How IP Allow Listing can affect cluster agents
The IP Allow List feature in Akuity ArgoCD can restrict access to the ArgoCD API/UI to specific IPs. However, if applied incorrectly, it may also affect cluster agents, leading to connectivity issues.
By default, the allow list only applies to the ArgoCD API/UI. If it is extended to include cluster agents, the following endpoints must also be allowed:
- Agent server: <argocd-instance-id>-agentsvr.cdsvcs.akuity.cloud
- K3s control plane: <argocd-instance-id>-cplane.cdsvcs.akuity.cloud
- Akuity API: akuity.cloud (not affected by IP allow listing)
If the public NAT IPs of all clusters connected to the control plane are included, there will be no service disruption. However, if any required IPs are missing, the cluster agent will be unable to connect, causing degraded service for that cluster.
Ensure that all necessary public IPs are included when applying the IP Allow List to prevent unintended disruptions.
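A pre-flight check for the failure mode described above, as an added example that is not part of Akuity's documentation: it compares a planned allow list against each cluster's public NAT egress IPs and reports the clusters whose agents would be blocked. The cluster names, the addresses (taken from documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: planned allow-list entries (single IPs or CIDRs).
PLANNED_ALLOW_LIST = ["203.0.113.0/28", "198.51.100.25", "2001:db8:10::/48"]

# Constructed inventory: every public NAT egress IP each cluster can use.
CLUSTER_EGRESS = {
    "prod-east": ["203.0.113.5", "203.0.113.9"],
    "prod-west": ["198.51.100.25", "198.51.100.26"],  # second NAT gateway
    "staging": ["192.0.2.44"],
    "edge-v6": ["2001:db8:10::1"],
}


def parse_allow_list(entries):
    """Parse allow-list entries into network objects (a bare IP becomes /32 or /128)."""
    # strict=False tolerates entries with host bits set, e.g. 203.0.113.7/24.
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def uncovered_egress_ips(allow_list, cluster_egress):
    """Return {cluster: [egress IPs that no allow-list entry matches]}.

    A cluster counts as safe only if ALL of its egress IPs are covered,
    because the agent may leave through any of its NAT gateways.
    """
    networks = parse_allow_list(allow_list)
    missing = {}
    for cluster, ips in cluster_egress.items():
        gaps = [ip for ip in ips
                if not any(ipaddress.ip_address(ip) in net for net in networks)]
        if gaps:
            missing[cluster] = gaps
    return missing


if __name__ == "__main__":
    blocked = uncovered_egress_ips(PLANNED_ALLOW_LIST, CLUSTER_EGRESS)
    for cluster, ips in blocked.items():
        print(f"{cluster}: agent would be blocked from {', '.join(ips)}")
    if not blocked:
        print("All cluster egress IPs are covered by the planned allow list.")
```

The inventory should hold the addresses the agents are actually seen connecting from, so a cluster with several NAT gateways lists each one.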