🎉 DevOps Interview Prep Bundle is live — 1000+ Q&A across 20 topicsGet it →
All Articles

ArgoCD App Stuck in 'Unknown' Sync Status — Here's the Fix

If your ArgoCD application is stuck showing Unknown sync status and refresh doesn't help, this guide walks you through the exact steps to diagnose and fix it — including RBAC issues, webhook problems, and cluster connectivity errors.

Shubham4 min read
Share:Tweet

There's something uniquely frustrating about an ArgoCD app stuck in Unknown status. It's not Synced. It's not OutOfSync. It's just... Unknown. And clicking Refresh does absolutely nothing.

I've hit this exact issue more times than I care to admit — usually at the worst possible time, right when someone's asking why their deployment isn't live yet.

Let me walk you through what actually causes this and how to fix it.

What "Unknown" Sync Status Actually Means

In ArgoCD, Unknown doesn't mean ArgoCD can't find your app. It means ArgoCD can't determine the current state of your app in the target cluster.

This usually happens because:

  • ArgoCD can't connect to the target Kubernetes cluster
  • The ArgoCD application controller is having trouble talking to the API server
  • There's a permissions (RBAC) issue preventing ArgoCD from reading resources
  • The app's namespace doesn't exist in the cluster

The key distinction: Synced/OutOfSync means ArgoCD knows what's there. Unknown means it couldn't even check.

Step 1: Check ArgoCD Application Controller Logs

This is always my first move. The application controller is what actually talks to your cluster.

bash
kubectl logs -n argocd -l app.kubernetes.io/name=argocd-application-controller --tail=100

Look for errors like:

level=error msg="Failed to get cluster info" error="..."
level=error msg="Unable to list resources" error="forbidden"
level=error msg="connection refused"

These will immediately tell you what's broken.

Step 2: Verify Cluster Connectivity

If you're managing a remote cluster (not in-cluster), ArgoCD needs to be able to reach it. Check if ArgoCD can actually see the cluster:

bash
argocd cluster list

You'll see something like:

SERVER                          NAME        VERSION  STATUS   MESSAGE
https://your-cluster-api:6443   production  1.29     Unknown  dial tcp: connection refused

That Unknown status with a connection error means ArgoCD can't reach the cluster API. Fix the network, firewall rules, or kubeconfig credentials first.

To re-add the cluster after fixing connectivity:

bash
argocd cluster add <context-name> --name production

Step 3: Check RBAC Permissions

This is the most common cause I see in practice. ArgoCD's service account needs permission to list and watch resources in your target namespace.

Check if the ArgoCD service account can list pods:

bash
kubectl auth can-i list pods \
  --as=system:serviceaccount:argocd:argocd-application-controller \
  -n <your-app-namespace>

If it says no, that's your problem. ArgoCD can't read the cluster state without proper RBAC.

Fix it by creating a ClusterRole binding:

yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-application-controller-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: argocd-application-controller
  namespace: argocd

In production, scope this down to only the namespaces ArgoCD manages. cluster-admin is for quick debugging only.

Step 4: Force a Hard Refresh

Sometimes ArgoCD's cache is stale. A normal refresh uses cached data. A hard refresh forces ArgoCD to re-fetch everything directly from Git and the cluster:

bash
argocd app get <app-name> --hard-refresh

Or from the UI: Click the dropdown arrow next to "Refresh" → select "Hard Refresh".

Step 5: Check the App's Target Namespace

If the namespace your app is targeting doesn't exist in the cluster, ArgoCD will show Unknown.

bash
kubectl get namespace <target-namespace>

If it's missing, either create it manually or enable CreateNamespace=true in your ArgoCD sync options:

yaml
spec:
  syncPolicy:
    syncOptions:
    - CreateNamespace=true

Step 6: Restart the Application Controller

If nothing above works, restart the application controller pod. I know it sounds like "turn it off and on again," but it genuinely fixes cases where the controller has gotten into a bad state:

bash
kubectl rollout restart deployment argocd-application-controller -n argocd

Wait 30-60 seconds, then check your app status again.

Step 7: Check ArgoCD Server and Repo Server

If multiple apps are showing Unknown (not just one), the issue is likely with ArgoCD itself rather than a specific app. Check all components:

bash
kubectl get pods -n argocd

All pods should be Running. If argocd-repo-server or argocd-server is in CrashLoopBackOff or Pending, fix those first.

Quick Reference: What Each Status Means

StatusMeaning
SyncedCluster matches Git
OutOfSyncCluster differs from Git
UnknownArgoCD couldn't check cluster state
ProgressingSync is in progress
DegradedResources are unhealthy
MissingResource exists in Git but not in cluster

The Fix That Works 90% of the Time

In my experience, Unknown status is almost always one of these three:

  1. RBAC issue — ArgoCD service account can't read resources → fix permissions
  2. Cluster connectivity — Network or credential problem → re-add the cluster
  3. Stale cache — Hard refresh fixes it

Start with the application controller logs. They'll tell you exactly what's wrong within 30 seconds.


If you're regularly hitting ArgoCD issues, check out our ArgoCD interview questions — knowing the internals makes debugging much faster.

🔧

Today I Fixed

Short real fixes from production — posted daily

Browse fixes
Newsletter

Stay ahead of the curve

Get the latest DevOps, Kubernetes, AWS, and AI/ML guides delivered straight to your inbox. No spam — just practical engineering content.

Related Articles

Comments