
ArgoCD Security

RBAC, SSO, secret management with Sealed Secrets/External Secrets

Topic: Argo CD
Category: Security

Rules

- Never store plain-text secrets in Git — use Sealed Secrets for simple cases (encrypt with `kubeseal`, safe to commit), External Secrets Operator (ESO) to sync from Vault/AWS SM/Azure KV, or the Argo CD Vault Plugin to inject secrets at sync time
- Configure SSO via OIDC: integrate with your identity provider (Okta, Azure AD, GitHub) through Dex or direct OIDC config — all user authentication should flow through your IdP
- Disable the built-in `admin` account in production: set `accounts.admin.enabled: "false"` in argocd-cm and rotate the initial admin password immediately after installation
- Define granular RBAC in `argocd-rbac-cm`: map SSO groups to roles with per-project, per-action permissions instead of broad `role:admin` — e.g., `p, role:team-a-dev, applications, sync, team-a/*, allow`
- Set `policy.default: role:readonly` in RBAC config — deny all write access by default and explicitly grant sync/create/delete permissions per team and project
- Restrict ArgoCD Projects so teams cannot deploy outside their designated namespaces and clusters: whitelist `sourceRepos` to specific Git repos, limit `destinations` to specific clusters and namespaces, and use `clusterResourceWhitelist` to prevent CRD or ClusterRole creation
- Use `namespaceResourceBlacklist` in Projects to prevent teams from creating sensitive resources like Secrets directly — force them through ESO or Sealed Secrets
- Enable TLS for all ArgoCD components, including the API server, and configure Ingress with valid certificates; set `--insecure=false` on argocd-server and terminate TLS at the load balancer or ingress controller
- Run ArgoCD components with minimal RBAC: use dedicated ServiceAccounts with least-privilege ClusterRoles — audit the permissions argocd-application-controller and argocd-server actually need
- Regularly audit ArgoCD access: review RBAC policies, rotate service account tokens, and monitor ArgoCD audit logs for unauthorized sync or application creation events
- Use Kubernetes Network Policies to restrict which pods can reach the ArgoCD API server, Redis, and repo-server so only trusted sources have access — prevent lateral movement from compromised workloads
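The SSO, RBAC and Project rules above written out as manifests, as an added example that is not part of the original page: the external URL, OIDC issuer, client ID, Git repo and IdP group names are assumed placeholders, and the argocd-cm entry uses `admin.enabled`, the key Argo CD documents for the built-in admin account.

```yaml
# argocd-cm: built-in admin off, all users authenticate through the IdP
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  admin.enabled: "false"            # documented key for the built-in admin account
  url: https://argocd.example.com   # assumed external URL
  oidc.config: |
    name: Okta
    issuer: https://example.okta.com   # assumed issuer
    clientID: argo-cd
    clientSecret: $oidc.clientSecret   # read from argocd-secret, never a literal in Git
    requestedScopes: ["openid", "profile", "email", "groups"]
---
# argocd-rbac-cm: read-only by default, write access scoped to one project per team
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  scopes: "[groups]"                # match IdP group claims in the g-lines below
  policy.csv: |
    p, role:team-a-dev, applications, get, team-a/*, allow
    p, role:team-a-dev, applications, sync, team-a/*, allow
    p, role:team-a-dev, logs, get, team-a/*, allow
    g, team-a-developers, role:team-a-dev
    g, platform-admins, role:admin
---
# AppProject: team-a deploys only from its repo, into its namespace, with no cluster-scoped resources
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-a
  namespace: argocd
spec:
  sourceRepos:
    - https://github.com/example-org/team-a-manifests.git   # assumed repo
  destinations:
    - server: https://kubernetes.default.svc
      namespace: team-a
  clusterResourceWhitelist: []      # nothing cluster-scoped: no CRDs, no ClusterRoles
  namespaceResourceBlacklist:
    - group: ""
      kind: Secret                  # Secrets come from ESO or Sealed Secrets, not raw manifests
```

With this in place, a member of `team-a-developers` can view and sync only applications in project `team-a`, and a sync whose manifests include a Secret or any cluster-scoped resource is rejected by the project before it reaches the cluster.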