Decouple control plane and application sync privileges
Type: Epic | Priority: Major | Resolution: Done | Status: To Do
Parent: SECFLOWOTL-86 - Improve GitOps Service tenant isolation
Epic progress: 0% To Do, 0% In Progress, 100% Done
Problem statement
Application syncs in Argo CD run with the same privileges as the Argo CD control plane. As a consequence, the control plane's privileges need to match those of the tenant that requires the highest privileges. For example, if an Argo CD instance manages 10 Applications and only one of them needs cluster-admin, the Argo CD control plane must itself hold cluster-admin in order to sync that one Application. Argo CD's multi-tenancy model limits what each Application may do even though the control plane is highly privileged, but this still leaves a large attack surface: if Argo CD is compromised, the attacker inherits cluster-admin access to the cluster.
Goal
As an admin, I want to decouple the privileges of Argo CD control plane from the tenants so that I can run Argo CD control plane with least privileges possible while adjusting the privileges for each tenant Application based on their requirements without increasing the attack surface of the cluster.
Proposed Solution
The Application 'sync' process should apply manifests using a service account from the namespace the Application resides in, by impersonating that service account rather than acting as the control plane's own identity.
Implementation notes
Possibly use Kubernetes user impersonation for the apply step; see, for example, https://github.com/argoproj/argo-cd/issues/7689
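As an added example (not from this issue or from the Argo CD project), the RBAC split the proposal implies, expressed as plain Kubernetes objects: the control plane identity is only allowed to impersonate service accounts, and each tenant namespace carries a service account whose Role defines what a sync in that namespace may change. The namespace names (argocd, tenant-a), the tenant service account name (argocd-sync) and the ClusterRole/Role names are assumptions; argocd-application-controller is Argo CD's usual controller service account name.

```yaml
# Added example, not part of the issue or of Argo CD. The namespaces "argocd"
# and "tenant-a", the service account "argocd-sync" and the role names are
# assumed for illustration.

# 1. Control plane side: the controller may only impersonate service accounts.
#    It no longer needs cluster-admin; what a sync can change is decided by the
#    RBAC bound to the tenant's own service account. (The controller keeps the
#    rights it needs for its own operation, e.g. reading Application CRs.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-sync-impersonator
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-sync-impersonator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-sync-impersonator
subjects:
- kind: ServiceAccount
  name: argocd-application-controller
  namespace: argocd
---
# 2. Tenant side: a service account in the Application's namespace with only
#    the rights that tenant's workloads need (here Deployments, Services and
#    ConfigMaps in its own namespace). A second tenant can be given more, or
#    less, without touching the control plane's privileges.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-sync
  namespace: tenant-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-sync
  namespace: tenant-a
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-sync
  namespace: tenant-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-sync
subjects:
- kind: ServiceAccount
  name: argocd-sync
  namespace: tenant-a
```

The effect can be checked without Argo CD at all, because impersonation is a plain API-server feature: `kubectl auth can-i create deployments -n tenant-a --as=system:serviceaccount:tenant-a:argocd-sync` should answer yes, while `kubectl auth can-i create clusterrolebindings --as=system:serviceaccount:tenant-a:argocd-sync` should answer no, which is exactly the boundary a compromised control plane would now be held to. The cluster-wide impersonate rule above is the broadest form; it can be tightened with `resourceNames`, or replaced by a Role and RoleBinding inside each tenant namespace, so that the controller can only assume the service accounts that were explicitly delegated to it.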
Acceptance Criteria
- Argo CD control plane service account privileges are separate from Application CR sync privileges
- Different Application CRs can have different privileges to the cluster
- Argo CD control plane service account privileges are reduced to minimum possible
- Cluster admins do not need to change Argo CD control plane service account privileges based on the needs of Applications and tenants
Relates to: GITOPS-917 Support Application CRs in non-control plane namespaces (Closed)