Headline
CVE-2023-40026: Installation - Argo CD - Declarative GitOps CD for Kubernetes
Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. User’s still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation.
Argo CD has two type of installations: multi-tenant and core.
Multi-Tenant¶
The multi-tenant installation is the most common way to install Argo CD. This type of installation is typically used to service multiple application developer teams in the organization and maintained by a platform team.
The end-users can access Argo CD via the API server using the Web UI or argocd CLI. The argocd CLI has to be configured using argocd login <server-host> command (learn more here).
Two types of installation manifests are provided:
Non High Availability:¶
Not recommended for production use. This type of installation is typically used during evaluation period for demonstrations and testing.
install.yaml - Standard Argo CD installation with cluster-admin access. Use this manifest set if you plan to use Argo CD to deploy applications in the same cluster that Argo CD runs in (i.e. kubernetes.svc.default). It will still be able to deploy to external clusters with inputted credentials.
namespace-install.yaml - Installation of Argo CD which requires only namespace level privileges (does not need cluster roles). Use this manifest set if you do not need Argo CD to deploy applications in the same cluster that Argo CD runs in, and will rely solely on inputted cluster credentials. An example of using this set of manifests is if you run several Argo CD instances for different teams, where each instance will be deploying applications to external clusters. It will still be possible to deploy to the same cluster (kubernetes.svc.default) with inputted credentials (i.e. argocd cluster add <CONTEXT> --in-cluster --namespace <YOUR NAMESPACE>).
Note: Argo CD CRDs are not included into namespace-install.yaml. and have to be installed separately. The CRD manifests are located in the manifests/crds directory. Use the following command to install them: kubectl apply -k https://github.com/argoproj/argo-cd/manifests/crds?ref=stable
High Availability:¶
High Availability installation is recommended for production use. This bundle includes the same components but tuned for high availability and resiliency.
ha/install.yaml - the same as install.yaml but with multiple replicas for supported components.
ha/namespace-install.yaml - the same as namespace-install.yaml but with multiple replicas for supported components.
Core¶
The Argo CD Core installation is primarily used to deploy Argo CD in headless mode. This type of installation is most suitable for cluster administrators who independently use Argo CD and don’t need multi-tenancy features. This installation includes fewer components and is easier to setup. The bundle does not include the API server or UI, and installs the lightweight (non-HA) version of each component.
Installation manifest is available at core-install.yaml.
For more details about Argo CD Core please refer to the official documentation
Kustomize¶
The Argo CD manifests can also be installed using Kustomize. It is recommended to include the manifest as a remote resource and apply additional customizations using Kustomize patches.
apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization
namespace: argocd resources:
- https://raw.githubusercontent.com/argoproj/argo-cd/v2.7.2/manifests/install.yaml
For an example of this, see the kustomization.yaml used to deploy the Argoproj CI/CD infrastructure.
Helm¶
The Argo CD can be installed using Helm. The Helm chart is currently community maintained and available at argo-helm/charts/argo-cd.
Supported versions¶
Similar to the Kubernetes project, the supported versions of Argo CD at any given point in time are the latest patch releases for the N and N - 1 minor versions. These Argo CD versions are supported on the same versions of Kubernetes that are supported by Kubernetes itself (normally the last 3 released versions).
Essentially the Argo CD project follows the same support scheme as Kubernetes but for N, N-1 while Kubernetes supports N, N-1, N-2 versions.
For example if the latest minor version of ArgoCD are 2.4.3 and 2.3.5 while supported Kubernetes versions are 1.24, 1.23 and 1.22 then the following combinations are supported:
- Argo CD 2.4.3 on Kubernetes 1.24
- Argo CD 2.4.3 on Kubernetes 1.23
- Argo CD 2.4.3 on Kubernetes 1.22
- Argo CD 2.3.5 on Kubernetes 1.24
- Argo CD 2.3.5 on Kubernetes 1.23
- Argo CD 2.3.5 on Kubernetes 1.22
Tested versions¶
The following table shows the versions of Kubernetes that are tested with each version of Argo CD.
Argo CD version
Kubernetes versions
2.8
v1.27, v1.26, v1.25, v1.24
2.7
v1.26, v1.25, v1.24, v1.23
2.6
v1.24, v1.23, v1.22
Related news
### Impact In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. ### Patches This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. ### Workarounds User's still using Argo CD 2.3 or below are advised to update to a [supported ver...