How to protect your Kubernetes infrastructure from the Argo CD vulnerability

Argo CD is a popular open source, continuous delivery (CD) platform for Kubernetes that is used by hundreds of organizations globally. Recently, a serious vulnerability in Argo CD was uncovered by Apiiro, which enables attackers to access sensitive information such as secrets, passwords, and API keys. The vulnerability has been tagged as CVE-2022-24348.

The vulnerability could allow malicious actors to load specifically configured Kubernetes Helm charts that would grant them access to sensitive information through Argo CD.

What’s at risk?

In terms of the impact of this vulnerability, Apiiro has determined the following (so far). Note that the following information was from Apiiro’s website at the time of the announcement and may be subject to change. Please refer to Apiiro’s website for the latest information.

Here’s what we know about the vulnerability and what it could enable an attacker:

• The attacker can read and exfiltrate secrets, tokens, and other sensitive information residing on other applications.
• The attacker can “move laterally” from their application to another application’s data.

The risk was given a severity rating of high given that the malicious Helm chart could potentially expose sensitive information stored on a Git repository and also “roam” through applications allowing attackers to read secrets, tokens, and sensitive data that reside within the applications.

Tips for staying protected

The team behind Argo CD quickly provided a patch that impacted organizations should apply as soon as possible as the vulnerability affects all versions of the tool. The patch is available via Argo CD’s GitHub repository.

While it is possible to take immediate action to protect your organization from the Argo CD vulnerability today, it’s important to think about ways to stay protected against future Kubernetes vulnerabilities.

Here are some key tactics and measures you can implement to ensure that your organization maintains a high security posture:

• Software supply chain governance: Ensures that only reviewed and approved software components are allowed to operate on Kubernetes clusters.
• Zero-trust access: Allows organizations to implement a just-in-time (JIT) credential provisioning model for user and system access to clusters to ensure that there are no permanently dangling, out-of-sync credentials. This avoids potential back doors and shrinks the attack surface significantly.
• Role-based access control (RBAC): Implement separation of duties so that no user or system is operating in “God mode.” Ensure that users and external systems only have the minimum level of access they need on clusters.
• Secrets management: Ensures that secrets are dynamically retrieved from a central source of truth that enables at-will rotation of secrets if necessary.
• SaaS: Leverage a SaaS provider for services where possible because they can patch vulnerabilities very quickly for all customers and help shrink the attack window dramatically.

The reality is that security breaches happen, and will continue to happen, especially in the open source world of Kubernetes. Luckily, Argo CD was able to apply a patch right away when their vulnerability was revealed.

However, knowing that security will likely continue to be a concern, it’s best to prepare as much as possible today for incidents of the future. It’s hard to know exactly what else may come, but following the five best practices mentioned above will boost your protection.

Mohan Atreya is SVP of products and solutions at Rafay Systems, provider of the Kubernetes Operations Platform.

—

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.