — selfHeal corrects cluster-side drift immediately, independent of Git commits.

ArgoCD detects the drift and restores replicas to the Git-defined count within seconds

✓ Well done! Self-healing responds to Kubernetes watch events and re-syncs near-immediately.

ArgoCD deletes and recreates the Deployment from scratch

✗ Try again — ArgoCD patches the diverged field, it does not delete and recreate unless pruning and resource recreation is specifically needed.

11. What is the difference between ArgoCD automated sync and self-healing?

ArgoCD's automated sync and self-healing are related but address different triggers for bringing a cluster into alignment with Git. They are configured together under syncPolicy.automated but serve distinct purposes.

Automated Sync vs. Self-Healing
Aspect	Automated Sync	Self-Healing
Trigger	A new commit is detected in the tracked Git branch	The live cluster state changes while Git stays the same (drift)
Direction of change	Git changed → apply to cluster	Cluster changed → revert to Git
Config field	`automated: {}` (just enabling automated is enough)	`automated: { selfHeal: true }`
Typical scenario	Developer pushes a new image tag to Git; ArgoCD deploys it automatically	Operator manually scales a Deployment; ArgoCD restores the original replica count

If you enable automated sync without selfHeal, ArgoCD will deploy new Git commits automatically but will ignore manual cluster changes until the next Git commit triggers a re-sync. With selfHeal added, both directions of drift are continuously corrected.

In practice, most production teams enable both together: automated: { prune: true, selfHeal: true }. The exception might be a team that wants operators to be able to temporarily scale resources manually without ArgoCD overriding them — in that case, selfHeal should remain disabled.

If automated sync is enabled but selfHeal is not, what happens when an operator manually changes a Deployment's replica count?The manual change persists until the next Git commit causes ArgoCD to re-sync

✓ Well done! Without selfHeal, ArgoCD only corrects drift when a new Git commit triggers a sync.

ArgoCD immediately reverts the replica count to match Git

✗ Try again — immediate reversion requires selfHeal: true.

The Application is marked as Failed and must be manually reset

✗ Try again — the Application shows OutOfSync, but it is not marked Failed automatically.

What is the minimal syncPolicy configuration to enable both automatic Git-driven deploys and cluster drift correction?syncPolicy: { automated: {} }

✗ Try again — that enables automated sync but not self-healing of cluster-side drift.

syncPolicy: { automated: { selfHeal: true } }

✓ Well done! selfHeal: true adds cluster drift correction on top of automated Git-driven syncing.

syncPolicy: { selfHeal: true } without automated block

✗ Try again — selfHeal is a field nested inside the automated block; it cannot stand alone.

12. How does ArgoCD handle resource pruning and what risks does enabling it carry?

Resource pruning in ArgoCD refers to the automatic deletion of Kubernetes resources that exist in the cluster but are no longer present in the Git repository. When you sync an application with pruning enabled, ArgoCD compares the live cluster state against the desired Git state and removes any resources that have been deleted from Git.

By default, pruning is disabled. You enable it per sync operation via the CLI (argocd app sync <app> --prune) or by setting syncPolicy.automated.prune: true in the Application manifest for fully automated flows.

Pruning: Benefits vs. Risks
Aspect	Detail
Accidental deletion	A mistaken removal from Git triggers permanent cluster deletion; rollback requires re-adding the resource and syncing.
Out-of-band resources	Resources created manually or by other controllers outside Git are pruned if ArgoCD tracks the namespace.
Cascading deletes	Pruning a parent resource (e.g., a Namespace) can cascade-delete child resources even if the children are still needed.
Finalizer loops	Resources with deletion finalizers may block sync and leave the application in a degraded state.

To mitigate risk, use the argocd.argoproj.io/managed-by label carefully and consider combining pruning with Sync Windows to limit when automated pruning can fire. The PruneLast=true sync option instructs ArgoCD to delete resources only after all other sync steps complete successfully, reducing mid-sync inconsistency.

syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - PruneLast=true

What does ArgoCD do when pruning is enabled and a resource is removed from Git?It marks the resource as OutOfSync but does not delete it

✗ Try again — that is the default behavior without pruning; with pruning enabled the resource is deleted.

It deletes the resource from the cluster during the next sync

✓ Well done! Pruning removes cluster resources absent from Git during sync.

It archives the resource manifest to a backup ConfigMap

✗ Try again — ArgoCD has no built-in archive on prune; the resource is simply deleted.

Which sync option defers pruning until after all other resources sync successfully?RespectIgnoreDifferences

✗ Try again — that option controls diff ignoring, not deletion order.

PruneLast=true

✓ Well done! PruneLast defers resource deletion until after all other resources in the sync complete.

ApplyOutOfSyncOnly=true

✗ Try again — that option skips in-sync resources but does not control prune timing.

13. What is the ArgoCD App of Apps pattern and when should you use it?

The App of Apps pattern is an ArgoCD design where one root Application manifest manages a collection of child Application manifests stored in Git. The root app syncs a directory of Application CRDs into the cluster; ArgoCD then picks up each child Application and reconciles it independently.

Structurally, the root application points to a Git path containing files like apps/frontend.yaml, apps/backend.yaml, each of which is itself an ArgoCD Application resource targeting its own source repo and destination namespace.

# root-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: root-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/my-org/infra
    targetRevision: HEAD
    path: apps/
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

When to use it: App of Apps is ideal for platform teams that want to onboard new services by simply adding a file to the apps/ directory in Git without touching ArgoCD UI or CLI. It also works well for multi-tenant setups where each tenant gets a dedicated child Application with its own project and RBAC.

Compared to ApplicationSets, App of Apps gives finer manual control over each child application but requires more boilerplate per application. ApplicationSets are preferred when child applications follow a repeatable template (e.g., one per cluster or one per Git directory). App of Apps shines when each child needs unique configuration that cannot be easily templated.

