Controller doesn't skip refreshes for disallowed resources or for ignored fields

[crenshaw-dev]

Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

Suppose I have a frequently-updated resource in a namespace that is monitored by one or more Apps (whether explicitly or via an orphanedResources policy).

The App is refreshed even in these cases:

1. When the resource is monitored as part of an orphanedResource policy, but is disallowed by the App's Project.
2. When the changed fields are ignored at the App level.
3. When the changed fields are ignored at the argocd-cm level.

This fills up logs.

To Reproduce

1. Create a resource (say, a ConfigMap) called test-cm in a new namespace called test-namespace.
2. Create an App called test-app pointing to that namespace. Make sure orphanedResources: {} is set in the App.
3. Update the ConfigMap and note the line in the app controller logs: Refreshing app XYZ for change in cluster of object test-namespace/test-cm of type v1/ConfigMap
4. Add ConfigMaps to the ignoreDifferences in argocd-cm. Update the ConfigMap and notice that the refresh is still logged.
5. Add ConfigMaps to the ignoreDifferences in the Application. Update the ConfigMap and notice that the refresh is still logged.
6. Edit the test-app's Project to allow only non-ConfigMap resources (say, by adding Deployment as the only allowed namespaced resource). Update the ConfigMap and notice that the refresh is still logged.
7. Remove the orphanedResource: {} line from the App. Update the ConfigMap and notice that the refresh is no longer logged.

I believe this line is the problem:

argo-cd/controller/appcontroller.go

Line 295 in 61f48d5

// retrieve applications which monitor orphaned resources in the same namespace and refresh them unless resource is denied in app project

The comment indicates disallowed/ignored resources shouldn't trigger a refresh. But as far as I can tell, no such check is being performed.

Expected behavior

I expected the controller to not refresh the app for an ignored or disallowed resource.

Screenshots

Version

Paste the output from `argocd version` here.

Logs

Paste any relevant application logs here.

[crenshaw-dev]

There's reason to believe this doesn't only happen to orphaned resources. Any resource in the tree will be refreshed regardless of ignoreDifferences: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1654110592010629

[theluckiesthuman]

@crenshaw-dev I am working on this and will raise a PR soon.

[sidewinder12s]

@theluckiesthuman Did you get a chance to raise anything?

[pepe9012]

When a new ignoreResourceUpdates feature come to argocd v2.8, I've found that it's also affected. When orphanedResources are monitored, ignoreResourceUpdates is absolutely ignored.

CPU Usage with and without orphanedResources in AppProject:

Reconcilitation with and without orphanedResources in AppProject:

@agaudreault-jive maybe interested in fixing this one? 🙏 i saw more related issues with cpu usage when orphaned resources are monitored, but all of them are closed, but ignoreResourceUpdates is not a working solution.

[agaudreault]

@pepe9012 due to the current implementation of orphan resources, ignoreResourceUpdates will not filter the refreshes and will only filter it for resources that directly belong to an application.

I think it is fair to update the current issue to add When ignoreResourceUpdates is configured to ignore the property that changed.

[khorn7sk]

This is issue also impact us. We are using VPA, and VPA controller often refresh their CR, this is triggered ArgoCD for refreshing. A lot of refreshes make DDos attack on our git instance.

[duizabojul]

Any update on this? This is a fairly serious issue imho.

[icecoffee531]

We also have the same problem. We are using HPA without GitOps. Since HPA is an untracked resource, even if we configure the ingnoreUpdateResources, argocd-application-controller cannot ignore the changes to these HPAs.

[jdomag]

@crenshaw-dev can you shed some light on how objects that doesn't belong to an App cause the App refresh?
Example:

• I use aws-load-balancer-controller - the controller creates a configmap that doesn't belong to the App object.
• Every time the configmap changes, it causes App to be refreshed - how does argocd know to refresh it when it doesn't track it? The configmap doesn't have any labels or annotations point to argocd - see below:

  5 apiVersion: v1
  6 kind: ConfigMap
  7 metadata:
  8   annotations:
  9     control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"aws-load-balancer-controller-848cf7dfdc-88dpg_
 10   creationTimestamp: "2021-09-29T09:13:01Z"
 11   name: aws-load-balancer-controller-leader
 12   namespace: kube-system
 13   resourceVersion: "1408042931"
 14   uid: 6677c3a5-9022-44a7-8cb9-xyz

• what's more I see in the debug logs that changes in above configmap causes the refresh of kube2aim Application - which has nothing to do with aws-load-balancer-controller

application-controller {"api-version":"v1","application":"argocd/kube2iam","cluster-name":"","fields.level":1,"kind":"ConfigMap","level":"debug","msg":"Requesting app refresh caused by object update","name":"aws-load-balancer-controller-leader","namespace":"kube-system","server":"https://kubernetes.default.svc","time":"2024-05-06T09:53:02Z"}