github.com/argoproj/argo-cd/v2@v2.10.9/docs/operator-manual/applicationset/Security.md (about)

     1  # ApplicationSet Security
     2  
     3  ApplicationSet is a powerful tool, and it is crucial to understand its security implications before using it.
     4  
     5  ## Only admins may create/update/delete ApplicationSets
     6  
     7  ApplicationSets can create Applications under arbitrary [Projects](../../user-guide/projects.md). Argo CD setups often
     8  include Projects (such as the `default`) with high levels of permissions, often including the ability to manage the 
     9  resources of Argo CD itself (like the RBAC ConfigMap).
    10  
    11  ApplicationSets can also quickly create an arbitrary number of Applications and just as quickly delete them.
    12  
    13  Finally, ApplicationSets can reveal privileged information. For example, the [git generator](./Generators-Git.md) can
    14  read Secrets in the Argo CD namespace and send them to arbitrary URLs (e.g. URL provided for the `api` field) as auth headers.
    15  (This functionality is intended for authorizing requests to SCM providers like GitHub, but it could be abused by a malicious user.)
    16  
    17  For these reasons, **only admins** may be given permission (via Kubernetes RBAC or any other mechanism) to create, 
    18  update, or delete ApplicationSets.
    19  
    20  ## Admins must apply appropriate controls for ApplicationSets' sources of truth
    21  
    22  Even if non-admins can't create ApplicationSet resources, they may be able to affect the behavior of ApplicationSets.
    23  
    24  For example, if an ApplicationSet uses a [git generator](./Generators-Git.md), a malicious user with push access to the
    25  source git repository could generate an excessively high number of Applications, putting strain on the ApplicationSet
    26  and Application controllers. They could also cause the SCM provider's rate limiting to kick in, degrading ApplicationSet
    27  service.
    28  
    29  ### Templated `project` field
    30  
    31  It's important to pay special attention to ApplicationSets where the `project` field is templated. A malicious user with
    32  write access to the generator's source of truth (for example, someone with push access to the git repo for a git
    33  generator) could create Applications under Projects with insufficient restrictions. A malicious user with the ability to
    34  create an Application under an unrestricted Project (like the `default` Project) could take control of Argo CD itself
    35  by, for example, modifying its RBAC ConfigMap.
    36  
    37  If the `project` field is not hard-coded in an ApplicationSet's template, then admins _must_ control all sources of 
    38  truth for the ApplicationSet's generators.