In the App of Apps pattern, what does the root Application point to in Git?Helm chart values for all child services

✗ Try again — the root app points to ArgoCD Application manifests, not Helm values files.

A Git directory containing child ArgoCD Application CRD manifests

✓ Well done! The root app syncs Application resources that ArgoCD then reconciles independently.

A Kustomize base overlay shared by all environments

✗ Try again — App of Apps contains Application CRDs, not Kustomize configuration.

When is ApplicationSet preferred over the App of Apps pattern?When child applications follow a repeatable template such as one app per cluster

✓ Well done! ApplicationSets excel at templating identical application structures across generators.

When each child application has a completely unique sync policy and project

✗ Try again — unique per-app configuration favors App of Apps over a generator template.

When you need to track more than 10 Git repositories simultaneously

✗ Try again — the number of repos is not the deciding factor between the two patterns.

14. How do ArgoCD Sync Waves and Sync Hooks work together to control deployment ordering?

ArgoCD provides two complementary mechanisms for controlling the order of resource application during a sync: Sync Waves control the sequence of resource groups, and Sync Hooks inject one-off Jobs at specific lifecycle phases.

Sync Waves

Every resource can be assigned an integer wave via the annotation argocd.argoproj.io/sync-wave. Resources with lower wave numbers are applied first; ArgoCD waits for all resources in wave N to become healthy before advancing to wave N+1. The default wave is 0. Negative waves are useful for CRDs or Namespaces that must exist before other resources reference them.

metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "-1"  # Namespace first
---
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "0"   # Default: Deployments, Services
---
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "1"   # Last: Ingress or smoke-test Job

Sync Hooks

Hooks are Kubernetes resources (usually Jobs) annotated with argocd.argoproj.io/hook. Available hook phases:

Hook Phase	When it runs
PreSync	Before any resources are applied (e.g., database migrations)
Sync	During the sync alongside other resources
PostSync	After all resources are healthy (e.g., smoke tests, notifications)
SyncFail	Only when the sync fails (e.g., rollback alerting job)

Waves and hooks compose naturally: a PreSync hook runs before wave -1, and a PostSync hook runs after the highest wave reaches healthy. Use argocd.argoproj.io/hook-delete-policy to clean up completed hook Jobs automatically.

What does ArgoCD do between sync waves before advancing to the next wave?Waits for all resources in the current wave to become healthy

✓ Well done! ArgoCD health-gates each wave; the next wave only starts when all current wave resources are healthy.

Pauses for a configurable fixed timer between waves

✗ Try again — the gate is resource health status, not a timer.

Rolls back the previous wave before applying the next

✗ Try again — waves advance progressively; there is no automatic rollback between waves.

Which sync hook phase is best suited for running a database migration before application pods are deployed?PostSync

✗ Try again — PostSync runs after all resources are healthy, which is too late for a pre-deploy migration.

PreSync

✓ Well done! PreSync hooks run before any resource is applied, making them ideal for migration Jobs.

SyncFail

✗ Try again — SyncFail only triggers when the sync operation itself fails.

Sync

✗ Try again — the Sync phase runs alongside other resources, not before them.

15. What is an ArgoCD ApplicationSet and how does the Git generator work?

An ApplicationSet is an ArgoCD CRD that automates the creation, update, and deletion of multiple Application resources from a single template. Instead of manually writing one Application manifest per environment or cluster, you define a template once and pair it with a generator that produces parameter sets used to fill the template. The ApplicationSet controller manages these generated Applications automatically.

Git Generator

The Git generator has two modes:

Directories mode: scans a repo for directories matching a glob; each matching directory becomes one Application with path set to that directory.
Files mode: reads JSON/YAML config files matching a pattern; each file's key-value pairs are passed as parameters into the template.

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: cluster-apps
  namespace: argocd
spec:
  generators:
    - git:
        repoURL: https://github.com/my-org/infra
        revision: HEAD
        directories:
          - path: apps/*
  template:
    metadata:
      name: "{{path.basename}}"
    spec:
      project: default
      source:
        repoURL: https://github.com/my-org/infra
        targetRevision: HEAD
        path: "{{path}}"
      destination:
        server: https://kubernetes.default.svc
        namespace: "{{path.basename}}"
      syncPolicy:
        automated:
          prune: true

When a new directory apps/payments is pushed to Git, the controller automatically creates an Application named payments — no manual ArgoCD intervention needed. Removing the directory triggers deletion of the generated Application when pruning is enabled on the ApplicationSet.

In the ApplicationSet Git generator, which mode reads config files to supply template parameters?Directories mode

✗ Try again — Directories mode maps folder paths to Applications, not config file contents.

Files mode

✓ Well done! Files mode reads matching config files and passes their key-value pairs to the ApplicationSet template.

Matrix generator

✗ Try again — Matrix combines two generators; it is not a Git generator mode.

What happens in Git directories mode when a new folder is pushed to the tracked Git path?The ApplicationSet controller automatically generates a new ArgoCD Application for that folder

✓ Well done! The Git generator creates an Application per matching directory without any manual step.

An operator must manually trigger a refresh for the new folder to be detected

✗ Try again — the controller polls Git or receives webhooks and auto-generates the Application.

The folder must be added to an explicit allowlist in the ApplicationSet spec first

✗ Try again — the glob pattern in the spec is the allowlist; matching folders auto-generate Applications.

