Multi-Cluster Sync Failures from Stale Cluster Credentials

warning

Connection ManagementUpdated Aug 25, 2025

ArgoCD cannot sync applications to remote clusters when cluster API endpoints change (common with managed Kubernetes services) or service account tokens expire, causing 'connection refused' errors.

Sources

Troubleshoot issues with Argo CD capabilities - Amazon EKSdocs.aws.amazon.com

ArgoCD Production Troubleshooting - Fix the Shit That Breaks at 3AMtoolstac.com

Technologies:

ArgoCDSymptoms of this issue are visible in ArgoCD metrics and logs

KubernetesThe root cause of this issue originates in Kubernetes

How to detect:

Monitor for applications targeting remote clusters stuck in 'connection refused' or authentication errors. Check argocd-application-controller logs for cluster connectivity failures. Applications syncing successfully to local cluster but failing to remote clusters indicates credential/endpoint issues. Verify cluster secret metadata.generation hasn't updated.

Recommended action:

Re-register affected clusters using argocd cluster add to refresh credentials and API endpoints. For AWS EKS, implement automated credential refresh using aws-iam-authenticator or IRSA. Verify target cluster RBAC permissions grant ArgoCD service account necessary privileges. Check network policies aren't blocking traffic from ArgoCD namespace to cluster API servers. For EKS specifically, use cluster ARN as server field in cluster secret instead of API URL.