Skip to main content
The argocd admin command provides a set of administrative utilities that require direct Kubernetes access rather than going through the Argo CD API server.
These commands require kubectl access to the cluster where Argo CD is installed and typically need cluster-admin or similar elevated permissions.

Quick Examples

# Access Argo CD web UI locally
argocd admin dashboard

# Get initial admin password
argocd admin initial-password

# Export all Argo CD configuration
argocd admin export > backup.yaml

# Import configuration
argocd admin import backup.yaml

Subcommands

dashboard

Start Argo CD Web UI locally without exposing the server. 
# Start dashboard on default port (8080)
argocd admin dashboard

# Start on custom port
argocd admin dashboard --port 9090

# Specify namespace
argocd admin dashboard --namespace argocd

# With specific address
argocd admin dashboard --address 0.0.0.0 --port 8080
Key Flags:
--address
string
default:"localhost"
Listen address
--port
integer
default:"8080"
Listen port
--namespace
string
default:"argocd"
Argo CD namespace
Open your browser to http://localhost:8080 after running the command.

initial-password

Get the initial admin password from the cluster. 
# Get initial password
argocd admin initial-password

# Get from specific namespace
argocd admin initial-password --namespace argocd
Output: 
Password: abc123XYZ789

 This password must be only used for first time login. We strongly recommend you update the password using `argocd account update-password`.
The initial password is stored in the argocd-initial-admin-secret Secret. Delete this secret after changing the admin password.

redis-initial-password

Ensure Redis password exists, creating one if necessary. 
# Get or create Redis password
argocd admin redis-initial-password

# Specify namespace
argocd admin redis-initial-password --namespace argocd

export

Export all Argo CD data including applications, projects, and settings. 
# Export to stdout
argocd admin export

# Export to file
argocd admin export > argocd-backup.yaml

# Export from specific namespace
argocd admin export --namespace argocd > backup.yaml
What Gets Exported:
  • Applications
  • Application Projects
  • Repository credentials
  • Cluster credentials
  • Settings and configurations
Exported data includes sensitive information like credentials. Store backups securely.

import

Import Argo CD data from a file or stdin. 
# Import from file
argocd admin import backup.yaml

# Import from stdin
cat backup.yaml | argocd admin import -

# Import to specific namespace
argocd admin import backup.yaml --namespace argocd

# Dry run
argocd admin import backup.yaml --dry-run

# Use server-side apply
argocd admin import backup.yaml --prune
Key Flags:
--dry-run
boolean
Preview import without making changes
--prune
boolean
Delete resources not in the import file
--namespace
string
default:"argocd"
Target namespace

Application Management

app generate-spec

Generate application manifest without creating it. 
# Generate app spec
argocd admin app generate-spec my-app \
  --repo https://github.com/argoproj/argocd-example-apps.git \
  --path guestbook \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace default

# Generate and save
argocd admin app generate-spec my-app \
  --repo https://github.com/example/repo.git \
  --path manifests \
  --dest-namespace production \
  --dest-server https://prod-cluster.example.com \
  > my-app.yaml

# With Helm parameters
argocd admin app generate-spec helm-app \
  --repo https://charts.helm.sh/stable \
  --helm-chart nginx-ingress \
  --revision 1.24.3 \
  --dest-namespace default \
  --dest-server https://kubernetes.default.svc \
  --helm-set replicaCount=3
This is useful for:
  • GitOps: committing app manifests to Git
  • Validation: checking generated specs before applying
  • Templating: generating multiple similar applications

app diff-reconcile-results

Compare reconciliation results. 
# Diff reconciliation results
argocd admin app diff-reconcile-results my-app

# From specific namespace
argocd admin app diff-reconcile-results my-app --namespace argocd

app get-reconcile-results

Get reconciliation results for debugging. 
# Get results
argocd admin app get-reconcile-results my-app

# Get as JSON
argocd admin app get-reconcile-results my-app -o json

Cluster Management

cluster generate-spec

Generate cluster secret manifest. 
# Generate cluster spec
argocd admin cluster generate-spec my-cluster \
  --server https://prod-cluster.example.com \
  --service-account argocd-manager

# Save to file
argocd admin cluster generate-spec my-cluster \
  --server https://prod-cluster.example.com \
  --name production \
  --label env=production \
  > cluster-secret.yaml

