ExcludedResourceWarning appears when ArgoCD encounters resources excluded in global settings. Configure resource inclusions/exclusions properly or override exclusions per-application using sync options.
ArgoCD shows ExcludedResourceWarning when it encounters a Kubernetes resource type that has been excluded from management via the global resource exclusion configuration. This is typically a warning rather than an error, but it prevents ArgoCD from managing those resources. Common exclusions include ServiceAccount, Secret, and NetworkPolicy by default to prevent security issues.
Check the argocd-cm ConfigMap to see what is excluded:
kubectl get configmap argocd-cm -n argocd -o yaml | grep -A 20 resource.exclusionsCommon exclusions include ServiceAccount, Secret, ResourceQuota, and NetworkPolicy for security.
Use ArgoCD UI to see which resources are excluded. Go to the Application details and check the Resource Tree tab. Resources marked as excluded will show a warning icon.
To allow specific excluded resources in your application, add the IgnoreExtraneous sync option:
apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
syncPolicy:
syncOptions:
- RespectIgnoreDifferences=trueOr use annotations on resources to exclude them from diff detection.
To allow a specific resource type globally, edit the ConfigMap:
kubectl edit configmap argocd-cm -n argocdAdd resource.inclusions to override exclusions:
resource.inclusions: |
- apiGroups:
- apps
kinds:
- DeploymentTo stop excluding a resource type entirely, edit argocd-cm and remove it from resource.exclusions:
resource.exclusions: |
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRoleBindingWhen using the App of Apps pattern, the Application CRD itself must not be excluded. If it is, add it to inclusions:
resource.inclusions: |
- apiGroups:
- argoproj.io
kinds:
- ApplicationFor production, enable RBAC-aware exclusions in argocd-cm:
resource.respectRBAC: "strict"This ensures resources are only excluded if the service account does not have permissions.
Use cluster comparison options to handle excluded resources more carefully:
resource.customizations.comparison.rules: |
- kinds:
- Secret
jqFilter: .Exclusions exist for security reasons - be cautious when removing them, especially for Secrets and RBAC resources. Use inclusion lists rather than exclusion lists when you want to manage only specific resource types. For multi-tenant clusters, use RBAC-aware exclusions to ensure access control is enforced. Consider using an external secrets operator instead of syncing Secrets through ArgoCD for better security posture.
No subnets found for EKS cluster
How to fix "eks subnet not found" in Kubernetes
unable to compute replica count
How to fix "unable to compute replica count" in Kubernetes HPA
error: context not found
How to fix "error: context not found" in Kubernetes
default backend - 404
How to fix "default backend - 404" in Kubernetes Ingress
serviceaccount cannot list resource
How to fix "serviceaccount cannot list resource" in Kubernetes