16. How does ArgoCD integrate with external secret management tools like Vault or Sealed Secrets?

ArgoCD deliberately does not manage secrets natively — it stores no sensitive values and recommends keeping plaintext secrets out of Git. Two widely adopted patterns bridge ArgoCD with secret management:

1. Sealed Secrets (Bitnami)

Sealed Secrets encrypts a Kubernetes Secret into a SealedSecret CRD safe to commit to Git. The sealed-secrets-controller decrypts it back into a standard Secret using a cluster-side private key. From ArgoCD's perspective, a SealedSecret is just another manifest to sync.

kubeseal --fetch-cert > pub-cert.pem
kubectl create secret generic db-pass --from-literal=password=s3cr3t \
  --dry-run=client -o yaml | kubeseal --cert pub-cert.pem -o yaml > sealed-db-pass.yaml
# Commit sealed-db-pass.yaml to Git; ArgoCD syncs it; controller decrypts

2. External Secrets Operator (ESO)

ESO introduces ExternalSecret and SecretStore CRDs. You commit these CRDs (which contain no secret values — only references like Vault paths or AWS Secrets Manager ARNs) to Git. ArgoCD syncs them; ESO fetches actual values from the external provider and creates a native Kubernetes Secret.

Sealed Secrets vs. External Secrets Operator
Dimension	Sealed Secrets	ESO
Secret storage	Encrypted ciphertext in Git	External vault; only references in Git
Rotation support	Manual re-seal required	Automatic via refreshInterval
Multi-provider	No (cluster key only)	Yes (Vault, AWS, GCP, Azure, etc.)

What does the External Secrets Operator store in Git when integrated with ArgoCD?The plaintext secret values encrypted with ArgoCD's internal key

✗ Try again — ESO stores no secret values in Git at all.

ExternalSecret CRDs containing only references to secret paths in the provider

✓ Well done! Only provider path references are committed; actual values remain in the external store.

A Vault token that the cluster uses to fetch secrets at runtime

✗ Try again — committing tokens to Git is a security anti-pattern; ESO uses SecretStore auth config separately.

Which ESO feature automatically refreshes secret values from the provider without redeploying?ArgoCD selfHeal on the ExternalSecret resource

✗ Try again — selfHeal corrects drift in the CRD definition, not the secret value content.

The refreshInterval field in the ExternalSecret spec

✓ Well done! ESO polls the provider on the configured interval and updates the Kubernetes Secret automatically.

A CronJob that re-syncs the ArgoCD Application on a schedule

✗ Try again — refreshInterval is built into ESO; no external CronJob is required.

17. How do you configure ArgoCD RBAC and what are the built-in roles?

ArgoCD's RBAC is configured via the argocd-rbac-cm ConfigMap in the argocd namespace. Policies are written in Casbin CSV format and map subjects (users, groups, SSO claims) to resources and actions.

Built-in Roles

Role	Permissions
`role:readonly`	Read-only access to all resources: applications, clusters, repositories, and logs. Cannot sync, create, update, or delete.
`role:admin`	Full access to all resources and actions across all projects.

Custom Policy Syntax

Policy lines follow: p, <subject>, <resource>, <action>, <object>, allow|deny. Group-to-role bindings use: g, <group>, <role>.

# argocd-rbac-cm data
policy.default: role:readonly
policy.csv: |
  p, role:dev-team, applications, sync, staging/*, allow
  p, role:dev-team, applications, sync, production/*, deny
  p, role:dev-team, applications, get, */*, allow
  g, my-org:developers, role:dev-team

Resources include: applications, clusters, repositories, projects, accounts, logs. Actions include get, create, update, delete, sync, override, action.

ArgoCD Projects add a second scoping layer — RBAC controls who can do what, while Projects control what Applications are allowed to target (repos, clusters, namespaces).

What does setting policy.default: role:readonly control in argocd-rbac-cm?The permissions granted to authenticated users who have no explicit role assignment

✓ Well done! policy.default is the fallback role for any authenticated user without a matching policy.

The permissions of the built-in ArgoCD admin account specifically

✗ Try again — the admin account always has full access regardless of policy.default.

Read-only access to the ArgoCD UI dashboard only

✗ Try again — policy.default applies to API and CLI access, not only the UI.

Which line correctly maps an SSO group to a custom ArgoCD role in Casbin policy format?p, my-org:developers, role:dev-team, get, */*, allow

✗ Try again — that is a permission policy line (p), not a group-to-role binding.

g, my-org:developers, role:dev-team

✓ Well done! The g prefix binds a subject (SSO group or user) to a role in ArgoCD's Casbin policy.

role, my-org:developers, dev-team, bind

✗ Try again — that is not valid Casbin/ArgoCD policy syntax.

18. What is ArgoCD Image Updater and how does it automate container image updates?

ArgoCD Image Updater is an optional add-on controller that monitors container registries for new image tags and automatically updates the image tag references used by ArgoCD Applications — without requiring a CI pipeline to commit changes back to Git manually.

Image Updater watches Applications annotated with argocd-image-updater.argoproj.io/image-list. On each poll cycle it queries the container registry, determines the newest tag satisfying the configured update strategy, then updates the Application's image either by writing a commit back to Git (git write-back mode) or patching the Application's parameter overrides directly in ArgoCD (in-cluster mode).

Image Updater Update Strategies
Strategy	Behavior
semver	Picks the highest tag satisfying a semver constraint (e.g., ~1.2)
latest	Picks the most recently pushed tag by registry timestamp
digest	Tracks a mutable tag (e.g., latest) by its immutable SHA digest
name	Picks the lexicographically greatest tag name

metadata:
  annotations:
    argocd-image-updater.argoproj.io/image-list: myapp=docker.io/myorg/myapp
    argocd-image-updater.argoproj.io/myapp.update-strategy: semver
    argocd-image-updater.argoproj.io/myapp.allow-tags: regexp:^v[0-9]+\.[0-9]+\.[0-9]+$
    argocd-image-updater.argoproj.io/write-back-method: git

In git write-back mode, Image Updater commits the updated image tag to a dedicated branch or the tracked branch, creating a full audit trail in Git. ArgoCD then detects the commit and syncs normally, preserving GitOps principles.