# Apply to cluster
argocd admin cluster generate-spec my-cluster \
  --server https://prod-cluster.example.com | \
  kubectl apply -f -
--server
string
required
Cluster server URL
--name
string
Cluster name
--label
string[]
Cluster labels
--service-account
string
Service account name

cluster kubeconfig

Generate kubeconfig for accessing cluster via Argo CD. 
# Generate kubeconfig
argocd admin cluster kubeconfig production > kubeconfig-prod

# Use the kubeconfig
export KUBECONFIG=kubeconfig-prod
kubectl get pods

cluster stats

Display cluster statistics. 
# Show cluster statistics
argocd admin cluster stats

# For specific cluster
argocd admin cluster stats production

# With details
argocd admin cluster stats --shard 0

cluster shards

Display cluster sharding information. 
# Show shard distribution
argocd admin cluster shards

# For specific shard
argocd admin cluster shards --shard 0

cluster namespaces

Manage cluster namespace configurations. 
# List cluster namespaces
argocd admin cluster namespaces list production

# Enable namespaced mode
argocd admin cluster namespaces enable-namespaced-mode production

# Disable namespaced mode
argocd admin cluster namespaces disable-namespaced-mode production

Project Management

proj generate-spec

Generate project manifest. 
# Generate project spec
argocd admin proj generate-spec my-project \
  --src 'https://github.com/myorg/*' \
  --dest https://kubernetes.default.svc,default \
  --dest https://prod-cluster.example.com,'prod-*'

# Save to file
argocd admin proj generate-spec production \
  --description "Production applications" \
  --src 'https://github.com/myorg/prod-*' \
  --dest https://prod-cluster.example.com,'*' \
  > production-project.yaml

# Apply to cluster
argocd admin proj generate-spec my-project \
  --src '*' \
  --dest '*,*' | \
  kubectl apply -f -

proj generate-allow-list

Generate resource allow list for project. 
# Generate allow list
argocd admin proj generate-allow-list my-project

# For specific API groups
argocd admin proj generate-allow-list my-project \
  --group apps \
  --group '' \
  --group networking.k8s.io

proj update-role-policy

Update project role policies. 
argocd admin proj update-role-policy my-project developer \
  --action sync \
  --permission allow \
  --object '*'

Repository Management

repo generate-spec

Generate repository secret manifest. 
# Generate Git repo spec
argocd admin repo generate-spec https://github.com/myorg/myrepo.git \
  --username git \
  --password ghp_token123

# Generate Helm repo spec
argocd admin repo generate-spec https://charts.example.com \
  --type helm \
  --name my-charts \
  --username admin \
  --password secret

# Save and apply
argocd admin repo generate-spec git@github.com:myorg/private.git \
  --ssh-private-key-path ~/.ssh/deploy_key \
  > repo-secret.yaml

kubectl apply -f repo-secret.yaml -n argocd

Settings Management

settings validate

Validate Argo CD settings. 
# Validate settings
argocd admin settings validate

# Validate from specific namespace
argocd admin settings validate --namespace argocd

# Load from file
argocd admin settings validate --load-cluster-settings

settings rbac

Validate and test RBAC policies.

settings rbac validate

Validate RBAC configuration. 
# Validate RBAC policy
argocd admin settings rbac validate

# Validate from namespace
argocd admin settings rbac validate --namespace argocd

# Validate specific policy file
argocd admin settings rbac validate --policy-file rbac-policy.csv

settings rbac can

Test RBAC permissions. 
# Test if user can perform action
argocd admin settings rbac can alice sync applications '*'

# Test with project context
argocd admin settings rbac can bob get applications 'my-project/*'

# Test role permissions
argocd admin settings rbac can role:developer update applications '*'
Syntax: 
argocd admin settings rbac can <subject> <action> <resource> [<object>]
  • subject: Username, role, or group (e.g., alice, role:admin, group:developers)
  • action: Action to test (e.g., get, create, update, delete, sync, override)
  • resource: Resource type (e.g., applications, clusters, repositories, projects)
  • object: Specific object (e.g., my-project/my-app, *)

settings resource-overrides

Manage resource customizations.

