Summary
argocd-repo-server and argocd-cmp-server execute external binaries
(Helm, Kustomize, and arbitrary CMP plugin scripts) with the same
privileges and filesystem visibility as the server process itself.
Those tools can therefore inadvertently or maliciously read secrets,
traverse the repository cache of other applications, or make
unexpected outbound network calls.
This proposal introduces "Tool Execution Sandbox" - A mechanism to restrict the filesystem access, network connectivity, and system call surface of tools executed by argocd-repo-server and argocd-cmp-server(Helm, Kustomize, Config Management Plugins) using Linux kernel security primitives.
Please see proposal text in the attached pull request
Summary
argocd-repo-serverandargocd-cmp-serverexecute external binaries(Helm, Kustomize, and arbitrary CMP plugin scripts) with the same
privileges and filesystem visibility as the server process itself.
Those tools can therefore inadvertently or maliciously read secrets,
traverse the repository cache of other applications, or make
unexpected outbound network calls.
This proposal introduces "Tool Execution Sandbox" - A mechanism to restrict the filesystem access, network connectivity, and system call surface of tools executed by
argocd-repo-serverandargocd-cmp-server(Helm, Kustomize, Config Management Plugins) using Linux kernel security primitives.Please see proposal text in the attached pull request