argo-cd

Description

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

• https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
• https://github.com/argoproj/argo-cd

Overview

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 argocd-applicationset-controller

Namespace: default  |  Automount: ✅

🔑 Permissions (11)

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

• Read secrets in a namespace
• Read ConfigMaps in a namespace
• Modify ConfigMaps in a namespace
• Manage Leases in kube-system or kube-node-lease namespace

📦 Workloads (1)

🤖 argocd-server

Namespace: default  |  Automount: ✅

🔑 Permissions (11)

⚠️ Potential Abuse (10)

The following security risks were found based on the above permissions:

• Read secrets in a namespace
• Modify secrets in a namespace
• Read pod logs cluster-wide
• Read pod logs in a namespace
• Read ConfigMaps in a namespace
• Modify ConfigMaps in a namespace
• Delete namespaces
• Node proxy GET RCE via WebSocket

📦 Workloads (1)

🤖 argocd-application-controller

Namespace: default  |  Automount: ✅

🔑 Permissions (6)

⚠️ Potential Abuse (107)

The following security risks were found based on the above permissions:

• Cluster-wide pod exec
• Namespaced pod exec
• Cluster-wide pod attach
• Namespaced pod attach
• Cluster-wide pod port-forward
• Namespaced pod port-forward
• Create pods cluster-wide
• Create pods in a namespace
• Update/Patch pods cluster-wide
• Update/Patch pods in a namespace
• Read secrets cluster-wide
• Read secrets in a namespace
• Modify secrets cluster-wide
• Modify secrets in a namespace
• Node proxy access (Kubelet API)
• Modify node configuration (labels, taints)
• Delete nodes
• Manage PersistentVolumes (cluster-wide storage manipulation)
• Read pod logs cluster-wide
• Read pod logs in a namespace
• Manage ephemeral containers cluster-wide
• Manage ephemeral containers in a namespace
• Read ConfigMaps cluster-wide
• Read ConfigMaps in a namespace
• Modify ConfigMaps cluster-wide
• Modify ConfigMaps in a namespace
• Delete namespaces
• Manage ClusterRoles (create, update, patch, delete)
• Manage ClusterRoleBindings (create, update, patch, delete)
• Manage Roles in a namespace (create, update, patch, delete)
• Manage RoleBindings in a namespace (create, update, patch, delete)
• Escalate privileges via ClusterRoles (escalate verb)
• Bind ClusterRoles to identities (bind verb)
• Manage Deployments cluster-wide (potential for privileged pod execution)
• Manage Deployments in a namespace (potential for privileged pod execution)
• Manage DaemonSets cluster-wide (runs on all nodes, high impact)
• Manage DaemonSets in a namespace (runs on nodes, high impact)
• Manage StatefulSets cluster-wide
• Manage StatefulSets in a namespace
• Manage CronJobs cluster-wide (scheduled privileged execution, persistence)
• Manage CronJobs in a namespace (scheduled privileged execution, persistence)
• Manage Jobs cluster-wide (one-off privileged execution)
• Manage Jobs in a namespace (one-off privileged execution)