Which Image Updater write-back method preserves GitOps auditability by committing tag changes to the repository?In-cluster parameter override mode

✗ Try again — in-cluster mode patches ArgoCD directly without creating a Git commit.

Git write-back mode

✓ Well done! Git write-back commits the new image tag to the repo, maintaining Git as the source of truth.

Registry webhook mode

✗ Try again — Image Updater polls the registry; there is no distinct webhook write-back mode.

Which Image Updater strategy tracks a mutable tag like 'latest' by its immutable content hash?semver

✗ Try again — semver requires properly tagged version images; it does not track mutable tags by digest.

latest

✗ Try again — the latest strategy picks by registry push timestamp, not by digest pinning.

digest

✓ Well done! The digest strategy monitors a mutable tag but pins deployments to its specific immutable SHA digest.

name

✗ Try again — name picks lexicographically, useful for date-stamped tags, not digest tracking.

19. How does ArgoCD manage multiple clusters and what are the methods for registering them?

ArgoCD is designed to manage applications across multiple Kubernetes clusters from a single control plane. Each cluster is registered with the ArgoCD API server and stored as a Secret in the argocd namespace with the label argocd.argoproj.io/secret-type: cluster.

Two Methods for Registering Clusters

1. CLI (argocd cluster add) — The most common method. The CLI reads your local kubeconfig, creates a ServiceAccount and ClusterRoleBinding in the target cluster, then stores the credentials as a Secret in ArgoCD:

kubectl config use-context my-prod-cluster
argocd cluster add my-prod-cluster --name production

2. Declarative (Secret manifest) — For GitOps-managed ArgoCD deployments, you can commit a cluster Secret directly:

apiVersion: v1
kind: Secret
metadata:
  name: prod-cluster-secret
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: production
  server: https://prod-k8s-api.example.com
  config: |
    {
      "bearerToken": "<token>",
      "tlsClientConfig": { "insecure": false, "caData": "<base64-ca>" }
    }

The in-cluster cluster (https://kubernetes.default.svc) is always available without registration — ArgoCD uses its own service account to access it. For external clusters, the ArgoCD application controller makes API calls to the registered cluster endpoint using the stored credentials.

In practice, tools like the ArgoCD Cluster Generator (part of ApplicationSets) can dynamically register and manage Applications across all clusters registered as Secrets.

How does ArgoCD store registered external cluster credentials?As entries in the argocd-cm ConfigMap

✗ Try again — argocd-cm holds general configuration; cluster credentials are stored in Secrets.

As Kubernetes Secrets labeled argocd.argoproj.io/secret-type: cluster in the argocd namespace

✓ Well done! Each registered cluster is stored as a labeled Secret containing the API endpoint and credentials.

In a dedicated etcd cluster separate from the target Kubernetes clusters

✗ Try again — ArgoCD does not use a separate etcd; it stores state in Kubernetes Secrets and CRDs.

Which cluster does ArgoCD access without any registration step?The in-cluster Kubernetes API at https://kubernetes.default.svc

✓ Well done! ArgoCD uses its own service account to access the cluster it is installed in; no registration needed.

Any cluster whose kubeconfig is stored in the argocd namespace

✗ Try again — kubeconfig files are not how ArgoCD stores cluster credentials; labeled Secrets are used.

Only clusters within the same VPC as the ArgoCD control plane

✗ Try again — network locality is not the determining factor; the in-cluster endpoint is always pre-registered.

20. What are ArgoCD Sync Windows and how do you configure them?

ArgoCD Sync Windows are time-based rules that allow or deny automated sync operations during specific time periods. They give platform teams the ability to prevent ArgoCD from automatically deploying changes during critical periods (e.g., business hours for production, or during a maintenance freeze) or to restrict deployments to specific allowed windows (e.g., only during off-peak hours).

Sync Windows are configured at the AppProject level and apply to all Applications in that Project. Each window has four properties:

kind: allow or deny — whether this window permits or blocks sync.
schedule: a cron expression (e.g., 0 22 * * * for 10 PM daily).
duration: how long the window lasts (e.g., 2h).
applications / namespaces / clusters: optional filters to apply the window to specific targets.

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: production
  namespace: argocd
spec:
  syncWindows:
    - kind: deny
      schedule: "* * * * 1-5"   # deny all day Mon-Fri
      duration: 24h
      applications:
        - "*"
    - kind: allow
      schedule: "0 22 * * 5"    # allow Friday at 10 PM
      duration: 4h
      applications:
        - "*"

When a deny window is active, ArgoCD marks the Application as SyncWindowDenied and automated sync is blocked. Manual sync is also blocked unless the Application has the manualSync flag enabled in the window definition, which lets operators override in emergencies.

At which ArgoCD resource level are Sync Windows configured?On each individual Application manifest

✗ Try again — Sync Windows are defined in AppProject specs and apply to all Applications in that Project.

On the AppProject resource

✓ Well done! Sync Windows are a spec field of AppProject and govern all Applications belonging to it.

In the argocd-cm ConfigMap as a global setting

✗ Try again — argocd-cm holds general settings; Sync Windows are Project-scoped.

What ArgoCD sync status does an Application show when a deny Sync Window is active?OutOfSync

✗ Try again — OutOfSync reflects a diff between Git and cluster state; SyncWindowDenied is the specific status for a blocked window.

Suspended

✗ Try again — Suspended is a health status, typically for paused CronJobs, not a sync window block.

SyncWindowDenied

✓ Well done! ArgoCD shows SyncWindowDenied when an active deny window blocks automated or manual sync.

