ApplicationSet Controller policies
The ApplicationSet controller supports a parameter --policy, which is specified on launch (within the controller Deployment container), and which restricts what types of modifications will be made to managed Argo CD Application resources.
ApplicationSet Controller Policy configuration
The --policy parameter takes four values: sync, create-only, create-delete, and create-update. (sync is the default, which is used if the --policy parameter is not specified; the other policies are described below.)
- Policy create-only: Prevents ApplicationSet controller from modifying or deleting Applications. WARNING: It doesn't prevent Application controller from deleting Applications according to ownerReferences when deleting ApplicationSet.
- Policy create-update: Prevents ApplicationSet controller from deleting Applications. Update is allowed. WARNING: It doesn't prevent Application controller from deleting Applications according to ownerReferences when deleting ApplicationSet.
- Policy create-delete: Prevents ApplicationSet controller from modifying Applications. Delete is allowed.
- Policy sync: Update and Delete are allowed.
It is also possible to set this policy per ApplicationSet. This can be achieved using the configuration described in the Argo CD documentation.
If the controller parameter --policy is set, it takes precedence over the ApplicationSet field applicationsSync. It is possible to allow a per-ApplicationSet sync policy by setting variable ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE to argocd-cmd-params-cm applicationsetcontroller.enable.policy.override or directly with the controller parameter --enable-policy-override (defaults to false).
Policy create-only: Prevent ApplicationSet controller from modifying and deleting Applications
To allow the ApplicationSet controller to create Application resources, but prevent any further modification, such as deletion, or modification of Application fields, add this parameter in the ApplicationSet controller:
--policy create-only
WARNING: Here "deletion" means the case where, comparing the generated Applications before and after, some Applications no longer exist. It does not mean the case where Applications are deleted according to their ownerReferences to the ApplicationSet. See "How to prevent Application controller from deleting Applications when deleting ApplicationSet".
Example:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd-sample
spec:
  applicationSet:
    extraCommandArgs:
      - --policy create-only
Policy create-update: Prevent ApplicationSet controller from deleting Applications
To allow the ApplicationSet controller to create or modify Application resources, but prevent Applications from being deleted, add the following parameter to the ApplicationSet controller:
--policy create-update
WARNING: Here "deletion" means the case where, comparing the generated Applications before and after, some Applications no longer exist. It does not mean the case where Applications are deleted according to their ownerReferences to the ApplicationSet. See "How to prevent Application controller from deleting Applications when deleting ApplicationSet".
This may be useful to users looking for additional protection against deletion of the Applications generated by the controller.
Example:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd-sample
spec:
  applicationSet:
    extraCommandArgs:
      - --policy create-update
Policy create-delete: Prevent ApplicationSet controller from modifying Applications
To allow the ApplicationSet controller to create or delete Application resources, but prevent Applications from being modified, add the following parameter to the ApplicationSet controller:
--policy create-delete
Example:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd-sample
spec:
  applicationSet:
    extraCommandArgs:
      - --policy create-delete
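The four policies above, worked through as an added example (this is not Argo CD's own code): a simplified model of the before/after comparison that the warnings call "deletion", showing which create, update and delete actions each --policy value permits or blocks. The names Plan and policies, the Application names and the spec digests are hypothetical, and cascade deletion through ownerReferences is outside this model, as it is outside the policy.

```go
package main

import (
	"fmt"
	"sort"
)

// Permissions per --policy value, as listed on this page.
var policies = map[string]struct{ Update, Delete bool }{
	"sync":          {true, true},
	"create-only":   {false, false},
	"create-update": {true, false},
	"create-delete": {false, true},
}

// Plan compares existing Applications (name -> spec digest, constructed values)
// with the generated ones and splits the resulting actions into those the
// policy permits and those it blocks. Hypothetical, simplified model.
func Plan(policy string, existing, generated map[string]string) (allowed, blocked []string, err error) {
	p, ok := policies[policy]
	if !ok {
		return nil, nil, fmt.Errorf("unknown policy %q", policy)
	}
	out := map[bool]*[]string{true: &allowed, false: &blocked}
	add := func(permit bool, action string) { *out[permit] = append(*out[permit], action) }
	for name, spec := range generated {
		if old, found := existing[name]; !found {
			add(true, "create "+name) // creation is permitted by every policy
		} else if old != spec {
			add(p.Update, "update "+name)
		}
	}
	for name := range existing {
		if _, still := generated[name]; !still {
			add(p.Delete, "delete "+name) // no longer generated: the "deletion" case
		}
	}
	sort.Strings(allowed)
	sort.Strings(blocked)
	return allowed, blocked, nil
}

func main() {
	existing := map[string]string{"app-dev": "v1", "app-old": "v1"}  // constructed
	generated := map[string]string{"app-dev": "v2", "app-new": "v1"} // constructed
	for _, pol := range []string{"sync", "create-only", "create-update", "create-delete"} {
		a, b, _ := Plan(pol, existing, generated)
		fmt.Printf("%-14s allowed=%v blocked=%v\n", pol, a, b)
	}
}
```

A blocked entry under create-only or create-update means the stale Application stays in the cluster until it is removed by other means.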