• Manage MutatingWebhookConfigurations
• Manage ValidatingWebhookConfigurations
• Manage CustomResourceDefinitions
• Manage APIServices
• Create ServiceAccount Tokens
• Create ServiceAccount Tokens (ClusterRole for any SA in any namespace)
• Create TokenReviews (validate arbitrary tokens)
• Create SubjectAccessReviews (check arbitrary permissions)
• Create LocalSubjectAccessReviews (check permissions in a namespace)
• Approve CertificateSigningRequests
• Create CertificateSigningRequests
• Manage (get, list, watch, delete) CertificateSigningRequests
• Manage CSIDrivers (potential node compromise)
• Manage StorageClasses
• Evict Pods cluster-wide
• Evict Pods in a namespace
• Manage RuntimeClasses
• Wildcard permission on all resources cluster-wide (Cluster Admin)
• Wildcard permission on all resources in a namespace (Namespace Admin)
• Manage ClusterIssuers (cert-manager.io)
• Manage ArgoCD Applications (argoproj.io)
• Manage Cilium ClusterwideNetworkPolicies (cilium.io)
• Manage ETCDSnapshotFiles (k3s.cattle.io)
• Impersonate users, groups, or service accounts (cluster-wide)
• Manage ServiceAccounts cluster-wide
• Manage ServiceAccounts in a namespace
• Patch node status cluster-wide
• Read events cluster-wide
• Manage NetworkPolicies cluster-wide
• Manage NetworkPolicies in a namespace
• Manage Endpoints or EndpointSlices cluster-wide
• Manage Endpoints or EndpointSlices in a namespace
• Manage Services cluster-wide
• Manage Services in a namespace
• Read RBAC configuration cluster-wide
• Use privileged PodSecurityPolicy (deprecated)
• Manage PodDisruptionBudgets cluster-wide
• Manage Leases cluster-wide
• Manage Leases in kube-system or kube-node-lease namespace
• List Namespaces (Cluster Reconnaissance)
• List ValidatingWebhookConfigurations (Reconnaissance)
• List MutatingWebhookConfigurations (Reconnaissance)
• Create/Update ControllerRevisions (Potential Tampering)
• Create SelfSubjectRulesReviews (Discover Own Permissions)
• Read LimitRanges (Namespace Information Disclosure)
• Read ResourceQuotas (Namespace Information Disclosure)
• Read All ResourceQuotas (Cluster-wide Information Disclosure)
• Update CertificateSigningRequest Status (Tampering/DoS)
• Manage Ingresses (Namespace Service Exposure/Traffic Redirection)
• Manage IngressClasses (Cluster-wide Traffic Control Tampering)
• Update NetworkPolicy Status (Cluster-wide Tampering)
• Update PodDisruptionBudget Status (Namespace Tampering/DoS)
• Read ComponentStatuses (Control Plane Reconnaissance)
• Update Deployment Scale (Resource Abuse/DoS)
• Update StatefulSet Scale (Resource Abuse/DoS)
• Manage FlowSchemas (API Server DoS/Manipulation)
• Manage PriorityLevelConfigurations (API Server DoS/Manipulation)
• Read CSINode Objects (Node & Storage Reconnaissance)
• Read CSIStorageCapacities (Namespace Storage Reconnaissance)
• Manage VolumeAttachments (Cluster-wide Storage/Node Manipulation)
• Watch All Resources in a Namespace (Broad Information Disclosure)
• Node proxy GET RCE via WebSocket

