GitOps brings powerful automation to Kubernetes deployments, but it also introduces new security considerations. Let’s explore how to secure your GitOps workflows.

GitOps Security Principles

  1. Git is the source of truth: All changes must go through Git
  2. Pull-based deployments: Cluster pulls changes, no direct access needed
  3. Audit trail: Every change is tracked in Git history
  4. Review process: Changes require approval via pull requests

Securing ArgoCD

Enable SSO

YAML
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  url: https://argocd.example.com
  oidc.config: |
    name: Okta
    issuer: https://company.okta.com
    clientID: argo-cd
    clientSecret: $oidc.okta.clientSecret
    requestedScopes: ["openid", "profile", "email", "groups"]

RBAC Configuration

YAML
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  policy.csv: |
    p, role:developer, applications, get, */*, allow
    p, role:developer, applications, sync, */*, allow
    g, developers, role:developer
  policy.default: role:readonly
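To see what this policy actually permits, here is an added Python checker (example code, not from the article or the Argo CD project) that evaluates a policy.csv with Casbin-like allow/deny semantics and flags grants a least-privilege review should question. It approximates Argo CD's glob matching with fnmatch, treats the built-in role:readonly as "get" on every resource, and the RISKY_ACTIONS set is an assumption of this example.

```python
"""Added example (not from the article or Argo CD): evaluate an argocd-rbac-cm
policy.csv with Casbin-like semantics and flag over-broad grants.
Simplifications: globs via fnmatch, built-in role:readonly = 'get' on anything."""
import fnmatch

# Constructed sample: the policy.csv from the article's argocd-rbac-cm.
POLICY_CSV = """
p, role:developer, applications, get, */*, allow
p, role:developer, applications, sync, */*, allow
g, developers, role:developer
"""
POLICY_DEFAULT = "role:readonly"
# Assumed set: actions that should not be granted on every object to a non-admin role.
RISKY_ACTIONS = {"*", "delete", "override", "create", "update"}

def parse_policy(csv_text):
    """Split policy.csv into 'p' grants and a group -> roles map."""
    grants, groups = [], {}
    for line in csv_text.strip().splitlines():
        f = [x.strip() for x in line.split(",")]
        if f[0] == "p" and len(f) == 6:
            grants.append(tuple(f[1:]))  # (role, resource, action, object, effect)
        elif f[0] == "g" and len(f) == 3:
            groups.setdefault(f[1], set()).add(f[2])
    return grants, groups

def is_allowed(subject, resource, action, obj, grants, groups, default=POLICY_DEFAULT):
    """Casbin effect: allowed iff some matching rule allows and none denies."""
    roles = groups.get(subject) or {default}  # no 'g' line -> policy.default applies
    allowed = "role:readonly" in roles and action == "get"  # built-in readonly (approx.)
    denied = False
    for role, res, act, pattern, effect in grants:
        if role in roles and all(fnmatch.fnmatchcase(v, p) for v, p in
                                 ((resource, res), (action, act), (obj, pattern))):
            allowed |= effect == "allow"
            denied |= effect == "deny"
    return allowed and not denied

def audit(csv_text, default=POLICY_DEFAULT):
    """Least-privilege review: report findings a reviewer should question."""
    grants, _ = parse_policy(csv_text)
    findings = []
    if default == "role:admin":
        findings.append("policy.default is role:admin: every SSO user is an admin")
    for role, res, act, obj, effect in grants:
        if effect == "allow" and obj in ("*", "*/*") and act in RISKY_ACTIONS:
            findings.append(f"{role} may {act} {res} on every object ({obj})")
    return findings
```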

Repository Credentials

Use sealed secrets or external secret managers:

YAML
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: repo-creds
spec:
  encryptedData:
    password: AgBc7...

Securing Flux

Enable Multi-Tenancy

YAML
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: app
spec:
  serviceAccountName: app-reconciler
  sourceRef:
    kind: GitRepository
    name: app-repo

SOPS Integration

Encrypt secrets in Git:

YAML
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: app
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg

Security Best Practices

Branch Protection

Restrict Sync Permissions

Don’t give GitOps controllers cluster-admin. Use minimal RBAC.

Separate Repositories

Network Policies

Restrict GitOps controller network access.

Scanning Manifests

Integrate security scanning in CI:

YAML
- name: Scan manifests
  run: |
    kubesec scan deployment.yaml
    kube-linter lint manifests/

GitOps enhances security when implemented correctly.
