Skip to content

security: enforce least-privilege RBAC and prevent wildcard regressions#66

Open
cjeanner wants to merge 1 commit into
mainfrom
security/argocd
Open

security: enforce least-privilege RBAC and prevent wildcard regressions#66
cjeanner wants to merge 1 commit into
mainfrom
security/argocd

Conversation

@cjeanner

@cjeanner cjeanner commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Apply principle of least privilege to ArgoCD ClusterRole permissions and add automated CI validation to prevent future regressions.

RBAC Improvements:

  • Replace wildcard verbs on core API resources (secrets, pods, PVCs) with explicit verb lists to prevent implicit dangerous permissions
  • Change pods permissions to read-only (get, list, watch) - ArgoCD only needs to monitor pod status, not create/delete them
  • Replace wildcard resources in metal3.io, lvm.topolvm.io, and baremetal.openstack.org with explicit resource lists
  • Comment out unused multicluster.openshift.io permissions

Security Rationale:

  • Wildcard verbs ('*') grant implicit permissions including 'impersonate', 'escalate', and 'bind' which can lead to privilege escalation
  • Wildcard resources ('*') prevent least-privilege enforcement and grant access to all current and future resources in an API group
  • Explicit permissions reduce attack surface and follow Kubernetes RBAC best practices

CI Regression Prevention:

  • Add automated RBAC validation script that scans ClusterRole/Role definitions for dangerous wildcard patterns
  • Integrate validation as new job in yamllint workflow (runs on all PRs)
  • Fail CI if critical violations detected (wildcard verbs on core API resources or wildcard resources in any API group)
  • Provide clear remediation guidance in error messages
  • Document validation rules, security rationale, and how to fix violations

Apply principle of least privilege to ArgoCD ClusterRole permissions and
add automated CI validation to prevent future regressions.

RBAC Improvements:
- Replace wildcard verbs on core API resources (secrets, pods, PVCs) with
  explicit verb lists to prevent implicit dangerous permissions
- Change pods permissions to read-only (get, list, watch) - ArgoCD only
  needs to monitor pod status, not create/delete them
- Replace wildcard resources in metal3.io, lvm.topolvm.io, and
  baremetal.openstack.org with explicit resource lists
- Comment out unused multicluster.openshift.io permissions

Security Rationale:
- Wildcard verbs ('*') grant implicit permissions including 'impersonate',
  'escalate', and 'bind' which can lead to privilege escalation
- Wildcard resources ('*') prevent least-privilege enforcement and grant
  access to all current and future resources in an API group
- Explicit permissions reduce attack surface and follow Kubernetes RBAC
  best practices

CI Regression Prevention:
- Add automated RBAC validation script that scans ClusterRole/Role
  definitions for dangerous wildcard patterns
- Integrate validation as new job in yamllint workflow (runs on all PRs)
- Fail CI if critical violations detected (wildcard verbs on core API
  resources or wildcard resources in any API group)
- Provide clear remediation guidance in error messages
- Document validation rules, security rationale, and how to fix violations

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@cjeanner cjeanner self-assigned this Jul 6, 2026
@cjeanner

cjeanner commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator Author

I could get a successful run with the updated RBAC. I ensured the deployment was using that updated content by getting the ClusterRole gitops-openstack - it didn't show the problematic wildcards. The job was running in our internal infra, so I can't link it in here.

Comment thread openshift-gitops.deploy/enable/clusterrole.yaml

@pinikomarov pinikomarov left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

didn't FIND-01 request the current ClusterRole for gitops-openstack be replaced with namespace-scoped Roles ?

which is a big change TBH , so not entirely sure it's worth it, while all other FINDs are being fixed

@cjeanner

cjeanner commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator Author

didn't FIND-01 request the current ClusterRole for gitops-openstack be replaced with namespace-scoped Roles ?

which is a big change TBH , so not entirely sure it's worth it, while all other FINDs are being fixed

We're already enumerating the resources ArgoCD manages. The wildcards have been dropped/replaced for cluster-wide resources, while keeping wildcards for openstack-only resources. I propose we go with the current state, while keeping in mind there's now a fair warning about how (not really) secure are the proposed configuration, added in #68 (merged already). WDYT?

@pinikomarov

Copy link
Copy Markdown
Contributor

We're already enumerating the resources ArgoCD manages. The wildcards have been dropped/replaced for cluster-wide resources, while keeping wildcards for openstack-only resources. I propose we go with the current state, while keeping in mind there's now a fair warning about how (not really) secure are the proposed configuration, added in #68

I agree with that approach, lgtm

@pinikomarov

Copy link
Copy Markdown
Contributor

@cjeanner rebase needed , then we're good to go

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants