argo-cd :: RBAC ATLAS

Description

A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`argocd-application-controller`	default	❌	—	6	1	Critical
`argocd-dex-server`	default	❌	—	2	1	Critical
`argocd-server`	default	❌	—	9	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `argocd-server`

Namespace: default | Automount: ❌

🔑 Permissions (9)

Role	Resource	Verbs	Risk	Tags
ClusterRole `argo-cd-argocd-server`	*	delete · get · patch	Critical	AuthorizationBypass ClusterAdminAccess ClusterWideAccess ClusterWideLogAccess CodeExecution (+10 more)
Role `argo-cd-argocd-server`	core/secrets	create · delete · get · list · patch · update · watch	Critical	CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more)
Role `argo-cd-argocd-server`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `argo-cd-argocd-server`	core/pods/log	get	High	ClusterWideLogAccess DataExposure InformationDisclosure LogAccess
Role `argo-cd-argocd-server`	argoproj.io/applications	create · delete · get · list · patch · update · watch	Low
Role `argo-cd-argocd-server`	argoproj.io/appprojects	create · delete · get · list · patch · update · watch	Low
ClusterRole `argo-cd-argocd-server`	core/events	list	Low
Role `argo-cd-argocd-server`	core/events	create · list	Low
ClusterRole `argo-cd-argocd-server`	core/pods	get	Low

⚠️ Potential Abuse (10)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	argo-cd-argocd-server	server	argoproj/argocd:v1.2.4

🤖 `argocd-application-controller`

Namespace: default | Automount: ❌

🔑 Permissions (6)

Role	Resource	Verbs	Risk	Tags
ClusterRole `argo-cd-argocd-application-controller`	*	*	Critical	APIServerDoS APIServiceManipulation AuthorizationBypass AvailabilityImpact BackupAccess (+68 more)
Role `argo-cd-argocd-application-controller`	core/secrets	get · list · watch	Critical	CredentialAccess DataExposure InformationDisclosure SecretAccess
Role `argo-cd-argocd-application-controller`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
Role `argo-cd-argocd-application-controller`	argoproj.io/applications	create · delete · get · list · patch · update · watch	Low
Role `argo-cd-argocd-application-controller`	argoproj.io/appprojects	create · delete · get · list · patch · update · watch	Low
Role `argo-cd-argocd-application-controller`	core/events	create · list	Low

⚠️ Potential Abuse (107)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	argo-cd-argocd-application-controller	application-controller	argoproj/argocd:v1.2.4

🤖 `argocd-dex-server`

Namespace: default | Automount: ❌

🔑 Permissions (2)

Role	Resource	Verbs	Risk	Tags
Role `argo-cd-argocd-dex-server`	core/secrets	get · list · watch	Critical	CredentialAccess DataExposure InformationDisclosure SecretAccess
Role `argo-cd-argocd-dex-server`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	argo-cd-argocd-dex-server	dex-server	quay.io/dexidp/dex:v2.14.0

argo-cd

Description

Overview

Identities

🤖 argocd-server

🔑 Permissions (9)

⚠️ Potential Abuse (10)

📦 Workloads (1)

🤖 argocd-application-controller

🔑 Permissions (6)

⚠️ Potential Abuse (107)

📦 Workloads (1)

🤖 argocd-dex-server

🔑 Permissions (2)

⚠️ Potential Abuse (3)

📦 Workloads (1)

🤖 `argocd-server`

🤖 `argocd-application-controller`

🤖 `argocd-dex-server`