📦 Workloads (1)

🤖 argocd-notifications-controller

Namespace: default  |  Automount: ✅

🔑 Permissions (6)

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

• Read secrets in a namespace
• Read ConfigMaps in a namespace

📦 Workloads (1)

🤖 argocd-dex-server

Namespace: default  |  Automount: ✅

🔑 Permissions (2)

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

• Read secrets in a namespace
• Read ConfigMaps in a namespace

📦 Workloads (1)

🤖 argo-cd-argocd-repo-server

Namespace: default  |  Automount: ✅

🔑 Permissions (1)

⚠️ Potential Abuse (106)

The following security risks were found based on the above permissions:

• Cluster-wide pod exec
• Namespaced pod exec
• Cluster-wide pod attach
• Namespaced pod attach
• Cluster-wide pod port-forward
• Namespaced pod port-forward
• Create pods cluster-wide
• Create pods in a namespace
• Update/Patch pods cluster-wide
• Update/Patch pods in a namespace
• Read secrets cluster-wide
• Read secrets in a namespace
• Modify secrets cluster-wide
• Modify secrets in a namespace
• Node proxy access (Kubelet API)
• Modify node configuration (labels, taints)
• Delete nodes
• Manage PersistentVolumes (cluster-wide storage manipulation)
• Read pod logs cluster-wide
• Read pod logs in a namespace
• Manage ephemeral containers cluster-wide
• Manage ephemeral containers in a namespace
• Read ConfigMaps cluster-wide
• Read ConfigMaps in a namespace
• Modify ConfigMaps cluster-wide
• Modify ConfigMaps in a namespace
• Delete namespaces
• Manage ClusterRoles (create, update, patch, delete)
• Manage ClusterRoleBindings (create, update, patch, delete)
• Manage Roles in a namespace (create, update, patch, delete)
• Manage RoleBindings in a namespace (create, update, patch, delete)
• Escalate privileges via ClusterRoles (escalate verb)
• Bind ClusterRoles to identities (bind verb)
• Manage Deployments cluster-wide (potential for privileged pod execution)
• Manage Deployments in a namespace (potential for privileged pod execution)
• Manage DaemonSets cluster-wide (runs on all nodes, high impact)
• Manage DaemonSets in a namespace (runs on nodes, high impact)
• Manage StatefulSets cluster-wide
• Manage StatefulSets in a namespace
• Manage CronJobs cluster-wide (scheduled privileged execution, persistence)
• Manage CronJobs in a namespace (scheduled privileged execution, persistence)
• Manage Jobs cluster-wide (one-off privileged execution)
• Manage Jobs in a namespace (one-off privileged execution)
• Manage MutatingWebhookConfigurations
• Manage ValidatingWebhookConfigurations
• Manage CustomResourceDefinitions
• Manage APIServices
• Create ServiceAccount Tokens
• Create ServiceAccount Tokens (ClusterRole for any SA in any namespace)
• Create TokenReviews (validate arbitrary tokens)
• Create SubjectAccessReviews (check arbitrary permissions)
• Create LocalSubjectAccessReviews (check permissions in a namespace)
• Approve CertificateSigningRequests
• Create CertificateSigningRequests
• Manage (get, list, watch, delete) CertificateSigningRequests
• Manage CSIDrivers (potential node compromise)
• Manage StorageClasses
• Evict Pods cluster-wide
• Evict Pods in a namespace
• Manage RuntimeClasses
• Wildcard permission on all resources cluster-wide (Cluster Admin)
• Wildcard permission on all resources in a namespace (Namespace Admin)
• Manage ClusterIssuers (cert-manager.io)
• Manage ArgoCD Applications (argoproj.io)
• Manage Cilium ClusterwideNetworkPolicies (cilium.io)
• Manage ETCDSnapshotFiles (k3s.cattle.io)
• Impersonate users, groups, or service accounts (cluster-wide)
• Manage ServiceAccounts cluster-wide
• Manage ServiceAccounts in a namespace
• Patch node status cluster-wide
• Read events cluster-wide
• Manage NetworkPolicies cluster-wide
• Manage NetworkPolicies in a namespace
• Manage Endpoints or EndpointSlices cluster-wide
• Manage Endpoints or EndpointSlices in a namespace
• Manage Services cluster-wide
• Manage Services in a namespace
• Read RBAC configuration cluster-wide
• Use privileged PodSecurityPolicy (deprecated)
• Manage PodDisruptionBudgets cluster-wide
• Manage Leases cluster-wide
• Manage Leases in kube-system or kube-node-lease namespace
• List Namespaces (Cluster Reconnaissance)
• List ValidatingWebhookConfigurations (Reconnaissance)
• List MutatingWebhookConfigurations (Reconnaissance)
• Create/Update ControllerRevisions (Potential Tampering)
• Create SelfSubjectRulesReviews (Discover Own Permissions)
• Read LimitRanges (Namespace Information Disclosure)
• Read ResourceQuotas (Namespace Information Disclosure)
• Read All ResourceQuotas (Cluster-wide Information Disclosure)
• Update CertificateSigningRequest Status (Tampering/DoS)
• Manage Ingresses (Namespace Service Exposure/Traffic Redirection)
• Manage IngressClasses (Cluster-wide Traffic Control Tampering)
• Update NetworkPolicy Status (Cluster-wide Tampering)
• Update PodDisruptionBudget Status (Namespace Tampering/DoS)
• Read ComponentStatuses (Control Plane Reconnaissance)
• Update Deployment Scale (Resource Abuse/DoS)
• Update StatefulSet Scale (Resource Abuse/DoS)
• Manage FlowSchemas (API Server DoS/Manipulation)
• Manage PriorityLevelConfigurations (API Server DoS/Manipulation)
• Read CSINode Objects (Node & Storage Reconnaissance)
• Read CSIStorageCapacities (Namespace Storage Reconnaissance)
• Manage VolumeAttachments (Cluster-wide Storage/Node Manipulation)
• Watch All Resources in a Namespace (Broad Information Disclosure)
• Node proxy GET RCE via WebSocket

📦 Workloads (1)

🤖 argo-cd-redis-ha

Namespace: default  |  Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (3)

🤖 argo-cd-redis-ha-haproxy

Namespace: default  |  Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)