The Linux Foundation: Security Considerations for Hardening Declarative GitOps CD on Kubernetes

How the world's leading open source organisation promoted secure Argo CD deployments through end-user focused threat modeling
Featured image

About The Linux Foundation

The San Francisco-based Linux Foundation (LF) is a global leader in open source technology. Operating in over 160 countries, it champions open source principles and fosters innovation. Backed by a diverse community, the LF draws together Fortune 500 companies and independent developers to shape a collaborative digital future.

Threat Modelling a Multi-Tenant Argo CD Deployment on Kubernetes

As a global authority on open source technology, the Linux Foundation understands the far-reaching implications of cloud native security. Bearing the cloud native torch, the LF has contributed significantly to developing operational theories, supporting aspiring experts, and easing system complexities associated with building and managing cloud native applications. Yet, in spite of the increased focus on software security, the critical issue of misconfiguration, a leading cause of cloud breaches, often goes underemphasized.

In response, the Cloud Native Computing Foundation (CNCF) enlisted ControlPlane to conduct comprehensive threat modeling of Argo CD, from the perspective of an end user. This analysis unveiled nineteen threats, with six of them deemed high-priority, presenting significant potential risks to end-user security. Recommendations, including secure password management and role-based access control, were provided to mitigate these risks, ensuring that organisations can safely harness the efficiency and security benefits of Argo CD.


As the Linux Foundation supports declarative GitOps deployment methodologies with open source projects such as Argo CD, end-user security and hardening considerations become a forefront concern for practitioners looking to run these technologies.

The challenge in securing end-user GitOps deployments lies in the complexity of multi-tenant architectures, which can vary widely between individual use cases. For example, each unique deployment of Argo CD in multi-tenant mode can introduce differential security risks depending on synchronization configuration and Source Control Management (SCM) for their Application and AppProject resources. Moreover, the rapid adoption of GitOps necessitates novel, foundational documentation on implementing tools like Argo CD in a safe, secure, and repeatable manner.

Such challenges not only hinder end users looking to adopt declarative GitOps, but also the oft-overburdened project maintainers who now have an ever greater backlog of triage-related issues.


ControlPlane conducted a comprehensive threat modeling exercise that identified nineteen threats, including six high-priority threats, illuminating critical data assets and outlining the process flow of data within an Argo CD-enabled (Kubernetes) cluster architecture. This exercise was complemented with a multi-tenant Argo CD deployment on AWS EKS, emulating an end-user implementation of the tool. After assessing this demo environment for potential risks, ControlPlane mapped discovered security threats within detailed attack trees to help pave the way toward practical and actionable end-user mitigation strategies.

Holistically, the following key initiatives were implemented as part of the threat modelling exercise:

  • In-depth threat assessment based on a multi-tenant deployment of Argo CD across multiple Kubernetes clusters
  • Mapping enumerated threats into detailed attack trees to better visualise and understand exploit paths and mitigating controls
  • Outlining high priority threats and recommendations to provide clear guidance to end-users

These security solutions provided a multitude of benefits to the Linux Foundation, including:

  • Strengthened end-user confidence in deploying Argo CD through actionable recommendations and security control strategies
  • Streamlined deployment considerations for running Argo CD in multi-tenant mode
  • Cooperation with the project maintainers to ease security and triage overhead
  • Drawing attention to one of the forefront technologies in declarative GitOps

Business Outcomes

The Linux Foundation, in collaboration with ControlPlane, adopted a proactive approach to security with a focus on identifying and mitigating threats before they are exploited. By implementing comprehensive threat modeling practices, the foundation has enabled open source users to reduce the risk of cloud native breaches by improving their Argo CD security configuration.

To learn more about the threat model, check out the published Argo CD End User Threat Model on the argoproj GitHub repository.