- Sub-task
- Resolution: Done
- Major
- None
- 1.17.0
- False
- False
An external researcher found a way to use the External Secrets Operator (ESO) with ArgoCD in Kubernetes to achieve privilege escalation and authentication bypass. They want to know whether there is an OpenShift GitOps x ESO deployment and, if so, whether it is configured securely so that this cannot happen.
Discussed 06/23/25 with rh-ee-sghadi and jprabhak@redhat.com. This should be handled according to the Weakness Management Standard.
Action
- Recreate the GitOps with AWS Secrets Manager deployment described in the ArgoCD Secrets Write-Up to confirm whether GitOps is affected
  - Reference the recommendations from slide 16
- Identify and review any GitOps x ESO default deployment configurations
- Update any GitOps x ESO documentation to warn users to configure their secrets managers securely (https://docs.redhat.com/en/documentation/red_hat_openshift_gitops/1.16/html/security/managing-secrets-securely-using-sscsid-with-gitops)