ArgoCD - Security

Evaluation Context

Argo CD relies on an external OIDC provider for authentication and on an internal Casbin-based RBAC system for authorization; the OIDC group claims of the authenticated user are mapped to Casbin roles, and those roles decide what the user may do.

1. Decision Matrix / RBAC

Entity / Scope          | Context                                                    | Target / Status
------------------------|------------------------------------------------------------|------------------------------------------
policy.csv              | Core mapping of OIDC groups to Casbin internal roles.      | e.g. g, [email protected], role:admin
policy.default          | Fallback policy applied to unauthenticated/unmapped users. | MUST be role:readonly
users.anonymous.enabled | Global public read toggle in argocd-cm.                    | Generally false in Enterprise.
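The three rows above can be checked mechanically before a ConfigMap is applied. The following audit script is an added example and not part of the original page or of the Argo CD project; the ConfigMap contents, the group names and the role name `role:deployer` are constructed samples.

```python
import csv
import io

# Roles Argo CD ships with; any other role must be defined by a `p` line.
BUILTIN_ROLES = {"role:admin", "role:readonly"}

# Constructed samples of the `data:` section of argocd-rbac-cm and argocd-cm
# (not taken from any real cluster); group and role names are made up.
HARDENED_RBAC_CM = {
    "policy.default": "role:readonly",
    "policy.csv": (
        "p, role:deployer, applications, sync, team-a/*, allow\n"
        "g, argocd-admins, role:admin\n"
        "g, team-a-devs, role:deployer\n"
    ),
}
HARDENED_ARGOCD_CM = {"users.anonymous.enabled": "false"}

WEAK_RBAC_CM = {
    "policy.default": "role:admin",                    # unmapped users become admin
    "policy.csv": "g, team-a-devs, role:deployer\n",  # role:deployer is never defined
}
WEAK_ARGOCD_CM = {"users.anonymous.enabled": "true"}  # public read of every app


def parse_policy_csv(text):
    """Split policy.csv into stripped field lists; skip blank and comment lines."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        fields = [f.strip() for f in fields]
        if fields and fields[0] and not fields[0].startswith("#"):
            rows.append(fields)
    return rows


def audit(rbac_cm, argocd_cm):
    """Return a list of findings; an empty list means the decision matrix holds."""
    findings = []
    if rbac_cm.get("policy.default") != "role:readonly":
        findings.append("policy.default must be role:readonly")
    # Argo CD's own default for the toggle is false, so a missing key is fine.
    if argocd_cm.get("users.anonymous.enabled", "false").lower() != "false":
        findings.append("users.anonymous.enabled must be false")
    rows = parse_policy_csv(rbac_cm.get("policy.csv", ""))
    defined = {r[1] for r in rows if r[0] == "p" and len(r) >= 2} | BUILTIN_ROLES
    for r in rows:
        if r[0] == "g" and len(r) == 3 and r[2] not in defined:
            findings.append(f"group {r[1]} mapped to undefined role {r[2]}")
    return findings


if __name__ == "__main__":
    print(audit(HARDENED_RBAC_CM, HARDENED_ARGOCD_CM))  # []
    print(audit(WEAK_RBAC_CM, WEAK_ARGOCD_CM))          # three findings
```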

2. Threat Model & Extracted Constraints

Based on formal Context7 documentation review:

- SSO Architecture: ArgoCD delegates SSO entirely to Dex or native OIDC (via oidc.config). When integrating, always map the exact claims via requestedIDTokenClaims to pull groups directly into Casbin.
- State Manipulation: The resource.customizations.ignoreDifferences flag is critical to prevent ArgoCD from endlessly attempting to revert managed Webhooks (like MutatingWebhookConfiguration) manipulated dynamically by operators.