Cloud native technologies bring a great homogenisation to the skillsets, operational theory, and systems complexity that makes building and running them a more easily understood and secured problem. There are many eyes on the developmental and supply chain security of cloud native software, but far fewer on the greatest cause of cloud breach: misconfiguration.
Progressive delivery of applications with the GitOps pattern has proliferated. It provides inversion of control for build servers that would otherwise write to production, instead indirectly writing to a Git repository to reduce overall privilege, and a statically analysable declarative configuration that supports security testing before deployment, reducing configuration drift.
In light of the important place that GitOps occupies in the cloud native application and security ecosystems, ControlPlane was engaged by the Cloud Native Computing Foundation to provide a comprehensive threat modelling analysis of a representative production setup of Argo CD within the context of an end user application deployment, and its associated management infrastructure.
In this document we enumerate quantifiable hardening recommendations and controls for Argo CD operators and architects. These controls are baselined against threats to an organisation using Argo CD based upon the official documentation, with threats criticality ordered for a non-classified data use case.
The Argo CD deployment in scope for this threat model operates in multi-tenant mode on an “Operations” Kubernetes cluster hosting the Argo CD control plane, and managing three subordinate tenant clusters.
The report findings identify nineteen (19) threats with varying priority levels, including six (6) high-priority threats that pose significant risks to this end user’s security posture. These enumerated threats account for risks such as the storage of the Argo CD initial admin password as a Kubernetes Secret object, the use of local users’ credentials without strong authentication, and the storage of Argo CD tenant cluster credentials as Kubernetes Secret objects.
To mitigate identified threats, the report provides several immediately actionable recommendations to the end user, such as rotating and storing the admin password in an external key management solution with restricted RBAC for break-glass activities, using Single Sign-On integration for local users, and restricting RBAC for reading secrets from the Argo CD namespace according to least privilege.
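The least-privilege recommendation above is easiest to act on if an operator can see which subjects currently hold read access to Secrets in the Argo CD namespace, since that is where both the initial admin password and the tenant cluster credentials live as Secret objects. The following audit script is an added example, not ControlPlane's or the Argo CD project's code. It walks Role/ClusterRole and binding objects in the shape `kubectl ... -o json` returns, resolves which bindings apply to the target namespace (directly, or cluster-wide through a ClusterRoleBinding), and reports every subject whose role carries a read-style verb on `secrets`. The namespace name `argocd`, the sample RBAC objects, and the allowlist of Argo CD components that legitimately need Secret access are all constructed assumptions for the example; an operator would substitute their own.

```python
"""Audit Kubernetes RBAC for subjects that can read Secrets in the Argo CD namespace.

Added example, not ControlPlane's or the Argo CD project's code. Input objects are
constructed here in the shape returned by
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
"""
from __future__ import annotations

ARGOCD_NAMESPACE = "argocd"  # assumption: Argo CD installed in the conventional namespace
SECRET_READ_VERBS = {"get", "list", "watch", "*"}


def rule_reads_secrets(rule: dict) -> bool:
    """True if one PolicyRule grants a read-style verb on the core `secrets` resource."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    core_group = "" in groups or "*" in groups
    secrets = "secrets" in resources or "*" in resources
    return core_group and secrets and bool(verbs & SECRET_READ_VERBS)


def _index_roles(roles: list[dict]) -> dict[tuple[str, str, str], dict]:
    """Key roles by (kind, namespace, name); ClusterRoles use an empty namespace."""
    index = {}
    for role in roles:
        meta = role["metadata"]
        ns = meta.get("namespace", "") if role["kind"] == "Role" else ""
        index[(role["kind"], ns, meta["name"])] = role
    return index


def _binding_scope(binding: dict) -> str:
    """Namespace a binding grants access in; '*' for a ClusterRoleBinding."""
    if binding["kind"] == "ClusterRoleBinding":
        return "*"
    return binding["metadata"]["namespace"]


def find_secret_readers(roles, bindings, namespace=ARGOCD_NAMESPACE, allowed_subjects=()):
    """Return subjects able to read Secrets in `namespace`, minus an operator-approved allowlist.

    allowed_subjects: iterable of (kind, namespace, name) tuples; User/Group use "" as namespace.
    """
    index = _index_roles(roles)
    allowed = set(allowed_subjects)
    findings = []
    for binding in bindings:
        scope = _binding_scope(binding)
        if scope not in ("*", namespace):
            continue  # binding is confined to some other namespace
        ref = binding["roleRef"]
        ref_ns = scope if ref["kind"] == "Role" else ""  # a Role is always in the binding's namespace
        role = index.get((ref["kind"], ref_ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        if not any(rule_reads_secrets(r) for r in role.get("rules", [])):
            continue
        for subject in binding.get("subjects", []):
            key = (subject["kind"], subject.get("namespace", ""), subject["name"])
            if key in allowed:
                continue
            findings.append({
                "subject": key,
                "binding": f'{binding["kind"]}/{binding["metadata"]["name"]}',
                "role": f'{ref["kind"]}/{ref["name"]}',
                "scope": "cluster-wide" if scope == "*" else scope,
            })
    return findings


# Constructed sample objects (not taken from any real cluster).
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "argocd-server", "namespace": "argocd"},
     "rules": [{"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "ci-deployer", "namespace": "argocd"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "configmap-reader", "namespace": "argocd"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "read-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "argocd-server", "namespace": "argocd"},
     "roleRef": {"kind": "Role", "name": "argocd-server"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-server", "namespace": "argocd"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-deployer", "namespace": "argocd"},
     "roleRef": {"kind": "Role", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "jenkins", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "configmap-reader", "namespace": "argocd"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "developers-read-all"},
     "roleRef": {"kind": "ClusterRole", "name": "read-everything"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-a-view", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "read-everything"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]
# Assumption: the operator has reviewed and approved these Argo CD components' Secret access.
ARGOCD_COMPONENTS = {("ServiceAccount", "argocd", "argocd-server")}

if __name__ == "__main__":
    for f in find_secret_readers(SAMPLE_ROLES, SAMPLE_BINDINGS, allowed_subjects=ARGOCD_COMPONENTS):
        print(f'{f["subject"]} via {f["binding"]} -> {f["role"]} ({f["scope"]})')
```

On the constructed input the script flags the `jenkins` service account (a namespace-scoped Role granting `get` on secrets) and the `developers` group (a wildcard ClusterRole bound cluster-wide, which covers the Argo CD namespace even though it never names it), while `bob`'s binding in `team-a` and `alice`'s configmap-only Role are correctly ignored. Two caveats matter when running this against a real cluster: the script does not expand aggregated ClusterRoles, and it treats a rule with `resourceNames` the same as an unrestricted one, so a narrowly scoped rule may be reported and should be reviewed by hand rather than assumed harmless.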
The report also includes the creation of two attack trees that cover highest ranked threats, to provide an approachable visualisation of the identified threat landscape. These attack trees may be used to guide non-technical stakeholders through the model in order to support justification of the application of controls.
In addition, the report provides a summary of the Argo CD deployment architecture and the Terraform code to reproduce it for validation — including the Operations Kubernetes cluster hosting the control plane and Gitea Server, synchronisation configurations, and SSH bastion host access security.
This report’s technical insights into threat vectors associated with an unhardened instance of Argo CD are supported by actionable recommendations to enhance its security posture. By implementing these recommendations, end users reduce their overall risk in line with their organisational appetite, whilst enjoying the benefits and efficiencies of Argo CD.