settings resource-overrides health

Test health assessment for resources. 
# Test health assessment
argocd admin settings resource-overrides health \
  --kind Deployment \
  --group apps \
  --resource deployment.yaml

settings resource-overrides ignore-differences

Test ignore differences configuration. 
argocd admin settings resource-overrides ignore-differences \
  --kind Deployment \
  --resource deployment.yaml

settings resource-overrides list-actions

List available resource actions. 
argocd admin settings resource-overrides list-actions \
  --kind Rollout \
  --group argoproj.io

settings resource-overrides run-action

Run a resource action. 
argocd admin settings resource-overrides run-action restart \
  --kind Deployment \
  --resource-name my-deployment \
  --namespace default

Notifications

notifications template

Manage notification templates. 
# Get template
argocd admin notifications template get app-sync-succeeded

# Test template
argocd admin notifications template notify app-sync-succeeded my-app

notifications trigger

Manage notification triggers. 
# Get trigger
argocd admin notifications trigger get on-sync-succeeded

# Run trigger
argocd admin notifications trigger run on-sync-succeeded my-app

Common Workflows

Backup and Restore

# Create backup
argocd admin export > argocd-backup-$(date +%Y%m%d).yaml

# Restore from backup
argocd admin import argocd-backup-20240115.yaml

# Test restore (dry run)
argocd admin import argocd-backup-20240115.yaml --dry-run

Local Development Setup

# Start local dashboard
argocd admin dashboard --port 8080 &

# Get admin password
PASSWORD=$(argocd admin initial-password | head -n1 | cut -d: -f2 | tr -d ' ')

echo "Dashboard: http://localhost:8080"
echo "Username: admin"
echo "Password: $PASSWORD"

GitOps Application Manifests

# Generate app manifests for Git
mkdir -p apps

# Generate multiple apps
for app in app1 app2 app3; do
  argocd admin app generate-spec $app \
    --repo https://github.com/myorg/$app.git \
    --path manifests \
    --dest-namespace $app \
    --dest-server https://kubernetes.default.svc \
    > apps/$app.yaml
done

# Commit to Git
git add apps/
git commit -m "Add application manifests"
git push

Cluster Registration Script

#!/bin/bash
# register-clusters.sh

for cluster in prod-us-east prod-us-west prod-eu-west; do
  argocd admin cluster generate-spec $cluster \
    --server https://$cluster.example.com \
    --name $cluster \
    --label environment=production \
    --label region=$(echo $cluster | cut -d- -f2-) \
    > clusters/$cluster.yaml
  
  kubectl apply -f clusters/$cluster.yaml -n argocd
done

RBAC Testing

# Test permissions for different users
users=("alice" "bob" "charlie")
actions=("get" "sync" "delete")

for user in "${users[@]}"; do
  echo "Testing permissions for $user:"
  for action in "${actions[@]}"; do
    result=$(argocd admin settings rbac can $user $action applications '*' 2>&1)
    echo "  $action: $result"
  done
  echo ""
done

Validate Configuration

# Validate all settings
echo "Validating Argo CD configuration..."

# Validate settings
argocd admin settings validate

# Validate RBAC
argocd admin settings rbac validate

# Check cluster connectivity
for cluster in $(argocd cluster list -o name); do
  echo "Checking cluster: $cluster"
  kubectl --context $cluster cluster-info || echo "  Failed to connect"
done

Troubleshooting

Debug Initial Setup

# Get initial password
argocd admin initial-password

# Start dashboard
argocd admin dashboard

# Export current configuration
argocd admin export > debug-export.yaml

# Check settings
argocd admin settings validate

RBAC Issues

# Validate RBAC policy
argocd admin settings rbac validate

# Test specific permission
argocd admin settings rbac can alice sync applications '*'

# List all effective permissions
argocd admin settings rbac can alice '*' applications '*'

Application Reconciliation

# Get reconciliation status
argocd admin app get-reconcile-results my-app

# Compare reconciliation results
argocd admin app diff-reconcile-results my-app

Best Practices

  • Regular Backups: Schedule regular exports of Argo CD configuration
  • Test Imports: Always use --dry-run before importing to production
  • Secure Backups: Exported data contains secrets; encrypt and store securely
  • RBAC Testing: Use rbac can command to validate policies before applying
  • Local Dashboard: Use admin dashboard for troubleshooting without exposing server
  • Generate Specs: Use generate-spec commands for GitOps workflows
  • Validate Settings: Run settings validate after configuration changes
  • Document Changes: Keep changelog of admin operations

Next Steps

Account Commands

Manage user accounts and passwords

App Commands

Manage applications