21. How does ArgoCD handle ignoreDifferences and when should you use it?

The ignoreDifferences field in an ArgoCD Application spec tells ArgoCD to exclude specific fields from the diff calculation between the desired Git state and the live cluster state. Without it, any field that differs — even one managed by Kubernetes controllers or admission webhooks — causes the Application to show as OutOfSync.

Common scenarios requiring ignoreDifferences:

Kubernetes controllers that mutate resources after creation (e.g., the HPA controller adding status, or the API server injecting creationTimestamp: null).
Admission webhooks that inject sidecar containers or default annotations.
Fields deliberately managed outside Git (e.g., replicas when using an HPA — you don't want ArgoCD overwriting the HPA-managed replica count with the static Git value).

ignoreDifferences:
  - group: apps
    kind: Deployment
    jsonPointers:
      - /spec/replicas         # HPA manages this; ignore Git's static value
  - group: "*"
    kind: "*"
    managedFieldsManagers:
      - kube-controller-manager
      - helm-operator

You can scope ignoreDifferences to specific resource groups/kinds and use JSON pointers for field-level precision, or use managedFieldsManagers to ignore all fields last-written by a specific field manager. The RespectIgnoreDifferences sync option extends this further — not only does ArgoCD ignore the diff, it also skips overwriting those fields during sync, letting external controllers retain full ownership.

Why would you add /spec/replicas to ignoreDifferences for a Deployment managed by an HPA?To prevent ArgoCD from overwriting the HPA-managed replica count with the static Git value during sync

✓ Well done! The HPA continuously adjusts replicas; ignoring that field lets ArgoCD and the HPA coexist without conflict.

To allow the Deployment to scale to zero automatically on low traffic

✗ Try again — scale-to-zero is KEDA/HPA behavior; ignoreDifferences controls ArgoCD's diff logic, not autoscaling.

To hide the Deployment from the ArgoCD UI entirely

✗ Try again — ignoreDifferences affects diff calculation only; the resource still appears in the UI.

What does the RespectIgnoreDifferences sync option add beyond the base ignoreDifferences behavior?It applies ignoreDifferences rules to child resources as well as parent resources

✗ Try again — ignoreDifferences can already be scoped to any resource type; that is not what RespectIgnoreDifferences adds.

It also skips overwriting the ignored fields during sync, letting external controllers retain ownership

✓ Well done! Without RespectIgnoreDifferences, ArgoCD still overwrites ignored fields during sync even though it ignores them in diffs.

It removes the ignored fields from the live cluster resource permanently

✗ Try again — it preserves external management of those fields; it does not delete them.

22. What are ArgoCD resource health checks and how do you write a custom one?

ArgoCD evaluates the health of every managed Kubernetes resource using health check scripts written in Lua. For built-in resource types (Deployments, StatefulSets, DaemonSets, Services, Ingresses, PVCs, Jobs, CronJobs, etc.), ArgoCD ships with health checks out of the box. For Custom Resource Definitions (CRDs), ArgoCD returns Unknown health unless you provide a custom Lua script.

A Lua health check script receives the live resource object and must return a hs table with at least two fields: status (one of Healthy, Progressing, Degraded, Suspended) and message (a human-readable explanation).

Custom health checks are registered in the argocd-cm ConfigMap under the resource.customizations.health key:

# argocd-cm ConfigMap
data:
  resource.customizations.health: |
    certmanager.k8s.io/Certificate: |
      hs = {}
      if obj.status ~= nil then
        if obj.status.conditions ~= nil then
          for i, condition in ipairs(obj.status.conditions) do
            if condition.type == "Ready" and condition.status == "True" then
              hs.status = "Healthy"
              hs.message = "Certificate is ready"
              return hs
            end
          end
        end
      end
      hs.status = "Progressing"
      hs.message = "Waiting for certificate to become ready"
      return hs

The Lua sandbox in ArgoCD is restricted — it has no network access, file I/O, or most standard library functions. You work with the resource object (as a Lua table) and the hs return table only. This makes health checks fast and safe but requires understanding Lua table syntax for navigating nested JSON-like structures.

What language are ArgoCD resource health check scripts written in?Python

✗ Try again — ArgoCD health checks use Lua, not Python.

JavaScript

✗ Try again — ArgoCD uses Lua for scripting, not JavaScript.

Lua

✓ Well done! ArgoCD embeds a restricted Lua sandbox for both health checks and resource actions.

OPA Rego

✗ Try again — Rego is used in OPA/Gatekeeper; ArgoCD uses Lua for its scripting needs.

Where do you register a custom health check script for a CRD in ArgoCD?In the argocd-cm ConfigMap under resource.customizations.health

✓ Well done! Custom health checks are registered in argocd-cm keyed by group/Kind.

As an annotation on the CRD resource itself

✗ Try again — health checks are configured centrally in argocd-cm, not per-resource annotations.

In the AppProject spec under healthChecks

✗ Try again — AppProject does not have a healthChecks field; health customizations live in argocd-cm.

23. How does ArgoCD handle SSO and what identity providers does it support?

ArgoCD supports Single Sign-On (SSO) through two integration paths: built-in Dex (bundled OpenID Connect identity broker) and external OIDC providers (configured directly in argocd-cm without Dex).

Built-in Dex

Dex acts as an OIDC proxy that federates authentication to upstream identity providers. You configure connectors in the argocd-cm ConfigMap under the dex.config key. Dex supports: GitHub/GitHub Enterprise (OAuth), GitLab, LDAP, SAML 2.0, Microsoft (Azure AD), Google, and any generic OIDC provider.

