Prune Operations Deleting Unintended Resources

critical

reliabilityUpdated Feb 2, 2026

ArgoCD auto-prune enabled on applications deletes resources not explicitly defined in Git, including operator-managed resources (External Secrets, Istio sidecars, cert-manager certificates), causing service disruption and data loss.

Sources

How to Debug ArgoCD Sync Issuesoneuptime.com

ArgoCD Production Troubleshooting - Fix the Shit That Breaks at 3AMtoolstac.com

Technologies:

ArgoCDSymptoms of this issue are visible in ArgoCD metrics and logs

KubernetesKubernetes metrics correlate with this issue and help confirm diagnosis

How to detect:

Detect by monitoring for unexpected resource deletions coinciding with ArgoCD syncs. Check application events for Prune operations removing resources with labels indicating external management (managed-by annotations). Look for applications with syncPolicy.automated.prune=true combined with missing ignoreDifferences configuration.

Recommended action:

Set syncPolicy.automated.prune=false globally unless explicitly needed. For resources that must be pruned, add argocd.argoproj.io/sync-options: Prune=false annotation to operator-managed resources. Configure ignoreDifferences for resource types managed by operators (Istio, cert-manager, External Secrets). Implement RBAC policies requiring manual approval for prune operations on production applications.