What is a self-heal in ArgoCD, and when would you disable it?
CI/CD & GitOps · Intermediate level
Answer
Self-heal means Argo CD automatically corrects live changes that drift from Git. I would disable or limit it when debugging, during emergency manual intervention, when another controller intentionally mutates fields, or when automatic correction could cause operational risk.
Technical explanation
Drift can be intentional during emergency response, but it should be time-bound and reconciled back into Git.
Self-heal is powerful, but it can fight other controllers if ownership boundaries are unclear.
GitOps separates build from deploy: CI produces immutable artifacts, while the GitOps controller reconciles declarative desired state into the cluster.
Argo CD status has two dimensions: sync status indicates desired versus live state; health status indicates whether live resources appear operationally healthy.
Use projects, RBAC, repository allowlists, destination restrictions, sync windows, and admission policies to constrain what an Application may deploy.
Prefer reviewed Git changes over direct kubectl changes; direct changes create drift and bypass audit, policy, and promotion workflow.
Hands-on example
1. Model the desired state for: What is a self-heal in ArgoCD, and when would you disable it in a GitOps repository, for example environments/staging/apps/payments and environments/prod/apps/payments.
2. Create an Argo CD Application that points to repoURL, targetRevision, path or chart, destination server, namespace, and project; render with Helm/Kustomize before merging.
3. Open a pull request that changes only the desired version or values, require review and policy checks, then merge to let Argo CD detect OutOfSync state.
4. Run argocd app get payments and argocd app diff payments, then sync manually or let automated sync reconcile; verify sync status, health status, events, and Kubernetes rollout status.
5. Test rollback by reverting the Git commit or promoting the previous artifact digest, then watch Argo CD reconcile the cluster back to the known-good desired state.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More CI/CD & GitOps interview questions
- What is CI/CD, and what is the difference between continuous delivery and continuous deployment?
- What are the goals of a CI pipeline beyond just running tests?
- What is Jenkins, and what is the difference between a controller and an agent?
- What is the difference between a freestyle job and a pipeline job in Jenkins?
- What is the difference between a declarative and a scripted Jenkins pipeline?
- What is a Jenkinsfile, and why keep your pipeline as code in the repo?
- Explain the structure of a declarative pipeline (agent, stages, steps, post).
- What is the post section used for, and what are its conditions (success, failure, always)?