The ArgoCD image packages the core runtime and controller binaries: API/UI server, repo-server, and application controller, plus CLI tooling for Git, Helm, Kustomize and a minimal userland to run the Go binaries. It contains the processes that render manifests, authenticate to Git and artifact repositories, and communicate with the Kubernetes API.
In containerized and production environments it is deployed as Kubernetes Deployments/ReplicaSets with service accounts, RBAC and liveness/readiness probes; instances perform reconciliation, manifest rendering (Helm/Kustomize/Jsonnet), manifest diffing, health checks, and apply operations across target clusters.
Teams evaluate an ArgoCD hardened image in regulated or high-security environments to reduce attack surface and meet compliance: minimal packages, non-root runtime, signed/reproducible builds, CVE scanning, and tightened syscall/capability profiles for auditability and controlled supply-chain risk.
The Minimus ArgoCD image is a purpose-built container that differs from typical ArgoCD images by starting from scratch and including only the essential runtime components and binaries needed to run the controller and UI. By removing shells, package managers, and extraneous libraries, the image has a much smaller footprint and a reduced attack surface, which makes deployments faster to start, lighter to distribute, and easier to maintain and update across clusters.
The Minimus hardened ArgoCD image is additionally configured and validated against industry hardening guidance, including NIST SP 800-190 and relevant CIS Benchmarks, to enforce secure defaults and minimize exploitable configuration drift. These hardening controls, combined with the minimal build approach, simplify security reviews and ongoing maintenance for engineering and security teams.
The image updater for Argo CD is a Kubernetes controller that watches container image registries and updates image references in your GitOps manifests used by Argo CD. It can automate updates by creating pull requests or applying changes directly to your repository, keeping deployments current with new image tags or digests.
Key capabilities include registry support, configurable update policies, and seamless GitOps integration. In production, consider using a hardened ArgoCD image for security.
Yes. Argo CD provides a web UI that lets you view applications, sync status, and diffs. The UI is served by the container image running in your cluster and can be accessed in a browser after exposing the Argo CD server service (ClusterIP, NodePort, LoadBalancer, or Ingress).
For production, use a hardened ArgoCD image and secure it with TLS, authentication, and RBAC. The UI is one of several interfaces (also CLI and REST API) to manage applications.
To generate a container image, write a Dockerfile for your app, choose a small base image, install dependencies, copy source code, and define a startup command. Then build, tag, and push the image as needed.
FROM python:3.11-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .
CMD ["python", "app.py"]
Build, tag, and run locally:
docker build -t my-app:1.0 .
docker run --rm -p 8080:8080 my-app:1.0
For production, build a hardened ArgoCD image by using a non-root user, a minimal base, multi-stage builds, and security scanning.