Objective: [[Gain Unauthorized Control over Target Kubernetes Cluster(s)]]
[[Gain Unauthorized Control over Target Kubernetes Cluster(s)]] === [[Compromise Argo CD Instance]] | === [Abuse Argo CD API] | | ||||| [[Direct API Calls (if exposed)]] | === [Compromise Argo CD Credentials] | --- [Stolen Token] | --- [Phishing] === [[Exploit Misconfigured Argo CD Access/Permissions]] === [[Overly Permissive RBAC]] | || [[Cluster-wide Admin]] === [[Weak/Default App Project Config]] || [[No App Restrictions]]
Attack Tree Path: [[Gain Unauthorized Control over Target Kubernetes Cluster(s)]]
- Description: The ultimate objective of the attacker. Successful exploitation of any of the child nodes leads to this outcome.
- Impact: Very High - Complete control over the Kubernetes cluster(s), allowing for malicious deployments, data exfiltration, and service disruption.
Attack Tree Path: [[Compromise Argo CD Instance]]
- Description: Gaining administrative or operational control over the Argo CD server itself. This is a critical stepping stone to controlling the managed clusters.
- Impact: Very High - Provides a direct path to manipulating deployments and accessing cluster resources.
Attack Tree Path: [Abuse Argo CD API] === ||||| [[Direct API Calls (if exposed)]]
- Description: If the Argo CD API is exposed to the internet or an untrusted network without proper authentication and authorization, an attacker can directly interact with it using standard HTTP requests.
- Impact: Very High - Allows the attacker to create, modify, or delete applications, sync deployments, and potentially access sensitive information.
- Likelihood: Medium (High if exposed, otherwise Low)
- Effort: Low
- Skill Level: Beginner
- Detection Difficulty: Medium (API calls are logged, but might be missed without proper monitoring and alerting).
- Mitigation:
- Never expose the Argo CD API directly to the public internet.
- Use a reverse proxy or API gateway with strong authentication (e.g., OIDC, OAuth 2.0, mTLS).
- Implement strict authorization policies using Argo CD's RBAC.
- Enable and monitor API access logs.
- Use network policies to restrict access to the API server.
Attack Tree Path: [Compromise Argo CD Credentials] === [Stolen Token]
- Description: An attacker obtains a valid Argo CD API token through various means, such as theft from a compromised system, interception of network traffic, or social engineering.
- Impact: High - Grants the attacker access to Argo CD with the permissions associated with the stolen token.
- Likelihood: Medium
- Effort: Low to Medium
- Skill Level: Intermediate
- Detection Difficulty: Medium (unusual activity from the token's associated user/service account might be detected).
- Mitigation:
- Use short-lived tokens.
- Implement multi-factor authentication (MFA).
- Regularly rotate tokens.
- Monitor for suspicious login activity and token usage.
- Educate users about the risks of token theft and phishing.
- Store tokens securely (e.g., using a secrets management system).
Attack Tree Path: [Compromise Argo CD Credentials] === [Phishing]
- Description: An attacker tricks a legitimate Argo CD user into revealing their credentials (username/password or API token) through a deceptive email, website, or other communication.
- Impact: High - Grants the attacker access to Argo CD with the compromised user's permissions.
- Likelihood: Medium
- Effort: Low to Medium
- Skill Level: Intermediate
- Detection Difficulty: Medium (depends on email security, user reporting, and anomaly detection).
- Mitigation:
- User education and awareness training on phishing techniques.
- Implement strong email security measures (e.g., spam filtering, DMARC, DKIM, SPF).
- Use multi-factor authentication (MFA).
- Encourage users to report suspicious emails and communications.
Attack Tree Path: [[Exploit Misconfigured Argo CD Access/Permissions]]
- Description: Leveraging overly permissive or incorrectly configured access controls within Argo CD to gain unauthorized access or escalate privileges.
- Impact: Very High - Can lead to complete control over managed clusters, depending on the misconfiguration.
Attack Tree Path: [[Overly Permissive RBAC]] === || [[Cluster-wide Admin]]
- Description: The Argo CD service account, or a user account used to interact with Argo CD, is granted the
cluster-adminrole within the target Kubernetes cluster(s). This grants excessive privileges. - Impact: Very High - Provides full control over the target cluster(s), bypassing any intended restrictions.
- Likelihood: Medium (a common misconfiguration)
- Effort: Very Low (if the role is already granted)
- Skill Level: Beginner
- Detection Difficulty: Medium (requires auditing RBAC configurations)
- Mitigation:
- Never grant the
cluster-adminrole to Argo CD or its users. - Create custom roles and role bindings with the minimum necessary permissions for Argo CD to function.
- Regularly review and audit RBAC configurations.
- Use the principle of least privilege.
- Never grant the
Attack Tree Path: [[Weak/Default App Project Config]] === || [[No App Restrictions]]
- Description: Argo CD AppProjects are not configured with appropriate restrictions, or the default AppProject is used without modification, allowing applications to be deployed to any cluster, namespace, or with any resources.
- Impact: Very High - An attacker can deploy malicious applications, potentially gaining control of the cluster or accessing sensitive data.
- Likelihood: Medium (a common misconfiguration)
- Effort: Very Low
- Skill Level: Beginner
- Detection Difficulty: Medium (requires auditing AppProject configurations)
- Mitigation:
- Always define specific AppProjects with restrictions on:
- Source repositories (allowed Git repos).
- Destination clusters and namespaces.
- Allowed Kubernetes resource types (e.g., Deployments, Services, Secrets).
- Avoid using the default AppProject with overly broad permissions.
- Regularly review and audit AppProject configurations.
- Always define specific AppProjects with restrictions on: