Problem statement

Application syncs in Argo CD have the same privileges as the Argo CD control plane. As a consequence, the Argo CD control plane privileges needs to match the tenant that needs the highest privileges. As an example, if an Argo CD instance has 10 Applications and only one of them needs cluster-admin privileges, the Argo CD control plane then must have cluster-admin privileges in order to successfully sync for that one Application. Argo CD provides a multi-tenancy model to limit what each Application can do even though the control plane has high privileges however that creates a large attack surface since if Argo CD is compromised, attackers would have cluster-admin access to the cluster.

Goal

As an admin, I want to decouple the privileges of Argo CD control plane from the tenants so that I can run Argo CD control plane with least privileges possible while adjusting the privileges for each tenant Application based on their requirements without increasing the attack surface of the cluster.
 

Proposed Solution

The Application 'sync' process to use a service account from the namespace it resides in through impersonation.

Implementation notes

Possibly use user impersonation for applying, example https://github.com/argoproj/argo-cd/issues/7689

Acceptance Criteria

1. Argo CD control plane service account privileges are separate from Application CR sync privileges
2. Different Application CRs can have different privileges to the cluster
3. Argo CD control plane service account privileges are reduced to minimum possible
4. Cluster admins do not need to change Argo CD control plane service account privileges based on the needs of Applications and tenants