# argocd-cm
data:
  dex.config: |
    connectors:
      - type: github
        id: github
        name: GitHub
        config:
          clientID: $dex-github-client-id
          clientSecret: $dex-github-client-secret
          orgs:
            - name: my-org

External OIDC

If you already have an OIDC provider (Okta, Auth0, Keycloak, Azure AD with OIDC), you can bypass Dex entirely by configuring ArgoCD to accept tokens directly:

data:
  oidc.config: |
    name: Okta
    issuer: https://my-org.okta.com
    clientID: <client-id>
    clientSecret: $oidc-client-secret
    requestedScopes: [openid, profile, email, groups]

After SSO is configured, groups from the identity provider are mapped to ArgoCD roles in the RBAC policy using g, <group-name>, <argocd-role> lines. This means managing ArgoCD access becomes a matter of IdP group membership rather than per-user ArgoCD configuration.

What is the role of Dex in ArgoCD's SSO architecture?It replaces the ArgoCD API server for authentication requests

✗ Try again — Dex is a separate service that proxies to upstream IdPs; the API Server still handles ArgoCD requests.

It acts as an OIDC broker that federates authentication to upstream providers like GitHub or LDAP

✓ Well done! Dex translates upstream IdP protocols (OAuth, SAML, LDAP) into OIDC tokens for ArgoCD.

It stores user credentials in a dedicated ArgoCD database

✗ Try again — Dex is stateless (or uses a lightweight store); it does not maintain a credential database for ArgoCD.

After SSO is configured, how are identity provider groups mapped to ArgoCD permissions?By creating a Kubernetes RoleBinding for each group in the argocd namespace

✗ Try again — ArgoCD RBAC uses its own policy.csv in argocd-rbac-cm, not Kubernetes RoleBindings.

Using g, group-name, argocd-role lines in the argocd-rbac-cm policy.csv

✓ Well done! Group-to-role bindings in argocd-rbac-cm connect IdP groups to ArgoCD's Casbin policy roles.

By annotating the Dex connector config with allowed group names

✗ Try again — Dex connector config controls what groups are forwarded; role mapping happens in argocd-rbac-cm separately.

24. What is the ArgoCD CLI and what are the most common commands used day-to-day?

The ArgoCD CLI (argocd) is a command-line tool for interacting with the ArgoCD API Server. It is the primary interface for operators who prefer the terminal over the UI and is also used in CI/CD pipelines for triggering or waiting on syncs.

Before using the CLI, you must log in:

argocd login <argocd-server> --username admin --password <password>
# Use --grpc-web if behind an HTTP proxy or load balancer

Common day-to-day commands:

Command	Purpose
`argocd app list`	List all Applications with sync and health status
`argocd app get <app>`	Show detailed status, sync info, and resource tree for an Application
`argocd app sync <app>`	Trigger a sync; add `--prune` to allow pruning, `--dry-run` to preview
`argocd app wait <app>`	Block until the Application reaches a target health/sync state (useful in CI)
`argocd app diff <app>`	Show the diff between live cluster state and Git desired state
`argocd app rollback <app> <id>`	Roll back to a specific sync history revision
`argocd app set <app> --helm-set key=val`	Override Helm values at the Application level without changing Git
`argocd cluster list`	List all registered clusters
`argocd proj list`	List all AppProjects

In CI/CD pipelines, the typical pattern is: build image → push image → update Git tag → argocd app wait <app> --health to block the pipeline until ArgoCD confirms the deployment is healthy.

Which CLI command is most useful in a CI/CD pipeline to block execution until a deployment is healthy?argocd app sync <app>

✗ Try again — sync triggers the apply but does not block until health is confirmed.

argocd app wait <app> --health

✓ Well done! argocd app wait blocks the pipeline until the Application reaches the desired health state.

argocd app get <app>

✗ Try again — get shows current status as a snapshot; it does not block waiting for a state change.

argocd app diff <app>

✗ Try again — diff shows the difference between Git and cluster; it does not block for health.

What does the --dry-run flag do in argocd app sync?It syncs the Application but skips running any PreSync hooks

✗ Try again — skipping hooks uses --skip-hooks; --dry-run previews without applying anything.

It previews what would be applied without making any changes to the cluster

✓ Well done! --dry-run shows the planned changes as a diff without touching the live cluster.

It syncs using Helm's --dry-run flag specifically for Helm applications

✗ Try again — --dry-run on the ArgoCD CLI applies to all app types, not just Helm.

25. How does ArgoCD compare to Flux and when would you choose one over the other?

ArgoCD and Flux are the two most popular GitOps tools for Kubernetes, and both implement the GitOps principles well. The key differences come down to architecture, UX, and ecosystem fit.

ArgoCD vs. Flux Comparison
Dimension	ArgoCD	Flux
Architecture	Centralized: one ArgoCD instance can manage multiple clusters from a control-plane cluster	Distributed: Flux agents run inside each managed cluster
UI	Rich web UI showing resource trees, sync status, diffs, and logs	No built-in UI; relies on CLI and external dashboards (Weave GitOps)
Multi-tenancy	AppProjects + RBAC built-in	Requires additional tooling or Flux Tenancy controllers
Notification system	ArgoCD Notifications (separate controller)	Flux Notification controller (built-in)
Image automation	ArgoCD Image Updater (separate add-on)	Flux Image Reflector + Automation controllers (built-in)
OCI artifacts	Supported (Application source)	Supported (OCIRepository source)
Secret management	External tools (Sealed Secrets, ESO)	External tools (SOPS native support built-in)

Choose ArgoCD when: you want a rich UI, centralized multi-cluster management from a single pane, and strong built-in RBAC with AppProjects. It is often preferred by platform teams managing many teams and clusters through one control plane.

Choose Flux when: you prefer a CLI-first, lightweight approach with no central control-plane dependency, want native SOPS secret encryption, or are building a distributed multi-cluster setup where each cluster is fully self-contained.

