Unlocking Ultimate Argo CD Security

Akuity Platform unlocks Argo CD ultimate security

The Akuity Platform offers cloud-hosted Argo CD that allows managing hundreds of Kubernetes clusters without the burden of maintaining and scaling the control plane. This is useful for both small organizations and large enterprises. Small organizations can free up their resources to focus on their core business, and large enterprises get a truly scalable solution that covers the needs of dozens of teams.

However, one of the first questions about any hosted platform is how secure it is. In this article, we'll walk through the security aspects of using cloud-hosted Argo CD and see how the Akuity Platform addresses the main concerns.



The GitOps Model

Before digging into the security aspects of cloud-hosted Argo CD, let's take a couple of steps back and look at the tool's foundation: the GitOps methodology. GitOps not only improves developer experience but also substantially changes the security model, so it's important to understand that difference from the security perspective.

The requirement to manage infrastructure while, at the same time, not providing access to the cluster management API sounds contradictory. The GitOps methodology is the key ingredient that makes it possible. Unlike a continuous integration pipeline, which pushes changes into the cluster from outside and therefore needs cluster credentials, a GitOps operator is a purpose-built tool that pulls the desired state from Git, so it makes sense to host it inside the managed cluster. This provides an opportunity to lock down access to the cluster management API and replace it with access to the Git repository. Cluster users can still make configuration changes, but those changes are now strictly tied to GitOps semantics: a commit to a repository that the operator reconciles.

CIOps vs GitOps

Even if the Git repository is compromised, the attacker can do no more than what the GitOps operator itself does: apply manifests from that repository to the cluster, effectively a kubectl apply. The ceiling is therefore set by the operator's in-cluster permissions and by the restrictions placed on what the repository may deploy, not by whatever credentials a CI job happened to hold. This significantly reduces the attack surface compared to full Kubernetes API access. You no longer need to worry about cluster credentials leaking from CI containers or build logs. Additionally, Argo CD can verify GPG signatures on commits, so even a compromised repository cannot get unsigned changes applied to the cluster.

Self-Hosted Argo CD

Argo CD takes full advantage of the GitOps model. By default, Argo CD is configured to manage the cluster it's running in. The core Argo CD features and additional tools, such as ApplicationSet, allow users to drive cluster management entirely through Git and to open the Argo CD UI only when troubleshooting. The disadvantage of running one isolated instance per cluster is that it fragments the user experience and ultimately doesn't let engineers take full advantage of all Argo CD features.

The multi-cluster management feature is an answer to this problem. Argo CD allows connecting and managing multiple Kubernetes clusters. From the security point of view, it's not acceptable to have a single instance with cluster-admin access to every cluster in the organization. However, it is reasonable to have a single instance that manages the clusters of one business unit within the organization.

Argo CD Architectures

This provides the best user experience while limiting the blast radius of a potential attack. The engineers of a single business unit get one Argo CD that manages all the infrastructure pieces they care about, so the Argo CD user interface serves as a single pane of glass. At the same time, the attack surface is limited to the clusters of that business unit, and a compromise there won't affect the whole organization.
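The two controls described above, restricting what a repository may deploy and where (the per-business-unit blast radius) and requiring GPG-signed commits (the defence against a compromised repository), are both expressed in Argo CD through an AppProject. The manifest below is an added example written for this article, not configuration from the original post or from Akuity; the organization name, repository URL pattern, cluster API endpoints, group name and GPG key ID are placeholders.

```yaml
# Added example: an AppProject that scopes one business unit's Argo CD
# Applications to its own repositories and clusters, denies cluster-scoped
# resources, and requires signed commits. All names below are assumed.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: payments-bu
  namespace: argocd
spec:
  description: Applications owned by the Payments business unit

  # Only repositories matching this glob may be used as a source.
  # A compromised repo outside this pattern cannot be wired into the project.
  sourceRepos:
    - https://github.com/example-org/payments-*

  # Only this unit's clusters and namespaces may be deployment targets.
  # This is what keeps a compromise within the unit's blast radius.
  destinations:
    - server: https://payments-prod.example.internal
      namespace: payments-*
    - server: https://payments-staging.example.internal
      namespace: payments-*

  # No cluster-scoped resources at all (ClusterRole, Namespace, CRDs, ...).
  # An empty list is the default for a new project; it is explicit here.
  clusterResourceWhitelist: []

  # Namespaced resources a manifest in Git is never allowed to create,
  # so a compromised repo cannot grant itself RBAC or loosen quotas.
  namespaceResourceBlacklist:
    - group: rbac.authorization.k8s.io
      kind: Role
    - group: rbac.authorization.k8s.io
      kind: RoleBinding
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange

  # Sync is refused unless the target commit carries a valid signature
  # from one of these GnuPG key IDs. Placeholder key ID.
  signatureKeys:
    - keyID: 0123456789ABCDEF

  # Project-scoped RBAC for the unit's engineers: view and sync only.
  # Casbin policy format: p, <subject>, <resource>, <action>, <object>, <effect>
  roles:
    - name: developer
      description: Read and sync this unit's applications
      policies:
        - p, proj:payments-bu:developer, applications, get, payments-bu/*, allow
        - p, proj:payments-bu:developer, applications, sync, payments-bu/*, allow
      groups:
        - payments-developers   # SSO group name, assumed
```

The public key referenced by `signatureKeys` has to be imported into Argo CD first (`argocd gpg add --from <public-key.asc>`), otherwise every sync in the project fails verification. Note that the manifest constrains what Git can make the operator do; the operator's own in-cluster permissions still set the absolute ceiling, so the two should be tightened together.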

Akuity-Hosted Argo CD

I don't blame you if you winced while reading the words "security compromise". Those two words never go well together, and we at Akuity feel the same way. That is why the Akuity Platform offers a different Argo CD architecture that provides the best of both worlds. The Akuity Platform splits Argo CD into a control plane and a data plane. The cloud-hosted control plane includes the API, the user interface and the Argo CD Application resources, the metadata that describes source Git repositories and target clusters. The data plane is a set of Argo CD controllers that reside in the managed clusters and are responsible for the actual cluster management.

Akuity Architecture

Now is a good moment to come back to the GitOps security model and compare it with Akuity-hosted Argo CD. The main GitOps advantage is an attack surface bounded by GitOps semantics: the attacker can do no more than what the GitOps operator itself does. Akuity-hosted Argo CD is no different and doesn't increase that attack surface, because the controllers that actually touch the clusters still run inside them. A compromised control plane opens no more doors than a compromised Git repository. This way, it's possible to have a single Argo CD instance that manages the entire organization's infrastructure with the best possible developer experience and without a security compromise.

Conclusion

The Akuity-hosted Argo CD provides the ultimate scalability that covers the needs of any organization. Combined with the extreme flexibility and security without compromises, we believe it's a perfect fit for any organization. At Akuity we're obsessed with the idea of making Argo CD the best Kubernetes management tool, and we're dedicated to working towards this goal. If you have any ideas or feedback, please don't hesitate to reach out! We are always happy to take feedback and turn it into the next great feature.
