6. February 2022

This article has been indexed from

CySecurity News – Latest Information Security and Hacking Incidents

Argo CD is among the most popular Kubernetes continuous deployment technologies. Besides being easy to operate, it has a lot of power too. Kubernetes GitOps is the first tool that comes to mind. For cluster bootstrapping, Argo CD uses the App of Apps pattern.

Instead of manually developing each Argo CD app, we can make it programmatically and automatically. The idea is simple: make a single Argo CD application that looks for a git repo directory and puts all of the Argo CD application configuration files there. As a result, whenever an application definition file is created on the git repo location, the Argo CD application is immediately produced. Inspiringly, any Kubernetes object, including Argo CD, can be generated or handled. 

Apiiro’s Security Research team discovered a vulnerability scanning supply chain 0-day vulnerability (CVE-2022-24348) in Argo CD, another famous open source Continuous Delivery platform, which allows attackers to access sensitive data like secrets, passwords, and API keys. 

Argo CD organizes and instigates the operation and monitoring of post-integration application deployment. A user can create a new deployment pipeline by specifying an Archive or a Kubernetes Helm Chart file which contains:

The metadata and data required to deploy the correct Kubernetes setup. The ability to update the cloud setup dynamically as the manifest is changed. 

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

Read the original article: