
























ArgoCD has established itself as the leading GitOps continuous delivery tool for Kubernetes, but with widespread adoption comes significant responsibility. After years of growth and feedback from a massive user base, the ArgoCD maintainers are taking a bold step with version 3.0 - shifting from flexibility to opinionated defaults that embody security and operational best practices.
This major version is not about flashy new features. Instead, it's about taking the configurations that experienced ArgoCD administrators routinely change right after installation and making them the new defaults. It's about addressing technical debt and aligning the platform with modern Kubernetes security practices.
In this post, we'll explore the key changes in ArgoCD 3.0, with special attention to network policies and secrets management - two areas receiving significant security improvements.
You might wonder why the maintainers are incrementing the major version for what appears to be "just" configuration changes. As explained by the ArgoCD team:
"Argo CD is such a critical project of running systems... and changing defaults was something that the contributors, the maintainers were like 'we wish we didn't have that default' and people were using that default."
With so many organizations depending on ArgoCD for critical infrastructure, even small changes to default behaviors require careful consideration. The major version number serves as a signal to users: "Watch out, there's something changing here."
One of the most common changes administrators make immediately after installing ArgoCD is switching the resource tracking method from label to annotation or annotation plus label. Why? The label-based approach has length limitations that cause truncation issues for longer application names.
ArgoCD 3.0 makes annotation tracking the default, eliminating this common post-installation tweak.
ArgoCD has long supported storing repository credentials in secrets, but for backward compatibility, it also allowed storing them in config maps (argocd-cm). This practice poses a security risk as sensitive information like passwords and tokens is stored in plain text.
With 3.0, support for the config map approach is being removed entirely. As one maintainer put it:
"Storing it in a config map means you have information that should be secret, like your password and stuff, in plain text in a config map. There's no reason to do that."
This change is part of ArgoCD's broader security initiative, pushing users toward more secure practices by default.
The matrix and merge generators in ArgoCD will now have applyNestedSelectors: true as the default and only option. This setting was already being enabled by virtually all users, making it a prime candidate for becoming the new default.
Perhaps the most significant security evolution in ArgoCD 3.0 is its stronger opinion on secrets management. Historically, ArgoCD remained neutral on how secrets should be handled, leading to a variety of approaches, some more secure than others.
Many users have been using tools like ArgoCD Vault Plugin (AVP) to inject secrets into manifests during generation. While this approach worked, it introduced several security concerns:
The ArgoCD team is now explicitly recommending against this pattern:
"We really think you should not be doing that. That's not a secure way to do it. That's not a stable way to do it."
Instead, they're advocating for operator-based approaches using Kubernetes-native tools like:
These approaches keep secrets management independent from application deployment and prevent secrets from passing through ArgoCD's systems.
ArgoCD 3.0 introduces logic to prevent the usage of in-cluster configuration when it's explicitly disabled, removing a potential source of configuration conflicts and security risks.
While not explicitly highlighted in the 3.0 announcement, the recent critical vulnerability (CVE-2024-31989) in ArgoCD's Redis implementation exemplifies why these security-focused changes are necessary.
The vulnerability, which received a critical score of 9.1, exposed that by default:
ArgoCD has included network policies in its codebase for some time, with separate policies for different components:
However, many users weren't aware that:
The issue was patched in May 2024 with versions 2.11.1, 2.10.10, 2.9.15, and 2.8.19, which included an initialized password for the Redis server. This additional security measure helps prevent unauthorized access even when network policies aren't properly enforced.
This vulnerability highlights perfectly why ArgoCD 3.0's shift toward secure defaults is so important. Having security features available isn't enough if they're not properly implemented and enabled by default.
If you're using ArgoCD and are concerned about network security, you should verify that:
kubectl -n argocd get networkpolicy argocd-redis-network-policy
For those continuing to use generation-based secrets management (like ArgoCD Vault Plugin), the ArgoCD team recommends additional mitigations:
While security is a major focus, ArgoCD 3.0 also brings performance enhancements:
ArgoCD follows a "current minus 2" support model for security updates and critical bug fixes. This means:
The team has created tools and documentation to help identify if your current ArgoCD configuration will be affected by the 3.0 changes. While the upgrade is designed to be minimally disruptive, users are encouraged to:
ArgoCD 3.0 represents an important evolution in the project's approach to security and operational practices. By making the best practices the default, the maintainers are reducing the configuration burden on administrators while improving the security posture of new deployments.
The changes to network policies and secrets management are particularly important, addressing real security concerns that have been identified in production environments. While the platform still offers flexibility where needed, the more opinionated defaults will guide users toward safer, more secure implementations.
As one maintainer put it:
"This is meant to be an incremental upgrade in the exact same way that you've gone to Argo 2.13, 2.14 or those other minor version releases. What we've done in this release is we have gone through and basically distilled a lot of best practices into running Argo into the default operation of Argo CD."
For organizations using ArgoCD, now is the time to review your configurations and prepare for the upgrade. The improved defaults in 3.0 will provide a more secure, performant foundation for your GitOps workflows.
References
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。