How does Flux's architecture differ from ArgoCD's in a multi-cluster setup?Flux uses a central control-plane cluster that pushes changes to managed clusters

✗ Try again — that describes ArgoCD's centralized model; Flux runs agents inside each cluster.

Flux agents run inside each managed cluster independently, with no central control plane required

✓ Well done! Flux is distributed by design; each cluster runs its own controllers and reconciles against Git independently.

Flux and ArgoCD both require a dedicated management cluster separate from workload clusters

✗ Try again — ArgoCD can run on a management cluster, but Flux runs inside each workload cluster.

Which secret management approach does Flux support natively that ArgoCD does not?External Secrets Operator integration

✗ Try again — both ArgoCD and Flux work with ESO; it is not a Flux-exclusive native feature.

SOPS-encrypted secrets decrypted at reconciliation time

✓ Well done! Flux natively decrypts SOPS-encrypted manifests using age or GPG; ArgoCD requires external tooling for SOPS.

Sealed Secrets with automatic cluster key rotation

✗ Try again — Sealed Secrets is an external tool used by both ecosystems; Flux has no special native advantage here.

26. What is server-side apply in ArgoCD and why might you enable it?

Server-side apply (SSA) is a Kubernetes API feature (GA since Kubernetes 1.22) where the API server — rather than the client — merges resource updates and tracks field ownership via managed fields. ArgoCD can use SSA instead of its default client-side apply (kubectl apply) by setting the ServerSideApply=true sync option.

With the default client-side apply, ArgoCD computes the three-way merge on the client using the last-applied-configuration annotation. This can cause conflicts when multiple tools (e.g., ArgoCD and a Helm operator) modify the same resource, or when large resources exceed the annotation size limit (generally ~256KB).

Benefits of enabling SSA in ArgoCD:

Field ownership tracking: The API server knows which field manager last set each field, enabling clean conflict detection and resolution without the last-applied annotation hack.
No annotation size limits: Large resources (e.g., CRDs with huge schemas, ConfigMaps with large data) no longer hit the 256KB annotation ceiling.
Better multi-manager coexistence: ArgoCD can own some fields while another controller owns others, without either overwriting the other's fields on each apply.
CRD-friendly: Works better with CRDs that have complex structural schemas.

syncOptions:
  - ServerSideApply=true

The trade-off: SSA errors are sometimes harder to interpret than client-side apply errors, and not all Kubernetes versions or configurations handle all edge cases identically. It is worth enabling for complex resources or when you hit annotation size limits.

What is the primary mechanism used by ArgoCD's default client-side apply to track what was last applied to a resource?The kubectl.kubernetes.io/last-applied-configuration annotation

✓ Well done! Client-side apply stores the last full manifest in this annotation for three-way merge calculations.

A dedicated ArgoCD Secret storing diffs for each resource

✗ Try again — ArgoCD does not store per-resource diffs in Secrets; it uses the standard last-applied annotation.

Kubernetes managed fields tracked by the API server

✗ Try again — managed fields are the server-side apply mechanism, not the client-side apply mechanism.

Which scenario is a strong reason to enable ServerSideApply=true in ArgoCD?You want to speed up ArgoCD's reconciliation loop by reducing API calls

✗ Try again — SSA does not materially reduce API call count; it changes who computes the merge.

A large resource exceeds the 256KB last-applied-configuration annotation size limit

✓ Well done! SSA eliminates the annotation, removing the size ceiling that client-side apply imposes.

You need ArgoCD to apply manifests faster by skipping health checks

✗ Try again — SSA is about apply strategy, not health check skipping.

27. How does ArgoCD handle notifications and what channels does it support?

ArgoCD Notifications is a separate controller (shipped as part of the ArgoCD Helm chart and optionally in the install manifest) that sends alerts and messages when ArgoCD Application events occur. It subscribes to Application state changes and triggers configured notification services when conditions are met.

The notification system has three components:

Triggers: conditions that activate a notification (e.g., on-sync-succeeded, on-health-degraded, on-sync-failed). You can also write custom trigger expressions.
Templates: message content rendered as text or structured blocks (Slack attachments, email HTML). Templates use Go template syntax and have access to the Application object.
Services: the channels where messages are sent. Configured in a Secret (argocd-notifications-secret) and a ConfigMap (argocd-notifications-cm).

Supported notification channels include: Slack, Microsoft Teams, Email (SMTP), PagerDuty, OpsGenie, GitHub (commit status), Bitbucket, Grafana annotations, Rocketchat, Telegram, Webhook (generic HTTP), and more via community contributions.

# Subscribe an Application to a notification
metadata:
  annotations:
    notifications.argoproj.io/subscribe.on-sync-failed.slack: my-deployments-channel
    notifications.argoproj.io/subscribe.on-health-degraded.pagerduty: "true"

Subscriptions are set as annotations on the Application resource. This means different teams can subscribe their applications to different channels without central coordination, and the configuration lives in Git alongside the Application manifest.

How do you subscribe an ArgoCD Application to receive Slack notifications on sync failure?Add an annotation notifications.argoproj.io/subscribe.on-sync-failed.slack: channel-name to the Application

✓ Well done! Notification subscriptions are annotation-based, keeping them co-located with the Application manifest in Git.

Add the Application name to the slack.subscriptions list in argocd-notifications-cm

✗ Try again — subscriptions are set as annotations on the Application, not as entries in the notifications ConfigMap.

Configure a PostSync hook Job that calls the Slack API directly

✗ Try again — that works but is not the ArgoCD Notifications approach; it bypasses the notifications controller entirely.

Where are ArgoCD Notifications service credentials (e.g., Slack token) stored?In the argocd-cm ConfigMap alongside other ArgoCD configuration

✗ Try again — credentials are stored in the argocd-notifications-secret Secret, not in a ConfigMap.

