ArgoCD Becomes Unresponsive and Frequently Disconnects from the Cluster When Kyverno is Installed (Same or Different Cluster) #20977

hablislim · 2024-11-27T16:03:16Z

argoCD version: v2.11.2+25f7504

kyverno version: 1.12.5

Checklist:

I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
I've included steps to reproduce the bug.
I've pasted the output of argocd version.

Describe the bug

When Kyverno is deployed on the Kubernetes cluster alongside ArgoCD (or in a separate cluster), ArgoCD becomes significantly slower and eventually disconnects from the k8s cluster. This issue affects the overall performance and usability of ArgoCD, causing interruptions in the continuous deployment process.

We set up ArgoCD following the official documentation and incorporated best practices outlined in the ArgoCD user notes. Additionally:

we excluded specific Kyverno-related objects by applying the following configuration:

resource.exclusions: |
  - apiGroups:
      - kyverno.io
      - reports.kyverno.io
      - wgpolicyk8s.io
    kinds:
      - ClusterPolicyReport
      - PolicyReport
      - EphemeralReport
    clusters:
      - '*'

Ignore diff in aggregated cluster roles

  resource.compareoptions: |
    ignoreAggregatedRoles: true

Enable Replace in the syncOptions in kyverno argoCD application

    syncOptions:
      - Replace=true

To Reproduce

Deploy a Kubernetes cluster.
Install ArgoCD on the cluster.
Configure ArgoCD with kyverno recommended configuration.
Install Kyverno policies on the same cluster.
Observe the performance degradation in ArgoCD, including delays and frequent disconnects.

Expected behavior

ArgoCD should remain stable and perform efficiently, even when Kyverno is deployed on the same cluster. Both tools should coexist without negatively impacting each other.

Screenshots

Version

argocd: v2.11.2+25f7504

Logs

Failed to load live state: failed to get cluster info for "https://xxx.xxx.xxx.xxx": 
error synchronizing cache state : error getting openapi resources: 
the server is currently unable to handle the request

Related links:
ArgoCD configuration with kyverno

The text was updated successfully, but these errors were encountered:

hablislim · 2024-11-27T16:23:58Z

@andrii-korotkov-verkada please note that argocD version is v2.11.2 (I updated the description)

andrii-korotkov-verkada · 2024-11-27T16:29:48Z

Can you share some logs, like for "Reconciliation Completed"?

LS80 · 2024-11-28T09:06:34Z

What is your Kyverno version? Could be this?

bygui86 · 2024-11-28T09:19:29Z

Hi guys
I'm working with @hablislim on the same project.

Here a screenshot about an ArgoCD App conditions while connectivity is lost

@andrii-korotkov-verkada actually the reconciliation doesn't happen because ArgoCD looses connection to the K8s cluster. We are 100% sure that there is no connectivity issues for following reasons:

before deploying Kyverno, no issues at all, ArgoCD working good 100% of time
kubectl commands from local and from within the ArgoCD cluster work perfectly
most importantly, right after removing Kyverno ArgoCD is able to re-establish the connection almost instantly

@LS80 as you can see in the description, we use Kyverno v1.12.5. I read that issue already and to avoid it we introduced the reports-server and excluded Kyverno ClusterPolicyReport, PolicyReport, EphemeralReport CRDs in ArgoCD configuration (as already reported in the description).

andrii-korotkov-verkada · 2024-11-28T12:38:30Z

These logs indicate to me that ArgoCD can't query URL from Kyverno. Do you have logs on Kyverno side, like whether there's some permission denied or rate limiting happening?

bygui86 · 2024-11-28T20:52:30Z

@andrii-korotkov-verkada thanks for your message.
Sorry but I'm not sure to understand. What do you mean by "ArgoCD can't query URL from Kyverno"?
Anyway we removed Kyverno after collecting some information but we found nothing relevant in the logs, we will deploy Kyverno again in a sandbox K8s cluster to see whether we can replicate the same behaviour.

andrii-korotkov-verkada · 2024-11-28T20:54:28Z

I was referring to get cluster info error for the cluster. Maybe I misunderstood. Can you try querying the url normally with Kyverno being there and see what happens?

bygui86 · 2024-11-28T21:28:00Z

@andrii-korotkov-verkada actually here is where it becomes weird :|
With Kyverno in place and ArgoCD with connection lost, the K8s cluster is perfectly reachable via kubectl from local. No issue running commands like "kubectl get pods" or any similar.

hablislim added the bug Something isn't working label Nov 27, 2024

andrii-korotkov-verkada added the version:2.13 Latest confirmed affected version is 2.13 label Nov 27, 2024

andrii-korotkov-verkada added version:2.11 Latest confirmed affected version is 2.11 and removed version:2.13 Latest confirmed affected version is 2.13 labels Nov 27, 2024

andrii-korotkov-verkada added the more-information-needed Further information is requested label Nov 27, 2024

andrii-korotkov-verkada removed the more-information-needed Further information is requested label Nov 28, 2024

andrii-korotkov-verkada added the more-information-needed Further information is requested label Nov 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ArgoCD Becomes Unresponsive and Frequently Disconnects from the Cluster When Kyverno is Installed (Same or Different Cluster) #20977

ArgoCD Becomes Unresponsive and Frequently Disconnects from the Cluster When Kyverno is Installed (Same or Different Cluster) #20977

ArgoCD Becomes Unresponsive and Frequently Disconnects from the Cluster When Kyverno is Installed (Same or Different Cluster) #20977

ArgoCD Becomes Unresponsive and Frequently Disconnects from the Cluster When Kyverno is Installed (Same or Different Cluster) #20977

Comments

argoCD version: v2.11.2+25f7504

kyverno version: 1.12.5