Description

A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.

Overview

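| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| argocd-application-controller | default | | | 6 | 1 | Critical |
| argocd-dex-server | default | | | 2 | 1 | Critical |
| argocd-server | default | | | 9 | 1 | Critical |
| argo-cd-redis-ha | default | | | 0 | 3 | |
| argo-cd-redis-ha-haproxy | default | | | 0 | 1 | |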

Numbers in the Permissions and Workloads columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 argocd-server

Namespace: default  |  Automount:

🔑 Permissions (9)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole argo-cd-argocd-server | * | delete · get · patch | Critical | AuthorizationBypass ClusterAdminAccess ClusterWideAccess ClusterWideLogAccess CodeExecution (+10 more) |
| Role argo-cd-argocd-server | core/secrets | create · delete · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more) |
| Role argo-cd-argocd-server | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole argo-cd-argocd-server | core/pods/log | get | High | ClusterWideLogAccess DataExposure InformationDisclosure LogAccess |
| Role argo-cd-argocd-server | argoproj.io/applications | create · delete · get · list · patch · update · watch | Low | |
| Role argo-cd-argocd-server | argoproj.io/appprojects | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole argo-cd-argocd-server | core/events | list | Low | |
| Role argo-cd-argocd-server | core/events | create · list | Low | |
| ClusterRole argo-cd-argocd-server | core/pods | get | Low | |

⚠️ Potential Abuse (10)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | argo-cd-argocd-server | server | quay.io/argoproj/argocd:v2.0.1 |

🤖 argocd-application-controller

Namespace: default  |  Automount:

🔑 Permissions (6)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole argo-cd-argocd-application-controller | * | * | Critical | APIServerDoS APIServiceManipulation AuthorizationBypass AvailabilityImpact BackupAccess (+68 more) |
| Role argo-cd-argocd-application-controller | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role argo-cd-argocd-application-controller | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| Role argo-cd-argocd-application-controller | argoproj.io/applications | create · delete · get · list · patch · update · watch | Low | |
| Role argo-cd-argocd-application-controller | argoproj.io/appprojects | create · delete · get · list · patch · update · watch | Low | |
| Role argo-cd-argocd-application-controller | core/events | create · list | Low | |

⚠️ Potential Abuse (107)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | argo-cd-argocd-application-controller | application-controller | quay.io/argoproj/argocd:v2.0.1 |

🤖 argocd-dex-server

Namespace: default  |  Automount:

🔑 Permissions (2)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role argo-cd-argocd-dex-server | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role argo-cd-argocd-dex-server | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | argo-cd-argocd-dex-server | dex-server | quay.io/dexidp/dex:v2.26.0 |

🤖 argo-cd-redis-ha

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (3)

| Kind | Name | Container | Image |
|---|---|---|---|
| StatefulSet | argo-cd-redis-ha-server | redis | redis:6.2.2-alpine |
| StatefulSet | argo-cd-redis-ha-server | redis-exporter | oliver006/redis_exporter:v1.15.1 |
| StatefulSet | argo-cd-redis-ha-server | sentinel | redis:6.2.2-alpine |

🤖 argo-cd-redis-ha-haproxy

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | argo-cd-redis-ha-haproxy | haproxy | haproxy:2.0.4 |