In the argocd-notifications-secret Kubernetes Secret

✓ Well done! Sensitive service credentials like API tokens are stored in argocd-notifications-secret.

Directly in the Application annotations as base64-encoded values

✗ Try again — storing credentials in annotations would expose them in Git; they are kept in a Secret.

28. How do you perform a rollback in ArgoCD?

ArgoCD stores a history of every sync operation for each Application, including the Git commit SHA, parameters, and manifests that were applied. Rolling back means telling ArgoCD to re-sync the Application to a specific previous revision from this history, overriding the current HEAD of the tracked branch.

Rollback via CLI

# View sync history
argocd app history my-app

# Roll back to history ID 3
argocd app rollback my-app 3

Rollback via UI

In the ArgoCD UI, navigate to the Application → History and Rollback tab. Each entry shows the commit SHA, time, and initiator. Click Rollback on any row to restore that state.

Important caveats:

A rollback puts the Application into an OutOfSync state relative to the current Git HEAD, because the cluster is now running a different revision than what Git currently says.
If automated sync or self-healing is enabled, ArgoCD will immediately re-sync back to HEAD after the rollback, undoing it. You must disable automated sync before rolling back if you want the rollback to persist.
The GitOps-native alternative to rollback is to revert the Git commit — this preserves the audit trail and lets ArgoCD sync forward to the reverted state rather than syncing backward.

History retention is configurable via server.app.revision.history.limit in argocd-cm (default is 10 revisions).

What sync status does an Application enter immediately after an ArgoCD rollback operation?OutOfSync — because the cluster is now running a different revision than the current Git HEAD

✓ Well done! The cluster diverges from HEAD after rollback, so ArgoCD correctly reports OutOfSync.

Synced — because ArgoCD considers the rollback revision as the new desired state

✗ Try again — ArgoCD always compares against the tracked Git revision; a rollback creates a mismatch.

Suspended — because automated sync is automatically disabled after a rollback

✗ Try again — ArgoCD does not automatically suspend; you must manually disable automated sync before rolling back.

Why is reverting a Git commit generally preferred over using argocd app rollback?Because argocd app rollback is slower than a Git revert

✗ Try again — speed is not the distinction; the reason is auditability and GitOps consistency.

A Git revert preserves the full audit trail and keeps Git as the source of truth without creating a diverged state

✓ Well done! A Git revert is a forward operation that ArgoCD syncs to normally, maintaining GitOps principles throughout.

Because argocd app rollback requires cluster-admin privileges that Git revert does not

✗ Try again — permissions are not the key distinction here.

29. What is the ArgoCD repository server caching strategy and how does it affect performance?

The ArgoCD Repository Server caches rendered manifests to avoid redundant Git clones and template renders on every reconciliation cycle. Understanding this cache is important for diagnosing stale manifest issues and tuning performance at scale.

What is cached:

Rendered manifests keyed by (repoURL, targetRevision, path, applicationSourceType, parameters). If all these inputs are identical to a previous render, the cached output is returned without re-running helm template or kustomize build.
Git repository metadata (refs, commit SHAs) to avoid repeated git ls-remote calls.
The actual git clone is reused as a local cache on disk within the repository server pod.

Cache storage: By default, rendered manifest cache is stored in Redis. The default TTL is 24 hours. When Redis is unavailable, the repo server falls back to re-rendering on every request.

Cache invalidation: The cache is invalidated when any of the cache key components change — primarily when a new commit is pushed (changing the resolved SHA for HEAD). Webhook delivery from Git accelerates this by immediately triggering a refresh without waiting for the 3-minute poll cycle.

Configurable limits:

# argocd-cm
data:
  reposerver.parallelism.limit: "10"    # max parallel manifest generations
  timeout.reconciliation: 180s           # how often apps are reconciled

At large scale (hundreds of applications), the repository server becomes a bottleneck. Horizontal scaling is possible — you can run multiple repo server replicas behind a load balancer. Combine this with reposerver.parallelism.limit tuning to prevent OOM from concurrent Helm renders.

What storage backend does ArgoCD use by default for its rendered manifest cache?A PersistentVolume mounted by the repository server pod

✗ Try again — ArgoCD does not use a PersistentVolume for its manifest cache; it uses Redis.

Redis

✓ Well done! Rendered manifests are cached in Redis with a default 24-hour TTL.

An in-memory cache local to each repository server pod

✗ Try again — the in-memory git clone is local, but rendered manifest cache is stored in Redis so multiple repo server replicas can share it.

What is the primary benefit of configuring Git webhooks for ArgoCD?Webhooks allow ArgoCD to push manifests directly to the cluster on commit

✗ Try again — ArgoCD always pulls; webhooks notify ArgoCD of new commits to trigger an immediate refresh, not a push.

Webhooks trigger an immediate cache invalidation and refresh instead of waiting for the 3-minute poll cycle

✓ Well done! Webhooks reduce the latency between a Git commit and ArgoCD detecting and acting on the change.

Webhooks enable ArgoCD to receive Kubernetes events from the cluster directly

✗ Try again — Kubernetes events reach ArgoCD through its watch on the API server, not through Git webhooks.

Testing

	Interviews Questions Java Spring Hibernate Maven Testing API BigData Web DataStructures AI Database MuleESB Cloud Scala Tools	About Javapedia.net Javapedia.net is for Java and J2EE developers, technologist and college students who prepare of interview. Also this site includes many practical examples. This site is developed using J2EE technologies by Steve Antony, a senior Developer/lead at one of the logistics based company.
	contact: javatutorials2016[at]gmail[dot]com
Kindly consider donating for maintaining this website. Thanks.
	Copyright © 2026, javapedia.net, all rights reserved. privacy policy.